Frequently asked questions
For Boards and Governance Professionals
When identity, access and data lived on local servers managed by an onsite team, configuration was a local operational concern. That is no longer the reality. Microsoft 365 now centralises these functions on a single platform where a misconfiguration can affect the entire organisation. That makes it a governance concern, not an IT task. Delivery remains with IT. Understanding exposure, and evidencing oversight, sits at board level.
Most organisations, from boards through management to IT teams, have never had to govern Microsoft 365 configuration or evidence how it is controlled. They have no framework for it and have never been asked to evidence it, until an insurer, auditor or regulator raises the question. Better questions help, but they rely on assumptions about how exposure behaves in practice. In complex, interconnected environments, no single function has a complete view. Independent assurance exists for precisely this situation, when the board needs evidence it is not equipped to produce itself.
Internal audit has a broad remit and limited capacity. It cannot sit permanently inside every critical dependency. What often sits between management reporting and periodic audit is a gap: focused, repeatable visibility into how a specific environment is configured and how that configuration shapes risk over time. Inquilion fills that gap.
Your managed service provider operates the environment. That is their role and it is a legitimate one. But operational delivery and independent assurance are structurally different functions. The people responsible for running a system cannot independently assure it, for the same reason your finance team does not audit its own accounts. Inquilion provides the board with independent evidence on a system that others deliver.
No. Security assessments examine vulnerabilities and exploitability. Penetration testing examines whether defences can be breached. Inquilion addresses a different question: whether Microsoft 365, as a core business system, is configured and governed in line with board accountability and risk appetite, and whether that position can be evidenced over time. These are complementary, not competing.
Usually nothing, until something happens. The risk is not that an incident occurs, but that the organisation is surprised by how it unfolds. Without independent assurance, the board has no evidence that configuration was being governed. That gap becomes visible at precisely the moment it matters most, when an insurer, regulator, or auditor asks what the board knew and when.
Exactly where it already sits. Management remains responsible for delivery and operation. The board remains responsible for oversight. Assurance does not transfer accountability. It provides the evidence to support it.
For most organisations it is where identity, access and information converge. When a single platform underpins authentication, collaboration and data handling, its configuration determines whether failures stay local or spread. Governance is most effective when scope is explicit rather than abstract.
Inquilion assesses Microsoft 365 configuration. Where an organisation uses external tools for antivirus, patch management, device management, or other controls, those tools sit outside the scope of the assessment. This is made explicit in every report. The board is told clearly what has been assessed, what has not, and where residual risk may sit as a result.
This is not a limitation. It is a governance-relevant boundary. It also highlights a strategic question for the board: whether operational technology decisions made outside Microsoft 365 are creating governance blind spots that need to be addressed through other means. Inquilion surfaces these boundaries so the board can make informed decisions, rather than assuming everything is covered.
Not more dashboards or operational detail. A clear, scoped view of how the Microsoft 365 environment is configured, what that implies for exposure, and whether that position is stable or drifting, presented in governance terms rather than technical ones. The board reviews it, challenges management on findings, and tracks remediation over time.
Every engagement begins with a defined assessment that establishes the governance baseline. From there, organisations can choose to maintain standing assurance, ongoing independent oversight aligned to board cadence, or use the assessment at specific governance events. The important point is repeatability, not frequency. The baseline assessment is always required first.
No. Every report is designed to be read by a director, trustee, insurer, or auditor with no technical background. Findings are framed as governance positions, not configuration details. Actions are framed as what the board should ask management to do, never how to configure anything technically.
Inquilion does not deliver, implement, configure, manage, or remediate anything within a client's Microsoft 365 environment. There is no commercial relationship between Inquilion's assurance work and any delivery or advisory engagement. Independence is structural. It is maintained by complete separation from delivery, not by policy alone.
Inquilion assesses governance posture across nine domains: Identity and Access, Data Protection, Device Governance, Email Security, Audit and Logging, Information Governance, Insider Risk Management, Application and Data Sharing, and Data Residency and Sovereignty.
The assessment covers core M365 configuration and extends to areas that are rarely visible at board level, including how third-party applications access organisational data, how information is shared beyond the tenant boundary, how retention and records management obligations are met, and where organisational data physically resides. All assessment activity is read-only and non-invasive. The output is a governance report written for the boardroom, not the server room.
Assessment scope is subject to ongoing development. The domains and checks described here reflect the current methodology as of March 2026.
For Private Equity and Portfolio Oversight
It complements rather than replaces traditional tech DD. Technology due diligence typically examines architecture, scalability, technical debt, and team capability. Inquilion focuses specifically on Microsoft 365 configuration governance: whether the controls are in place, whether they are evidenced, and whether the board can demonstrate oversight. Most tech DD firms do not assess M365 configuration at governance level. The two outputs serve different purposes and sit alongside each other in an investment committee pack.
Yes. Every assessment uses the same nine governance domains, the same methodology, and the same reporting format. This produces comparable governance positions across a portfolio regardless of company size, sector, or Microsoft 365 licence tier. An investment committee can review RAG (red, amber, green) positions across all holdings in a single view.
The transaction assurance assessment carries forward as the governance baseline for the portfolio company. If the company moves to a governance assurance programme (standing oversight), the baseline is already established. No duplicated work, no repeated assessment, no additional cost for the foundation. The first standing assurance cycle measures progress against the transaction assessment findings.
Tech DD and governance assurance answer different questions. Tech DD tells the investment committee what the technology estate looks like. Governance assurance tells the investment committee whether the board can evidence oversight of how that estate is configured. One is about what exists. The other is about whether anyone is governing it. After completion, tech DD is finished. Governance assurance can continue as standing oversight.
That is a decision for the commissioning party. The assessment requires read-only access to the Microsoft 365 tenant, which means someone at the target company will need to provision access. How that is positioned is a commercial decision for the deal team. In post-acquisition contexts, the assessment is typically commissioned openly as part of portfolio governance.
For PE houses, family offices, and holding companies, it is a one-off engagement. One target, one assessment, one cost. There is no subscription, no retainer, and no ongoing commitment. The commissioning party receives the three deliverables, and the engagement is complete.
If the portfolio company subsequently wants standing governance oversight, the assessment carries forward as the baseline for a governance assurance programme. That is a separate decision, made by the portfolio company board, at a later date.
You never know. We would be interested to talk.
Independent evidence where previously there was assumption
If your board has not yet received independent evidence on how Microsoft 365 is configured, a conversation is the right first step.