Independence is structural, not claimed
Assurance has value only when it is independent of the people responsible for delivery. This is not a principle Inquilion adopted. It is the reason Inquilion exists.
Your IT team or managed service provider runs Microsoft 365. Your auditors examine controls periodically. Your compliance team tracks regulatory requirements. Each of these functions has a legitimate role, but none of them can independently assure the board that Microsoft 365 configuration is governed in line with your risk appetite.
The IT team cannot independently assure its own work. The managed service provider has a commercial relationship that creates a conflict. The auditor examines controls but rarely at the configuration level, and rarely with the frequency that a dynamic platform requires.
Inquilion sits outside all of these relationships. We do not run your environment. We do not advise on how to configure it. We do not remediate what we find. This separation is not a limitation. It is the foundation of the assurance.
Nine governance domains
Microsoft 365 is not a single application. It is an ecosystem of interconnected services, integrations, and external connections. Inquilion assesses governance posture across nine domains covering this entire surface: from identity and access controls through to data residency, from email security through to the application and sharing configurations that determine what third-party tools can access organisational data and how information flows beyond the tenant boundary. Each domain is translated from technical configuration into governance language that any director can read, challenge and act on.
Identity and Access
Who can access what, how authentication is configured, and whether the controls preventing unauthorised access are operating as expected.
Data Protection
How organisational data is classified, shared and protected. Whether controls exist to prevent data leaving the organisation undetected.
Device Governance
Whether devices accessing organisational data are managed, compliant and operating within the board's risk appetite.
Email Security
How email is protected against impersonation, interception and misuse. Whether the controls in place match the risk the board carries.
Audit and Logging
Whether the organisation can evidence what happened, when, and by whom. The foundation for accountability and regulatory response.
Information Governance
Whether retention policies, records management, and lifecycle controls are in place to meet regulatory obligations. Whether organisational data is retained as required and disposed of when it should be.
Insider Risk Management
Whether policies are configured to detect and respond to insider risk signals, communication compliance obligations, and adaptive protection. Whether the organisation can evidence it has controls around internal threats.
Application and Data Sharing
Which external applications have access to organisational data, what permissions they hold, and whether that access has been formally approved. How external sharing, guest access, and Power Platform integrations are governed.
Data Residency and Sovereignty
Where organisational data physically resides, whether data location aligns with regulatory requirements, and how cross-border data flows are governed.
Every domain is assessed against governance expectations, not feature tiers or licence levels.
The governance domains and assessment scope shown here reflect the current Inquilion methodology as of March 2026. Domains, assessment checks, and regulatory framework coverage are subject to ongoing development as the regulatory landscape and the Microsoft 365 platform evolve.
Governance-grade evidence
Every report is designed for the boardroom, the audit committee, the insurer and the regulator. Not for the IT team.
Board-grade reporting
Technical configuration is converted into plain-language governance summaries. Each domain receives a Red, Amber or Green assurance status. Material findings are framed as actions for management, never as technical instructions.
The board sees whether its governance posture is improving, stable or deteriorating. A cumulative findings tracker shows remediation progress over time. Every report states what was assessed, the benchmarks used, what is excluded and the basis of independence.
Self-contained for any reader
A new NED, trustee, insurer or auditor can pick up any Inquilion report and understand the organisation's Microsoft 365 governance posture from first principles. No prior knowledge of the organisation or its technology is required.
This matters because governance documents circulate. They are read by people who were not in the room when they were commissioned. Every report must stand on its own.
What Inquilion does not do
The boundaries of the service are as important as the service itself. Independence depends on what we choose not to do.
We do not remediate
Findings are framed as actions for management. The board oversees remediation through its existing governance structures. If we fixed what we found, we could no longer independently assure it.
We do not advise on configuration
We assess configuration against governance expectations. We do not recommend how to configure anything. Advisory and assurance cannot coexist without compromising independence.
We do not replace audit
Inquilion complements formal audit by providing the independent evidence layer that auditors can reference but rarely produce themselves at the configuration level.
We do not manage your environment
We have no operational role in your Microsoft 365 tenant. No administrative access, no ongoing presence, no commercial dependency on your IT decisions.
Where Inquilion sits in your governance
Inquilion does not replace any function. It fills the space between operational reporting and formal audit, providing the independent evidence layer that boards need but rarely receive.
Oversight cannot be delegated to those responsible for delivery.
Independent evidence where previously there was assumption
If your board has not yet received independent evidence on how Microsoft 365 is configured, a conversation is the right first step.