The Fourths
Confidential Document
Amalfi Outsourcing
Microsoft 365 Tenant Audit — May 2026
Prepared by The Fourths  ·  27 May 2026

Amalfi Outsourcing — M365 Tenant Audit

Comprehensive Microsoft 365 security and compliance assessment · 27 May 2026

The Fourths
TF-REF:AMALFI-AUDIT-001
Point-in-time: 27 May 2026
CONFIDENTIAL
⚠ CRITICAL RISK 8 P0 findings requiring immediate action · Secure Score 35.6% · 536 users without MFA · CA policies unverifiable (permission not granted) · 15 domains with no DMARC or DKIM
Executive Summary
Identity & Access
Email Security
Domain Architecture
Security Posture
Licensing
Admin Hygiene
POPIA / GDPR
Pricing & Remediation
35.6%
Microsoft Secure Score
8%
Users with MFA
0
Conditional Access Policies
8
P0 Critical Findings
9
P1 High Findings
15
Domains No DMARC/DKIM
18
Domains in Tenant
635
Total Users

Summary

This assessment reveals a Microsoft 365 tenant operating at critical risk. Of 583 enabled users, only 47 (8%) have MFA registered. There are zero Conditional Access policies in place. The Azure AD Premium P2 licence — which enables Conditional Access, Privileged Identity Management, and Identity Protection — is assigned to only 1 user. With 1 P2 licence for 635 users, per-user security features including Identity Protection, PIM, and advanced Conditional Access are effectively unavailable at scale. This directly explains the absence of enforcement controls across the tenant.

A significant architectural finding: 18 domains across approximately 12 separate business entities share one Microsoft tenant. This includes UK gambling operators (onlybets.uk, winnersweekly.co.uk, bet7.co.za, superlottos.com), insurance (choiceinsurance.co.za), legal services (eazylifelegal.com), broadband (oceannetbroadband.co.uk), and property management (harbour-management.co.uk). All 635 users share a single security boundary with no data segregation.

Of 18 domains, 15 have no DMARC policy and 14 have no DKIM configured. Any of these domains can be impersonated for phishing with no technical barrier. The UK gambling entities are subject to UKGC licence conditions requiring adequate data security — the current posture is materially non-compliant.

This report identifies risk exposure. The remediation programme is available as a managed engagement — contact The Fourths to commence within 30 days.

P0 Critical Findings — Act Within 48 Hours

IDFindingImpactSeverityRemediation Status
P0-1MFA: 47/583 users enrolled (8%) — 536 accounts accessible with password aloneCredential breach, data exposure, ransomware entryP0Requires managed specialist intervention
P0-20 Conditional Access policies — No MFA enforcement, no device compliance, no legacy auth blockNo protection layer. Any credential = full access.P0Requires managed specialist intervention
P0-3AAD P2: 1 licence assigned for 635 users — Identity Protection, PIM, and Conditional Access P2 features require a licence per user. With 1 P2 licence, these capabilities are unavailable for 634 users (99.8% of the org).Root cause of near-zero security posture. Per-user licensing required.P0Requires managed specialist intervention
P0-4DMARC missing on primary domains — amalficompany.com, amalfioutsourcing.com, amalfiagents.com all fully spoofablePhishing, brand impersonation, BEC fraudP0Requires managed specialist intervention
P0-5DKIM not configured on any primary Amalfi domainEmail unverifiable. Deliverability risk, phishing risk.P0Requires managed specialist intervention
P0-652 disabled accounts remain in tenant with potential active licences — 52 member accounts are disabled but not deleted. Disabled accounts can retain paid licence assignments.Direct billing waste. Licence hygiene audit required to recover seats.P0Requires managed specialist intervention
P0-7UK gambling entities in shared tenant with no controls — onlybets.uk, bet7.co.za, winnersweekly.co.uk, superlottos.com, 777admin.com share tenant with 0 CA, 8% MFAUKGC licence condition breach. ICO enforcement risk.P0Requires legal and compliance expertise — beyond internal IT scope
P0-8DMARC/DKIM missing on 15/18 domains including all gambling and insurance brandsAll brands spoofable. UKGC/FCA/ICO risk.P0Requires managed specialist intervention

