Grey Matter Ltd

Microsoft 365

Microsoft 365 Enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely.

Microsoft 365 Enterprise consists of: Office 365 Enterprise; Windows 10 Enterprise; and Enterprise Mobility + Security (EMS).

There are three plans to choose from: E3, E5 and F1.


  • Identity & access management, protect users’ identities and control access
  • Threat protection, protect against advanced threats
  • Security management, gain visibility and control over security tools
  • Ensure documents and emails are seen only by authorized people
  • Email and calendar with Exchange
  • Connect to people, content, and apps with SharePoint
  • Voice, video, and chat with Skype and Microsoft Teams
  • Office 365 ProPlus on up to 15 devices per user
  • Broad support for PC, Mac, iOS, & Android platforms
  • Auto-enrollment of Windows PCs and devices


  • Comprehensive management of your entire workforce
  • Connect the experience across devices
  • Minimize TCO across deployment, management, & servicing
  • Visualize information in new ways
  • Create compelling content with intelligent apps
  • Detect and protect against external threats
  • On-premises Client Access Licenses (CALs) to some Microsoft server products
  • Access files and folders hosted in Microsoft's cloud securely anywhere
  • Intelligently collaborate with users across your organization and externally
  • Windows 10 deployment with upgrade in place and Autopilot


£7.5 per user per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

1 3 9 9 9 5 0 8 1 3 7 6 4 3 4


Grey Matter Ltd

Chris Chandler

01364 654100

Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints Microsoft cloud services require an active internet connection, and can be accessed from a supported internet browser. For information on app-specific or service-specific constraints, we can provide specific information on request.
System requirements

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Standard level offers you a 2-hour response time for your business-critical issues and our team are available Monday to Friday (excluding bank holidays), 9 am to 5:30 pm.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible None, standard text-based web chat.
Web chat accessibility testing None, standard text-based web chat.
Onsite support Yes, at extra cost
Support levels Standard free support offers: - Unlimited remote break/fix support - 2-hour response SLA for business-critical issues (severity A) - Support incident escalation service - 24x7 access to our ServiceAide helpdesk portal to log support requests, knowledge base and FAQs - Service availability Monday to Friday (excluding bank holidays), 09:00 to 17:30 24x7 support offerings are available upon request.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Combination of onsite training, online training, and user documentation.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Upon request.
End-of-contract process Option to renew or cancel the contract. Data can be removed or migrated.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Microsoft 365 includes various cloud services which offer mobile device capabilities. Most Microsoft cloud services such as Office 365, Teams, SharePoint, Power BI etc. have a mobile app which has reduced functionality. Where a native mobile app is not available, most commonly used browsers are supported. More details can be provided upon request.
Service interface Yes
Description of service interface Microsoft 365 uses various web portals which allows users and administrators to administer, configure and manage its cloud services. One of the main portals that would be used is
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing Microsoft performed these tests to achieve their WCAG certification. Because Microsoft is a major software and cloud-services provider to states and governments around the world, it is committed to complying with all relevant international standards and compliance controls. By adhering to these wide-ranging accessibility standards, Microsoft ensures that all customers—both inside and outside of government—can use Microsoft services and products.
What users can and can't do using the API Microsoft Graph is a unified API endpoint for accessing data across Microsoft 365, which includes Office 365, Enterprise Mobility, and Security and Windows services. It provides a simplified developer experience, with one endpoint and a single authentication token that gives your app access to data across all these services.

Further reading can be found here:

API documentation is publicly available and further information is available on request.
API documentation Yes
API documentation formats
  • HTML
  • ODF
  • PDF
API sandbox or test environment No
Customisation available Yes
Description of customisation Microsoft 365 cloud services can be configured and customised to conform to most business needs, even when they are complex. The customisation can be done by authorised users from within the portals available upon purchasing the product. End users can also customise the desktop applications such as Office apps and Teams, to fit their user preferences. If technical services are required, we can look at technical resource available and any associated costs.


Independence of resources Microsoft works continuously to ensure that the multi-tenant architectures of our cloud services support enterprise-level security, confidentiality, privacy, integrity, and availability standards. Microsoft continue to monitor their service available and health and will continue to invest in their data centers which have been designed to support massive multi-tenant enterprise scale.

For more information on their service health and continuity guarantees with Office 365 which is a service that is part of Microsoft 365, please see the following website:


Service usage metrics Yes
Metrics types Microsoft provide service health, service availability, usage metrics, workspace analytics, and many other forms of service metrics as part of your cloud services subscription. Some plans also include Power BI which enables you to create your own dashboards and reports and collaborate intelligently across your organization.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Microsoft

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Data exporting capabilities are available within the Microsoft 365 portals and what can be exported varies by service. For example you can export a list of users and groups from your Office 365 tenant directory, but you cannot export your mailbox data from the Office 365 portal, as Microsoft host the data in their own servers, however mailbox data is cached locally on PST Files and they can be retrieved locally with technical migration tools if required.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Microsoft's 365 service level agreements vary by service. Microsoft provide financial backing to our commitment to achieve and maintain the service levels for each service. If they do not achieve and maintain the service levels for each service as described in the Service Level Agreement, then you might be eligible for a credit towards a portion of your monthly service fees.

The latest SLA document can be downloaded here:

Further information can be provided upon request.
Approach to resilience Information is available on request.
Outage reporting There is a publicly available dashboard which includes service health informtion. Email alerts can be configured, and the API can also be used.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication Office 365 uses the cloud-based user identity and authentication service Azure Active Directory (Azure AD) to manage users. You can choose from two main authentication models in Office 365 to set up and manage user accounts; cloud authentication and federated authentication.
Access restrictions in management interfaces and support channels Microsoft 365 can designate separate administrators to serve different functions. These administrators will have access to features in the Office admin portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user-licenses, and manage domains, among other things.

A user who is assigned an admin role will have the same permissions across all of the cloud services that your organization has subscribed to, regardless of whether you assign the role in the Office 365 portal, or in the Azure portal.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Security governance is standardised via internal policies and procedures. The Microsoft platform complies to all standards detailed within the Microsoft Security and Compliance Centre.
Information security policies and processes Director level ownership, all processes are tracked and audited and there are additional requirements around change management. Accountability at all levels.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Microsoft have developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1 / SOC 2, NIST 800-53, and others.

Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft including the Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.

Please see: and
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerability scans are performed on a quarterly basis at a minimum.

Microsoft contracts with independent assessors to perform penetration testing of their datacenters.

Microsoft implement many vulnerability management processes, one of which being their edge router security which provides the ability to detect intrusions and signs of vulnerability at the network layer.

Further information on other processes are available on request.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Microsoft employs sophisticated software-defined service instrumentation and monitoring that integrates at the component or server level, the datacenter edge, their network backbone, Internet exchange sites, and at the real or simulated user level, providing visibility when a service disruption is occurring and pinpointing its cause.

Proactive monitoring continuously measures the performance of key subsystems of the Microsoft cloud services platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Microsoft has developed robust processes to facilitate a coordinated response to incidents.

• Identification – System and security alerts may be harvested, correlated, and analyzed.
• Containment – The escalation team evaluates the scope and impact of an incident.
• Eradication – The escalation team eradicates any damage caused by the security breach, identifies root cause for why the security issue occurred.
• Recovery – During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.
• Lessons Learned – Each security incident is analyzed to protect against future re-occurrence.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £7.5 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We offer a 25 user 30-day trial for all Microsoft 365 cloud services including Office 365, Enterprise Mobility + Security, and Windows 10.

Service documents

Return to top ↑