Skip to content
Menshen

Recurring Service · Microsoft 365 Security Posture

Expert eyes
on your Microsoft 365
posture

Keeping expert watch over a Microsoft 365 security posture, every month, takes time and specialisation few IT operations can dedicate. This monitoring keeps that watch for you: an automated, read-only monthly sweep, with a monthly report in Portuguese and alerts on what changed.

Read-only access, with no changes to your environment.

What it is

It monitors, reports and alerts. It does not touch.

For an organisation that runs its own Microsoft 365 day to day but cannot keep expert eyes on its security posture. Every month we run an automated sweep and deliver a monthly report in Portuguese, plus out-of-cadence alerts on anything high-criticality.

Of Menshen's managed Microsoft 365 services, it is the only observation-only one: it watches the tenant without running it, month after month, unlike a one-off assessment.

Reactive

Support Hours

Specialist support when you need it, by the hour.

See

This page

Posture Monitoring

An automated monthly radar, read-only.

You are here

Complete

Managed Microsoft 365

We run the tenant, co-managed or fully managed.

See

The monthly sweep

Four surfaces, every month

Each month produces one report, plus point alerts on anything critical. The report carries light prioritisation ("this looks worth investigating") but stops short of diagnosis. The value is constant, reliable watch over surfaces your own team does not have time to watch.

  • Security posture

    Every month our Microsoft 365 assessment pipeline runs, based on the CISA SCuBA and Microsoft Zero Trust baselines, Microsoft Secure Score and email configuration best practices. You get the Secure Score trend, the drift versus the prior month, and the top posture gaps.

  • Identity and security signals

    Entra ID Protection (risky users and sign-ins) and Defender for Office 365 / XDR alerts, with light prioritisation: what looks worth investigating, short of diagnosing it.

  • Change and lifecycle

    A read of the Microsoft 365 Message Center: upcoming deprecations and required-action deadlines that apply to your tenant, before they become emergencies.

  • Mailflow trust

    A check of the DNS records that keep mail trusted: MX, SPF, DKIM, DMARC, MTA-STS and autodiscover. Pass or drift, with an alert whenever a record changes.

Read-only by design

Simple to adopt, no risk to your environment

The service holds read-only and reporting access only. It does not change configuration and does not hold execution-capable admin roles. This is not a limitation: it is what makes adoption simple and safe for your environment, at a monthly cost proportional to the service. Anything that requires touching the tenant is a separate step, always by your decision.

Access requested

Read-only

Delegated read-only roles, granted and revocable by your organisation. No execution-capable role is requested or held. The technical detail of the access is defined at onboarding.

When something shows up

Investigating or acting is a paid step, separate

Monitoring flags. Diagnosing the cause and fixing it are deliberately separate steps, billed separately. The decision to invest is always yours.

Billed separately

Investigation and diagnosis

When the report flags something, the alert carries a direct question: "we detected something worth a look; would you rather investigate internally, or have Menshen investigate?" If it is us, the root-cause work draws on a Support Hours pack, consumed as findings arise.

See Support Hours

Billed separately

Remediation and execution

Actually fixing a finding is project work (Support Hours or Remediation), or it belongs to the full Managed Microsoft 365 service. Monitoring never executes, by design.

See Managed Services

How it fits

Start light, grow when it makes sense

The monthly report makes the state of your tenant visible, with real findings and month-over-month comparison. Your team decides what to do with each one, with information instead of guesswork.

When a finding warrants analysis, a Support Hours pack covers the investigation. When the pattern of findings shows the operation needs more than watching, the natural step is Managed Microsoft 365, co-managed or fully managed. Each step is your decision, taken with the report in front of you.

Delivered by Menshen's own local certified team. The same engine that runs the assessment runs the monitoring.

FAQ

Frequently asked questions

  • How is this different from the Health & Security Assessment?
    It is the same engine, run every month. The assessment is a detailed snapshot at a point in time; monitoring keeps that engine running, with month-over-month comparison and alerts between reports. Many customers start with the assessment, then keep that picture current with monitoring.
  • How is this different from Managed Microsoft 365?
    Monitoring only watches and flags, it never touches the tenant. It does not administer users, fix configuration, or hold execution rights. When action is needed, that is a paid investigation (Support Hours) or the full Managed Microsoft 365 service.
  • Is this a 24/7 SOC or MXDR?
    No. It is a monthly read-only sweep, not continuous security operations or managed detection and response. If you need continuous monitoring, talk to us about the right scope.
  • What licences do we need?
    The identity-signal portion (Entra ID Protection) requires Microsoft Entra ID P2, included in Microsoft 365 E5 or equivalent. Where a signal is not available on your licences, the report notes it rather than implying coverage that is not there.
  • How much does it cost?
    The fee is set by tenant size and provided in a proposal. The service is automated and read-only, and the price reflects that scope.

Next step

Start with a pilot

Onboarding with read-only access, first report the following month. No changes to your environment. We talk through your tenant size and the right cadence.