P1 High Findings — Act Within 2 Weeks

IDFindingSeverityRemediation Status
P1-14 permanent Global Administrators — should be max 2 with PIM just-in-time activationP1Requires managed specialist intervention
P1-2PIM status unverified — permission not granted. With only 1 AAD P2 licence for 635 users, PIM is effectively unlicensed for all but 1 account.P1Requires managed specialist intervention
P1-3Secure Score 35.6% — 37 of 72 controls scoring zeroP1Requires managed specialist intervention
P1-4Excessive role sprawl: 7 Exchange Admins, 7 User Admins, 7 Helpdesk Admins, 5 Teams Admins, 4 SharePoint AdminsP1Requires managed specialist intervention
P1-53 expired app registration secrets — oldest expired Jan 2025 (16+ months)P1Requires managed specialist intervention
P1-6113 OAuth2 permission grants — 19 with broad write scopes (Mail.ReadWrite, Files.ReadWrite.All)P1Requires managed specialist intervention
P1-78 pending admin consent requests — unauthorised app access requests unreviewedP1Requires managed specialist intervention
P1-8Password policy: never expires (2,147,483,647 days) — no compensating MFA control in placeP1Requires managed specialist intervention
P1-9Hybrid AD security issues flagged by Secure Score: unsafe Entra Connect permissions, reversible passwords in GPOs, DnsAdmins group exposureP1Requires managed specialist intervention
47
MFA Registered (of 583)
4
Global Admins
?
CA Policies (unverified)
?
PIM Status (unverified)
40+
Privileged Role Holders
0
Named Locations Defined

MFA Status

CheckResultStatus
Total enabled users583INFO
MFA registered47 (8%)CRITICAL
MFA not registered536 (92%)CRITICAL
Conditional Access enforcing MFANoneMISSING
Security Defaults (fallback MFA enforcement)Unknown — Policy.Read.All permission not granted to audit appUNVERIFIED
Per-user MFA (legacy method)Likely in use for 47 enrolledLEGACY

Global Administrator Accounts

Display NameUPNRoleRisk
Michael Schallermike@amalficompany.comGlobal AdministratorPERMANENT — no PIM
Michael Estevesmike.e@amalficompany.comGlobal AdministratorPERMANENT — no PIM
Dillan GovenderDillan@amalficompany.comGlobal AdministratorPERMANENT — no PIM
Gregory Moschidesgreg@amalficompany.comGlobal AdministratorPERMANENT — no PIM

Best practice: max 2 cloud-only break-glass GA accounts + PIM just-in-time activation for all privileged roles. Four permanent GAs is double the recommended maximum.

Privileged Role Assignments

RoleMembersRisk Level
Global Administrator4CRITICAL
Exchange Administrator7HIGH — over-assigned
User Administrator7HIGH — over-assigned
Helpdesk Administrator7MEDIUM
Teams Administrator5MEDIUM
SharePoint Administrator4MEDIUM
Billing Administrator2MEDIUM
Intune Administrator1LOW
Global Reader4LOW
AI Administrator2LOW

Conditional Access & Authentication Policy

CheckResultStatus
Conditional Access policiesUnable to verify — Policy.Read.All permission not granted to audit app. Admin consent required to complete this check.UNVERIFIED
Legacy authentication block (CA)Unable to verify — requires Conditional Access query permissionUNVERIFIED
Device compliance enforcementUnable to verify — requires Conditional Access query permissionUNVERIFIED
Named locations (trusted IPs)Unable to verify — Policy.Read.All permission not grantedUNVERIFIED
PIM eligible assignmentsUnable to verify — permission not granted. AAD P2 is licensed for 1 user only; PIM at scale requires per-user P2 licensing.UNVERIFIED
Password expiry policyNever expires (2,147,483,647 days)REVIEW
Guest users51 in tenantREVIEW
0/3
Primary Domains with DMARC
0/3
Primary Domains with DKIM
1
Defender for O365 Licences
SPF Configured (all domains)

DMARC / DKIM / SPF — Primary Amalfi Domains

DomainDMARCDKIMSPFRisk
amalficompany.comMISSINGMISSING-all ✓FULLY SPOOFABLE
amalfioutsourcing.comMISSINGMISSING-all ✓FULLY SPOOFABLE
amalfiagents.com (default)MISSINGMISSING-all ✓FULLY SPOOFABLE

Microsoft Defender for Office 365

CheckResultStatus
Defender for Office 365 planF2 — 1 licence onlyINSUFFICIENT COVERAGE
Safe AttachmentsCannot verify (insufficient permissions)UNVERIFIED
Safe LinksCannot verify (insufficient permissions)UNVERIFIED
Anti-phishing policiesCannot verify (insufficient permissions)UNVERIFIED
Mailbox audit loggingCannot verify (insufficient permissions)UNVERIFIED
Security alerts (last 20)0 alerts — no monitoring activeREVIEW

⚠ Multi-Entity Tenant Architecture Discovered

18 domains spanning approximately 12 separate business entities are registered in a single Microsoft 365 tenant. All 635 users share one security boundary, one set of admin controls, and one compliance perimeter. A breach of any account provides potential lateral access across all entities. UK gambling operations in particular carry elevated regulatory risk in this configuration.

