Levett Consultancy Ltd

Microsoft 365 Platform

Microsoft 365 is the productivity cloud that brings together best-in-class Office apps with powerful cloud services, device management, and advanced security, all under a range of flexible licensing options to help meet organisations' cloud platform requirements.


  • Flexible licensing and features to support organisations' requirements
  • Latest versions of Word, Excel, PowerPoint
  • Email and calendaring
  • Keep your team on the same page with Microsoft Teams
  • Manage your files from anywhere with OneDrive storage
  • Capture insights using surveys, polls, and questionnaires
  • 24/7 Support


  • Simplified IT management
  • Keep customer data safe
  • Defend against cyberthreats
  • Automated processes
  • Streamlined workflow
  • Works with the apps you already have
  • Related services provided by Levett Consultancy, a Microsoft Partner


£45.60 a user a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@levettconsultancy.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

804557823002457


Levett Consultancy Ltd Joanne Levett
Telephone: 01279 799256
Email: gcloud@levettconsultancy.co.uk

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints
There are multiple licensing options for flexibility, and not all services and features are available in every version. For full details, please visit the following: https://www.microsoft.com/en-gb/microsoft-365/compare-all-microsoft-365-products?&activetab=tab:primaryr2
System requirements
  • A modern browser
  • A full list of requirements can be found here: https://bit.ly/MS365-Requirements

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Monday to Friday, 8am to 5pm, excluding Saturdays, Sundays and UK public holidays. Response times are described within the G Cloud Support 'Service Definition' document.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
In addition to standard Microsoft support, Levett Consultancy provides support as part of our G Cloud Cloud support service. Levett Consultancy also provides a dedicated account manager and Microsoft certified support engineers.
Support available to third parties

Onboarding and offboarding

Getting started
Levett Consultancy is a long-term Microsoft Partner with a proven track record of deploying Microsoft technologies into Central & Local Government, Education, 3rd Sector and Private sector. If required, Levett Consultancy provides, at an additional cost, a comprehensive onboarding deployment service, detailed within our optional G Cloud deployment services, that includes consultancy, deployment, data migration and training.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Admins can export data following the guidance here: https://docs.microsoft.com/en-us/microsoft-365/commerce/subscriptions/back-up-data-before-switching-plans?view=o365-worldwide
End-of-contract process
During the term of an active subscription, a subscriber can access, extract, or delete customer data stored in Office 365. If a paid subscription ends or is terminated, Microsoft retains customer data stored in Office 365 in a limited-function account for 90 days to enable the subscriber to extract the data. After the 90-day retention period ends, Microsoft disables the account and deletes the customer data. No more than 180 days after expiration or termination of a subscription to Office 365, Microsoft disables the account and deletes all customer data from the account. Once the maximum retention period for any data has elapsed, the data is rendered commercially unrecoverable.

Full details on data retention and deletion can be found here: https://docs.microsoft.com/en-us/office365/enterprise/office-365-data-retention-deletion-and-destruction-overview

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Custom mobile applications are available both for iOS and Android which provide a bespoke user experience tailored to the operating system in question. For other mobile operating systems, web browser support is included which provides an equivalent experience to the desktop environment.
Service interface
Description of service interface
Microsoft 365 is accessed through the Microsoft 365 portal using a modern web browser from any device.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Microsoft makes accessibility a core consideration from the earliest stages of product design through release. A central accessibility team has a mandate to monitor the state of accessibility of all Microsoft products. Further details can be found here: https://www.microsoft.com/en-us/accessibility/
What users can and can't do using the API
Microsoft 365 services, such as OneNote, Outlook, Excel, OneDrive, Microsoft Teams, Planner, and SharePoint, are now exposed in Microsoft Graph. Microsoft Graph is a unified API endpoint for accessing data across Microsoft 365, which includes Office 365, Enterprise Mobility, and Security and Windows services. It provides a simplified developer experience, with one endpoint and a single authentication token that gives your app access to data across all these services.
API documentation
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
The type of Microsoft 365 license applied dictates what an organisation can customise within Microsoft 365. Standard customisation features allow an organisation to change its theme to match its branding within the Microsoft 365 admin centre. End users can personalise pinned apps and notifications. Microsoft 365 also provides Microsoft Power Apps to allow developers to build applications quickly to innovate and solve problems.


