Engineering Services

You bought the SKUs. We make them work.

Most enterprises pay for Microsoft 365 Business Premium, E5, Entra Suite, and Intune Suite — and operationalize a fraction of what the licenses entitle them to. Surya engineers the configuration that lights up the SKUs already on the bill, organized around a persona-driven Zero Trust architecture mapped to the CISA Zero Trust Maturity Model. For enterprises with existing Zscaler or on-premises SASE investments, we engineer the Microsoft control plane around what you already own. And we operate the network edge logistics under the same persona model — so the policy you design lives at every site, automatically.

/ 01 The Gap Analysis

Start here. Scope the engineering project on real data.

Every engineering engagement starts with a gap analysis. Fixed scope, defined deliverable, three weeks. The output is the artifact your CFO needs to approve the buildout — and the scope document Surya needs to quote the work.

/ Discovery

SKU inventory and configuration audit.

  • Microsoft license inventory: Business Premium, E5, E5 Security, Entra Suite, Intune Suite, Defender add-ons
  • Annual run-rate and renewal date for every SKU
  • Tenant and stack configuration audit (current state): Intune, Entra, Defender, Purview, GSA, and Zscaler (ZIA, ZPA, ZDX, Posture Control, Deception, Risk360)
  • Network edge inventory and architecture audit: site count, site types, current vendor stack, management plane, segmentation posture, and lifecycle state
  • Persona model maturity assessment

/ Diagnosis

Zero Trust maturity scoring.

  • Mapped to the CISA Zero Trust Maturity Model
  • Scored across Identity, Devices, Networks, Applications & Workloads, Data
  • Traditional / Initial / Advanced / Optimal rating per pillar
  • MSP displacement map — line-item, dollar-quantified

/ Prescription

Target architecture and engineering quote.

  • Persona-driven Zero Trust target architecture diagram
  • Gap-to-target work breakdown by track
  • Fixed-price engineering project quote per track
  • 30 to 50 page written report you can forward to the CFO and the CISO

Gap Analysis pricing is custom — scoped to tenant complexity, headcount, and compliance regime. Typical engagement: 3 weeks, fixed scope, fixed price.

Engagement Credit

The full gap analysis fee is credited back against the engineering project if you engage within 90 days of receiving the report.

Request a gap analysis →

/ 02 Engineering Tracks

Five tracks, one persona model.

Each track aligns to a Microsoft SKU you either own or are considering. The gap analysis tells you which tracks apply to you and in what order. All five tracks share a single persona model, so identity, endpoint, data, and access policy are defined once and applied consistently.

Track / 01

M365 Business Premium

Business Premium Operationalization

For mid-market operators (typically 50 to 300 seats) who own M365 Business Premium and haven't operationalized the security stack.

What Surya turns on

  • Intune device configuration and compliance policies (persona-driven)
  • Entra ID Conditional Access policies — Zero Trust foundation
  • Microsoft Defender for Business deployment and tuning
  • Windows Autopilot tenant setup and persona group design
  • Device encryption (BitLocker enforced through Intune) and Information Protection sensitivity labels at the Business Premium level
  • Self-Service Password Reset and MFA enforcement

Outcome

A Business Premium tenant that actually delivers the security and management posture the SKU promises. The first step out of the 'we have M365 but don't do anything with it' trap.

Track / 02

M365 E5 / E5 Security

E5 Security Activation

For enterprises (typically 250+ seats) who own M365 E5 or E5 Security and are using a fraction of what they pay for.

What Surya turns on

  • Defender XDR full deployment — Endpoint, Identity, Office 365, Cloud Apps
  • Purview Information Protection and DLP policies (persona-driven)
  • Purview Insider Risk Management
  • Entra ID P2 — Privileged Identity Management, Identity Protection, risk-based Conditional Access
  • Defender for Cloud Apps — SaaS visibility and governance
  • Compliance Manager configuration for HIPAA, NIST 800-171, SOC 2

Outcome

An E5 tenant operating at full feature utilization, with persona-driven policies that span identity, endpoint, data, and SaaS. Once Conditional Access, Intune compliance, Defender for Endpoint, and Purview are running together against one persona model, the identity, device, and data pillars of a Zero Trust architecture are in place as a by-product of the activation, not as a separate engagement.

Track / 03

Network Access Architecture — GSA and/or Zscaler

Identity-driven network access across the modern perimeter

For enterprises retiring legacy VPN and flat network controls in favor of identity-driven, Zero Trust network access. Two architectural paths: Microsoft Global Secure Access (Path A) and Zscaler (Path B), run separately or in coordination. The gap analysis determines which path applies to your existing investments and which integrations matter.

/ Path A

Microsoft Global Secure Access deployment

For enterprises adopting the Entra Suite — Microsoft's identity perimeter expansion that retires legacy VPNs and flat network access controls under a single Microsoft control plane.

What Surya turns on

  • Microsoft Global Secure Access (GSA) — the umbrella architecture and Microsoft's Security Service Edge (SSE)
  • Entra Internet Access (EIA) — the secure web gateway component, identity-based policy enforcement for internet and SaaS traffic
  • Entra Private Access (EPA) — the ZTNA component, identity-driven private app access — the IT/OT differentiator
  • Entra ID Governance — access reviews, entitlement management, lifecycle workflows
  • Entra Verified ID — verifiable credentials for workforce, partner, and contractor identity
  • Entra Permissions Management — cloud infrastructure entitlement management across Azure, AWS, GCP (Microsoft has announced retirement of this product; confirm current availability before scoping it)

Outcome

A modern identity perimeter under Microsoft Global Secure Access. EIA covers internet-bound traffic; EPA covers private app and OT-network traffic. The legacy VPN retires. A clinical biomedical engineer or a plant maintenance technician gets identity-driven access to specific OT segments — without a flat tunnel into the OT network.

/ Path B

Zscaler + Microsoft integration

For enterprises with existing Zscaler investments who want the Zscaler stack tightly integrated with the Microsoft identity, threat, and SIEM control plane they also own. Surya engineers the integration surfaces between the two stacks so they operate as one Zero Trust architecture rather than two parallel ones.

What Surya engineers

The Zscaler estate

  • Zscaler Internet Access (ZIA) — SSE policy design, TLS inspection scope, URL/file/SaaS controls, sandbox tuning
  • Zscaler Private Access (ZPA) — application segment design, connector architecture, browser access, privileged remote access
  • Zscaler Digital Experience (ZDX) — end-user experience monitoring, application performance scoring, ISP and SaaS path analytics
  • Zscaler Posture Control (CNAPP) — cloud workload posture across Azure, AWS, GCP
  • Zscaler Deception — decoy assets and lateral movement detection
  • Zscaler Risk360 — continuous Zero Trust risk scoring across the estate

The integration surfaces with Microsoft

  • Entra ID as the identity provider for ZIA and ZPA — SAML/OIDC, SCIM provisioning, group-based access policy
  • Conditional Access policies that condition Zscaler access on Entra device compliance, user risk score from Entra ID Protection, and session-level signals
  • Microsoft Defender for Endpoint posture signals into Zscaler Device Posture Profiles — so Zscaler enforces access based on Defender's device compliance and threat detection state
  • Zscaler logs streamed into Microsoft Sentinel — ZIA web logs, ZPA app access logs, tunnel logs, sandbox detonations — with correlation rules against Defender XDR events
  • Microsoft Purview sensitivity labels read and enforced by Zscaler DLP — Purview-classified data inherits enforcement across the SaaS perimeter, not just inside the Microsoft estate
  • Entra ID Governance lifecycle workflows wired to ZPA application segments — access reviews, certifications, and revocations flow through Entra against Zscaler entitlements
  • SOAR playbooks that respond across both systems — a Defender XDR detection can trigger a Zscaler session termination, and vice versa

Outcome

Two best-of-breed stacks operating as one Zero Trust architecture. Zscaler retains its SSE and ZTNA strengths; Microsoft retains the identity, endpoint, threat, and SIEM control plane. Policy is defined once at the identity layer and enforced consistently across both estates. The customer keeps the Zscaler investment they've already made and extracts full value from the Microsoft licenses they also pay for.

Path A, Path B, or both running together — the gap analysis maps your current investments to the right architecture. Most large enterprises end up with elements of both.

Track / 04

Intune Suite

Intune Suite Activation

For enterprises adopting the Intune Suite — Microsoft's endpoint management platform expansion.

What Surya turns on

  • Endpoint Privilege Management — just-in-time, rule-scoped elevation that removes standing local admin rights from end users
  • Remote Help — Microsoft-native remote support, replaces third-party tools
  • Advanced Endpoint Analytics — proactive remediation, anomaly detection
  • Microsoft Tunnel for Mobile Application Management — per-app access to private resources from unenrolled iOS and Android devices, governed by app protection policy
  • Specialty Device Management — frontline worker devices, kiosks, shared devices — directly relevant to clinical and manufacturing personas

Outcome

An Intune deployment that delivers the modern endpoint management story Microsoft sells the SKU on, with persona-driven policies that span corporate, clinical, and OT endpoints.

Track / 05

On-Premises SASE / SD-WAN ZTNA

Vendor-pragmatic network edge for IT/OT and multi-site operators

For enterprises whose network access plane should be enforced at the appliance rather than the cloud — typically OT-heavy manufacturers, regulated healthcare networks, and multi-site operators with existing firewall investments. A third architectural option alongside Microsoft Global Secure Access (Track 03 Path A) and Zscaler (Track 03 Path B).

What Surya engineers

The architecture layer

  • Next-generation firewall with integrated SD-WAN and ZTNA at every site
  • Persona-driven security policy enforced at the appliance, mapped to Entra identity claims
  • IT/OT segmentation aligned to the Purdue model, with industrial protocol awareness at the boundary
  • Site-to-site SD-WAN with application-aware routing and dynamic failover
  • Wireless segmentation per persona (clinical, corporate, guest, OT)
  • Inline threat prevention with sandboxing, IPS, and URL filtering at the edge

The integration surfaces with Microsoft

  • Entra ID as the identity provider for ZTNA — SAML/OIDC, group-based policy
  • Conditional Access integration so appliance access decisions inherit Entra device compliance and user risk signals
  • Microsoft Defender for Endpoint posture signals into ZTNA policy engine
  • Appliance logs streamed into Microsoft Sentinel for unified SOC operations
  • SOAR playbooks that respond across endpoint and network edge — a Defender XDR detection can trigger appliance-level session termination
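The Conditional Access integration listed here, and the equivalent item under Track 03 Path B for Zscaler, rests on one mechanism: the ZTNA front end (appliance or Zscaler) is registered as an enterprise application in Entra ID, and Conditional Access policies scoped to each persona group gate that application on Intune device compliance and on the Entra ID Protection user-risk level. The block below is an added illustration of that pattern in Microsoft Graph PowerShell; it is not Surya's, Zscaler's, or Microsoft's own code. The persona group IDs, the break-glass group ID, and the ZTNA application ID are placeholders (assumptions), and the user-risk condition requires Entra ID P2 (Track 02). Policies are created in report-only state so their effect can be read from sign-in logs before anything is enforced.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph PowerShell SDK.
# ASSUMPTIONS: every GUID below is a placeholder for your tenant's own object IDs.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Persona model: one entry per persona, carrying the Entra group that defines it
# and the user-risk levels at which that persona is blocked outright.
$Personas = @(
    @{ Name = 'Clinical';   GroupId = '00000000-0000-0000-0000-000000000001'; BlockUserRisk = @('high') },
    @{ Name = 'PlantOT';    GroupId = '00000000-0000-0000-0000-000000000002'; BlockUserRisk = @('high', 'medium') },
    @{ Name = 'Corporate';  GroupId = '00000000-0000-0000-0000-000000000003'; BlockUserRisk = @('high') },
    @{ Name = 'Contractor'; GroupId = '00000000-0000-0000-0000-000000000004'; BlockUserRisk = @('high', 'medium') }
)

# Assumed: appId of the ZTNA enterprise application (Zscaler or the appliance ZTNA portal).
$ZtnaAppId = '11111111-1111-1111-1111-111111111111'
# Assumed: emergency-access (break-glass) accounts, excluded from every policy so a
# mis-scoped rule or an Intune outage cannot lock the tenant out.
$BreakGlassGroupId = '22222222-2222-2222-2222-222222222222'

foreach ($p in $Personas) {
    # Policy 1: the ZTNA app is only reachable from a device Intune marks compliant.
    # The appliance or Zscaler never sees a session from an unmanaged device.
    $requireCompliant = @{
        displayName   = "ZT-$($p.Name)-ZTNA-RequireCompliantDevice"
        state         = 'enabledForReportingButNotEnforced'   # report-only first
        conditions    = @{
            users          = @{ includeGroups = @($p.GroupId); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @($ZtnaAppId) }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant | Out-Null

    # Policy 2: block the persona at its risk threshold. Scoped to all applications so
    # a risky identity is cut off everywhere, not only at the network edge.
    $blockRisk = @{
        displayName   = "ZT-$($p.Name)-BlockUserRisk"
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeGroups = @($p.GroupId); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            userRiskLevels = $p.BlockUserRisk                   # needs Entra ID P2
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $blockRisk | Out-Null
}

# Check: every persona policy exists and is still report-only before anyone flips it on.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -like 'ZT-*' |
    Select-Object DisplayName, State |
    Sort-Object DisplayName
```

Two practitioner notes. First, the compliant-device grant only has teeth once the persona's Intune compliance policy (Track 01 or 02) is assigned and the devices have reported in; a device with no compliance state is treated as non-compliant, which is the desired fail-closed behavior but will surface as report-only "failures" until enrollment catches up. Second, review the report-only results in the Entra sign-in logs for at least one full business cycle per persona before changing `state` to `enabled`, and leave the break-glass exclusion in place permanently.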

The integration surfaces with the OT environment

  • Compatibility validation against Siemens, Rockwell, Fanuc, Schneider, and other OT vendor matrices
  • Industrial protocol inspection at level 3 / 3.5 Purdue boundaries
  • Coordinated change windows respecting plant production schedules
  • OT security team sign-off built into the commissioning runbook

Outcome

An enforcement layer at every site that operates as part of the Microsoft Zero Trust architecture, not parallel to it. The on-premises appliance handles what cloud SSE can't reach — OT segments, latency-sensitive applications, sovereign data zones — while inheriting the same persona-driven identity policy as everything else.

Track 03 Path A, Track 03 Path B, Track 05, or a combination — the gap analysis maps your footprint, your existing investments, and your IT/OT requirements to the right enforcement architecture.

Engineering project pricing is custom. Every quote is scoped from the gap analysis — there is no honest fixed price for engineering work without knowing what's already configured, what's licensed, and where the gaps are.

/ 03 Network Edge Logistics

Templated network edge, operated under one persona model.

The engineering tracks define how identity, endpoint, data, and threat policy fit together. The network edge is where that policy gets enforced at every site. Surya operates network edge logistics as a peer layer to endpoint logistics — same persona model, same operational discipline, same RTP facility.

/ Templated

Build

Site-type templates, configured once.

Per-site-type configuration templates — clinic edge, plant edge, warehouse edge, corporate edge, OT-segregated edge. Each template defines firewall rules, VLAN structure, SD-WAN policy, wireless SSIDs, and segmentation boundaries. The customer picks the template that matches the site. We configure, ship, and commission against it.

/ Staged

Ship

Pre-configured, certified, ready to plug in.

Appliances arrive in RTP, firmware leveled to the template's pinned version, base configuration applied, certificates installed, and registered to your management plane. They ship with branded packaging and a guided plug-in runbook a non-IT site contact can execute. Remote validation completes the bring-up — no engineer dispatched, no truck roll.

/ Operated

Lifecycle

Firmware, drift, certificates, refresh.

Once live, the appliance is under continuous Surya lifecycle: firmware updates against the pinned template, configuration drift remediation, certificate renewal, incident response, and end-of-life replacement. When a site closes or refreshes, we dispatch a return kit, recover the appliance, zeroize the configuration, and certify the chain of custody.

Stack selection is footprint-driven and surfaced during the gap analysis. We standardize per customer — not per vendor — so the architecture fits the site count, the security posture, and the platforms you already own.

Start with a gap analysis →

/ 04 The Principle

Policy is persona-driven, not device-driven.

A clinician, a plant operator, a corporate professional, and a contractor each have different access requirements, different data sensitivity exposure, different device compliance needs, and different risk profiles. The Surya engineering work defines those personas once and applies them consistently across identity (Entra), endpoint (Intune), data (Purview), threat detection (Defender), and access (Global Secure Access).

This is the architectural insight that ties the engineering layer to the logistics layer. The same personas that drive the engineered tenant configuration drive the gold images, app deployments, and kit contents in the endpoint logistics layer — and the firewall rules, segmentation policies, and ZTNA access decisions in the network edge logistics layer. One persona model, three operational layers — applied consistently whether your network access plane is Microsoft Global Secure Access, Zscaler, on-premises SASE, or a combination. That's what no MSP and no consulting firm currently delivers as a single offer.

/ 05 Continuous Engineering

Optional retainer — keep the environment current.

After the project work is delivered, Microsoft keeps shipping. New features, new SKU additions, evolving compliance requirements, new personas as the business grows. Continuous Engineering is a monthly retainer with named senior engineering hours.

  • Quarterly Intune baseline review and update against current CIS benchmarks
  • Conditional Access policy tuning, new persona rollouts, M365 roadmap integration
  • Compliance baseline maintenance for HIPAA, NIST 800-171, SOC 2, and customer-specific frameworks

Custom retainer pricing — sized to fleet, persona count, and compliance regime.

/ 06 Start the conversation

The gap analysis is the front door.

Every engagement starts the same way: a fixed-scope, fixed-fee gap analysis. Three weeks, one report, one quote. The gap analysis fee credits back against the engineering project if you engage within 90 days.