What was already in place
Before this quarter’s updates, every Carden IT Services managed client already had a robust security foundation in place. MFA enforcement, DMARC, SPF, DKIM, email link scanning and sandboxing, endpoint protection, and managed patching were all part of the standard managed service. These are not optional extras. They have been standard for every client on our managed package for some time, and they form the reason the majority of threats never reach your team at all.
We say this because it is important context. What we have done this quarter is build on a foundation that was already working, not start from scratch.
What we have made stronger
Three additions have been applied to every managed client account this quarter, at no additional cost and with no disruption to your service:
1. Microsoft 365 Security Baseline – Hardened Configuration
We have applied a hardened security configuration across your Microsoft 365 tenancy, going beyond default settings to align your environment with current NCSC and Microsoft best-practice guidance. This covers legacy authentication, admin role scoping, session policies, and a range of settings that are routinely left at insecure defaults in standard deployments, including those managed by other providers.
2. Conditional Access – Country Lockdown
Login attempts to your Microsoft 365 environment from countries outside your normal operating regions are now blocked automatically at the point of authentication. This means that even if an attacker obtains valid credentials, an attempt to use them from an unexpected country is denied before it begins. Your existing configuration already blocks many attack vectors. This adds a geographic layer on top of that.
3. DMARC – Moved to Reject Policy
DMARC was already configured on your domain. We have now moved the policy to reject, the highest enforcement level. On some accounts it had previously been set to monitor or quarantine. With reject, any email attempting to impersonate your domain is blocked outright at the receiving mail server before it is delivered. Your domain cannot be used to send phishing emails to your clients, partners, or contacts.
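As an added illustration (not Carden IT Services' own tooling), the following Python checker classifies a domain's DMARC record by enforcement level and flags settings that quietly weaken a reject policy; the sample records and the example.invalid report mailbox are constructed for this example.

```python
"""Classify a DMARC TXT record and list gaps that weaken 'p=reject'.

Added example; the records below are constructed, not real domains.
"""

# Constructed sample records: monitor-only, fully hardened, and partial rollout.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"
REJECT_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.invalid")
PARTIAL_RECORD = "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@example.invalid"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def enforcement_level(record: str) -> dict:
    """Return the effective policy plus a list of weaknesses a reviewer should raise."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none").lower()          # none = monitor only
    pct = int(tags.get("pct", "100"))                # share of failing mail policy applies to
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    gaps = []
    if policy != "reject":
        gaps.append(f"p={policy}: spoofed mail is not rejected")
    if pct < 100:
        gaps.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if subdomain_policy != "reject":
        gaps.append(f"sp={subdomain_policy}: subdomains are not covered by reject")
    if "rua" not in tags:
        gaps.append("no rua: aggregate reports are not being collected")
    return {"policy": policy, "pct": pct, "sp": subdomain_policy, "gaps": gaps}
```

A reject policy stops exact-domain impersonation only at receivers that enforce DMARC; lookalike domains are outside its scope and still need separate monitoring.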
✅ Already applied – there’s nothing for you to do
All three changes have been applied. There was no disruption to your service, and no action is required from you. Carden IT Services will be in touch soon to talk through these changes and what comes next.
Carden IT Services will be in touch soon to…
- Understand where your team members work and from which countries – To ensure your Conditional Access country lockdown policies reflect your actual working patterns. If anyone regularly works abroad or travels for business, we will configure their access accordingly so they are never accidentally locked out.
- Review user access levels across your Microsoft 365 environment – We want to confirm that every user account has only the access permissions they genuinely need to do their job, applying least-privilege principles. Over time, accounts accumulate access that is no longer necessary, and tightening this reduces your attack surface significantly.
- Identify any admin or shared accounts that need reviewing – Accounts with elevated privileges are the highest-value targets for attackers. We will confirm that all admin accounts are correctly scoped, protected, and monitored.
- Walk you through what these changes mean in practice for your team’s day-to-day – Most users will notice nothing. But we want to make sure you understand what the controls do and can brief your team if needed, particularly around international access.