TechSolutions Inc. was moving 300 employees to Microsoft 365 and needed it done right — not just functional, but secure, compliant, and built to scale. This is the complete deployment story: identity, security, collaboration, and monitoring, configured end to end inside a live M365 tenant.
Before a single email is sent or a document shared, the right people need to be in the right places with the right access. Phase 01 was about establishing TechSolutions' identity layer — bulk user onboarding, department structure, licensing, and permissions — so the rest of the deployment had solid ground to build on.
TechSolutions has three departments: IT, HR, and Marketing. Rather than creating user accounts one by one, I prepared a structured CSV file containing all 10 employee accounts — with UPN, display name, department, and country — then imported them directly through the Microsoft 365 Admin Center in a single operation. Every account was automatically provisioned with correct departmental metadata from day one.
Each imported account was assigned a Microsoft 365 E5 license — the highest tier, covering Defender, Purview, Power Automate, and the full compliance stack. Profile pictures were standardized using the TechSolutions company logo to maintain consistent branding across the Admin Center, Teams, and Outlook. Department fields, job titles, and contact information were populated across all accounts.
Three Microsoft 365 Groups were created — one per department — with users assigned to their respective groups. A fourth master TechSolutions group containing all users was created for tenant-wide communications and simplified license management. Group creation in M365 automatically provisions a shared mailbox, SharePoint site, Teams workspace, and Planner — one action, five connected services.
Permissions were configured at the group level: the HR group received Full Control on the TechSolutions HR SharePoint site, with Edit-level access for members — ensuring sensitive HR documents remain locked down by default. The Marketing group was granted rights to create and manage Microsoft Teams workspaces, confirmed by successfully provisioning a Marketing team and adding all Marketing users as members.
An M365 tenant without hardened security is an open door. Phase 02 covered every threat surface: email-borne attacks, phishing, malware, unauthorized data sharing, and internal data leaks. From Microsoft Defender to Purview DLP, every protection layer was configured and verified in a live tenant.
Safe Links and Safe Attachments were enabled under Preset Security Policies — Standard and Strict protection applied to all inbound email. Safe Links rewrites every URL at time-of-click, checking against Microsoft's threat intelligence database in real time. Safe Attachments detonates suspicious files in a sandbox before delivery. These two controls alone eliminate the most common enterprise attack vectors.
Anti-phishing was configured through Microsoft Defender's Threat Policies. Mailbox intelligence and spoof intelligence were both enabled — allowing Defender to learn normal sending patterns and flag anomalies. The phishing threshold was set to Standard. Zero impersonated domains or users were detected in the 7-day window post-configuration, confirming a clean baseline.
A mail flow rule was configured in the Exchange Admin Center to automatically apply Microsoft 365 Message Encryption (OME) to all internal-to-internal emails. The rule — "Encrypt All Internal Emails" — was enabled and confirmed active. This ensures that any communication between TechSolutions employees is encrypted in transit, with no action required from the sender.
Two DLP policies were created in Microsoft Purview targeting the highest-risk data types for a Canadian organization: Canadian Personally Identifiable Information (PII) and financial data including credit card numbers. Both policies were set to active status and verified by triggering a test — an email containing credit card data immediately generated a high-severity DLP alert, confirming detection was working in real time.
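Before sending a DLP test email like the one described above, it helps to confirm that the test content would actually count as a match. The following is an added example, not part of the original case study and not Purview's own detection code: it pairs a pattern match with a Luhn checksum, on the assumption that a detector discards numbers that fail the check digit (payment card numbers and Canadian SINs both carry one). The sample message, patterns and function names are constructed for illustration.

```python
import re

# Candidate patterns: 13-19 digit card numbers and 9-digit SINs,
# allowing a single space or hyphen between digits/groups.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SIN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")

# Constructed test message: one invalid card, one valid test card,
# one checksum-valid fictitious SIN, one 9-digit invoice number.
SAMPLE = (
    "Order ref 4111 1111 1111 1112, card 4111-1111-1111-1111, "
    "SIN 046 454 286, invoice 123 456 789."
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, str]]:
    """Return (data_type, normalized_digits) for every checksum-valid match."""
    hits = []
    for label, pattern in (("credit_card", CARD_RE), ("canadian_sin", SIN_RE)):
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((label, digits))
    return hits


if __name__ == "__main__":
    for data_type, digits in scan(SAMPLE):
        print(data_type, digits)
```

Random digit strings in a test email fail the checksum about nine times in ten, which is a common reason a DLP verification test appears not to fire.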
Beyond perimeter security, Insider Risk Management was configured in Microsoft Purview to detect threats from within. A Data Leaks quick policy was deployed covering all active users, with DLP policies integrated as policy indicators. Adaptive Protection was enabled to dynamically tighten Conditional Access controls for users whose risk score elevates — automatically restricting Office app access without requiring manual admin intervention.
The Microsoft Secure Score dashboard was reviewed to assess TechSolutions' overall security posture post-configuration. The score reflected the protections deployed across identity, data, and collaboration layers — with recommended improvement actions flagged for ongoing hardening.
Productivity without structure creates chaos. Phase 03 stood up the full collaboration infrastructure — department SharePoint sites, controlled document libraries, OneDrive data governance, and Viva Engage for internal communications — each configured with the right permissions and retention rules to keep data both accessible and protected.
Three dedicated SharePoint team sites were created — TechSolutions IT, TechSolutions HR, and TechSolutions Marketing. Each site was provisioned with its own permission structure: Site Owners receive Full Control, Members receive Edit access, and external sharing is locked down. The HR site has the strictest access — only HR members are permitted, with an Access Denied response verified for unauthorized users attempting to browse.
A dedicated HR Documents Library was created on the HR SharePoint site with two critical governance controls enabled: document versioning (preserving the full edit history of every HR document) and content approval (requiring HR owners to approve any new or modified document before it becomes visible to members). Draft item security was also configured to restrict draft visibility to authors and approvers only.
Organization-wide OneDrive external sharing was locked to "Only people in your organization" — preventing any file from being shared outside the tenant without admin authorization. Two retention policies were then applied: a 5-year retention policy for all OneDrive files (meeting long-term compliance requirements) and a 1-year deletion policy to automatically move stale files to the Recycle Bin after 12 months of inactivity.
Viva Engage was configured as TechSolutions' enterprise social network with a strict internal-only usage policy — all Viva Engage activity is restricted to authenticated tenant users only. Four communities were created: Company-Wide Announcements (all-staff), and dedicated communities for IT, HR, and Marketing. The internal-only policy was saved and verified with the "Changes saved" confirmation banner.
A deployed environment without visibility is a liability. Phase 04 instrumented the entire TechSolutions tenant — audit logging, custom alert policies, service health monitoring, and automated monthly reporting via Power Automate — so IT administrators can see everything that matters without having to look for it.
Audit logging was enabled across the tenant and a custom audit log search was configured to track SharePoint file activity — file access, uploads, edits, and deletions — for a specific user within a defined date range. This gives IT administrators the ability to reconstruct any user action in SharePoint and meet the forensic requirements of a compliance investigation.
A Suspicious File Activity alert policy was created to notify administrators when anomalous file access patterns are detected — mass downloads, bulk deletions, or unusual access volumes. Separate DLP breach notifications were configured to fire whenever a DLP policy match occurs. Alert severity, threshold, and recipient list were all configured, and the policy was confirmed active.
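The threshold logic behind an alert of this kind can be reproduced over exported audit records to tune thresholds or re-check a period after the fact. This is an added example, not the tenant's alert policy or Microsoft's detection logic: it counts `FileDownloaded` and `FileDeleted` operations per user in a sliding window. The thresholds, window, user names and records are constructed assumptions; the field names follow the audit record layout (`CreationTime`, `UserId`, `Operation`, `ObjectId`).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for illustration: events per user inside WINDOW.
THRESHOLDS = {"FileDownloaded": 5, "FileDeleted": 3}
WINDOW = timedelta(minutes=10)


def find_bursts(records, thresholds=THRESHOLDS, window=WINDOW):
    """Return sorted (user, operation, alert_time) for each burst.

    A burst is `threshold` or more events of one operation by one user
    inside a sliding window; each (user, operation) is reported once.
    """
    recent = defaultdict(deque)      # (user, op) -> timestamps in window
    alerts = {}
    ordered = sorted(records,
                     key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    for rec in ordered:
        op = rec["Operation"]
        if op not in thresholds:
            continue
        key = (rec["UserId"].lower(), op)
        ts = datetime.fromisoformat(rec["CreationTime"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:    # drop events older than the window
            q.popleft()
        if len(q) >= thresholds[op] and key not in alerts:
            alerts[key] = ts
    return sorted((u, o, t.isoformat()) for (u, o), t in alerts.items())


def make_events(user, op, start, count, step_seconds):
    """Build constructed audit records spaced step_seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{"CreationTime": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
             "UserId": user, "Operation": op,
             "ObjectId": f"/sites/HR/doc{i}.docx"} for i in range(count)]


# Constructed sample: one rapid download burst, one slow (benign) download
# pattern, and one bulk deletion.
SAMPLE_RECORDS = (
    make_events("alex@techsolutions.example", "FileDownloaded", "2024-01-15T09:00:00", 6, 30)
    + make_events("sam@techsolutions.example", "FileDownloaded", "2024-01-15T09:00:00", 6, 3600)
    + make_events("sam@techsolutions.example", "FileDeleted", "2024-01-15T14:00:00", 3, 60)
)

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_RECORDS):
        print(alert)
```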
A scheduled Power Automate cloud flow was built and deployed to automatically generate and deliver monthly Microsoft 365 usage reports to IT administrators and department heads. The flow runs on a monthly recurrence, retrieves the previous 30 days of activity via Microsoft Graph API, formats the data as CSV, and emails it to the distribution list — covering email activity, SharePoint usage, and security events. The flow was tested and confirmed active.
Service Health email alerts were enabled to automatically notify administrators of any Microsoft 365 service incidents, advisories, or degradations. The Service Health dashboard was reviewed — Exchange Online, OneDrive, SharePoint, Teams, and Viva Engage all confirmed healthy. IT department team members were added as additional notification recipients alongside the global admin, ensuring no incident goes unnoticed.
With all four phases complete, the Microsoft Secure Score dashboard was reviewed as a final validation checkpoint. The score reflects the cumulative effect of all security configurations applied across identity, data, email, and collaboration — confirming that TechSolutions' M365 tenant is hardened against the most common threat categories facing a mid-sized Canadian organization.
The foundation is in place. These are the logical next steps to complete TechSolutions' information protection framework — each building directly on what's already deployed.
Apply Public, Internal, Confidential, and Highly Confidential labels across documents and emails. Auto-labelling policies to classify HR and financial data without user action.
Privileged Identity Management for just-in-time admin role activation. Global Administrator access time-bound and approval-gated — least privilege enforced at the highest level.
Enroll TechSolutions endpoints into Microsoft Intune. Deploy compliance policies, app protection policies, and Defender for Endpoint across all managed devices.
Bulk user onboarding, M365 Groups, RBAC, SharePoint permission tiers, Entra ID
Safe Links, Safe Attachments, Anti-Phishing, OME encryption, Exchange mail flow rules
Canadian PII policies, credit card detection, live alert verification, DLP-IRM integration
Retention policies, content approval, document versioning, audit log search, Purview
Data leaks policy, Adaptive Protection, Conditional Access integration, risk-based controls
SharePoint Online, OneDrive governance, Viva Engage communities, Microsoft Teams
Power Automate scheduled flows, Microsoft Graph API, automated reporting pipelines
Custom audit searches, alert policies, service health monitoring, Secure Score tracking
Every screenshot in this case study was taken from a real Microsoft 365 tenant with real configurations applied. TechSolutions' 300-employee environment was designed, deployed, secured, and instrumented — end to end — by one administrator.