Microsoft 365 has not always carried this much weight. A decade ago, it was broadly understood as a collection of web applications. Today it is the operational heartbeat of the modern enterprise, the point where identity, collaboration, security policy and workflow all intersect. Security teams, Andrew McAllister, Vice President of APAC Sales at CoreView, said, have struggled to keep pace with that transformation.
“Ten years ago, many organisations were thinking about security in terms of the perimeter,” McAllister said. “Whereas now, if an attacker gains access to a privileged M365 account or can manipulate tenant settings, it can affect all areas of the digital footprint of that organisation.”
Most IT leaders, he argued, have not fully internalised what that means for their own responsibilities. Microsoft secures the platform. Everything else, including how the environment is configured, how access is delegated and how changes are governed, sits with the customer. Premium licensing does not change that equation.
The consequences of misunderstanding this tend to surface at the worst possible moment. One large financial institution experienced a breach that did not result in data loss, but still spent more than four months reconstructing audit logs to satisfy regulators. The data was intact. A clear record of the configuration state was not.
“Usually this discovery happens during a security incident, a major outage, or a failed audit,” McAllister said. “It’s then that organisations realise they can’t reconstruct what a known good state was, they don’t know who changed what or when, let alone how to quickly restore it.”
CoreView’s approach centres on establishing a documented baseline, monitoring for configuration drift and providing the ability to revert changes. McAllister draws a parallel to standard server hardening practice. Organisations would not have deployed a server to the cloud without hardening it first. The same discipline, he argues, should apply to the M365 tenant.
Privilege management is the other side of the problem. Microsoft’s 80 or so native admin profiles were built for a broad user base, not the specific needs of any individual organisation. A SharePoint administrator handed the standard SharePoint admin profile receives access to dozens of sensitive tasks they will never need. That excess is where risk accumulates.
“You can’t rely on general privilege access management principles and tools to manage this very complicated environment,” McAllister says. “That’s really why CoreView exists.”
The goal is privilege delegation at the task level, granting administrators access only to what their specific role requires. Organisations that make this shift find it improves both security and operational efficiency. Administrators are no longer navigating settings and controls irrelevant to their work.
“Once you see M365 as a control plane that the business depends on,” McAllister says, “resilience, configuration protection and least privilege administration become strategic priorities, not just technical nice-to-haves.”