Independence of resources
Microsoft provides a high level of tenant isolation, both for security and for performance. Microsoft data centres are massively scaled and offer dedicated performance. For more information, please review the latest information below:


Service usage metrics
Metrics types
You can easily see how people in your business are using Microsoft 365 services. For example, you can identify who is using a service a lot and reaching quotas, or who may not need a Microsoft 365 license at all. Reports are available for the last 7 days, 30 days, 90 days, and 180 days. Data won't exist for all reporting periods right away. The reports become available within 48 hours.

Full details here: https://docs.microsoft.com/en-us/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Reseller providing extra support
Organisation whose services are being resold

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Further information is available here: https://www.microsoft.com/security/blog/2015/09/10/cloud-security-controls-series-encrypting-data-at-rest/
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
User can export their data by following the guidance here: https://docs.microsoft.com/en-us/microsoft-365/commerce/subscriptions/back-up-data-before-switching-plans?view=o365-worldwide
Data export formats
  • CSV
  • Other
Other data export formats
  • Docx
  • Xlsx
  • Pptx
Data import formats
  • CSV
  • Other
Other data import formats
  • Docx
  • Xlsx
  • Pptx

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Microsoft provides a financially backed uptime SLA. For details, please visit
Approach to resilience
Microsoft offers a high level of resilience using multiple redundant data centres across the UK and the EU. Further details can be found here: https://docs.microsoft.com/en-gb/Office365/securitycompliance/office-365-data-resiliency-overview
Outage reporting
A tenant-specific 'Service Health' Dashboard is available in the Microsoft 365 Admin Center. Outages are also reported via email to the organisation administrators.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
All support can be carried out by specified administration accounts only as required. Only those with granted permissions can access the admin centre and command-line operations. Administration access is governed using Multi-factor authentication (MFA) and conditional access rules.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Details of items that are included and not included can be found here: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide?command=Download&downloadType=Document&downloadId=7c413968-9965-4a68-b59f-c0d106c63e4b&docTab=4ce99610-c9c0-11e7-8c2c-f908a777fa4d_ISO_Reports
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes
Microsoft customers and regulators expect independent verification of our security, privacy, and compliance controls. In order to provide this, Microsoft undergoes several independent third-party audits on a regular basis. For each one, an independent auditor examines data centres, infrastructure, and operations. Regular audits are conducted to certify our compliance with the auditing standards ISO 27001, SOC, FedRAMP and PCI/DSS. Audit reports can be found here: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Microsoft 365 has developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1/SOC 2, NIST 800-53, and others.
Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft. OSA combines this knowledge with the experience of running hundreds of thousands of servers in datacentres around the world.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Microsoft administers a vulnerability management process that actively scans for security threats using a combination of commercially available and purpose-built tools, intensive automated/manual penetration efforts, quality assurance processes, software security reviews and external audits. The vulnerability management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The vulnerability management team tracks such issues and follows up frequently until they can verify that the issues have been remediated. Microsoft also maintains relationships and interfaces with members of the security research community.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Microsoft uses threat intelligence as protective monitoring of the product vulnerabilities. Threat intelligence gathers indicators or signals from a breadth and depth of sources to understand the threat landscape. As a security leader, Microsoft builds on our vast experience as a global enterprise, ongoing study of the threat landscape, broad scale, strength of signal, and visionary thinking to help understand and mitigate the effects of increasingly sophisticated attacks. These include zero-day attacks, targeted phishing campaigns, and other novel attack methods. Microsoft employs threat researchers and analytics systems across our global network to implement timely actions in view of the threat.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
If an incident occurs, the security team logs and prioritises it according to severity. Events directly impacting customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Microsoft's incident management program is structured around handling incidents. Key staff are trained in forensics and handling evidence in preparation for an event, including the use of third-party and proprietary tools. Testing of incident response plans is performed for key areas, such as systems that store sensitive customer information. Tests consider a variety of scenarios, including insider threats and software vulnerabilities.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£45.60 a user a year
Discount for educational organisations
Free trial available
Description of free trial
A 1-month free trial is available for Microsoft 365.
Link to free trial
