Confidential Document
Gable Group
Microsoft 365 Tenant Audit — May 2026
Prepared by The Fourths  ·  26 May 2026


Tenant: gable.group  ·  Tenant ID: 1da5260d-473d-4b6e-8248-6747a8434091  ·  Region: GB

OVERALL RISK: HIGH · Third-party MSP holds Global Admin + Security Admin roles. MFA registration at 44% of sampled users. Conditional Access policies confirmed — guest and external user MFA not enforced.
Security Defaults: OFF · No CA replacement found
MFA Coverage: 44% · 24 of 54 sampled users
Global Admins: 3 · Incl. third-party (Connexus)
Guest Accounts: 198 · More guests than staff (113)
Disabled Accounts: 185 · Still present in tenant
Verified Domains: 11 · Across 5 brand domains
Risk Summary
MEDIUM — Security Defaults disabled; Conditional Access deployed with gaps
Security Defaults is disabled — the correct posture when Conditional Access is in use. Audit confirmed 7 CA policies are active: MFA for all users (enforced), legacy auth blocking (enforced), and admin MFA (enforced). However, guest and external user MFA policies remain in report-only mode and are not enforced. No sign-in risk was detected in the sampled period.
Action: Promote guest MFA and external user MFA policies from report-only to enforced. Remove the duplicate "Block legacy authentication" report-only policy to avoid confusion. Confirmed: no additional licensing cost — SPB includes Entra P1.
CRITICAL — Third-party MSP holds Global Administrator + Security Administrator
Connexus (ConnexusAdmin@gable.group) holds both Global Admin and Security Admin roles. This gives a third party unrestricted control over the tenant, including the ability to read all mail, reset any password, and modify all security policies — without Gable oversight.
Action: Scope Connexus access down to least-privilege (e.g. Helpdesk Administrator or specific workload admin roles). If Global Admin is operationally necessary, require PIM just-in-time elevation with approval workflow.
HIGH — MFA registered on fewer than half of sampled users
Of 54 users returned in the MFA registration report, only 24 have MFA registered. Combined with Security Defaults being off, a significant portion of the user base has no second factor — vulnerable to credential stuffing and phishing.
Action: Move MFA registration campaign from "default" (snooze-able) to "enabled" enforcement. Block sign-in for users who have not registered within a defined window.
MEDIUM — 198 guest accounts, no visible lifecycle governance
The tenant has more external guests than internal members. Guests originate from investment firms (Bawag, Marathon, Blackstone, King Street, Balbec, Sculptor, Chenavari, Viola, Waterfall AM, AB CarVal, Arini, Guy Carpenter, Axis, Perenna, MMBS, Dudley BS, Knab, ABN AMRO, Adecco, Target Group, FintechOS, Arch Insurance, and others). There is no evidence of a guest access review process or expiry policy.
Action: Implement Entra ID Guest Access Reviews (quarterly). Set guest account expiry policy. Disable or remove guests from counterparties no longer active.
MEDIUM — 185 disabled member accounts remain in tenant
60% of member-type accounts are disabled. Disabled accounts still exist in the directory, consume namespace, and can be re-enabled by any Global Admin. Stale offboarded accounts represent a latent re-activation risk.
Action: Define a retention and deletion policy for disabled accounts (e.g. delete after 90 days of disable). Run a bulk clean-up of accounts disabled >90 days.
MEDIUM — Privileged Role Administrator role has no members
No one is assigned Privileged Role Administrator. This means the Global Admins self-manage role assignments with no oversight or separation of duties on privilege escalation.
Action: Assign Privileged Role Administrator to a named internal account. Consider enabling PIM for all privileged roles.
Total Users: 311 · All accounts in tenant
Enabled: 126 · Active accounts
Disabled: 185 · Still in directory
Members: 113 · Internal staff/service
Guests: 198 · External invitees
Licensed: 32 · Assigned at least one SKU
Member Accounts — Enabled & Licensed
Display Name | UPN | Status | Licensed
Bryony Stephenson | bryony@gable.group | Enabled | Yes
Chris Eaton | chris.eaton@gable.group | Enabled | Yes
Chris Lock | chris.lock@gablemortgages.com | Enabled | Yes
Christine White | christine.white@gablemortgages.com | Enabled | Yes
Dave Chapman | dave.chapman@gablemortgages.com | Enabled | Yes
David Newman | david.newman@gablemortgages.com | Enabled | Yes
Dominic Admin | dom.admin@gable.group | Enabled | Yes
Dominic Nel (Gable Group) | Dominic@gable.group | Enabled | Yes
Gila Cruise | gila.cruise@gable.group | Enabled | Yes
Holly Peyre | holly.peyre@gablemortgages.com | Enabled | Yes
Iman Ibrahim | Iman.Ibrahim@gable.group | Enabled | Yes
Imran Aziz | imran.aziz@gablemortgages.com | Enabled | Yes
James Sibley | james.sibley@gablemortgages.com | Enabled | Yes
Jayme Cesman | jayme@gable.group | Enabled | Yes
Johan Admin | johan.admin@gable.group | Enabled | Yes
Johan Slabbert | johan.slabbert@gable.group | Enabled | Yes
Johan Visser | Johan.Visser@gable.group | Enabled | Yes
Joshua Weinstein | JW@gable.group | Enabled | Yes
Kaan Bayat | kaan.bayat@gable.group | Enabled | Yes
Lisa Crane | Lisa.Crane@gable.group | Enabled | Yes
Lucy Barlow | lucy.barlow@gablemortgages.com | Enabled | Yes
Michael Nahon | michael.nahon@gable.group | Enabled | Yes
Mike Robinson | michael@gable.group | Enabled | Yes
Pierre de Villiers | pierre.devilliers@gable.group | Enabled | Yes
Roberta Stankute | roberta.stankute@gablemortgages.com | Enabled | Yes
Tolu Adefuye-Martin | tolu.martin@gable.group | Enabled | Yes
svc-powerautomate | svc-powerautomate@gable.group | Enabled | Yes
Notable Accounts — Flags
Account | UPN | Issue
Connexus Admin | ConnexusAdmin@gable.group | Global Admin + Security Admin — Third Party
Pax8 Audit | Pax8@gable.group | Third-party MSP account — enabled, no licence
Service Blueapp | service.blueapp@gable.group | Service account — unknown application, enabled
GFOUR Work | gfourwork@gable.group | Third-party (The Fourths) account in tenant, disabled
Michael Robinson | michael.robinson@gable.group | Duplicate — also exists as michael@gable.group (enabled)
Mick Gorham | mick@gable.group (disabled, licensed) / mick.gorham@gablesure.com (disabled) | Two accounts — one licensed but disabled, wasting licence
Okan Gezgen | Okan@gable.group | Disabled but licensed — unused licence
Trevor Wilson | Trevor@gable.group | Disabled but licensed — unused licence
Rosemarie Mansi | Rosemarie@gable.group | Disabled but licensed — unused licence
Surita Lagah | surita.lagah@gablemortgages.com | Disabled but licensed — unused licence
Admin | admin@gable.group | Break-glass admin — disabled, no licence (correct)
John Doe | john.doe@gable.group | Test/placeholder account — disabled
MDM Service | mdm.service@gable.group | Mobile Device Management service account — disabled
SBC 1 / SBC 2 | sbc1@tvxteams... / sbc2@tvxteams... | Telavox SIP trunks — expected, enabled
Guest Accounts — By Organisation
198 guest accounts from the following external organisations (enabled guests only are flagged; all are present in directory).
Organisation | Domain | Active Guests | Notes
Bawag Group | bawaggroup.com / bawagpsk.com | ~20+ | Funding partner — high volume
Perenna | perenna.co.uk / perenna.com | ~20+ | Most disabled — past engagement
Marathon Asset Mgmt | marathonfund.com | 3 | NDA partially executed
Blackstone | blackstone.com | 3 | Active
King Street Capital | kingstreet.com | 4 | Active
Balbec Capital | balbec.com | 4 | Mixed active/inactive
AB CarVal | abcarval.com | 5 | Mixed
Chenavari | chenavari.com | 3 | Active
Guy Carpenter | guycarp.com | 4 | Active — reinsurance broker
Axis Capital | axiscapital.com | 3 | Active
Arini Capital | arini.com | 4 | Active
Waterfall AM | waterfallam.com | 3 | Mixed
Viola Credit | violacredit.com | 1 | Inactive
Sculptor Capital | sculptor.com | 2 | Mixed
DKP / Findox | dkp.com / findox.com | 3 | Active
MMBS (Monmouthshire BS) | mmbs.co.uk | 1 (Jamie Hyland) | Active — data partner
Dudley Building Society | dudleybuildingsociety.co.uk | 2 | Active
Knab / ABN AMRO | knab.nl / nl.abnamro.com | 3 | Mixed
FintechOS | fintechos.com | 1 | Inactive — supplier
Connexus | connexus.cloud | 1 (Nick Hatton) | Active — IT MSP
Pepper Group | peppergroup.co.uk | 2 | Active
HPS Partners | hpspartners.com | 2 | Active
Grant Thornton | uk.gt.com | 1 | Inactive — auditors
Rock CSP | rockcsp.com | 1 | 1 disabled
Zanoo Consulting | zanooconsulting.co.uk | Mixed | Inactive
Target Group | targetgroup.com | Mixed | Loan servicer
BHO (Blue Halo) | bho.co.uk | Mixed | Staff with personal BHO accounts
Personal (Gmail, Hotmail, Outlook) | gmail.com / hotmail.co.uk | Several | Consumer email in tenant — risk
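The lifecycle checks behind the guest, disabled-account and licence findings in this section can be run against a Graph user export rather than read off by hand. The following is an added example written for this report, not the auditors' own tooling: it tabulates guests per external domain, flags consumer-email guests, lists disabled accounts that still hold licences, and lists disabled member accounts with no sign-in inside the 90-day window the report recommends. It assumes Graph's user shape (accountEnabled, userType, assignedLicenses, signInActivity.lastSignInDateTime) and the "#EXT#" encoding of guest UPNs; every sample user is constructed.

```python
"""Identity hygiene checks over a Microsoft Graph-style user export.

Added example for this report; it is not the auditors' tooling. It assumes
user objects shaped like Graph /users with accountEnabled, userType,
assignedLicenses and signInActivity selected, and uses lastSignInDateTime
as a proxy for "disabled for N days" because the user object carries no
disable timestamp. All sample users below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Audit date from the report; the staleness window is measured back from it.
AUDIT_DATE = datetime(2026, 5, 26, tzinfo=timezone.utc)
# Consumer mail providers: guests from these domains have no organisational accountability.
CONSUMER_DOMAINS = {"gmail.com", "hotmail.com", "hotmail.co.uk", "outlook.com", "yahoo.com"}


def _user(name, upn, mail, enabled, kind, licences, last_sign_in=None):
    """Build a minimal Graph-like user record (constructed sample data)."""
    return {"displayName": name, "userPrincipalName": upn, "mail": mail,
            "accountEnabled": enabled, "userType": kind,
            "assignedLicenses": [{"skuId": s} for s in licences],
            "signInActivity": {"lastSignInDateTime": last_sign_in} if last_sign_in else {}}


SAMPLE_USERS = [  # constructed, not the tenant's real directory
    _user("Alice Example", "alice@example.test", "alice@example.test", True, "Member", ["spb"], "2026-05-20T09:00:00Z"),
    _user("Leaver One", "leaver1@example.test", "leaver1@example.test", False, "Member", ["copilot"], "2025-11-01T08:00:00Z"),
    _user("Leaver Two", "leaver2@example.test", "leaver2@example.test", False, "Member", [], "2026-05-01T08:00:00Z"),
    _user("Partner Guest", "guest_partner.test#EXT#@example.onmicrosoft.com", "guest@partner.test", True, "Guest", []),
    _user("Personal Guest", "someone_gmail.com#EXT#@example.onmicrosoft.com", "someone@gmail.com", True, "Guest", []),
    _user("Old Guest", "old_partner.test#EXT#@example.onmicrosoft.com", "old@partner.test", False, "Guest", []),
]


def parse_graph_time(value):
    """Parse a Graph ISO-8601 timestamp ending in 'Z' into an aware datetime, or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def guest_home_domain(user):
    """Return the external organisation's domain for a guest.

    Prefers the mail attribute; otherwise decodes Graph's external UPN form
    'local_domain.tld#EXT#@tenant.onmicrosoft.com'.
    """
    mail = user.get("mail")
    if mail and "@" in mail:
        return mail.rsplit("@", 1)[1].lower()
    upn = user["userPrincipalName"]
    if "#EXT#" in upn:
        return upn.split("#EXT#", 1)[0].rsplit("_", 1)[1].lower()
    return upn.rsplit("@", 1)[1].lower()


def disabled_but_licensed(users):
    """Disabled accounts still holding at least one licence: reclaim candidates."""
    return [u["userPrincipalName"] for u in users
            if not u["accountEnabled"] and u.get("assignedLicenses")]


def stale_disabled(users, now=AUDIT_DATE, days=90):
    """Disabled member accounts with no sign-in within `days` (or ever): deletion candidates.

    Assumption: last sign-in is the only timestamp available, so it serves as a
    lower bound on how long the account has been disabled.
    """
    cutoff = now - timedelta(days=days)
    stale = []
    for u in users:
        if u["accountEnabled"] or u.get("userType") != "Member":
            continue
        last = parse_graph_time(u.get("signInActivity", {}).get("lastSignInDateTime"))
        if last is None or last < cutoff:
            stale.append(u["userPrincipalName"])
    return stale


def guests_by_domain(users):
    """Tabulate guests per external domain, split into enabled and disabled."""
    table = {}
    for u in users:
        if u.get("userType") != "Guest":
            continue
        row = table.setdefault(guest_home_domain(u), {"enabled": 0, "disabled": 0})
        row["enabled" if u["accountEnabled"] else "disabled"] += 1
    return table


def consumer_email_guests(users):
    """Guests whose home domain is a consumer mail provider."""
    return [u.get("mail") or u["userPrincipalName"] for u in users
            if u.get("userType") == "Guest" and guest_home_domain(u) in CONSUMER_DOMAINS]


if __name__ == "__main__":
    print("disabled but licensed:", disabled_but_licensed(SAMPLE_USERS))
    print("disabled >90 days (by last sign-in):", stale_disabled(SAMPLE_USERS))
    for domain, counts in sorted(guests_by_domain(SAMPLE_USERS).items()):
        print(f"{domain}: {counts}")
    print("consumer-email guests:", consumer_email_guests(SAMPLE_USERS))
```

Because the user object keeps no "disabled since" timestamp, last sign-in gives only a lower bound on the disabled period; where the 90-day rule must be exact, the disable event in the Entra audit log is the authoritative date.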
Global Administrator Members
Display Name | UPN | Enabled | Assessment
Connexus Admin | ConnexusAdmin@gable.group | Yes | CRITICAL — Third-party MSP
Johan Admin | johan.admin@gable.group | Yes | Internal — dedicated admin account (correct pattern)
Dominic Admin | dom.admin@gable.group | Yes | Internal — dedicated admin account (correct pattern)
Security Administrator Members
Display Name | UPN | Enabled | Assessment
Connexus Admin | ConnexusAdmin@gable.group | Yes | CRITICAL — Same third-party MSP holds both Global Admin and Security Admin
All Active Directory Roles (27)
The following roles are provisioned in the tenant. Members of sensitive roles beyond Global Admin and Security Admin were not enumerated in this pass.
Role | Risk Level
Global Administrator | Critical
Privileged Authentication Administrator | Critical
Privileged Role Administrator | Critical — No members assigned
Security Administrator | High
Exchange Administrator | High
SharePoint Administrator | High
Teams Administrator | Medium
Compliance Administrator | Medium
Intune Administrator | Medium
User Administrator | Medium
Application Administrator | Medium
Authentication Administrator | Medium
Authentication Policy Administrator | Standard
Billing Administrator | Standard
Cloud App Security Administrator | Standard
Hybrid Identity Administrator | Standard
License Administrator | Standard
Power Platform Administrator | Standard
AI Administrator | Standard
Helpdesk Administrator | Standard
Service Support Administrator | Standard
Teams Communications Administrator | Standard
Cloud Device Administrator | Standard
Directory Readers | Standard
Directory Writers | Standard
Global Reader | Standard
Azure AD Joined Device Local Administrator | Standard
No PIM (Privileged Identity Management) detected
There is no evidence of Privileged Identity Management (PIM) being used. All privileged role assignments appear to be permanent. For a regulated financial services firm, persistent Global Admin assignments — particularly to a third party — represent a standing attack surface and a governance gap under FCA Senior Managers & Certification Regime (SMCR) accountability expectations.
Action: Evaluate Entra ID P2 licensing to enable PIM. Move all privileged roles to just-in-time activation with approval and MFA challenge. At minimum, remove Connexus from standing Global Admin.
Security Defaults: OFF · Disabled
Conditional Access: 7 Policies · 4 enforced · 3 report-only
MFA Registered: 44% · 24 of 54 sampled
MFA Campaign: Active · Snooze-able (default)
Authentication Methods
Method | State | Assessment
Microsoft Authenticator (TOTP/push) | Enabled | Correct — primary MFA method
FIDO2 Security Keys | Enabled | Good — phishing-resistant option available
Software OATH Tokens | Enabled | Acceptable fallback
SMS OTP | Enabled | Weak — SIM-swap risk. Consider restricting to fallback only.
Email OTP | Enabled | Weak — only as strong as email account security
Temporary Access Pass (TAP) | Disabled | Correct — should remain disabled or tightly controlled
Voice Call OTP | Disabled | Correct — deprecated method
Hardware OATH Tokens | Disabled | Acceptable if not needed
X.509 Certificate Auth | Disabled | Fine for current maturity
MFA Registration Campaign
Setting | Value | Assessment
State | default | Not enforced — users can snooze indefinitely
Snooze duration | 1 day | Low friction — users will defer
Force after all snoozes | True | Will eventually enforce
Target | All users → Microsoft Authenticator | Correct target
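The two MFA findings (registration at 44% of sampled users, and a campaign left in "default" state) can both be reproduced from Graph reporting data. The following added example, not the auditors' tooling, computes coverage from userRegistrationDetails records, lists users registered only with the weak methods flagged in the authentication methods table, lists admins with no registration at all, and evaluates the campaign object against the recommended state. The Graph field names (isMfaRegistered, isAdmin, methodsRegistered, state, snoozeDurationInDays, enforceRegistrationAfterAllowedSnoozes, includeTargets) and the method identifiers are assumed from Graph's authentication methods API; all sample records are constructed.

```python
"""MFA registration coverage and registration-campaign assessment.

Added example for this report (not the auditors' tooling). Input shapes are
assumed from Microsoft Graph: userRegistrationDetails records with
isMfaRegistered, isAdmin and methodsRegistered, and the
authenticationMethodsRegistrationCampaign object (state, snoozeDurationInDays,
enforceRegistrationAfterAllowedSnoozes, includeTargets). Sample data is constructed.
"""
import copy

# Methods the report rates weak: SMS/voice and email one-time codes.
WEAK_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}


def _reg(upn, registered, methods, admin=False):
    """Build a minimal userRegistrationDetails-like record (constructed)."""
    return {"userPrincipalName": upn, "isMfaRegistered": registered,
            "methodsRegistered": methods, "isAdmin": admin}


SAMPLE_REGISTRATION = [  # constructed, not the tenant's report
    _reg("alice@example.test", True, ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]),
    _reg("sms.only@example.test", True, ["mobilePhone"]),
    _reg("fido@example.test", True, ["fido2SecurityKey", "microsoftAuthenticatorPush"]),
    _reg("email.plus@example.test", True, ["email", "microsoftAuthenticatorPush"]),
    _reg("admin.ok@example.test", True, ["microsoftAuthenticatorPush"], admin=True),
    _reg("admin.nomfa@example.test", False, [], admin=True),
    _reg("nomfa1@example.test", False, []),
    _reg("nomfa2@example.test", False, []),
    _reg("nomfa3@example.test", False, []),
    _reg("nomfa4@example.test", False, []),
]

# The campaign settings from the table above, expressed in (assumed) Graph field names.
CURRENT_CAMPAIGN = {
    "state": "default",
    "snoozeDurationInDays": 1,
    "enforceRegistrationAfterAllowedSnoozes": True,
    "includeTargets": [{"targetType": "group", "id": "all_users",
                        "targetedAuthenticationMethod": "microsoftAuthenticator"}],
}


def mfa_coverage(details):
    """Registered / total and the percentage the dashboard reports."""
    registered = sum(1 for d in details if d["isMfaRegistered"])
    total = len(details)
    return {"registered": registered, "total": total,
            "percent": round(100 * registered / total, 1) if total else 0.0}


def unregistered_users(details):
    """Users with no MFA registration: the population a blocking deadline applies to."""
    return [d["userPrincipalName"] for d in details if not d["isMfaRegistered"]]


def unregistered_admins(details):
    """Admins without MFA: highest priority within the unregistered set."""
    return [d["userPrincipalName"] for d in details if d["isAdmin"] and not d["isMfaRegistered"]]


def weak_only_users(details):
    """Registered users whose only second factors are SMS/voice/email."""
    return [d["userPrincipalName"] for d in details
            if d["isMfaRegistered"] and d["methodsRegistered"]
            and set(d["methodsRegistered"]) <= WEAK_METHODS]


def assess_campaign(campaign):
    """Return findings (empty list means the campaign matches the recommended posture)."""
    findings = []
    if campaign["state"] != "enabled":
        findings.append(f"state is '{campaign['state']}': registration is not enforced; set state to 'enabled'")
    if not campaign["enforceRegistrationAfterAllowedSnoozes"]:
        findings.append("enforceRegistrationAfterAllowedSnoozes is False: users can defer indefinitely")
    if not any(t.get("targetedAuthenticationMethod") == "microsoftAuthenticator"
               for t in campaign["includeTargets"]):
        findings.append("campaign does not target Microsoft Authenticator")
    return findings


def enforced_campaign(campaign):
    """The corrected object: the report's action applied to the current settings."""
    fixed = copy.deepcopy(campaign)
    fixed["state"] = "enabled"
    fixed["enforceRegistrationAfterAllowedSnoozes"] = True
    return fixed


if __name__ == "__main__":
    print("coverage:", mfa_coverage(SAMPLE_REGISTRATION))
    print("unregistered:", unregistered_users(SAMPLE_REGISTRATION))
    print("unregistered admins:", unregistered_admins(SAMPLE_REGISTRATION))
    print("weak methods only:", weak_only_users(SAMPLE_REGISTRATION))
    print("campaign findings:", assess_campaign(CURRENT_CAMPAIGN))
    print("after fix:", assess_campaign(enforced_campaign(CURRENT_CAMPAIGN)))
```

The weak-method list is the input for the SMS recommendation later in the report: users who appear there would lose their only factor if SMS were removed outright, so they need Authenticator registered first.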
Conditional Access Policies (7)
Policy | State | Scope | Controls
Require MFA for all users | Enforced | All users · All apps | MFA
Block legacy authentication | Enforced | All users · All apps | Block
Securing security info registration | Enforced | All users · All apps | MFA
Require MFA for admins | Enforced | Admin roles · All apps | MFA
Require MFA for guest access | Report-only | Guests · Specific app | MFA (not enforced)
Block legacy authentication (duplicate) | Report-only | All users · All apps | Block (not enforced — redundant)
Require MFA for external users (failsafe) | Report-only | External users · All apps | MFA (not enforced)
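The state and scope checks in this table lend themselves to a scripted review of a Conditional Access export. The following added example (not the auditors' tooling) reads policies in Graph's conditionalAccessPolicy shape, lists the report-only policies, detects an enforced/report-only pair with identical scope and controls, reports which enforced policies actually place an MFA gate in front of guests before and after promoting the two guest policies, and lists exclusions on enforced policies so each can be documented. The sample mirrors six of the seven policies above with placeholder GUIDs and is constructed; the user-action registration policy is omitted.

```python
"""Static review of a Conditional Access policy export.

Added example for this report (not the auditors' tooling). Policies follow the
Graph conditionalAccessPolicy shape: state, conditions.users, conditions.applications,
conditions.clientAppTypes and grantControls.builtInControls. GUIDs are placeholders.
"""
import copy

ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"
GUESTS = {"guestOrExternalUserTypes": "b2bCollaborationGuest,internalGuest"}
LEGACY_CLIENTS = ("exchangeActiveSync", "other")


def _policy(name, state, users, apps, controls, client_apps=("all",)):
    """Build a minimal conditionalAccessPolicy-like object (constructed)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": users,
                           "applications": {"includeApplications": list(apps)},
                           "clientAppTypes": list(client_apps)},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


SAMPLE_POLICIES = [  # constructed to mirror the table above; GUIDs are placeholders
    _policy("Require MFA for all users", ENFORCED,
            {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"],
             "excludeGuestsOrExternalUsers": GUESTS}, ["All"], ["mfa"]),
    _policy("Block legacy authentication", ENFORCED, {"includeUsers": ["All"]}, ["All"], ["block"], LEGACY_CLIENTS),
    _policy("Require MFA for admins", ENFORCED, {"includeRoles": ["<global-admin-role-id>"]}, ["All"], ["mfa"]),
    _policy("Require MFA for guest access", REPORT_ONLY, {"includeGuestsOrExternalUsers": GUESTS}, ["<specific-app-id>"], ["mfa"]),
    _policy("Block legacy authentication (duplicate)", REPORT_ONLY, {"includeUsers": ["All"]}, ["All"], ["block"], LEGACY_CLIENTS),
    _policy("Require MFA for external users (failsafe)", REPORT_ONLY, {"includeGuestsOrExternalUsers": GUESTS}, ["All"], ["mfa"]),
]


def _users(p):
    return p["conditions"]["users"]


def _controls(p):
    return frozenset(p.get("grantControls", {}).get("builtInControls", []))


def signature(p):
    """Scope + controls, so that two policies with the same effect compare equal."""
    u = _users(p)
    return (frozenset(u.get("includeUsers", [])), frozenset(u.get("includeRoles", [])),
            bool(u.get("includeGuestsOrExternalUsers")),
            frozenset(p["conditions"]["applications"]["includeApplications"]),
            frozenset(p["conditions"].get("clientAppTypes", [])), _controls(p))


def report_only_policies(policies):
    return [p["displayName"] for p in policies if p["state"] == REPORT_ONLY]


def find_duplicates(policies):
    """(enforced, report-only) pairs with identical scope and controls: the copy is noise."""
    enforced = {signature(p): p["displayName"] for p in policies if p["state"] == ENFORCED}
    return [(enforced[signature(p)], p["displayName"]) for p in policies
            if p["state"] == REPORT_ONLY and signature(p) in enforced]


def includes_guests(p):
    """True if the policy's user scope reaches guest/external users."""
    u = _users(p)
    if u.get("includeGuestsOrExternalUsers"):
        return True
    return "All" in u.get("includeUsers", []) and not u.get("excludeGuestsOrExternalUsers")


def guest_mfa_enforcers(policies):
    """Enforced policies that actually require MFA from guests."""
    return [p["displayName"] for p in policies
            if p["state"] == ENFORCED and "mfa" in _controls(p) and includes_guests(p)]


def promote(policies, *names):
    """Copy of the export with the named report-only policies set to enforced."""
    out = copy.deepcopy(policies)
    for p in out:
        if p["displayName"] in names and p["state"] == REPORT_ONLY:
            p["state"] = ENFORCED
    return out


def exclusions_to_review(policies):
    """Enforced policies carrying user/group exclusions; each needs a documented reason."""
    return {p["displayName"]: {"users": _users(p).get("excludeUsers", []),
                               "groups": _users(p).get("excludeGroups", [])}
            for p in policies if p["state"] == ENFORCED
            and (_users(p).get("excludeUsers") or _users(p).get("excludeGroups"))}


if __name__ == "__main__":
    print("report-only:", report_only_policies(SAMPLE_POLICIES))
    print("duplicates:", find_duplicates(SAMPLE_POLICIES))
    print("guest MFA enforced by:", guest_mfa_enforcers(SAMPLE_POLICIES))
    fixed = promote(SAMPLE_POLICIES, "Require MFA for guest access", "Require MFA for external users (failsafe)")
    print("after promotion:", guest_mfa_enforcers(fixed))
    print("exclusions to document:", exclusions_to_review(SAMPLE_POLICIES))
```

The sample deliberately excludes guests from the all-users policy, which is the configuration under which the sign-in log section's "guests have no MFA gate" result occurs; with that exclusion removed the all-users policy would itself appear in the enforcer list.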
Sign-in Log Analysis (200 interactive sign-ins, last 5 days)
Successful Sign-ins: 169 · of 200 sampled
Failed Sign-ins: 31 · 15.5% failure rate
Legacy Auth: 0 · Block policy working
Risk Events: None · All sign-ins: risk = none
Metric | Value | Assessment
Sign-in geography | GB: 149 · ZA: 49 · PT: 1 · US: 1 | Expected — UK primary, SA secondary
MFA policy applied (all users) | 138 success · 14 not applied | 14 sign-ins bypassed — investigate
MFA policy applied (admins) | 26 success · 126 not applicable | Admin MFA enforcing correctly
Guest MFA policy | 150 report-only (not applied) | Not enforced — guests have no MFA gate
Legacy auth attempts | 0 | Block policy confirmed effective
Invalid credential failures | 11 | Monitor — potential credential stuffing probe
Disabled guest sign-in attempts | 5 | Disabled guests attempting access — confirm offboarding complete
Top applications | Office365 Shell · M365 Copilot · Windows Sign In · SharePoint | Expected for M365 tenant
MEDIUM — Guest and external user MFA policies not enforced (report-only)
Two CA policies covering MFA for guests and external users are in report-only mode. Sign-in logs confirm: 150 guest sign-ins show the policy as "reportOnlyNotApplied" — guests are not required to authenticate with MFA. With 198 guest accounts (more guests than members) and multiple regulated financial counterparties in the tenant, this is a meaningful exposure.
Action: Promote both guest/external MFA policies from report-only to enforced. Test with a guest account first. Also remove the duplicate "Block legacy authentication (report-only)" policy — it duplicates the enforced version and creates policy management noise.
LOW — 14 sign-ins bypassed the "Require MFA for all users" policy
Of 200 sampled sign-ins, 14 show the all-users MFA policy as "notApplied." This may be due to trusted named locations, compliant device exemptions, or service account exclusions. Without a policy exclusion audit, this cannot be confirmed as intentional.
Action: Review the CA policy exclusions on "Require MFA for all users." Confirm each exclusion is deliberate and documented. Remove any stale exclusions.
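The metrics in this section come from per-sign-in Conditional Access results. The following added example (not the auditors' tooling) runs the same tallies over records in the shape of Graph /auditLogs/signIns: success/failure rate, countries, legacy client use, risk, invalid-credential and disabled-account failures, the per-policy result distribution, and the "notApplied" list that the LOW finding above asks to be reviewed. Assumptions: guests are recognised by the "#EXT#" UPN form; error codes 50126, 50057 and 53003 are Entra's documented codes for invalid credentials, disabled account and blocked by Conditional Access; all records are constructed with documentation-range IP addresses.

```python
"""Sign-in log tallies for the Conditional Access checks in the audit.

Added example, not the auditors' tooling. Records follow the shape of Graph
/auditLogs/signIns. Assumptions: guest UPNs carry '#EXT#'; error codes
50126 (invalid credentials), 50057 (account disabled) and 53003 (blocked by
Conditional Access) are Entra's documented codes. All records are constructed.
"""
from collections import Counter, defaultdict

MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}  # anything else is legacy auth
INVALID_CREDENTIALS, ACCOUNT_DISABLED, BLOCKED_BY_CA = 50126, 50057, 53003

ALL_USERS_MFA = "Require MFA for all users"
ADMIN_MFA = "Require MFA for admins"
GUEST_MFA = "Require MFA for guest access"
LEGACY_BLOCK = "Block legacy authentication"


def _rec(upn, app, client, country, code, policies, ip="203.0.113.10", risk="none"):
    """Build a minimal Graph-like signIn record (constructed sample data)."""
    return {"userPrincipalName": upn, "appDisplayName": app, "clientAppUsed": client,
            "ipAddress": ip, "location": {"countryOrRegion": country},
            "status": {"errorCode": code}, "riskLevelAggregated": risk,
            "appliedConditionalAccessPolicies": [{"displayName": n, "result": r} for n, r in policies]}


SAMPLE_SIGNINS = [  # constructed; IPs are from documentation ranges
    _rec("alice@example.test", "Office365 Shell WCSS-Client", "Browser", "GB", 0,
         [(ALL_USERS_MFA, "success"), (ADMIN_MFA, "notApplied"), (GUEST_MFA, "reportOnlyNotApplied")]),
    _rec("admin.ok@example.test", "Windows Sign In", "Mobile Apps and Desktop clients", "GB", 0,
         [(ALL_USERS_MFA, "success"), (ADMIN_MFA, "success")]),
    _rec("bob@example.test", "Microsoft 365 Copilot", "Browser", "ZA", 0,
         [(ALL_USERS_MFA, "notApplied")], ip="198.51.100.7"),
    _rec("guest_partner.test#EXT#@example.onmicrosoft.com", "SharePoint Online", "Browser", "GB", 0,
         [(ALL_USERS_MFA, "notApplied"), (GUEST_MFA, "reportOnlyNotApplied")]),
    _rec("carol@example.test", "Office365 Shell WCSS-Client", "Browser", "US", INVALID_CREDENTIALS, []),
    _rec("carol@example.test", "Office365 Shell WCSS-Client", "Browser", "GB", INVALID_CREDENTIALS, []),
    _rec("old_partner.test#EXT#@example.onmicrosoft.com", "SharePoint Online", "Browser", "GB", ACCOUNT_DISABLED, []),
    _rec("dave@example.test", "Office 365 Exchange Online", "IMAP4", "GB", BLOCKED_BY_CA, [(LEGACY_BLOCK, "failure")]),
]


def is_guest(upn):
    return "#EXT#" in upn


def summarise(sign_ins):
    """Tally the metrics the audit reports from a batch of sign-in records."""
    s = {"total": len(sign_ins), "success": 0, "failed": 0, "legacy_auth": 0, "risky": 0,
         "invalid_credentials": 0, "disabled_account_attempts": 0, "disabled_guest_attempts": 0,
         "countries": Counter(), "apps": Counter(), "policy_results": defaultdict(Counter)}
    for r in sign_ins:
        code = r["status"]["errorCode"]
        s["success" if code == 0 else "failed"] += 1
        s["countries"][r["location"]["countryOrRegion"]] += 1
        s["apps"][r["appDisplayName"]] += 1
        if r["clientAppUsed"] not in MODERN_CLIENTS:
            s["legacy_auth"] += 1
        if r.get("riskLevelAggregated", "none") != "none":
            s["risky"] += 1
        if code == INVALID_CREDENTIALS:
            s["invalid_credentials"] += 1
        if code == ACCOUNT_DISABLED:
            s["disabled_account_attempts"] += 1
            if is_guest(r["userPrincipalName"]):
                s["disabled_guest_attempts"] += 1
        for p in r["appliedConditionalAccessPolicies"]:
            s["policy_results"][p["displayName"]][p["result"]] += 1
    s["failure_rate_pct"] = round(100 * s["failed"] / s["total"], 1) if s["total"] else 0.0
    return s


def mfa_bypasses(sign_ins, policy_name=ALL_USERS_MFA):
    """Successful sign-ins where an enforced MFA policy evaluated to notApplied.

    Each entry should map to a documented exclusion (trusted location, compliant
    device, service account); anything unexplained is a gap in the policy.
    """
    return [(r["userPrincipalName"], r["appDisplayName"], r["ipAddress"]) for r in sign_ins
            if r["status"]["errorCode"] == 0 and any(
                p["displayName"] == policy_name and p["result"] == "notApplied"
                for p in r["appliedConditionalAccessPolicies"])]


def guests_without_mfa_gate(sign_ins, policy_name=GUEST_MFA):
    """Successful guest sign-ins where the guest policy ran only in report-only mode."""
    return [r["userPrincipalName"] for r in sign_ins
            if r["status"]["errorCode"] == 0 and is_guest(r["userPrincipalName"]) and any(
                p["displayName"] == policy_name and p["result"].startswith("reportOnly")
                for p in r["appliedConditionalAccessPolicies"])]


if __name__ == "__main__":
    summary = summarise(SAMPLE_SIGNINS)
    for key in ("total", "success", "failed", "failure_rate_pct", "legacy_auth", "risky",
                "invalid_credentials", "disabled_guest_attempts"):
        print(f"{key}: {summary[key]}")
    print("all-users MFA results:", dict(summary["policy_results"][ALL_USERS_MFA]))
    print("notApplied to review:", mfa_bypasses(SAMPLE_SIGNINS))
    print("guests with no MFA gate:", guests_without_mfa_gate(SAMPLE_SIGNINS))
```

The admin policy's "notApplied" on non-admin sign-ins is expected (the table above records it as "not applicable"), which is why mfa_bypasses is pointed at the all-users policy by default; a "notApplied" there is the only one that needs an explanation.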
Subscribed SKUs
SKU | Used | Total | Spare | Status
Microsoft 365 Business Premium (SPB) | 12 | 16 | 4 | 4 unused — includes Entra P1 + Intune + Defender
Microsoft 365 Copilot | 8 | 14 | 6 | 6 unused Copilot licences — significant cost
O365 Business Essentials | 16 | 18 | 2 | Near full utilisation
Teams Phone (MCOEV) | 5 | 5 | 0 | Fully utilised
Power BI Pro | 2 | 2 | 0 | Fully utilised
Visio Client | 2 | 2 | 0 | Fully utilised
Visio Plan 2 (Dept) | 1 | 1 | 0 | Fully utilised
Project Professional | 1 | 2 | 1 | 1 unused
Power BI Standard (Free) | 5 | 1,000,000 | | Free tier — fine
Power Automate Free | 20 | 10,000 | | Free tier — fine
Defender for Servers | 0 | 1 | 1 | Unused — verify if needed
6 unused Microsoft 365 Copilot licences
Microsoft 365 Copilot is priced at approximately £25–£30/user/month (as of 2026). 6 unused licences represent approximately £1,800–£2,160/month in unrecovered spend. If these are assigned to disabled or departed users (e.g. Mick Gorham, Trevor Wilson, Okan Gezgen), they should be reclaimed immediately.
Action: Audit which users hold Copilot licences. Remove from any disabled or non-active accounts. Re-assign to active users who will benefit.
NOTE — SPB includes Entra ID P1 (Conditional Access)
Microsoft 365 Business Premium includes Entra ID P1, which enables Conditional Access policies. Gable has 16 SPB licences. This means Conditional Access is available today with no additional licensing cost — it simply has not been configured.
Verified Domains (11)
Domain | Default | Auth Type | Notes
gable.group | Yes | Managed | Primary tenant domain
gablemortgages.com | No | Managed | Gable Mortgages Ltd brand domain
gablesure.com | No | Managed | Gable Sure Ltd brand domain
gablesure.co.uk | No | Managed | Gable Sure Ltd UK domain
gablefs.com | No | Managed | Gable Financial Services domain — no active accounts observed
charcoltd.com | No | Managed | Charco/Charcol Holdings domain
gablegroup.global | No | Managed | Group-level global domain
gablegroup.onmicrosoft.com | No | Managed | Microsoft default domain — always present
AKZP74CQHPHRVSST0C5AF3CKCK.excl.cloud | No | Managed | Vendor domain verification token — likely email security vendor (Mimecast/Proofpoint)
tvxteams301158-sbc1.sfbcust.telavox.se | No | Managed | Telavox SIP trunk for Teams Phone
tvxteams301158-sbc2.sfbcust.telavox.se | No | Managed | Telavox SIP trunk for Teams Phone (redundant)
gablefs.com — no active accounts observed
The domain gablefs.com is verified in the tenant but no user accounts using this domain were observed in the user list. If this entity is active, accounts should use the domain. If it is dormant or a reserved brand domain, it should be documented as such.
charcoltd.com — naming inconsistency
The SharePoint folder structure references "Charco Holdings" while the verified domain is charcoltd.com. This may indicate a trading name vs registered name distinction, or a legacy domain. Should be verified and documented.
Prioritised Recommendations
# | Priority | Recommendation | Effort
1 | Critical | Promote guest and external user MFA policies from report-only to enforced. Core CA policies (MFA for all users, block legacy auth, admin MFA) are already enforced and working. The gap is guests — 198 external accounts have no MFA gate. Promote the two report-only guest/external MFA policies and remove the duplicate report-only legacy auth policy. | Low (1–2 hours)
2 | Critical | Remove Connexus from Global Administrator and Security Administrator roles. Scope their access to the minimum required for IT support (e.g. Helpdesk Administrator, specific service admin roles). If break-glass Global Admin access for Connexus is genuinely required, implement a time-limited, audited process — not a standing assignment. | Low (<1 hour)
3 | High | Enforce MFA registration. Change the MFA campaign state from "default" (snooze-able) to "enabled" (enforced). Set a deadline for all active users to register. Block sign-in for users who have not registered within 14 days. | Low (1 hour)
4 | Medium | Implement guest access review. Configure Entra ID Access Reviews for all guest accounts on a quarterly cadence. Remove or expire guests from inactive counterparties. As a minimum, immediately review all guests from organisations with no current active relationship. | Medium (1 day)
5 | Medium | Reclaim licences from disabled accounts. At least 4 disabled users hold licences (Mick Gorham, Trevor Wilson, Okan Gezgen, Rosemarie Mansi, Surita Lagah). Reclaim immediately. Audit all 6 unused Copilot licences — if assigned to inactive users, reclaim and reassign or cancel. | Low (1 hour)
6 | Medium | Define and run a disabled account clean-up policy. Accounts disabled for more than 90 days should be deleted (after confirming no mailbox preservation requirement). This reduces the attack surface and cleans the directory. 185 disabled accounts is excessive. | Medium (half day)
7 | Medium | Assign Privileged Role Administrator role to a named internal account. No external or third-party should hold this role. This creates a separation of duties for role management. | Low (<1 hour)
8 | Medium | Remove personal email guest accounts (Gmail, Hotmail, Yahoo, Outlook.com). Consumer email addresses should not have guest access to a regulated financial services tenant. These provide no accountability trail and could bypass corporate monitoring. | Low (1 hour)
9 | Medium | Investigate service.blueapp@gable.group. This enabled service account has an unknown purpose. Identify the application, confirm it is still in use, and document the service account against an owner. | Low (<1 hour)
10 | Low | Disable SMS as a standalone MFA method. SMS OTP is susceptible to SIM-swap attacks. Where Microsoft Authenticator or FIDO2 is available, SMS should be a fallback only — consider configuring Entra authentication strengths to exclude SMS for high-value operations. | Low (1 hour)
11 | Low | Verify Pax8 account purpose. Pax8@gable.group is an enabled, unlicensed account for the IT procurement platform. Confirm whether this is required and document its purpose. If not needed as a tenant account, disable and remove. | Low (<1 hour)
12 | Low | Clarify gablefs.com and charcoltd.com domain ownership and use. Ensure both domains are covered by the same DMARC / email security configuration as primary domains. | Low (1 hour)
Audit Scope & Limitations
This audit was conducted using a read-only app registration (TheFourths-AuditReader) with 25 delegated Graph API scopes. The following areas were not in scope or were inaccessible with the current app permissions: