
Microsoft
The secure foundation most organisations already own.
Microsoft 365 and Azure sit at the centre of most environments we work in. That makes Purview, Entra and Defender the natural foundation for identity, data and endpoint security, and the only engine that can govern Copilot from the inside.
What we deliver with it
- ✓Licensing reviews that light up the security already paid for, from Business Premium to E3, E5 and the E7 step-up
- ✓Purview data governance, auto-labelling and Copilot-safe sensitivity labels
- ✓Entra identity: MFA, conditional access, PIM and zero-trust access for BYOD
- ✓Intune device (MDM) and app (MAM) management gating device and infrastructure access
- ✓Defender across endpoint, identity and cloud, plus AI-agent governance
Every device enrolled, hardened and provisioned in minutes.
Device and endpoint management is the craft Cornerstone was built on. We deliver a complete Intune practice on the Microsoft 365 you already own, from physical fleets to virtual desktops: a standard operating environment, zero-touch provisioning, and policy that follows the data, not the hardware.
Endpoint & device securityCorporate secure device management
Company-owned, Entra-joined devices enrolled in Intune across Windows, macOS, iOS and Android, with a hardened SOE, compliance policies and Conditional Access. The locked-down standard for the corporate fleet.
Fully managed · all platformsBYOD & app management (MAM)
Protect corporate data on personal and unmanaged devices with Intune app protection policies (MAM) and Conditional Access. No full enrolment, nothing intrusive on the user's own device.
Protected · no full enrolmentStandard operating environment
One hardened, consistent build for every device, baselined to Essential Eight and your policies.
Essential Eight baselinedAutopilot & zero-touch deployment
Ship a sealed device straight to a new starter, anywhere. They sign in once and Autopilot builds it to your SOE automatically, fully enrolled, secured and app-ready, with no IT hands on the box and no imaging.
Zero-touch deploymentVirtual & cloud desktops
Azure Virtual Desktop architecture and rollouts, and Windows 365 Cloud PCs, secure, Intune-managed desktops streamed from the cloud. Ideal for contractors, BYOD, scale and fast onboarding, with images, host pools and Conditional Access done properly.
AVD · Windows 365 Cloud PCUpdate & patch management
Windows Autopatch and third-party patching keep the whole fleet current automatically, closing the vulnerabilities attackers rely on.
Autopatch · third-partyThe device is the gate to your data.
Identity proves who someone is; the device decides what they can reach. We tie data access to device posture with Conditional Access, so the right person on a healthy, compliant device gets in, and an unmanaged or risky one does not. Two clear strategies, one policy engine.
Full access from trusted, managed devices
- ▸Company-owned, Entra-joined and Intune-compliant devices get full access to corporate data.
- ▸Conditional Access checks device health, compliance and risk on every sign-in.
- ▸Non-compliant or unmanaged devices are blocked or stepped down automatically.
Protected access from personal devices
- ▸Personal and contractor devices reach data through protected apps (MAM), not full enrolment.
- ▸Corporate data stays inside managed apps: no save-to-personal, no copy-paste out, remote wipe of work data only.
- ▸Browser and Cloud PC options give safe access with nothing left on the device.
The result is a single, defensible access model: data access follows the health of the device and the risk of the session, not just a password. It is the practical core of Zero Trust, and the foundation that makes safe Copilot and AI adoption possible.
Windows, Mac, iOS and Android — one managed fleet.
Microsoft is the core, but a real fleet runs Apple and Samsung too. Pick a platform to see how we bring every device under zero-touch, locked, supervised management, alongside Intune.
Zero-touch, supervised, locked
Zero-touch deployment
Macs, iPhones and iPads ship straight to the user and enrol themselves into Intune on first boot.
Supervised & locked enrolment
Devices are supervised and MDM enrolment is locked, so management cannot simply be removed.
App & book distribution
Volume-purchased apps and content pushed silently to the right people.
Mac, done to Apple's standard
For Mac-heavy design, education and exec fleets, we deliver dedicated Apple management alongside Intune, so macOS gets first-class policy, patching and security rather than an afterthought.
It is managed as one fleet, not a silo. Device compliance flows back into Entra ID and Conditional Access, identity stays unified, and your team sees Apple devices next to everything else, so adding a specialist tool never means a second, disconnected console.


Jamf and Iru, integrated with Intune and Entra ID for one managed fleet.
Hardware-backed, zero-touch Android
Knox Mobile Enrolment
Samsung devices auto-enrol into Intune at first power-on, with no manual staging.
Hardware-backed security
Knox's chip-level trusted environment protects credentials and data below the OS.
Android Enterprise modes
Fully managed, work profile or kiosk, the right footing for corporate, BYOD and frontline devices.
One console, the whole Android fleet
Samsung and broader Android devices sit under the same Intune policies, compliance and Conditional Access as everything else, so a mixed fleet is still one standard, not three silos.

