Microsoft 365 Services

Microsoft 365 is a cloud-based IT Solution providing email, file, collaboration, productivity, mobility and security with Office Applications.
Oncore IT provide consultancy, licensing, design, implementation and ongoing support.


  • Microsoft Office Applications - Desktop and Web
  • File storage, management and Sharing
  • Email, calendaring and archiving
  • Online Meetings, Video calls and Chat
  • Team Sites for Information sharing
  • Security and Compliance
  • PC and Mobile Device Management


  • Work from anywhere
  • Access to the latest versions of applications throughout the subscription
  • Modern Working - Team work and Collaboration
  • Increase company security posture - platform and endpoints
  • Increased productivity - mobility and security, AI services
  • Reduce IT Maintenance costs - Cloud platform managed by Microsoft
  • Data Protection with privacy and compliance tools


£3.80 a user a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

4 4 9 8 4 2 2 7 8 7 2 1 5 0 8


Telephone: 02038183411

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements
Dependent on each deployment

User support

Email or online ticketing support
Email or online ticketing
Support response times
Dependent on the level of support required from Oncore IT. These will be defined as part of the Project.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Onsite support
Support levels
Oncore IT can provide 24x7x365, Business Hours or Bespoke hours support in accordance with the Clients requirements.
Support Levels will be agreed with the client as part of the Project.
Each client will be assigned an Account Manager and Technical Lead.
Please also refer to our Infrastructure and Desktop Support Services on G-Cloud.
Support available to third parties

Onboarding and offboarding

Getting started
Oncore IT Account Manager, Technical consultant and Project Manager will be assigned to the account. These will provide consultancy to assess requirements for a M365 solution, including a review of current IT Infrastructure, Network and Endpoints for suitability and recommendations for change. Training requirements will be identified and training provided.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Please refer to Microsoft published information,
End-of-contract process
It will be discussed with the Client prior to renewal whether they wish to continue the contract with Oncore IT. If the contracted is not renewed then Oncore IT can assist with an Offboarding process, this will be managed as a separate project at additional cost.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Compatible operating systems
  • Android
  • IOS
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices
Differences between the mobile and desktop service
Mobile Office apps included in subscription. These are specifically designed for mobiles and link in with the Cloud solution and desktop applications.
Service interface
Description of service interface
Admin Center
Security & Compliance Center
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Microsoft have a strong Accessibility approach. Please refer to
What users can and can't do using the API
Office 365 APIs
Office 365 Management APIs
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Admin and users can customise the Microsoft 365 Experience.
Choice of various plans depending on business requirements + add on applications


Independence of resources
Platform and Virtual Infrastructure is actively monitored
Platform is designed for mass scalability on a global and regional level


Service usage metrics
Metrics types
Built in usage reports
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
There are multiple tools within Microsoft Azure to safeguard data according to the security and compliance needs of the Client. These are many and numerous.
Information Protection - set policies
Secure Score - measure protection
Security & Compliance Center - Management
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
See Microsoft Published information on data portability,
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Refer to Microsoft Data Portability published documents
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • See Microsoft Fastrack -
  • .txt

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Please refer to the published 'Service Level Agreement for Microsoft Online Services'
Approach to resilience
Refer to published Microsoft document 'Resiliency/Reliability: Azure keeps your applications up and running and your data available'
Outage reporting
Microsoft 365 Service health status - web
Email alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Active Directory
Role-based access control (RBAC)
Multi-Factor Authentication
Privileged Identity Management
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Oncore - Approachable Certification Ltd - Microsoft - see
ISO/IEC 27001 accreditation date
Oncore IT - 26 April 2019 - Microsoft - see
What the ISO/IEC 27001 doesn’t cover
Oncore IT - all operations
Microsoft - see
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
Microsoft -
CSA STAR certification level
Level 4: CSA C-STAR Assessment
What the CSA STAR doesn’t cover
See Microsoft Audit Reports in the Service Trust Portal
PCI certification
Who accredited the PCI DSS certification
See - Audit Reports
PCI DSS accreditation date
Various - see Audit Reports (Link below)
What the PCI DSS doesn’t cover
See Microsoft Accreditation -
Other security certifications
Any other security certifications
See for a full list

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards
Refer to
Information security policies and processes
A number of teams across Microsoft contribute to identifying information security risks, developing policies to protect the infrastructure on which data is hosted and accessed, and revising policies and controls to address such risks.
See published document 'Information Security Management System
for Microsoft’s Cloud Infrastructure'

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
See Microsoft published information -
If Oncore IT are managing changes then we will follow out change control procedure, changes are agreed with the client, documented with risk assessment and electronically signed by both parties.
Other changes (standard) are given a unique reference, ticketed and stored in our PSA system.
The Service Level Agreement defines the various changes and process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Microsoft platform conforms to a recognised standard
Vulnerability scanning, vulnerabilities tracked and verified for remediation.
Automated patching
Regular Penetration Testing
Please see the Microsoft Trust Centre for more information
Protective monitoring type
Protective monitoring approach
Available on Request
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
ITIL based service desk operation
Dependent on the support Oncore IT is providing, will be defined as part of the process. Typically Incidents are classed based on impact and urgency - P1 to P4. This is all define in the Oncore IT Service Level Agreement, see Oncore Infrastructure and Desktop Support Services in G-Cloud.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£3.80 a user a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.