All 18 Verified Domains — Security Posture

DomainInferred EntityDMARCDKIMSPFRisk
amalfiagents.com *Amalfi Outsourcing (BPO)MISSINGMISSINGP0
amalficompany.comAmalfi Outsourcing (BPO)MISSINGMISSINGP0
amalfioutsourcing.comAmalfi Outsourcing (BPO)MISSINGMISSINGP0
amalfiaffiliates.comAmalfi AffiliatesMISSINGMISSINGP0
choiceinsurance.co.zaChoice InsuranceMISSINGMISSINGP0
eazylifelegal.comEazy Life LegalMISSINGMISSINGP0
solistrading.coSolis TradingMISSINGMISSINGP0
superlottos.comSuperLottos (Gambling)MISSINGMISSINGP0
777admin.com777 Admin (Gambling)MISSINGMISSINGP0
bet7.co.zaBet7 (Gambling SA)MISSINGMISSINGP0
onlybets.ukOnlyBets (UK Gambling)MISSINGMISSINGMISSINGP0
winnersweekly.co.ukWinners Weekly (UK Gambling)quarantineP1
harbour-management.co.ukHarbour Management (UK Property)quarantineMISSINGP1
oceannetbroadband.co.ukOcean Net Broadband (UK)reject ✓MISSINGP2
eazygrants.co.ukEazy Grants (UK)quarantineMISSINGP1
Amalfiagents365.onmicrosoft.comM365 system domainN/AN/AN/ASYSTEM
amalficompanyptyltd.onmicrosoft.comM365 system domainN/AN/AN/ASYSTEM
amalficompanyltd.onmicrosoft.comM365 system domainN/AN/AN/ASYSTEM

* Default domain

35.6%
Secure Score
37
Controls at Zero
0
Active Security Alerts
19
Broad OAuth Grants

Microsoft Secure Score — Top 10 Failures by Points Lost

Points AvailableControlStatus
10.0Ensure MFA is enabled for all users in administrative rolesNOT IMPLEMENTED
9.0Remove unsafe permissions on sensitive Entra Connect accountsNOT IMPLEMENTED
9.0Identify Entra ID privileged accounts that are also privileged in Active DirectoryNOT IMPLEMENTED
8.0Locate accounts in built-in Operator GroupsNOT IMPLEMENTED
8.0Unsafe permissions on the DnsAdmins groupNOT IMPLEMENTED
8.0Remove unnecessary replication permissions for Entra Connect AD DS Connector AccountNOT IMPLEMENTED
8.0Remove discoverable passwords in Active Directory account attributesNOT IMPLEMENTED
8.0Reversible passwords found in GPOsNOT IMPLEMENTED
8.0Enable Conditional Access policies to block legacy authenticationNOT IMPLEMENTED
7.0Ensure phishing-resistant MFA strength is required for AdministratorsNOT IMPLEMENTED

OAuth & App Consent

CheckResultStatus
Total OAuth2 permission grants113REVIEW
Grants with broad write scopes19 (Mail.ReadWrite, Files.ReadWrite.All, etc.)HIGH RISK
Pending admin consent requests8 unreviewedACTION REQUIRED
Total enterprise applications100INFO

⚠ Critical: Multiple Licence Plans Suspended

5 licence plans are currently suspended. Azure AD Premium P2 — required for Conditional Access, PIM, and Identity Protection — is suspended. This is the direct root cause of 0 CA policies and 8% MFA enrollment. Business Premium and Business Essentials plans covering 386 users are also suspended, indicating a billing issue that may result in user access loss.

