Scope: Review global settings in Admin Center and Entra ID - Validate Entra Connect (users/groups/devices/writeback) - Consistent UPN strategy and hardening of admin accounts - Onboard domains, assess DNS and network access

Scope: Gather requirements per user group - Policies for user risk, location, device/platform, and apps - Block legacy authentication, activate session controls - Structured rollout: Report-Only → Pilot → Go-Live

Scope: Safe Links and Safe Attachments including detonation - Configure anti-phishing and impersonation protection - Customize policies per user group - Reporting dashboard and end-user awareness materials

Scope: Inventory current role assignments - Identify critical roles for PIM protection - Configure just-in-time access (JIT) and approval workflows - Migrate existing permanent roles into PIM

Scope: Implement SSPR in Microsoft Entra ID - Define authentication methods and security measures - Configure hybrid environments (writeback to on-premises AD) - Structured pilot and staged rollout

Scope: App Protection Policies for corporate data in mobile apps - Block access when protection measures are missing - Remote wipe processes for theft or loss - Works on managed and unmanaged devices (BYOD)

Scope: Existing Windows devices into Intune via Hybrid Join or Entra Join — Public DNS CNAMEs for auto-discovery — Compliance baseline (BitLocker, firewall, Defender, Secure Boot, minimum OS) — Automatic MDM enrollment GPO — Proof-of-value: one software deployment + one configuration profile — Staged wave rollout with compliance monitoring

Scope: Configure Windows Autopilot (user-driven/self-deployment) - Set up Enrollment Status Page and Entra Join - Deploy standard apps, set compliance and configuration policies - End-to-end tests with pilot devices

Scope: Implement central Local Administrator Password Solution (LAPS) - Gradually deactivate existing local admin accounts - Decommission GPO-based LAPS solution - Guides for IT admins and end users

Scope: SPF consolidation per domain — DKIM signing for every M365 domain — Staged DMARC rollout from monitoring to enforcement — Anti-spoofing hardening and SMTP AUTH cleanup — Mail flow rule audit and sender inventory

Scope: Inventory data, plan pilot with 20-30 users - Migrate home directories including Known Folder Move - Optimize sharing and sync settings - Training and communication packages for adoption

Scope: Pragmatic approach for standard collaboration scenarios - Criteria for Teams Voice in internal communication - Lifecycle process for teams and messages - App baseline and process for new apps

Scope: Develop reusable templates for Teams project rooms - Involve stakeholders from project operations in the design - Guides for task planning, document management, and tool usage - Best practices for permissions and activities after project completion

Scope: Set up B2B access (Guest/Direct Connect) and shared channels - Define governance (naming, owners, sensitivity labels) - Conditional Access/session controls for external access - Decision template for the right collaboration model with partners

Scope: Data inventory and classification strategy for sensitive information types - DLP policies for Exchange, SharePoint, OneDrive, and Teams - Phased rollout: Simulation → Policy Tips → Enforcement - DLP Alerts Dashboard and incident reporting

Scope: Define label taxonomy with 4-6 core labels - Configure sensitivity labels for documents, emails, and containers - Set up default labels and mandatory labeling - Pilot group and phased rollout

Scope: Activate Bookings and set up shared booking pages - Teams integration for online meeting links - Power Automate workflows for appointment confirmations - Governance concept and end-user adoption

Scope: Inventory existing WSUS infrastructure - Configure Intune Update Rings and Scan Source Policy - Activate Windows Autopatch and set up deployment rings - Create WSUS decommissioning plan

Scope: Define update channel strategy (Monthly Enterprise as standard) - Cloud Policy Service for macro security and add-in management - M365 Apps Security Baseline via Intune - Phased rollout with pilot group

Scope: Activate Shifts app and set up frontline teams - Configure Time Clock with geo-fencing - Schedule groups by roles and locations - Change management communication and training materials

Scope: Define environment strategy and secure default environment - Configure DLP policies in 3-tier model - Tenant-wide connector classification - Deploy CoE Starter Kit basics

Scope: Printer inventory and compatibility assessment - Universal Print Connector and printer registration - Configure Intune Printer Provisioning - Phased migration and print server decommissioning

Scope: Copilot Readiness Assessment and oversharing analysis - Data governance: sensitivity labels, DLP for Copilot - Technical configuration and pilot deployment - Adoption kit with use case catalog

Scope: User persona analysis and application compatibility - Network readiness and latency measurement - Cost modeling: AVD vs. Windows 365 vs. hybrid - Decision matrix and migration roadmap

Scope: FinOps analysis: costs, savings plans, orphaned resources - RBAC audit: privileged roles, least privilege - Policy compliance and Azure Advisor baseline - Prioritized action plan with quick wins

Scope: Use case definition and data preparation - Azure AI Search index with hybrid search and semantic ranking - RAG pattern with Azure OpenAI implementation - Security and evaluation setup

Scope: Set up Log Analytics Workspace - Configure alerts with dynamic thresholds and action groups - Dashboards and workbooks for infrastructure overview - Azure Policy for consistent monitoring

Scope: Management group hierarchy and dedicated subscriptions - Hub-and-spoke networking with firewall and VPN - Azure Policy initiatives for governance and compliance - IaC deployment with Bicep/Terraform

Scope: Configure Recovery Services Vault and backup policies - Activate VM, SQL, and Azure Files backup - Azure Policy for automatic backup enforcement - End-to-end restore test and runbook

Scope: Data classification by access frequency and retention requirements - Lifecycle management policies for automatic tiering - Immutable storage (WORM) for regulated data - Document rehydration strategy

Scope: Network assessment with cost breakdown - Configure NAT Gateway and Private Endpoints - Consolidate hub-and-spoke with gateway transit - Set up Traffic Analytics and budget alerts

Scope: Device onboarding for Windows, macOS, iOS, Android - Security policies: Next-Gen Protection, ASR Rules, Firewall - Automatic Attack Disruption and Vulnerability Management - Define incident response process

Scope: Set up Cloud Discovery (MDE integration or log collector) - Risk analysis of top 50 apps - App discovery policies and sanctioning strategy - Shadow IT governance playbook

Scope: Shadow IT discovery and app connectors configuration - Security policies: DLP, activity, discovery - Conditional Access App Control for critical apps - App governance and SaaS security posture management

Scope: Configure Cloud Kerberos Trust (no PKI needed) - Intune WHfB Settings Catalog profile - Conditional Access: WHfB as authentication strength - Pilot group and phased rollout with training materials

Scope: Validate Azure subscription and create dedicated resource group - Set up Foundry resource and project in Germany West Central - Configure RBAC roles with least privilege - Enforce EU data residency - Set up cost management with budgets and alerts - Deploy first model (GPT-4.1-mini) - Document governance baseline