Pillar 03
Identity, security & compliance consultant.
Built by people who've shipped it at scale.
Active Directory forest audits. Entra ID hybrid identity. Conditional Access and MFA. Microsoft Defender XDR rollout. Copilot readiness and SharePoint permission remediation. GCC High and CMMC for defense contractors.
CMMC Phase 2 enforcement begins November 10, 2026. GCC High implementations typically run 6–12 months for 100–500 users.
What we deliver
Identity work built to stand up to an audit.
01
Active Directory Audit
Forest health, ghost DCs, replication, FSMO, schema, OU hygiene, GPO bloat. Two-week engagement, plain-English findings.
02
Entra ID Hybrid
Entra Connect, conditional access, modern auth, MFA rollout, ADFS retirement. Identity that survives the next decade.
03
Copilot Readiness
Solve the 12,000-permission problem before you flip the switch. Sensitivity labels, Purview, oversharing remediation.
04
GCC High & CMMC
Defense-contractor migration to Microsoft 365 GCC High. CMMC L1/L2/L3 readiness and remediation.
The Copilot readiness story
The average enterprise has more than 12,000 unique sharing permissions.
Copilot reads everything a user has access to — which means oversharing becomes a data-exposure event the moment Copilot is enabled. We assess, remediate, label, and govern before you flip the switch.
Marketplace offer
Copilot Readiness in 2 weeks. Fixed fee.
Permission inventory, oversharing report, sensitivity-label baseline, Purview foundations, and a written go-live recommendation. Listed on Microsoft Marketplace.
Field notes
Read the deep-dives.
- Copilot readiness: the 12,000-permission problem — why oversharing becomes a data-loss event when Copilot turns on, and how to fix it before you flip the switch.
- GCC High before CMMC Phase 2 — what defense contractors need before Nov 10, 2026, realistic timelines, common mistakes.
FAQ
Common questions about identity, security & compliance work.
What does an identity, security, and compliance consultant do?
An identity, security, and compliance consultant for the Microsoft stack engineers the controls a regulated mid-market organization needs to operate safely and pass audits. Scope across the lane: Active Directory forest audits and Tier-0 hardening, Entra ID hybrid identity (Entra Connect, modern auth, MFA rollout, Conditional Access, ADFS retirement), Microsoft Defender XDR deployment, Microsoft Purview governance and DLP, Microsoft 365 Copilot readiness assessments, GCC High migration for defense contractors, and CMMC Level 1/2/3 readiness work. Senior-led, vendor-neutral (no resale, no partner-program tier incentives), fixed-fee scope, USA-wide delivery from Seattle.
How does an Active Directory audit differ from a security assessment?
AD audits go deep on identity-substrate health: forest functional levels, replication, FSMO role placement, schema, OU and GPO hygiene, privileged-account inventory, service-account password posture, and Tier-0 protection. A general security assessment covers a wider perimeter — endpoints, network, M365 — but typically goes shallower on AD itself. The AD audit is the right tool when the question is 'is our identity foundation healthy enough to hang Conditional Access, MFA, Defender, or a Copilot rollout off of?'
What does a Copilot Readiness assessment include?
Permission inventory across SharePoint and OneDrive (every site, every share, every guest), oversharing report prioritized by exposure level, sensitivity-label baseline ready for tenant rollout, Microsoft Purview DLP and retention starter policies, license entitlement plan, and a written go-live recommendation per workload (green / yellow / red). Two-week fixed-fee engagement. The deliverable is a written assessment your CIO can take to the board, the auditor, and the IT director.
How long does GCC High migration take for a defense contractor?
GCC High migrations for 100–500 users typically run 6–12 months end-to-end: discovery and gap analysis (4–8 weeks), eligibility validation with Microsoft, tenant provisioning, identity and Conditional Access design, mailbox and SharePoint content migration in waves, and post-cutover compliance documentation for the C3PAO. Larger or more complex environments — multi-site, multi-domain, heavy CUI handling — extend that timeline. CMMC Phase 2 enforcement begins November 10, 2026; six months of buffer is the realistic minimum, so the time to start is now.
Do you handle CMMC Level 2 and Level 3 readiness?
Yes. CMMC Level 1 is self-attestation and most contractors handle it internally. Level 2 requires third-party C3PAO assessment for contracts touching CUI; we handle the technical readiness work — Microsoft 365 GCC High posture, Conditional Access, Defender, Purview, audit logging, and the documentation package the C3PAO will examine. Level 3 requires government assessment and adds enhanced controls; we scope that explicitly.
Can you do this work without us moving to GCC High?
Sometimes. Contractors handling Federal Contract Information (FCI) only — not CUI — can usually stay in commercial M365 with the right Conditional Access, sensitivity labels, and Purview posture. Contractors handling CUI almost always need GCC High to meet CMMC Level 2 — the data residency, FedRAMP High, and DFARS 7012 requirements are difficult to satisfy in commercial cloud. The discovery phase makes the call based on contract language and data inventory, not assumption.
Get your tenant audit-ready.
Tell us the workload (AD, Entra, Copilot, GCC High, etc.), the seat count, and the deadline. Two-business-day response with scope and fixed-fee range.