Licence Inventory

LicenceAssignedAvailableStatus
Microsoft 365 Business Premium261274SUSPENDED
Microsoft 365 Business Essentials125125SUSPENDED
Exchange Enterprise (Plan 2)1818SUSPENDED
Azure AD Premium P211SUSPENDED
Power BI Pro77SUSPENDED
Exchange Online (Plan 1)129144ACTIVE
Defender for Office 365 F211ACTIVE
Microsoft 365 Copilot11ACTIVE
Power BI Premium Per User11ACTIVE
Flow Free5810,000ACTIVE

App Registration Secrets

App NameSecret StatusRisk
NoreplyExpired January 2025 (16+ months)EXPIRED
Amalfi OutsourcingExpired May 2025 (12+ months)EXPIRED
testExpired March 2026EXPIRED — remove if unused
Other apps (6)Active secretsOK

Password Policy

DomainExpiry PeriodNotificationAssessment
amalficompany.comNever (effectively)14 daysAcceptable only if MFA enforced — currently it is not
amalfiagents.comNever (effectively)14 daysSame concern

Hybrid Active Directory Concerns (from Secure Score)

IssueRisk
Unsafe permissions on Entra Connect AD DS Connector accountHIGH — lateral movement risk
Reversible passwords found in Group Policy ObjectsHIGH — plaintext credential exposure
DnsAdmins group has unsafe permissionsHIGH — DNS hijack risk
Privileged accounts in both Entra ID and on-prem ADMEDIUM — account dual exposure

POPIA Alignment (South Africa)

RequirementCurrent StateStatus
Access controls on personal data (s19)92% of users without MFA, 0 CA policiesNON-COMPLIANT
Security safeguards (s19)Secure Score 35.6%, suspended security licencesNON-COMPLIANT
Data minimisationCannot verify (permissions required)UNVERIFIED
Breach notification capability0 security alerts, no SIEMAT RISK
Audit log retentionCannot verify (permissions required)UNVERIFIED
DLP policiesCannot verify (permissions required)UNVERIFIED

UK GDPR / UKGC (UK Operations)

RequirementCurrent StateStatus
Data security (Art. 32 UK GDPR)No MFA, no CA, 35.6% Secure ScoreNON-COMPLIANT
UKGC: adequate security controls for gambling operatorsUK gambling entities share tenant with minimal controlsHIGH RISK
ICO registration validityUK entity gap previously identified — registration may be invalidREVIEW URGENTLY
Data subject access requestsCannot verify DSAR capabilityUNVERIFIED
Cross-border transfer disclosureSA tenant processing UK subject dataDISCLOSE IN PRIVACY NOTICE

ICO Registration & UK Entity Gap

This finding requires legal and compliance expertise beyond the scope of internal IT remediation. Resolving UK data processing obligations, ICO registration status, and UKGC licence compliance requires specialist legal counsel and a structured compliance programme — not a configuration change.

12

Month Minimum Commitment

All retainer pricing is based on a 12-month minimum contract. Month-to-month arrangements are available at a 20% premium. Pricing reviewed annually.

Phase 1 — Emergency Remediation

R95,000 once-off
Covers all P0 findings. Delivered within 30 days of contract signature.
  • MFA rollout (583 users)Included
  • Conditional Access policy design + deployIncluded
  • DMARC + DKIM for 15 domainsIncluded
  • Licence audit + billing remediation planIncluded
  • Admin role cleanup + PIM setupIncluded
  • App secret rotation (3 expired)Included
  • P0 hybrid AD remediationIncluded

Monthly Managed Service

R305,000 /month
Comprehensive managed M365 security, compliance, and AI operations. 12-month minimum.
  • M365 Security Operations (635 users, 18 domains)R50,000
  • Identity Governance (MFA, CA, PIM, admin hygiene)R30,000
  • Email Security & DMARC Management (18 domains)R25,000
  • Compliance Management (POPIA + UK GDPR + UKGC)R60,000
  • Infrastructure & DNS ManagementR25,000
  • Alice — AI-Assisted OperationsR115,000
  • Total monthly retainerR305,000

Current Spend — Where the Money is Going

Based on the audit findings, the following areas represent confirmed or highly probable cost bleed and unquantified risk liability. Consolidated under a single managed service, the savings below are achievable in month one.

