A deep-dive assessment of your entire Intune environment: configuration profiles, compliance policies, app deployments, Autopilot, licensing, and security posture. You get a scored report with a prioritized remediation roadmap.
If any of these sound like your environment, the problem isn't your team -- it's accumulated configuration debt that compounds over time.
Policies created by former admins, inherited from SCCM migrations, or copied from blog posts. No documentation, no naming convention, no ownership trail.
Configuration profiles fighting each other. GPO remnants contradicting Intune settings. Devices oscillating between compliant and non-compliant on every sync cycle.
Profiles assigned to groups that no longer exist. Apps targeted at decommissioned device categories. Compliance policies with no active assignments consuming admin overhead.
Users assigned E5 licenses who only need E3. Intune licenses on accounts that haven't enrolled a device. Azure AD P2 features you're paying for but have never configured.
Microsoft's security baselines deployed but never validated. CIS benchmarks referenced in policy but not actually enforced. Gaps between what compliance reports say and what devices actually do.
SOC 2, HIPAA, or cyber insurance auditors asking for device management evidence and you cannot prove your Intune policies are doing what they claim.
Every device configuration profile reviewed for conflicts, redundancy, assignment gaps, and alignment with Microsoft security baselines and CIS benchmarks. We map OMA-URI custom settings and identify shadow IT configurations.
Compliance rules validated against actual device state. Grace periods, non-compliance actions, and Conditional Access integration reviewed. We identify false positives that are eroding trust in your compliance reporting.
Win32 apps, LOB apps, Microsoft Store apps, and web clips. Detection rules, install commands, dependency chains, and supersedence logic. We flag packages with high failure rates and identify root causes.
Deployment profiles, ESP configuration, enrollment restrictions, device categories, and group tagging logic. We identify why certain hardware models fail and optimize provisioning times.
Windows Update for Business ring assignments, deferral periods, deadline configurations, and driver update policies. We ensure your patching strategy balances speed with stability.
Role-based access control assignments, scope tags, admin permissions, and licensing utilization. We identify over-privileged accounts, unused licenses, and opportunities to reduce Microsoft 365 spend.
Each audit area receives a health score from 0-100 with an overall tenant health grade. Findings are categorized as critical, high, medium, or low severity. Executives get the summary; your engineers get the details.
A visual map of every configuration conflict in your tenant: overlapping OMA-URI settings, GPO-vs-Intune contradictions, group assignment overlaps that cause unpredictable behavior, and settings that silently fail because of precedence rules.
Specific recommendations to reduce Microsoft 365 and Azure AD licensing costs. We identify users who are over-licensed, unused add-ons, and features you're paying for but haven't configured. Typical savings: 15-30% of current license spend.
A phased plan that prioritizes fixes by business impact and effort. Phase 1 is quick wins (1-2 weeks). Phase 2 is structural improvements (2-4 weeks). Phase 3 is optimization and hardening (ongoing). Each item includes estimated effort and dependencies.
We present findings directly to your team, answer questions, and help you decide which remediations to tackle first. If you want us to execute the remediation, we scope that as a follow-on engagement.
Our audit examines every layer of your Intune tenant: device configuration profiles, compliance policies, app deployment status, Autopilot profiles, Conditional Access integration, Windows Update rings, security baselines, role-based access control, licensing utilization, and enrollment restrictions. Each area receives a health score with specific findings and remediation steps.
Most audits complete within 5-7 business days. Days 1-2 are data collection using read-only Graph API access and our proprietary assessment tooling. Days 3-5 are analysis and report generation. Days 6-7 are findings review and roadmap presentation. Larger environments with 5,000+ devices or complex co-management scenarios may take 7-10 days.
We require read-only access: Intune Reader plus Global Reader roles. No write permissions, no Global Admin. All access is scoped, time-bound, and documented in the SOW. We use Conditional Access to restrict our own sessions to approved IPs and require MFA. Access is revoked immediately upon audit completion.
No. The audit is entirely read-only. We query the Microsoft Graph API and Intune service to collect configuration data, policy assignments, and device status. No changes are made to your tenant, no policies are modified, and no devices are affected. Your users will not notice anything.
You receive a comprehensive audit report that includes: an executive summary with overall tenant health score, detailed findings organized by severity (critical, high, medium, low), specific remediation steps for each finding, a policy conflict map showing overlapping or contradictory configurations, licensing optimization recommendations, a prioritized remediation roadmap with effort estimates, and a 60-minute walkthrough session with your team.
Free 30-minute consultation to scope your audit. We will review your environment size, current pain points, and timeline.