Microsoft
Technology partner

Microsoft

The secure foundation most organisations already own.

Why we partner with Microsoft

Microsoft 365 and Azure sit at the centre of most environments we work in. That makes Purview, Entra and Defender the natural foundation for identity, data and endpoint security, and the only engine that can govern Copilot from the inside.

What we deliver with it

  • Licensing reviews that light up the security already paid for, from Business Premium to E3, E5 and the E7 step-up
  • Purview data governance, auto-labelling and Copilot-safe sensitivity labels
  • Entra identity: MFA, conditional access, PIM and zero-trust access for BYOD
  • Intune device (MDM) and app (MAM) management gating device and infrastructure access
  • Defender across endpoint, identity and cloud, plus AI-agent governance
Device security · where we started

Every device enrolled, hardened and provisioned in minutes.

Device and endpoint management is the craft Cornerstone was built on. We deliver a complete Intune practice on the Microsoft 365 you already own, from physical fleets to virtual desktops: a standard operating environment, zero-touch provisioning, and policy that follows the data, not the hardware.

Endpoint & device security

Corporate secure device management

Company-owned, Entra-joined devices enrolled in Intune across Windows, macOS, iOS and Android, with a hardened SOE, compliance policies and Conditional Access. The locked-down standard for the corporate fleet.

Fully managed · all platforms

BYOD & app management (MAM)

Protect corporate data on personal and unmanaged devices with Intune app protection policies (MAM) and Conditional Access. No full enrolment, nothing intrusive on the user's own device.

Protected · no full enrolment

Standard operating environment

One hardened, consistent build for every device, baselined to Essential Eight and your policies.

Essential Eight baselined

Autopilot & zero-touch deployment

Ship a sealed device straight to a new starter, anywhere. They sign in once and Autopilot builds it to your SOE automatically, fully enrolled, secured and app-ready, with no IT hands on the box and no imaging.

Zero-touch deployment

Virtual & cloud desktops

Azure Virtual Desktop architecture and rollouts, and Windows 365 Cloud PCs, secure, Intune-managed desktops streamed from the cloud. Ideal for contractors, BYOD, scale and fast onboarding, with images, host pools and Conditional Access done properly.

AVD · Windows 365 Cloud PC

Update & patch management

Windows Autopatch and third-party patching keep the whole fleet current automatically, closing the vulnerabilities attackers rely on.

Autopatch · third-party
Manage the device, control the data

The device is the gate to your data.

Identity proves who someone is; the device decides what they can reach. We tie data access to device posture with Conditional Access, so the right person on a healthy, compliant device gets in, and an unmanaged or risky one does not. Two clear strategies, one policy engine.

Corporate device access

Full access from trusted, managed devices

  • Company-owned, Entra-joined and Intune-compliant devices get full access to corporate data.
  • Conditional Access checks device health, compliance and risk on every sign-in.
  • Non-compliant or unmanaged devices are blocked or stepped down automatically.
BYOD strategy

Protected access from personal devices

  • Personal and contractor devices reach data through protected apps (MAM), not full enrolment.
  • Corporate data stays inside managed apps: no save-to-personal, no copy-paste out, remote wipe of work data only.
  • Browser and Cloud PC options give safe access with nothing left on the device.

The result is a single, defensible access model: data access follows the health of the device and the risk of the session, not just a password. It is the practical core of Zero Trust, and the foundation that makes safe Copilot and AI adoption possible.

Every platform, one standard

Windows, Mac, iOS and Android — one managed fleet.

Microsoft is the core, but a real fleet runs Apple and Samsung too. Pick a platform to see how we bring every device under zero-touch, locked, supervised management, alongside Intune.

Apple Business Manager

Zero-touch, supervised, locked

Zero-touch deployment

Macs, iPhones and iPads ship straight to the user and enrol themselves into Intune on first boot.

Supervised & locked enrolment

Devices are supervised and MDM enrolment is locked, so management cannot simply be removed.

App & book distribution

Volume-purchased apps and content pushed silently to the right people.

Apple management specialists

Mac, done to Apple's standard

For Mac-heavy design, education and exec fleets, we deliver dedicated Apple management alongside Intune, so macOS gets first-class policy, patching and security rather than an afterthought.

It is managed as one fleet, not a silo. Device compliance flows back into Entra ID and Conditional Access, identity stays unified, and your team sees Apple devices next to everything else, so adding a specialist tool never means a second, disconnected console.

Jamf
Iru

Jamf and Iru, integrated with Intune and Entra ID for one managed fleet.

Samsung Knox

Hardware-backed, zero-touch Android

Knox Mobile Enrolment

Samsung devices auto-enrol into Intune at first power-on, with no manual staging.

Hardware-backed security

Knox's chip-level trusted environment protects credentials and data below the OS.

Android Enterprise modes

Fully managed, work profile or kiosk, the right footing for corporate, BYOD and frontline devices.

Managed through Intune

One console, the whole Android fleet

Samsung and broader Android devices sit under the same Intune policies, compliance and Conditional Access as everything else, so a mixed fleet is still one standard, not three silos.

