MICROSOFT 365 PARTNER

Microsoft 365 Deployed and Locked Down

Tenants stood up properly. Conditional Access that actually blocks something. Defender for Business tuned. Intune compliance policies that mean what they say. Licensing right-sized in ZAR. We have been in the M365 admin centre since back when it was called BPOS.

8/10: Tenants we audit have a Conditional Access gap
99.9%: Of password attacks blocked by enforced MFA
2 weeks: From kickoff to a hardened 50-seat tenant
ZAR: Local invoicing, CSP partner pricing

Accreditations & partnerships
Microsoft CSP: Cloud Solution Provider
Defender for Business: Configured properly
Entra ID & Intune: Conditional Access design
Exchange Online: Since BPOS days
CIS Benchmark: M365 v3 audit standard
Founded 2001: 24 years trading

ZAR billing · local VAT
In M365 admin centre since BPOS
CIS Benchmark audit on every tenant
1-hour SLA on admin escalations
Sandton-based · SA-only clients

The honest picture
The honest picture

Eight out of ten tenants we audit have a Conditional Access gap. Most passed a security review last year.

MFA enforced, green tick in the admin centre, security policy on paper. The IMAP client still connects. The service account excluded from MFA is unchanged since 2021. The Conditional Access policy scoped to SharePoint is in report-only because no one was confident enforcing it wouldn't break something.

This is the typical Business Premium tenant we inherit. The licences are right. The intent was right. The follow-through wasn't. Legacy authentication still permitted. An attacker who finds a credential logs in via IMAP or SMTP AUTH. The MFA prompt never fires. Conditional Access covers the right apps on paper and misses three service accounts in practice. Defender for Business is fully licensed, policies are default, console untouched for six months.

The most common question we get after an audit is "how did this pass our last review?" The answer is usually that the review checked whether policies existed, not whether they were in enforcement. There's a difference, and attackers know it.

Block legacy auth before you celebrate the green tick. It's one Conditional Access policy. The reason most tenants still have it open is that nobody is sure what it will break. Test it in a pilot group, run report-only for a week, then enforce it. We've done this for 50+ tenants. Nothing breaks. Reach out and we will walk you through every step.
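The difference between a policy that exists and a policy that is enforced can be checked mechanically. The following is an added example, not code from this page or its author: it audits a Conditional Access export shaped like Microsoft Graph `conditionalAccessPolicy` objects and flags report-only policies, user exclusions, and the absence of an enforced legacy-auth block. The sample export and the excluded account name are constructed.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy
# objects (GET /identity/conditionalAccess/policies). Not real tenant data.
SAMPLE_EXPORT = json.loads("""
[
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"clientAppTypes": ["all"],
                 "users": {"includeUsers": ["All"],
                           "excludeUsers": ["svc-scanner-placeholder"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                 "users": {"includeUsers": ["All"], "excludeUsers": []}},
  "grantControls": {"builtInControls": ["block"]}}
]
""")

# Client app types that cover legacy protocols (IMAP, POP, SMTP AUTH, EAS).
LEGACY = {"exchangeActiveSync", "other"}

def blocks_legacy_auth(policy):
    """True if the policy targets both legacy client types, all users, and blocks."""
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (LEGACY <= set(cond.get("clientAppTypes", []))
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "block" in grant.get("builtInControls", []))

def audit(policies):
    """Return findings that separate 'policy exists' from 'policy is enforced'."""
    findings, enforced_block = [], False
    for p in policies:
        name, state = p.get("displayName", "?"), p.get("state")
        if state == "enabledForReportingButNotEnforced":
            findings.append(f"REPORT-ONLY: {name}")
        elif state == "disabled":
            findings.append(f"DISABLED: {name}")
        excluded = p.get("conditions", {}).get("users", {}).get("excludeUsers", [])
        if state == "enabled" and excluded:
            findings.append(f"EXCLUSIONS: {name} skips {len(excluded)} account(s)")
        if state == "enabled" and blocks_legacy_auth(p):
            enforced_block = True
    if not enforced_block:
        findings.append("GAP: no enforced policy blocks legacy authentication")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```
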

On licensing: most South African SMEs should be on Business Premium. It's the smallest licence that includes the full security stack: Defender for Business, Intune, Conditional Access via Entra ID P1, and Sensitivity Labels. Drop to Business Standard and the security stack simply isn't there. Mixed tiers across the tenant are normal and often cheaper: frontline staff on Business Basic, knowledge workers on Business Premium. Right-sizing is part of the audit, and email authentication (SPF, DKIM, DMARC) goes in as part of the deployment. The full detail is on the DMARC page.

Licensing deep dive

Which SKU actually fits

Most SMEs end up on the wrong tier. Here's the short version we walk clients through before they sign anything. Business Premium is the right answer for almost everyone. Below it, the security stack doesn't exist.

| SKU | Defender for Business | Intune | Conditional Access | Our take |
|---|---|---|---|---|
| Business Basic | No | No | No | Email, Teams and OneDrive. No security stack at all. Fine for frontline workers on a mixed tenant. |
| Business Standard | No | No | No | Adds desktop Office apps. Still no security stack. The gap between Standard and Premium is the entire security product suite. |
| Business Premium | Yes | Yes | Yes (Entra P1) | The right SKU for most SMEs. Defender, Intune, Conditional Access, and AIP P1 for Sensitivity Labels are all included. |
| E3 | Via add-on | Yes | Yes (Entra P1) | Needed when compliance, e-discovery or legal hold requirements appear. Most SMEs hit this when a regulator or listed-company obligation lands. |
| E5 | Yes (P2) | Yes | Yes (Entra P2) | Defender for Office 365 P2, Purview, Entra P2. Worth it when you have a security analyst reading the alerts. Rarely right below 200 seats. |

Mixed tiers are normal and cheaper

Frontline staff on Business Basic, knowledge workers on Business Premium. The security stack applies tenant-wide through Conditional Access regardless of per-user licence. Right-sizing the mix is part of the audit.

Pricing in ZAR moves

Microsoft reprices the local market periodically. Anyone quoting a fixed rand figure from a website is quoting something stale. We pass through CSP partner pricing, billed in ZAR, and give you the current rate when you ask.

Business Standard is the wrong SKU if security matters

Business Standard doesn't include Defender, Intune, or Conditional Access. That's an absent security product, not a missing feature. If you're in a regulated industry or have had a phishing incident, we've had that conversation with clients before.

What We Do in Your M365 Tenant

Tenant Deployment
Greenfield builds and migrations from on-prem Exchange or Google Workspace. Domains, DNS, identity, Exchange Online, Teams, SharePoint, Intune: stood up in the right order.
Security Hardening
Conditional Access design and enforcement, Defender for Business policies beyond default, Intune compliance baselines, Sensitivity Labels taxonomy, DMARC to p=reject.
Licensing and Reselling
We are a Microsoft CSP partner. Single ZAR invoice for licences and managed service. Licences flex month-to-month. Right-sized at every renewal. Nobody pays for seats that left six months ago.
Ongoing Managed Support
Monthly Secure Score review, quarterly Conditional Access revisit, licence audit at renewal, admin escalations on a one-hour SLA, and incident response when a phish lands.
Email Authentication
SPF trimmed to actual senders, both DKIM selectors live, DMARC graduated to p=reject on a safe timeline, MTA-STS published. Goes in at deployment, not six months later when someone finds the gap.
Migration
Cutover, staged, and hybrid Exchange migrations. Google Workspace migrations via Microsoft native tooling or BitTitan MigrationWiz. No big-bang Friday afternoon cutovers.

How an M365 Engagement Runs

01 Audit and Sizing

Tenant audit against CIS Microsoft 365 Foundations Benchmark v3, licence right-sizing, identity posture check, mail-flow and DNS audit. Written findings, prioritised.

02 Hardening Plan

Conditional Access design, Defender for Business policy build, Intune compliance baselines, Sensitivity Labels taxonomy, mail authentication (DMARC, SPF, DKIM, MTA-STS). Change windows agreed in writing.

03 Roll Out in Waves

Pilot group first. Every CA policy goes through report-only mode for at least a week before enforcement. Intune compliance staged by device group. No surprises.

04 Managed Operations

Monthly Secure Score and patch review, quarterly CA revisit, licence right-sizing every renewal, admin escalations on a one-hour SLA during business hours.

CSP partner or buy direct from Microsoft?

Where the partner channel earns its keep, and where it doesn't

Capability Via OSH (CSP) Direct from Microsoft
ZAR invoicing, local VAT Limited
Month-to-month licensing Annual commitment
SKU advice (not sales-led) Sales-led
Partner escalation channel Public queue
Tenant audit against CIS Benchmark Self-service
Hardening project delivery Partner-routed
Monthly Secure Score review Not included

Get a 60-Minute M365 Fit and Hardening Review

We log into your tenant read-only, score it against the CIS Microsoft 365 Foundations Benchmark v3, and tell you the three changes that would close the biggest gaps. Written report. No obligation. Real engineer.

M365 Questions We Get Every Week

For most SMEs the answer is Microsoft 365 Business Premium. It is the smallest licence that includes Defender for Business, Intune, Conditional Access via Entra ID P1, and Azure Information Protection P1 for Sensitivity Labels. Drop to Business Standard and you lose the entire security stack. Climb to E3 and you start paying for capabilities most SMEs will not use until they have a security analyst on staff or a regulator in the room. We will tell you in the audit if you actually need E3, and it usually comes down to a specific compliance driver or seat count above 300.

Yes. Google Workspace migrations run through Microsoft native tooling or BitTitan MigrationWiz depending on size and complexity. On-prem Exchange migrations are cutover (under 150 mailboxes), staged, or hybrid. Realistic timelines: a 50-seat greenfield tenant takes about two weeks; a 50-seat migration from on-prem Exchange or Google Workspace runs 6 to 10 weeks once you account for DNS cutover, profile rebuilds, archive moves and user training.

It means about a dozen Conditional Access policies that block something: legacy auth blocked tenant-wide, MFA required for all users, compliant device required for desktop access to Exchange and SharePoint, phishing-resistant MFA for admins (hardware keys, not push prompts). Plus Defender for Business policies beyond default: tamper protection on, attack surface reduction rules in block mode, network protection enabled. Sensitivity Labels deployed and applied by default. DMARC at p=reject. Admin accounts on hardware security keys. The CIS Microsoft 365 Foundations Benchmark v3 is the public yardstick.

A greenfield 50-seat tenant with no migration takes about two weeks of elapsed time, maybe five engineering days spread across it. A migration from on-prem Exchange or Google Workspace runs 6 to 10 weeks depending on mailbox sizes, archive volume and how well the source environment is documented. We do not compress that timeline artificially. The breakage from a rushed migration lasts months.

Yes, and we treat it as part of the deployment rather than an afterthought. Both DKIM selectors get enabled, SPF is trimmed to actual senders, DMARC starts at p=none in monitoring mode and graduates to p=reject once the alignment data shows it is safe. MTA-STS is published as a TXT record on public DNS plus a policy file. The full detail is on the DMARC page.

Yes. We resell Microsoft 365 licences as a CSP partner. That means a single ZAR invoice for licences and our managed service fee, licences that flex month-to-month rather than annual-commitment pricing, and direct partner-channel support escalation when something is broken on Microsoft’s side, which bypasses the public queue.

Managed M365 is billed per user per month in ZAR, separate from the Microsoft licence cost. The fee covers admin escalations, monthly Secure Score and patch review, quarterly Conditional Access revisit, licence right-sizing at renewal, and tenant-level incident response. We do not charge per ticket and we do not charge for the routine work of moving licences around when staff join or leave.


Email us directly support@osh.co.za