Whatever the badge, the same policy follows the data
Windows, macOS, iOS and Android all enrol into Intune through their native zero-touch program, inherit your standard operating environment, and answer to the same compliance and Conditional Access rules. New starters are productive in minutes; leavers are wiped in one click.





Standing admin rights are the back door. Close it.
The accounts attackers want most are the ones with permanent admin rights. Microsoft's own answer is Privileged Identity Management (PIM) in Entra ID P2: no one holds privilege all the time, they request it when needed, and it expires automatically.
Elevate only when needed
Admin roles are activated on request, time-bound and auto-expiring, so there is no standing privilege for an attacker to inherit.
Gate the powerful roles
Elevation can require approval, justification and a fresh MFA challenge, with every activation logged for audit.
Prove who holds privilege
Recurring certification of who can elevate, so privilege does not quietly accumulate, the evidence assessors increasingly ask for.
Beyond the Microsoft estate
For credential vaulting, automatic secret rotation, session recording and privileged access to servers, databases and contractors, we layer in Delinea.
PIM needs Entra ID P2 (included in E5 or the Entra ID P2 add-on). Check what your current plan covers in the licensing planner below, or see Identity & Access.
Assessment is step one. The rebuild is where the risk actually drops.
A readiness assessment shows you what Copilot can reach. Phase two is the work that closes it: rebuilding the foundations so access, classification and governance hold up before AI is switched on across the business. This is where most of the value is, and where we spend most of our time.
First, fix what AI would read
A central, future-proofed library with a clear three-layer folder model, hub sites, Microsoft Teams integration and Viva Connections. We remediate oversharing and broken inheritance, replace ad-hoc sharing with governed Entra ID groups and access reviews, and keep permissions clean as people join, move and leave. The structure Copilot can be trusted to read.
Classify it, then stop it leaving
A sensitivity-label taxonomy the business understands and auto-labelling where it earns its place, then Purview DLP policies across email, SharePoint, endpoints and the browser that stop sensitive data leaving, including into GenAI tools, and decide what Copilot is allowed to surface.
Secure how people reach your data
Intune device management (MDM) and app protection (MAM), device compliance and Conditional Access, so corporate data is only reached from healthy, trusted devices. Company-owned devices get full access; personal and BYOD devices reach data through protected apps, with no full enrolment.
Copilot switched on with confidence
With the foundations rebuilt, data classified, access governed and policy enforced, AI goes live against an environment that is ready for it, so productivity arrives without the exposure. This is the payoff the first three steps make safe.
You probably own more security than you use.
Most organisations are paying for capabilities they have never switched on, and missing a few that need a deliberate licence step. Pick your current plan to see what you can light up today across identity, device and data, and what unlocks the rest.
Indicative mapping of Microsoft 365 plans to the capabilities we deliver, verified against Microsoft licensing documentation. Plans and add-ons change; a licensing review confirms the exact, cheapest path for your tenant.
See every capability mapped to every plan, or price the step-up.
The full feature matrix compares all 36 capabilities across the six plans; the cost calculator turns a plan change into an indicative per-seat and multi-year investment.
See exactly where you stand
A rapid assessment of your tenant, your licences and your gaps, with a prioritised plan in plain English.
Start a health checkStop paying for shelfware
We map what you own to what you actually need, switch on what is already licensed, and right-size the rest before you renew.
Book a licensing reviewWhat Microsoft already gives you, and how we make it work.
From Entra to Purview, in plain terms.
What does Microsoft 365 give us out of the box?
Identity (Entra), device management (Intune), endpoint protection (Defender), data protection (Purview), email security (Defender for Office), and the productivity suite. Most controls organisations need exist somewhere in M365; the work is configuring and connecting them. See our endpoint and data protection pages for what we build on top.
What licence level do we need?
It depends on the controls you need to deliver. We map your obligations and your Essential Eight maturity target back to the right SKUs and rationalise what you already own. We do not push enterprise SKUs you do not need.
What is Entra ID?
Microsoft’s cloud identity platform (the renamed Azure AD). It handles sign-in, MFA, Conditional Access, application access, and identity governance. See our identity page for the full pattern.
What is Intune for?
Cloud device and app management for laptops, desktops, phones and tablets. The modern replacement for legacy MDM and Group Policy.
What is Purview for?
Data security and governance across M365: sensitivity labels, DLP, retention, eDiscovery, insider risk, and compliance reporting. The foundation for safe Copilot rollout.
What about Microsoft Defender?
A family of products: Defender for Endpoint (EDR), Defender for Office 365 (email), Defender for Cloud Apps (CASB), Defender for Identity (on-prem identity threats), and Defender XDR which stitches them together.
Microsoft is one piece. We design the whole system.
We back the best-fit technology in each domain, integrate it properly, and hand it over to you to run. No lock-ins, just results.