Samsung
One standard, every device

Whatever the badge, the same policy follows the data

Windows, macOS, iOS and Android all enrol into Intune through their native zero-touch program, inherit your standard operating environment, and answer to the same compliance and Conditional Access rules. New starters are productive in minutes; leavers are wiped in one click.

Microsoft
Apple
Samsung
Jamf
Iru
Privileged access

Standing admin rights are the back door. Close it.

The accounts attackers want most are the ones with permanent admin rights. Microsoft's own answer is Privileged Identity Management (PIM) in Entra ID P2: no one holds privilege all the time, they request it when needed, and it expires automatically.

Just-in-time

Elevate only when needed

Admin roles are activated on request, time-bound and auto-expiring, so there is no standing privilege for an attacker to inherit.

Approval & MFA

Gate the powerful roles

Elevation can require approval, justification and a fresh MFA challenge, with every activation logged for audit.

Access reviews

Prove who holds privilege

Recurring certification of who can elevate, so privilege does not quietly accumulate, the evidence assessors increasingly ask for.

Where Delinea extends it

Beyond the Microsoft estate

For credential vaulting, automatic secret rotation, session recording and privileged access to servers, databases and contractors, we layer in Delinea.

PIM needs Entra ID P2 (included in E5 or the Entra ID P2 add-on). Check what your current plan covers in the licensing planner below, or see Identity & Access.

AI readiness · phase 2

Assessment is step one. The rebuild is where the risk actually drops.

A readiness assessment shows you what Copilot can reach. Phase two is the work that closes it: rebuilding the foundations so access, classification and governance hold up before AI is switched on across the business. This is where most of the value is, and where we spend most of our time.

01
Foundation rebuild · SharePoint & Entra ID

First, fix what AI would read

A central, future-proofed library with a clear three-layer folder model, hub sites, Microsoft Teams integration and Viva Connections. We remediate oversharing and broken inheritance, replace ad-hoc sharing with governed Entra ID groups and access reviews, and keep permissions clean as people join, move and leave. The structure Copilot can be trusted to read.

Hub sites & structureTeams & VivaEntra ID groupsAccess reviews
See the architecture guide
02
Data loss prevention (DLP)

Classify it, then stop it leaving

A sensitivity-label taxonomy the business understands and auto-labelling where it earns its place, then Purview DLP policies across email, SharePoint, endpoints and the browser that stop sensitive data leaving, including into GenAI tools, and decide what Copilot is allowed to surface.

Sensitivity labelsAuto-labellingPurview DLPEndpoint & browser
03
Device & access security · Intune

Secure how people reach your data

Intune device management (MDM) and app protection (MAM), device compliance and Conditional Access, so corporate data is only reached from healthy, trusted devices. Company-owned devices get full access; personal and BYOD devices reach data through protected apps, with no full enrolment.

Intune MDMApp protection (MAM)Device complianceConditional Access
04
Then, safe adoption

Copilot switched on with confidence

With the foundations rebuilt, data classified, access governed and policy enforced, AI goes live against an environment that is ready for it, so productivity arrives without the exposure. This is the payoff the first three steps make safe.

Copilot readyGovernedNo exposure
Microsoft 365 licensing planner

You probably own more security than you use.

Most organisations are paying for capabilities they have never switched on, and missing a few that need a deliberate licence step. Pick your current plan to see what you can light up today across identity, device and data, and what unlocks the rest.

Indicative mapping of Microsoft 365 plans to the capabilities we deliver, verified against Microsoft licensing documentation. Plans and add-ons change; a licensing review confirms the exact, cheapest path for your tenant.

Go deeper

See every capability mapped to every plan, or price the step-up.

The full feature matrix compares all 36 capabilities across the six plans; the cost calculator turns a plan change into an indicative per-seat and multi-year investment.

Microsoft 365

What Microsoft already gives you, and how we make it work.

From Entra to Purview, in plain terms.

What does Microsoft 365 give us out of the box?

Identity (Entra), device management (Intune), endpoint protection (Defender), data protection (Purview), email security (Defender for Office), and the productivity suite. Most controls organisations need exist somewhere in M365; the work is configuring and connecting them. See our endpoint and data protection pages for what we build on top.

What licence level do we need?

It depends on the controls you need to deliver. We map your obligations and your Essential Eight maturity target back to the right SKUs and rationalise what you already own. We do not push enterprise SKUs you do not need.

What is Entra ID?

Microsoft’s cloud identity platform (the renamed Azure AD). It handles sign-in, MFA, Conditional Access, application access, and identity governance. See our identity page for the full pattern.

What is Intune for?

Cloud device and app management for laptops, desktops, phones and tablets. The modern replacement for legacy MDM and Group Policy.

What is Purview for?

Data security and governance across M365: sensitivity labels, DLP, retention, eDiscovery, insider risk, and compliance reporting. The foundation for safe Copilot rollout.

What about Microsoft Defender?

A family of products: Defender for Endpoint (EDR), Defender for Office 365 (email), Defender for Cloud Apps (CASB), Defender for Identity (on-prem identity threats), and Defender XDR which stitches them together.

Microsoft is one piece. We design the whole system.

We back the best-fit technology in each domain, integrate it properly, and hand it over to you to run. No lock-ins, just results.