Microsoft 365 security for Irish business — assess, harden, sustain
Find the gaps in your Microsoft 365 before someone else does.
Kinane Labs gives Irish businesses an independent, plain-English review of their
Microsoft 365 and Entra security — then helps fix what matters and keeps your
tenant in shape as things change. No jargon. No enterprise price tag.
Independent and read-only — nothing in your tenant is changed.
Microsoft 365 Security Assessment
Prepared by Kinane Labs
Example
68Posture
Admins without phishing-resistant sign-inHigh
Legacy authentication enabledHigh
DMARC not enforcedMedium
MFA registered for all usersPass
Evidence-based · every finding is checked, never assumed
IndependentRead-onlyEvidence-basedPlain EnglishBased in Ireland
Why it matters
The risks that actually hit small businesses in 2026
Attackers rarely "break" Microsoft 365 — they sign in. Most incidents start with a
stolen login, a lingering app permission, or a setting that quietly drifted. Here is what
that looks like today, in plain English.
Phishing that beats MFA
Modern phishing sits in the middle of a real Microsoft login and steals your session as you approve it — even with an app-based prompt. The answer is phishing-resistant sign-in (passkeys / FIDO2), starting with your admins.
Fix: phishing-resistant sign-in
Stolen tokens and sessions
Once an attacker copies a valid session token, they can walk straight past MFA and act as the user until it expires. Sensible session lifetimes and device rules close that door.
Fix: session & device policy
Consent phishing & risky apps
A single "Allow" on a malicious or over-permissioned app can hand away your mail and files — and it keeps that access even after you reset the password. Most tenants have never reviewed what is connected.
Fix: app consent controls
Legacy sign-in protocols
Old mail protocols let attackers skip MFA entirely. If they are still switched on — and in many tenants they quietly are — they are often the easiest way in.
Fix: block legacy authentication
Invoice & payroll fraud
Business email compromise — spoofed invoices and "please change my bank details" emails — costs Irish firms real money. Enforcing DMARC makes your domain far harder to impersonate.
Fix: enforce DMARC
Configuration drift
A tenant hardened once rarely stays that way. A policy loosened for a project, an exception no one removed, a new admin account — small changes add up to a big gap over time.
Fix: ongoing configuration oversight
The good news: nearly every one of these is fixable with settings you already own —
once you can see them clearly.
What we do
Three services, one clear path to a safer tenant
Start with an honest assessment. Fix what matters with a steady, documented hand. Then
stay in good shape as your business — and its settings — change.
Step 1 · See where you stand
Assessment
An independent, read-only review of your Microsoft 365 and Entra security. You get a
branded, plain-English report that scores your posture and, for every finding, explains
what we checked, why it matters, what an attacker actually does, and how to fix it.
Nothing in your tenant is changed
Evidence-based — we never mark a "pass" we couldn't verify
Written for owners and managers, not just IT
Step 2 · Fix what matters
Hardening
We work through the fixes with you, carefully and in the right order. Every change is
captured with before-and-after evidence, and we re-run the assessment at the end to
prove the improvement — in black and white.
Human-supervised, careful and reversible
Before / after evidence for every change
A re-assessment that proves it worked
Step 3 · Sustain
Continuous Improvement
Scheduled re-assessment and oversight of your tenant's security
configuration, at a cadence that suits you. Each cycle re-runs the full
assessment and flags drift in the settings that protect you — a Conditional Access
policy weakened or opened in a way that could leak data, MFA slipping, a risky app
granted access, a new admin appearing — so it is caught early and fixed while it is
still just a setting.
Keeps your tenant in the best possible posture over time
Catches configuration drift before it becomes an incident
Every cycle documented in plain English
Most clients start with a one-off assessment and decide from there. You can stop after any step — there is no lock-in and no obligation to continue.
The report
Every finding, explained four ways
No 200-page audit dump you'll never read. Each finding answers the four questions that
actually matter — so anyone in the business can understand it, and your IT person gets
the detail to act.
1
What we checked
The exact setting or control we looked at, and what we actually found in your tenant.
2
Why it matters
The business risk in plain terms — what is exposed, and to whom.
3
What an attacker does
How this gap gets used in the real world, described without the scare tactics.
4
How to fix it
Clear, ordered steps — and we can carry them out with you during hardening.
Admins can sign in without phishing-resistant methods
HighExample finding
What we checked
Your privileged (admin) accounts and the sign-in methods they're allowed to use. Today they can still sign in with app-based approval only.
Why it matters
Admin accounts are the keys to the whole tenant. If one is taken over, an attacker can reach everything.
What an attacker does
Relays a genuine Microsoft login through a fake page, capturing both the password and the approval in one go — then rides the session past MFA.
How to fix it
Enrol admins in passkeys or FIDO2 keys, then require phishing-resistant sign-in for admin roles with a Conditional Access policy.
Why Kinane Labs
Straight answers from the person doing the work
Kinane Labs is a focused, one-person Microsoft 365 security practice in Ireland. You
deal directly with the person running your assessment — no call centre, no sales team, and
no software you're pressured to buy.
Independent
We don't resell licences or push products. The only thing we're offering is a clear, honest picture of where you stand.
Read-only by default
The assessment connects with read-only permissions. It looks; it doesn't touch. Any hardening change happens later, with you, deliberately.
Evidence-based & honest
Every finding is backed by what we actually checked. If we can't verify something, we say so — we never mark a "pass" we didn't earn.
Plain English
A report a business owner can read in one sitting — what's wrong, why it matters, and exactly how to fix it. Your IT person gets the detail too.
Built for Irish SMBs
Right-sized for small and medium businesses: the protections that matter, using licences you already own — without enterprise cost or ceremony.
Focused on outcomes
Protecting your email, files and money — and reducing your GDPR exposure — not chasing a perfect score for its own sake.
Common questions
Good questions, honest answers
Is it safe to run against our live tenant?
Yes. The assessment uses read-only permissions and changes nothing in your environment. You can see exactly what access is granted, and you can revoke it at any time.
Do we need to be technical to get value from it?
Not at all. The report is written for owners and managers first. If you have an in-house IT person or an external provider, they'll find the technical detail they need too.
What Microsoft 365 licences do we need?
The assessment works with what you already have. Some checks depend on specific licences — where a check can't run, we tell you honestly rather than guessing or marking it as a pass.
How long does an assessment take?
The read-only collection itself is quick. Turning it into a clear, reviewed report typically takes a few working days. We'll agree timing with you up front.
What does it cost?
The initial assessment enquiry is free. Get in touch and we'll explain the scope and pricing plainly before anything starts — no surprises, no obligation to continue.
Where is our data handled?
Kinane Labs is based in Ireland. We collect only the security configuration needed for the assessment, and we're happy to talk through the GDPR specifics for your business.
Get in touch
See where your Microsoft 365 security really stands
Request a free, read-only assessment. You'll get a clear picture of your posture and the
handful of fixes that matter most — with no obligation to go further.