Every engagement runs on evidence, stays safe in production, and leaves your team able to operate everything without me.
Vulnerabilities, reported with evidence
Every security finding is backed by collected evidence — the data, the standard it was measured against, and what was and wasn’t covered. No opinions dressed as facts, no false clean bills.
Production-safe by default
Read-only where it should be, CAB-aligned change windows, and a tested rollback before anything goes live — across 800k+ mailboxes migrated and tenants hardened without breaking what your team relies on Monday morning.
Built to outlast the engagement
Architecture diagrams, runbooks, and operational standards your team owns — so whether I migrated your Exchange estate or hardened your tenant, you’re left able to run it yourself, not dependent on me.
Client Feedback
What Clients Say
“Carlos brought a level of architecture rigour we rarely see from external consultants. Every change was documented, every rollback was pre-tested. We went from a fragmented endpoint estate to a fully enforced Zero Trust posture — with zero disruption to the business.”
Security Program Lead
Ericsson · Defender XDR Program · 15k+ endpoints · 2023
“The Exchange 2019 deployment was the cleanest infrastructure project we have run in years. Zero mail loss on cutover, PKI rebuilt end-to-end, and a full handover runbook our team could actually use the next day.”
IT Infrastructure Manager
Metro Lisboa · Exchange Migration · Zero mail loss · 2023
“Standardising Intune and Defender across 20+ subsidiaries is the kind of project that usually takes 18 months and three vendors. Carlos scoped it, delivered it in sprints, and left runbooks that our subsidiary IT teams could follow independently.”
Bespoke engagements, scoped to your environment — architecture, migrations, hybrid identity, and hands-on delivery. Remote, sprint-based.
Packaged Engagements
Defined scope, clear price.
Fixed scope, fixed price — book directly. Enterprise-grade rigour powered by my own assessment tooling, delivered in days.
One-time
M365 Security Posture Assessment
Know exactly where your Microsoft 365 tenant is exposed — a board-ready report and prioritised remediation roadmap, delivered in days, not weeks.
From €750
From access granted to readout in days.
What’s included
Read-only, app-only assessment across 12 M365 services — Entra ID, Conditional Access, Defender, Exchange Online, Intune, SharePoint, Teams and more
~78 curated security and configuration rules, mapped to recognised frameworks via a compliance crosswalk
Core five-report set: HTML + Word executive summary, M365 inventory, findings, crosswalk, and an exports/limitations record
Coverage-aware results — anything not assessed is stated plainly, never reported as a false pass
Prioritised remediation roadmap with quick wins flagged
What you provide
Read-only delegated access to the tenant
One 30-minute scoping call
One-time
App & AI Agent Posture Assessment
See every application, workload identity and AI agent in your tenant — what they can access, where the risk sits, and how to lock it down before it is exploited.
Contact for pricing
A focused read-only review, scoped to your app and agent estate.
What’s included
Full inventory of app registrations, service principals and workload identities — with their permissions and configurations
AI agent governance review (Entra Agent ID) — agent inventory, scope and exposure
Gaps and security issues identified against security pillars and official frameworks
Concrete recommendations to remediate over-privilege and harden identities
Same coverage-aware, fail-closed discipline and five-report deliverable set as the M365 assessment
What you provide
Read-only delegated access to the tenant
One 30-minute scoping call
Project
Hardening & Remediation Sprint
Close the gaps the assessment found — hands-on Zero Trust implementation, with an evidence pack and tested rollback at every step.
PIM for all privileged Entra ID roles — zero standing admin
Legacy authentication eradication across clients and protocols
Defender XDR / endpoint hardening as scoped
Operational runbook and rollback procedures for handover
What you provide
Change-window alignment
A technical point of contact
A prior assessment (or we run one first)
Most popular
Recurring
Managed Security Posture
Stay hardened as your tenant drifts — recurring re-assessment, a severity-ranked drift report, and advisory access so posture never silently degrades.
Contact for pricing
Quarterly cycle, ongoing.
What’s included
Quarterly re-run of the full posture assessment
Drift report — what changed since last cycle, ranked by severity
Prioritised remediation guidance each cycle
Advisory access for security questions between cycles
What you provide
Standing read-only access
A quarterly review slot
The engine behind the assessments
One assessment engine. Your entire Microsoft estate.
Most consultants run manual assessments based on interview notes. Every assessment I deliver is powered by a purpose-built PowerShell engine that collects evidence directly from your tenant APIs and generates structured reports — HTML, Word, Excel, CSV, and JSON.
This is not a checklist. It is an automated audit engine. The output gives you a complete, reproducible evidence pack of your environment — something you can hand to your security team, your auditors, or your board.
Security
M365 Security Assessment
Read-only security and inventory assessment across your entire Microsoft 365 tenant. Runs ~78 curated rules against CIS and CISA benchmarks, Maester tests, and ORCA policies, and collects a full tenant inventory — admin roles, applications, devices, licensing, Exchange, SharePoint, Teams and more. Coverage-aware: anything that can’t be collected is stated, never reported as a false clean bill.
HTML Technical Report · Word Executive Summary · M365 Inventory · Security Findings · Excel Workbook · CSV Findings · JSON Evidence
Azure
Azure Assessment
Azure infrastructure discovery and operational maturity framework designed for pre-managed-services onboarding. Assesses compute, networking, AKS, Defender for Cloud, monitoring, storage, Key Vault, and costs — producing complexity scores, risk findings, and managed services sizing estimates.
Workloads Covered
Compute · Networking · AKS · Defender for Cloud · Monitoring · Storage · Key Vault · Costs · RBAC & Identity
Report Outputs
Executive HTML Report · Word Report · Inventory Report · CSV Exports · JSON Evidence
Security
Zero Trust Maturity Assessment
Structured assessment of your Zero Trust posture across all five CISA pillars — Identity, Devices, Networks, Applications, and Data. Benchmarks your current maturity level and produces a phased roadmap to advance it.
Zero Trust Maturity Report · Pillar Scorecard · Gap Analysis · Phased Roadmap · Executive Summary
Apps & AI · In development
Apps & AI Agents
A second purpose-built engine, currently in development, that inventories and assesses application identities, service principals, and AI agents (Entra Agent ID) — applying the same evidence-first, framework-aligned approach to surface over-privilege and exposure before it is exploited.
Every finding is backed by collected API evidence — not interview notes or manual spot checks. At the end of the assessment, you receive a complete evidence pack: raw data, normalised findings, remediation roadmap, and an executive summary your board can read.
The deliverable
See exactly what the assessment delivers.
Board summary, technical findings, compliance crosswalks and a remediation roadmap — built from evidence collected directly from your tenant. See the reports and a live sample.
Real enterprise engagements. Problem → Architecture → Implementation → Results.
Senior Microsoft Architect
Carlos Annes
Microsoft 365 · Hybrid Identity · Infrastructure · Lisbon, Portugal
Lisbon, Portugal · Remote worldwide
Microsoft infrastructure architect specialising in hybrid identity, security architecture, and large-scale Microsoft 365 migrations. Based in Lisbon, delivering remote-first engagements to enterprise organisations across Europe.
Enterprise programs delivered for Ericsson, the European Commission, Metro Lisboa, and Körber — covering security transformation, hybrid identity architecture, and global tenant standardisation. Prior to independent consulting, served as O365 and Exchange Support Engineer at Microsoft.
Book a no-obligation discovery call. I'll review your current setup, identify quick wins, and outline a structured engagement with defined outcomes — before any contract is signed.