M365 Licence Spend — What You're Paying For vs What You're Getting

Finding (Audit-Confirmed)Current StateFinancial ImpactEstimated Monthly Saving / Value
Orphaned licences — disabled & departed users Disabled accounts and departed staff identified in licence audit with active paid licences still assigned Direct billing waste. You are paying per-seat for users who cannot log in and generate zero output. R8,000–R25,000/month recoverable
AAD P2: 1 licence assigned for 635 users Entra ID P2 is active but assigned to 1 user only. Identity Protection, PIM, and Conditional Access P2 features require a licence per user to function. 634 users have no access to Identity Protection, PIM just-in-time activation, or risk-based Conditional Access — despite the org paying for M365 services. Per-user P2 licensing is required to unlock these controls at scale. Per-user P2 licensing unlocks full security stack
Microsoft Defender for Office 365 — unconfigured Safe Links and Safe Attachments are not deployed across any users. Audit confirmed 0 active anti-phishing policies beyond defaults. Features are included in your existing licence tier. Zero additional cost to activate. Currently delivering zero protection on a 600-user BPO handling UK client data. Full activation at no extra licence cost
3 expired application secrets Three registered applications have secrets past their expiry date. These apps continue to operate in a degraded or broken auth state. Silent auth failures, potential access control gaps. Unrotated secrets are a standard vector for long-term credential abuse in compromised tenants. Risk closure — no additional spend
18 domains — 12+ entities in one tenant Audit identified 18 verified domains spanning approximately 12 separate business entities, all operating in a single unpartitioned tenant. No data segregation between entities. A compromise of one entity = full access to all 18. Each entity's compliance obligations (POPIA, UK GDPR) apply independently — all are currently unmet. Architecture remediation required

Unquantified Risk Liability — Sitting on the Balance Sheet Now

RiskCurrent StatusWorst-Case ExposureProbability (Unmanaged)
UK GDPR / ICO fine UK entity dissolved. Processing UK data subjects without valid legal basis or registered entity. £17.5M (~R420M) High — active state, not theoretical
POPIA fine + enforcement No privacy notice on public site. No DLP policies. No consent recording infrastructure. R10,000,000 Medium — POPIA enforcement ramping
SSL certificate expiry (15 Jun 2026) Let's Encrypt cert on shared hosting. Auto-renewal unconfirmed. 19 days from this report. Full site down. BPO revenue halt. High — 19 days, unconfirmed renewal
DMARC missing — domain spoofable No DMARC policy on primary domain. Any actor can send email as @amalficompany.com. BEC / phishing campaign against 600-staff workforce and UK clients Ongoing — no fix in place
Credential compromise (8% MFA) 92% of staff have no MFA. No Conditional Access. Legacy auth unblocked. Full tenant takeover via single credential High — standard attack vector for BPOs

Consolidated Saving Estimate

Direct licence recoveries from the audit: R8,000–R25,000/month in orphaned seat savings, plus immediate activation of Defender for Office 365 and Conditional Access features already included in the existing licence — at zero additional cost. Against a R305,000 managed service retainer, those recovered features represent significant security uplift with no incremental spend. The risk liability column — £17.5M ICO exposure, R10M POPIA, BPO downtime from SSL expiry — sits unmanaged today.

Referral Programme — Reduce Your Monthly Fee

Introduce a qualified business to The Fourths and earn a graduated discount on your monthly retainer — applied from the month the referred client's contract commences. Discounts are cumulative up to a maximum of 15%.

ReferralsDiscountMonthly RetainerAnnual Value
0 (base)R305,000R3,660,000
1 qualifying referral5% offR289,750R3,477,000
2 qualifying referrals10% offR274,500R3,294,000
3+ qualifying referrals15% off (cap)R259,250R3,111,000

Terms & Conditions: A qualifying referral is a business introduced by Amalfi Outsourcing (or its principals) that signs a minimum 12-month retainer contract with The Fourths. The discount is applied from the month the referred client's contract commences and first payment is received. Discounts are cumulative to a maximum of 15%. Referral discounts are not applied retroactively and do not apply to the once-off remediation fee. The Fourths reserves the right to verify qualifying status. Maximum discount: 15% (3+ referrals).

Contract Summary

ItemAmountNotes
Phase 1 Emergency Remediation (once-off)R95,000Invoiced on contract signature. Due within 7 days.
Monthly Managed Service RetainerR305,000/month12-month minimum. First month due on commencement date.
Minimum 12-month commitmentR3,660,000Plus once-off R95,000. Total minimum: R3,755,000.
Referral discount (per qualifying referral)−5% per referralApplied from month of referred client's contract start. Max 15% (3+ referrals).
Important Notice: This document is a technical IT and security configuration assessment of the Microsoft 365 tenant, conducted on a point-in-time basis (27 May 2026). It does not constitute legal, regulatory, compliance, UKGC, ICO, FCA, or POPIA legal advice. All findings should be reviewed with Amalfi Outsourcing's own legal counsel and compliance function before any regulatory interpretation is applied or action is taken. The Fourths accepts no liability for reliance on this document as regulatory or legal compliance advice. Pricing is valid for 30 days from the date of this report.