Anonymised at our discretion — real Evisent engagement, May 2026
Case study · Microsoft 365 audit · two-week engagement

$4,070 in savings. Seven high-severity findings. Two weeks.
What an Evisent audit actually walks into.

A 35-staff Australian wholesale business — referred to in this case study as Hartwell Trading Pty Ltd — engaged Evisent in May 2026 to run a read-only Microsoft 365 audit. The brief was cost optimisation. The brief was met. But the audit also surfaced seven high-severity security findings the client didn't know they had — including an admin account with no MFA that was signed into 17 staff workstations.

Audit findings preview: 7 HIGH · 5 MED · 1 LOW · $4,070/YR SAVINGS. Seven high-severity security findings; 17 workstations signed into a shared admin account; two-week read-only audit delivery time.

The setup

The brief was cost optimisation. We met it. Then we kept going.

Hartwell Trading is a 35-staff Australian wholesale business with a Microsoft 365 Business Premium tenant, a third-party email gateway, and an incumbent IT provider that had been in place for several years. The leadership team came to Evisent with a specific question: "is there money we're paying Microsoft that we shouldn't be?"

The answer turned out to be yes — about $4,070 a year in unused or over-assigned licences, recoverable inside a four-week window before the next annual renewal. That was the immediately quantifiable answer. The harder answer came alongside it.

The engagement at a glance

Engagement type: Read-only M365 audit, similar in shape to an AI Readiness Sprint

Duration: Two weeks

Scope: Identity & access, Conditional Access, endpoint & email security, data sharing, licensing, operational hygiene

Output: 27-page audit report, board-ready summary, prioritised remediation roadmap

Microsoft Secure Score (at audit): 66.8%

What we found

Six findings that mattered most.

The full report contains thirteen findings across security, licensing, and operational hygiene. Below are the six that most shaped the conversation with Hartwell's leadership team. Headline numbers preserved; identifying detail anonymised.

The incumbent IT provider's admin account had no MFA — and was signed into 17 staff workstations

High · Identity

The most material finding of the audit. The incumbent IT provider held a shared administrative account that was excluded from the tenant's "Require MFA for all users" policy, held the permanent Global Administrator role (the highest privilege level Microsoft 365 offers), and was configured as the Windows sign-in identity on approximately seventeen staff workstations.

A single shared credential, no MFA enforcement, total tenant control, and already "signed in" across half the device fleet. If that one password is ever compromised — through phishing, password reuse, or a credential leak — an attacker has administrator-level access across the entire environment and is already authenticated on a large share of the laptops. This is the configuration profile of either a careless setup or a deliberate persistence mechanism. Either way, it's exactly what an attacker would leave behind.
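The check behind this finding, as an added example rather than Evisent's own tooling: it works over constructed, Microsoft Graph-shaped data (a Conditional Access policy object and directory-role memberships) so it runs offline, and reports privileged accounts that no tenant-wide MFA policy covers. The user ids and role names are constructed sample values.

```python
"""Flag privileged accounts carved out of the tenant-wide MFA policy.

Added example, not part of the audit report. The data shapes follow the
Graph conditionalAccessPolicy object; values below are constructed.
"""

# Constructed sample: one "Require MFA for all users" policy with an exclusion.
POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["user-it-admin"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

# Constructed sample: directory role memberships (role name -> user ids).
ROLE_MEMBERS = {
    "Global Administrator": ["user-it-admin", "user-ceo"],
    "Helpdesk Administrator": ["user-helpdesk"],
}


def mfa_policies(policies):
    """Enabled policies that require MFA and target every user ("All")."""
    return [p for p in policies
            if p.get("state") == "enabled"
            and "mfa" in p.get("grantControls", {}).get("builtInControls", [])
            and "All" in p["conditions"]["users"].get("includeUsers", [])]


def covered_by_mfa(user_id, policies):
    """True if at least one tenant-wide MFA policy applies to this user."""
    return any(user_id not in p["conditions"]["users"].get("excludeUsers", [])
               for p in mfa_policies(policies))


def privileged_without_mfa(policies, role_members,
                           privileged_roles=("Global Administrator",)):
    """Return sorted [(user_id, role)] for privileged members not covered by MFA.

    A tenant with no MFA policy at all reports every privileged member.
    """
    findings = [(uid, role)
                for role in privileged_roles
                for uid in role_members.get(role, [])
                if not covered_by_mfa(uid, policies)]
    return sorted(findings)
```

On a live tenant the same shapes come from the Graph endpoints for Conditional Access policies and directory role members; the exclusion list is where this finding hid.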

SharePoint and OneDrive set to "Anyone" — anonymous links never expired

High · Data sharing

External sharing was configured at the most permissive setting Microsoft offers. Anonymous "Anyone" links — which work without sign-in — never expired. Folders shared anonymously permitted upload back into them. Twenty-nine of thirty-five SharePoint sites had external sharing enabled at the site level.

Any staff member who has ever generated an "Anyone" link is still leaking those files today, and that link can be forwarded to anyone on the internet. Combined with no mobile device management (Finding 6 below), this constituted a meaningful data-loss exposure. The configuration profile is most commonly associated with accidental leakage, but it also represents the easiest persistent exfiltration channel for an attacker to use without triggering an alert.

The domain was unprotected against email spoofing

High · Email security

The domain's DMARC policy was set to p=none — a monitoring-only configuration that allows receiving mail servers to report on unauthenticated mail but does not block it. In practical terms: a scammer in another country could send a perfectly legitimate-looking invoice or HR email from anyone@<Hartwell's domain> to Hartwell's customers, suppliers, or staff — and major email providers (Gmail, Outlook) would deliver it normally.

This is the leading vector for business email compromise (BEC) fraud against Australian SMBs. For a wholesale business with regular external supplier and customer correspondence, this is also the configuration that allows fraudulent payment-redirect emails to land convincingly.
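How the DMARC posture in this finding is assessed, as an added example (not Evisent's audit tooling): a small parser for the _dmarc TXT record that grades p=none as the High finding above, and also handles the weaker-than-they-look cases (sp=none on subdomains, pct below 100, quarantine instead of reject). The sample records are constructed.

```python
"""Grade a domain's DMARC record the way the audit graded p=none.

Added example, not part of the audit report. Pass in the TXT record
published at _dmarc.<domain>; the samples below are constructed.
"""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (severity, reason) for a DMARC record string ('' = no record)."""
    if not txt.strip():
        return "High", "no DMARC record: receivers apply no policy to spoofed mail"
    t = parse_dmarc(txt)
    if t.get("v", "").upper() != "DMARC1":
        return "High", "malformed record (v=DMARC1 missing); receivers ignore it"
    if "p" not in t:
        return "High", "required p= tag missing; record is invalid"
    policy = t["p"].lower()
    sub = t.get("sp", policy).lower()          # sp inherits p when absent
    try:
        pct = int(t.get("pct", "100"))         # pct defaults to 100
    except ValueError:
        pct = 100
    if policy == "none":
        return "High", "p=none is monitor-only; unauthenticated mail is delivered"
    if sub == "none":
        return "High", "sp=none leaves every subdomain spoofable despite p=" + policy
    if pct < 100:
        return "Medium", "pct=%d applies the policy to only part of the mail stream" % pct
    if policy == "quarantine":
        return "Medium", "quarantine routes spoofed mail to spam rather than rejecting it"
    if "rua" not in t:
        return "Low", "p=reject but no rua= address, so failures are never reported"
    return "Pass", "p=reject with aggregate reporting enabled"


# Constructed record matching the finding above (monitor-only).
HARTWELL_STYLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
```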

The malware defences in their Microsoft licences had not been switched on

High · Endpoint

Hartwell's Microsoft 365 Business Premium subscription included Microsoft Defender preset security policies — protections specifically designed to block the malware patterns used in over 90% of real-world attacks against businesses this size. None had been enabled. No Attack Surface Reduction rules had been deployed.

They were paying Microsoft for the capability and not getting the benefit. The Microsoft Secure Score top-recommended actions for the tenant were all ASR rules — controls that block well-known malware delivery patterns such as Office applications creating executable content, Win32 API calls from macros, and credential theft from the LSASS process. The protections cost nothing extra; they had simply not been turned on.

$3,670/yr in unused licences — recoverable inside the four-week renewal window

High · Licensing

Fourteen user accounts held paid Microsoft 365 licences but were not active users. They included disabled ex-staff accounts (some inactive for 1-4 years), accounts that had never been signed in (including one new-starter account with two stacked licences worth $533/yr that had never been used), and Teams Phone service accounts using paid user licences rather than free resource-account licences. The tenant was also over-assigned (35 users, 33 paid Business Premium licences) — Microsoft had already flagged this for billing at the next renewal.

Licence category                 Seats   Annual value (AUD)
Business Premium                   5     $1,998
Business Standard                  3     $684
Business Basic                     2     $194
Exchange Online (Plan 1)           4     $298
Teams Phone Standard               2     $266
Unused Business Standard seat      1     $228
Immediate licence cleanup         17     ~$3,670

Staff phones accessing company email were not managed at all

High · Endpoint / Data

Microsoft Intune — included in Business Premium licences — had zero mobile devices enrolled. Every iPhone or Android device staff used to read company email was completely unmanaged: no enforced screen lock, no remote-wipe capability when a device was lost, no separation of work data from personal data, no audit trail of which devices held company information.

Combined with the permissive external sharing posture, this constituted a substantial data-loss exposure: a forgotten phone in a taxi could expose company data with no way to retrieve it. The relevant Intune capability was already paid for and merely had to be turned on.

The harder answer

What we found was a setup that could have been used to defraud the company.

We weren't asked to investigate whether a prior compromise had occurred. We were asked to assess the current state. But the current state read like the inheritance from one: a shared admin account exempt from MFA, the same identity active on seventeen workstations, a domain that could be spoofed without programmatic protection, anonymous file-sharing links that never expired, and twelve security controls that had been previously implemented and silently drifted out of compliance.

Each finding individually is a configuration weakness. Taken together, they describe the exact pattern of conditions a well-prepared attacker would want left behind — persistent administrative access, an exfiltration channel, an impersonation channel, and detection controls that had been quietly disabled. Whether the configuration was the inheritance of a prior compromise, the residue of a former provider's habits, or simply the cumulative drift of a tenant nobody had audited in several years — the operational risk was the same.

The findings were ranked, reported plainly, and walked through with Hartwell's leadership team. The remediation roadmap was sequenced against the four-week renewal window so that the cost recovery could fund the security uplift. The work is ongoing.

What this means for businesses like Hartwell

The audit was a Sprint by another name.

The engagement Hartwell ran with us is structurally the same shape as our productised AI Readiness Sprint — read-only, two weeks, fixed-scope, board-ready output. The same methodology applied to the AI Governance question instead of the M365 cost-and-security question produces a comparably substantive deliverable in the same timeframe.

If you're a Hartwell-shape buyer

10-200 staff, Microsoft 365 tenant, an incumbent IT provider you haven't deeply audited in years, an upcoming renewal you'd like to size correctly. Start with the Sprint.

See the AI Readiness Sprint →

If you want ongoing governance

After Sprint-style findings, most clients move into the AI Governance Bundle — the recurring service that keeps the framework, the policies, and the controls aligned quarter after quarter.

See the AI Governance Bundle →

If you need a specific build

Hartwell's roadmap included a small Power Automate workflow build to surface renewal alerts before the next billing cycle. Build & Operate engagements are how specific use cases get delivered.

See Build & Operate →

The full anonymised report

The complete 27-page audit report — anonymised at the same level as this case study, with all client-identifying detail removed — is available on request as a sample of the deliverable shape. Useful if you're evaluating Evisent against another provider and want to see what an audit output actually looks like, end to end.

Email info@evisent.com.au with "sample audit" in the subject line — we respond same business day.

Two ways to find out what's in your environment

Take the quiz. Or book the Sprint directly.

The AI Readiness Quiz scores your environment in three minutes against three readiness axes — Governance, Build, Operations — and routes you to the right SKU. Or book a Sprint directly if you'd rather skip the quiz.