Greysolve
— The Coverage-Proof Protocol

Don't sign the renewal you can't prove.

"I'm signing something I cannot verify, and the consequences land on me personally."
— What every managing partner thinks at renewal

When the cyber renewal asks for exportable proof of MFA, admin access, and offboarding — have it. Built for the managing partner who signs the attestation.

24 questions · ~4 minutes · No call required
i. The brief

Three moments where policy isn't enough.

Every managing partner at a 150–350 person professional services firm is one document away from finding out what they actually signed.

i. Renewal Roulette

The cyber renewal asks for exportable proof of MFA, offboarding, and access reviews. You have policies, not evidence. One mismatch between attestation and tenant reality, and a future claim is denied.

ii. Questionnaires You Can't Pass

Enterprise prospects send 100–300 question security questionnaires before signing. Vague answers cost the engagement. Specific answers require evidence the firm hasn't organized.

iii. Paying, Not Using

The firm already pays for M365 Business Premium or E3. SSPR, Conditional Access, and lifecycle automation are all included. None of it is configured.

ii. Why it persists

Five assumptions quietly costing you the renewal.

The pain isn't accidental. It's downstream of how mid-market firms have been told to think about identity for the last decade.

  • Trusting the MSP to handle "security." They handle helpdesk; identity governance is a different job.
  • Treating identity as a one-time project rather than a managed function.
  • Believing "MFA is on" means MFA is enforced and exportable.
  • Assuming the cyber policy covers what it appears to cover. (It mostly doesn't — read it.)
  • Waiting for the renewal application to think about renewal answers.
iii. The Coverage-Proof Protocol

Six principles your renewals can rely on.

A repeatable sequence — not a checklist. You don't Seal before you Standardize. Each principle produces exportable evidence from the live tenant, not a policy PDF.

[ MICROSOFT 365 + ENTRA ID · LIVE-TENANT EVIDENCE · UNDERWRITER-FORWARDABLE ]
  • 01 Standardize · Document JML: Turn joiner-mover-leaver into a written, repeatable workflow with a clear owner. The thing every questionnaire asks about and most firms can't show.
  • 02 Stabilize · Source of Truth: Connect HR to M365 / Google Workspace (directly or via TalkIAM) so identities are created and disabled cleanly — without a ticket, a memory, or a hope.
  • 03 Envelope · SSO + App Connections: Connect SSO for up to 10 key apps; normalize identities and access inside each app. The footprint underwriters actually look at.
  • 04 Seal · Bolt the Door (MFA): Implement and gap-fill MFA by role and risk; remove weak exceptions; make posture easy to prove. Not "MFA is on" — MFA is enforced and exportable.
  • 05 Train the Guards · Manage the Keys (PAM): Reduce standing admin access. Make elevation approved, time-bound, and logged — so "who had admin when?" never goes unanswered again.
  • 06 Proof Automatic · Audit-Ready Evidence: Capture audit-ready evidence as a byproduct of daily operations — approvals, reviews, logs. The renewal answers itself when you reach this step.
iv. The fit

Built for one specific person.

The Managing Partner at a 150–350 person professional services firm — law, accounting, or insurance — running Microsoft 365. The one signing the cyber renewal and the enterprise client questionnaire.

A strong fit

If you're the one signing

  • 01 Managing Partner / Senior Partner — or the ops leader supporting them — at a law, accounting, or insurance firm
  • 02 150–350 employees, hybrid or multi-office, on Microsoft 365 / Entra ID
  • 03 Renewal applications and client questionnaires forcing "prove it" answers on MFA, admin access, JML, and access reviews
  • 04 Personally accountable for every attestation. Budget authority. Signature pen.
Probably not

If you want a buzzword

  • 01 You want a tool rollout without changing how access is owned, approved, and evidenced
  • 02 You're looking for a generic checkbox exercise disconnected from real controls
  • 03 You want "zero trust" branding without the underlying work
  • 04 You'd rather have a slide deck than a forwardable evidence packet
The brand promise
Prove what you signed.
— A FOUR-WORD PITCH FOR EVERY ATTESTATION YOU PUT YOUR NAME TO
v. The outcome

Three things that change when this is done right.

Coverage that pays. Questionnaires that close deals. Licenses that finally earn out.

i. SIGN WITH CONFIDENCE

Every answer is documented and exportable

When the renewal or questionnaire arrives, you sign what's true and prove it. No scrambling. No "we think." No hoping the IT vendor remembers.

ii. A CLAIM THAT PAYS OUT

Coverage that actually responds

When something happens, the carrier finds the controls match the attestation. The policy works the way you bought it to work. Fewer surprise exclusions.

iii. LICENSE EARNS OUT

The M365 you're already paying for, working

SSPR, Conditional Access, lifecycle automation — capabilities the firm pays for finally produce the evidence underwriters and clients want.

Darrick Richardson — Founder, Greysolve Consulting

Two decades of identity work. One opinion.

Darrick Richardson has spent twenty years configuring identity and access at firms whose names appear on every breach roundup — and every list of firms that didn't get breached.

Greysolve brings that discipline to professional services firms that need proof, not buzzwords. The protocol you see above is built from what underwriters and enterprise security teams actually accept as evidence — not what a vendor catalog says they should.

— Start here

Renewals and questionnaires aren't getting easier.

Get the Readiness Report to see where your access story stands before the next carrier review forces the issue. 24 questions. About 4 minutes. No call required.

NO OBLIGATION · BUILT FOR 150–350 EMPLOYEE FIRMS ON M365