March 7, 2026

Case Study: Multi-Client Zero Trust Rollout Across Regulated Environments


Summary

A regional Information and Communications Technology (ICT) provider, responsible for delivering managed services to a diverse portfolio of business clients, initiated a strategic project to standardise and elevate its security offerings. The engagement required a lead architect to design and deploy a comprehensive security framework based on Microsoft’s Zero Trust principles. The solution needed to be robust enough for regulated industries and flexible enough to be deployed repeatably across multiple end-client environments, encompassing on-premises servers, modern endpoints, mobile devices, and cloud infrastructure.

Challenge

The primary challenge was to implement a consistent, high-security Zero Trust model across the heterogeneous IT estates of multiple end-clients. This involved navigating existing legacy systems, differing compliance requirements, and ensuring a seamless transition for users to minimise business disruption. Key technical hurdles included migrating clients from various third-party Endpoint Detection and Response (EDR) platforms to a unified Microsoft Defender stack, managing complex tenant-to-tenant migrations for client divestitures, and establishing a secure, auditable framework for multi-tenant partner access and management.

Objectives

  • Design and deploy an end-to-end Microsoft Zero Trust security architecture from the ground up.
  • Secure all infrastructure layers, including on-premises servers, Windows endpoints, iOS/Android mobile devices, and Azure cloud environments.
  • Establish a repeatable, scalable framework to efficiently onboard and secure new and existing clients.
  • Consolidate security tooling onto the integrated Microsoft security ecosystem to improve threat detection and response.
  • Ensure and demonstrate compliance through automated policy enforcement, comprehensive auditing, and robust governance controls.
  • Enable secure, modern work scenarios through Azure Virtual Desktop (AVD) and resilient backup and recovery solutions.

Approach and Delivery

The project was led from the initial architectural design phase through to the hands-on build, configuration, and final rollout. A foundational hub-and-spoke network topology was established in Azure to serve as a secure and scalable pattern for client networking. For business transformation activities like mergers and divestitures, a repeatable and accountable framework was developed to execute complex tenant-to-tenant migrations.

Change management was embedded throughout the delivery process to support user adoption and ensure a smooth integration of new security controls. Each client engagement was supported by detailed Statements of Work (SOWs), comprehensive technical documentation, and bespoke Visio architecture diagrams. Furthermore, the provider’s internal technical and sales staff were mentored on the new security services, building in-house capability and enabling them to effectively market and support the new offerings.

Technical Implementation

  • Identity and Access Management: Hybrid identity was configured using Microsoft Entra ID Connect. Security was enforced through granular Conditional Access policies, Privileged Identity Management (PIM) for just-in-time access, and Azure Lighthouse for secure, auditable partner management.
  • Endpoint and Server Security: Clients were migrated from multiple third-party EDR platforms to Microsoft Defender for Endpoint and Defender for Servers. Device configurations were hardened using CIS-compliant Intune policies for modern endpoints and traditional Active Directory Group Policies for servers.
  • Data Governance: Microsoft Purview was deployed to enforce Data Loss Prevention (DLP) policies and apply sensitivity labelling, protecting critical information across the client tenants.
  • Network Security: Azure Firewall and FortiGate virtual appliances were implemented within the hub-and-spoke Virtual Network architecture. Traffic was controlled using Network Security Groups, and services were secured using Azure Private Endpoints.
  • Infrastructure and Recovery: Azure Virtual Desktop (AVD) with FSLogix profiles was implemented to provide secure remote desktop capabilities. Business continuity was assured by configuring Azure Site Recovery and deploying Veeam Backup for Microsoft 365.
  • Automation and Scripting: PowerShell Desired State Configuration (DSC) and other automation scripts were developed to replicate configurations and deploy Zero Trust policies consistently across multiple tenants, reducing manual effort and ensuring uniformity.
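The cross-tenant policy automation described in the list above, as an added example that is not the provider's own tooling: a PowerShell script using the Microsoft Graph PowerShell SDK to check each client tenant against a named Conditional Access baseline and flag policies that are missing or not enforced, which is the configuration drift the Key Lessons refer to. The tenant IDs, the baseline policy names and the Policy.Read.All consent in each tenant are assumptions.

```powershell
# Added example (not the provider's code): audit client tenants for drift from a
# Conditional Access baseline via the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Assumes Policy.Read.All has been consented in each tenant (for example through
# the Lighthouse/GDAP partner relationship described on this page).

# Constructed placeholder tenants; replace with the real client tenant IDs.
$Tenants = @(
    @{ Name = 'Client A'; TenantId = '00000000-0000-0000-0000-000000000001' }
    @{ Name = 'Client B'; TenantId = '00000000-0000-0000-0000-000000000002' }
)

# Baseline: each named policy must exist and be enabled (report-only counts as drift).
# Names are assumptions; use whatever naming standard the SOW defines.
$Baseline = @(
    'CA001 - Require MFA for all users',
    'CA002 - Block legacy authentication',
    'CA003 - Require compliant device for Office 365'
)

function Test-CaBaseline {
    param([Parameter(Mandatory)][hashtable]$Tenant, [string[]]$Expected)

    Connect-MgGraph -TenantId $Tenant.TenantId -Scopes 'Policy.Read.All'
    try {
        $policies = Get-MgIdentityConditionalAccessPolicy -All
    } finally {
        Disconnect-MgGraph | Out-Null
    }

    foreach ($name in $Expected) {
        $p = $policies | Where-Object DisplayName -eq $name
        $status = if (-not $p) { 'MISSING' }
                  elseif ($p.State -ne 'enabled') { "DRIFT ($($p.State))" }
                  else { 'OK' }
        [pscustomobject]@{ Tenant = $Tenant.Name; Policy = $name; Status = $status }
    }
}

$results = foreach ($t in $Tenants) { Test-CaBaseline -Tenant $t -Expected $Baseline }
$results | Format-Table -AutoSize

# Non-zero exit so a scheduled pipeline run fails when any tenant has drifted.
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

Run it on a schedule from the provider's management context so drift is detected before a compliance audit finds it.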

Outcome

The engagement resulted in the successful delivery of secure, compliant, and clean tenant environments for multiple end-clients of the ICT provider. A scalable architectural blueprint for Zero Trust deployments was established, significantly improving the efficiency and consistency of security service delivery.

The overall security posture of end-clients was enhanced by consolidating security tools onto the integrated Microsoft platform, which streamlined operations and improved threat signal intelligence. Vulnerability remediation processes were standardised, and secure remote work was enabled through robust identity management and AVD. The initiative also delivered significant value to the provider by increasing its internal technical capabilities through staff training, process development, and comprehensive documentation.

Risks, Controls and Governance

As lead consultant and escalation point, the architect managed all P1 security incidents, including forensic investigations to determine root causes. Governance was programmatically enforced through the automated deployment of security policies for access control, data protection, and endpoint compliance. A formal vulnerability management process was instituted, involving regular scanning with various tools and the creation of comprehensive change packages for remediation. Secure partner access for managed services was strictly governed using Azure Lighthouse and GDAP, providing auditable and time-bound administrative controls that align with the principle of least privilege.

Key Lessons

  • A repeatable architectural framework is fundamental to delivering consistent and scalable security outcomes in a multi-client or multi-tenant service provider environment.
  • The automation of security policy deployment is essential for maintaining compliance, reducing configuration drift, and ensuring a uniform security posture at scale.
  • Combining a technical security rollout with a proactive change management strategy is critical for ensuring user adoption and minimising resistance.
  • Consolidating security tools onto an integrated vendor platform like Microsoft’s can simplify operations, improve threat visibility through better signal integration, and ultimately reduce operational overhead.

Related Services

  • Zero Trust Architecture & Hardening
    Design and implement a Microsoft-aligned Zero Trust programme covering identity, devices, least privilege access, segmentation, and continuous monitoring.
  • Defender for Endpoint (EDR)
    Deploy and operationalise Defender for Endpoint with phased onboarding, tuned policies, and clear triage workflows across managed device estates.
  • Defender for Servers
    Onboard and configure Microsoft Defender for Servers to protect Azure, hybrid and supported multicloud server workloads with clear operational visibility.
  • PowerShell Automation & Scripting
    PowerShell automation service delivering safe tenant operations, reporting and bulk changes across Microsoft 365, Azure and endpoints with auditable scripts.
  • Azure Network Architecture (Hub/Spoke, DNS, Private Link)
    Azure network architecture services covering hub-and-spoke design, DNS, routing and Private Link to support secure, scalable connectivity.

Written by

Liam Wytcherley
