Zero Trust 365 — Microsoft Solutions Partner

Zero Trust 365
Security without on-premises infrastructure

We implement the Microsoft 365 security architecture that lets you eliminate on-premises Active Directory, third-party antivirus, and VPN — all replaced by Entra ID Premium, Intune, Purview, and Defender.

☁️ 100% Cloud-native: No on-premises servers required

🖥️ 0 Domain Controllers: Entra ID replaces on-premises AD

🛡️ 4 Security layers: Identity, device, data, and endpoints

📱 Windows, Mac, iOS, Android: Platforms covered from one single management portal

Technology transformation

What do we replace with this architecture?

The Microsoft 365 Business Premium architecture, properly configured, eliminates the need for costly and complex on-premises infrastructure.

🏢

BEFORE

Traditional Infrastructure

  • On-premises Active Directory (AD DS)

    Physical or virtual servers for identity management, GPOs, and authentication.

  • Third-party antivirus

    Symantec, Kaspersky, ESET, McAfee — additional licenses, separate consoles.

  • Corporate VPN

    Complex infrastructure for remote employees to access internal resources.

  • Manual device management

    Images, scripts, manual deployments, no centralized visibility.

  • ADFS / Federation Service

    Additional server for federated SSO with cloud applications.

With Dattics

☁️

AFTER

Cloud-Native Architecture

  • Microsoft Entra ID Premium

    Cloud identity with Conditional Access, passwordless MFA, dynamic groups, and SSO for 4,000+ apps.

  • Defender for Endpoint (via Intune)

    Native Microsoft EDR protection, managed from the same portal as your devices.

  • Conditional Access + Zero Trust

    Access is granted based on identity, device, and context — no VPN needed.

  • Intune MDM/MAM

    Windows Autopilot, app deployment, policies, and compliance across all devices from one portal.

  • Entra ID PTA / Native SSO

    Single sign-on for all applications without additional federation servers.

The 4 pillars of our architecture

An integrated security ecosystem

Each pillar strengthens the others. Together they form a defense-in-depth that protects identities, devices, data, and applications.

🔐

Microsoft Entra ID Premium P1

Identity & Conditional Access

The brain of security. Every access attempt is evaluated in real time: who, from where, with what device, at what time?

  • Conditional Access based on risk, location, device, and role
  • Adaptive MFA and passwordless authentication (FIDO2, passkeys)
  • Dynamic groups that automatically assign licenses and access
  • SSO for 4,000+ SaaS applications without additional passwords
  • Identity protection with AI-powered anomaly detection
Replaces: On-premises Active Directory + ADFS
📱

Microsoft Intune MDM/MAM

Unified Device Management

Manage and protect all company devices — from a single portal, regardless of platform. Deploy apps, enforce policies, and meet compliance automatically.

  • Full MDM for corporate Windows, macOS, iOS, and Android devices
  • MAM for personal devices (BYOD): protect data without controlling the device
  • Centralized deployment of all your applications on any platform
  • Windows Autopilot: new computers ready in minutes, without touching them physically
  • Security, encryption, and automatic update policies on all devices
  • Corporate data protection on BYOD: selective wipe without affecting personal data
Replaces: SCCM, manual management, PDQ Deploy
🛡️

Microsoft Defender for Endpoint

Intelligent Endpoint Protection

Next-generation antivirus with EDR (Endpoint Detection & Response), managed 100% from Intune. No extra agents, no separate consoles.

  • Antivirus + EDR + automated threat response
  • Anomalous behavior detection with artificial intelligence
  • Integrated vulnerability and patch management
  • Isolate compromised devices with a single click
  • Native integration with Entra ID for Conditional Access policies
  • Full visibility: which process runs, when, with what permissions
Replaces: Symantec, Kaspersky, ESET, McAfee
🔒

Microsoft Purview

Data Protection & Compliance

Label, classify, and protect information wherever it is — in emails, documents, Teams, or devices. Includes DLP, Information Protection, and retention policies.

  • DLP: automatic prevention of sensitive data leaks
  • Sensitivity labels: Public, Internal, Confidential, Highly Confidential
  • Automatic document encryption based on classification
  • Retention and archiving policies: comply with GDPR and local regulations
  • Full audit trail: who accessed, modified, or shared what document and when
  • Protection that travels with the file, even outside the organization
Replaces: Third-party DLP solutions + manual archiving
Entra ID Premium — Conditional Access

Access is never granted without verification

Conditional Access evaluates every access request in real time. If any condition is not met, access is blocked or additional verification is requested — automatically.

🔍 Signals evaluated

🌍

Geographic location

Block disallowed countries. Alert if login comes from an unusual location.

📱

Device compliance

Only devices registered in Intune that meet security policies.

🔐

MFA / Passwordless

Additional verification based on the risk level of the request.

👤

Identity risk

AI detects anomalous behavior: unusual hours, access patterns, etc.

🏢

Network / IP

Distinguishes between trusted corporate networks and unknown external networks.

📋

Application & role

Different policies based on the app being accessed and the user's role.

Entra ID

Evaluation engine

In real time

📋 Policy decision

Access Granted

Device compliant + location allowed + MFA verified

  • Session started without friction
  • Token issued with the correct scopes
  • Event recorded in the log
🚫

Access Blocked

One or more conditions not met

  • Access denied instantly
  • Alert sent to the IT administrator
  • User notified with the reason
📲

MFA Required

Elevated risk or unusual context detected

  • Requests additional verification
  • Access conditioned on MFA
Real-world example

📌 Situation

Carlos, from the Sales team, tries to connect to Teams from his corporate laptop at the Bogotá airport, using the terminal's free public WiFi.

Corporate laptop, Intune-enrolled ✔
Country: Colombia ✔
Network: unauthorized public WiFi
IP: outside allowed ranges
🚫

Access blocked

Entra ID detected an unauthorized network. Carlos is blocked automatically and must connect from a corporate network.
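
The evaluation flow above, as an added example that is not Dattics's or Microsoft's code: a small Python model of a Conditional Access decision that checks the blocking conditions first, then steps up to MFA on elevated identity risk, and otherwise grants. The policy values, the trusted network ranges (RFC 5737 documentation addresses and a private range) and the signal fields are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed policy mirroring the rules described on this page (not an Entra ID export).
POLICY = {
    "allowed_countries": {"CO", "US"},
    "trusted_networks": ["10.0.0.0/8", "203.0.113.0/24"],  # corporate ranges (constructed)
    "protected_apps": {"Teams", "SharePoint"},
    "mfa_on_risk": {"medium", "high"},
}

@dataclass
class Signals:
    """What the engine sees on each request: who, from where, with what device, how risky."""
    user: str
    app: str
    country: str
    ip: str
    device_compliant: bool
    mfa_verified: bool
    identity_risk: str = "none"

@dataclass
class Decision:
    outcome: str  # "granted", "blocked" or "mfa_required"
    reasons: list = field(default_factory=list)

def on_trusted_network(ip: str, policy: dict) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in policy["trusted_networks"])

def evaluate(sig: Signals, policy: dict = POLICY) -> Decision:
    # Block conditions first: a single failed condition denies access outright.
    reasons = []
    if sig.country not in policy["allowed_countries"]:
        reasons.append(f"country {sig.country} not allowed")
    if not sig.device_compliant:
        reasons.append("device not Intune-compliant")
    if sig.app in policy["protected_apps"] and not on_trusted_network(sig.ip, policy):
        reasons.append(f"IP {sig.ip} outside allowed ranges")
    if reasons:
        return Decision("blocked", reasons)
    # Elevated identity risk does not block; it steps up to MFA instead.
    if sig.identity_risk in policy["mfa_on_risk"] and not sig.mfa_verified:
        return Decision("mfa_required", [f"identity risk level {sig.identity_risk}"])
    return Decision("granted", ["all conditions met"])

if __name__ == "__main__":
    # The Carlos scenario: compliant laptop, allowed country, public airport WiFi.
    carlos = Signals("carlos", "Teams", "CO", "198.51.100.7", device_compliant=True, mfa_verified=True)
    print(evaluate(carlos))  # blocked: IP 198.51.100.7 outside allowed ranges
```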

Microsoft Intune MDM/MAM

One portal.
All devices.
Every platform.

Regardless of operating system or whether the device is corporate or personal, Intune ensures your company's information is protected and your employees have the tools they need.

  • Automatic deployment of corporate applications on any platform with one click
  • Autopilot: a new employee unboxes the laptop and is ready to work in 20 minutes
  • On BYOD devices, protect corporate data without touching the employee's personal device
  • If an employee leaves, wipe only corporate data — not their personal photos
Ask about implementation
🪟

Windows 10 / 11

Full MDM: apps, policies, BitLocker, updates, Autopilot

Full MDM
🍎

macOS

Full MDM: apps, FileVault, security profiles, conditional access

Full MDM
📱

iOS / iPadOS

MDM for corporate + MAM for personal. Apps, per-app VPN, certificates

MDM + MAM
🤖

Android

Android Enterprise, BYOD work profiles, containerized managed apps

MDM + MAM
🛡️

BYOD protection without MDM

With MAM we protect corporate information on the employee's personal device without touching it. Company data stays encrypted and separated; if the employee leaves the company, only the corporate data is wiped.

Microsoft Purview — DLP in Practice

How Purview DLP protects your information

These are real examples of what Purview DLP does automatically in your organization, without the employee or administrator needing to intervene manually.

Scenario 1: Blocked
📧

Email with financial data or SSNs

What the employee does:

An employee tries to send via Outlook an Excel file with national ID numbers, credit card numbers, or banking data to an external address (Gmail, Hotmail, etc.)

Purview DLP detects it and:

🚫 Email blocked. The employee is notified and the attempt is logged.
The employee receives a message explaining why it was blocked. The administrator receives an alert. The event is recorded in the audit log.
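
Scenario 1 as an added example, not Purview's or Dattics's code: a minimal Python DLP check that looks for Luhn-valid credit card numbers in an outbound message and its attachments and blocks when any recipient is outside the organization. The internal domain, the sample attachment and the regex are constructed for illustration; Purview's credit card sensitive information type also applies a Luhn checksum, but its pattern and confidence logic are richer than this.

```python
import re

# Constructed organization domain and detection pattern (not a Purview rule export).
INTERNAL_DOMAIN = "company.com"
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return 13-16 digit candidates that pass Luhn; the regex alone over-matches."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            hits.append(digits)
    return hits

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def evaluate_email(recipients: list, body: str, attachments: dict) -> dict:
    """Scenario 1 rule: card numbers present AND an external recipient -> block and audit."""
    content = body + "\n" + "\n".join(attachments.values())
    cards = find_card_numbers(content)
    external = [r for r in recipients if is_external(r)]
    if cards and external:
        return {"action": "block", "matches": len(cards), "external_recipients": external,
                "user_message": "Blocked: the message contains credit card numbers "
                                "and is addressed to an external recipient.",
                "audit": True}
    # Internal-only mail with card data is allowed but still logged for the audit trail.
    return {"action": "allow", "matches": len(cards), "external_recipients": external,
            "audit": bool(cards)}

if __name__ == "__main__":
    # Constructed sample: one valid card number, one number that fails Luhn.
    attachment = {"clients.csv": "name,card\nAna,4111 1111 1111 1111\nLuis,1234-5678-9012-3456\n"}
    print(evaluate_email(["ana@company.com", "partner@gmail.com"],
                         "Attached is the Q3 customer list.", attachment))
```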
Scenario 2: Auto-blocked
💬

Sharing a 'Confidential' document in Teams

What the employee does:

A user tries to share via Teams a file labeled 'Confidential' with a user outside the organization or in a public channel.

Purview DLP detects it and:

🚫 Sharing denied. The sensitivity label prevents it automatically.
The file is encrypted and the label policy prevents external users from opening it, even if they physically obtain the file.
Scenario 3: Alert + Block
📤

Uploading internal files to USB or unauthorized cloud

What the employee does:

An employee tries to copy a document labeled 'Internal Use Only' to a USB drive or upload it to Dropbox, WeTransfer, or another unauthorized service.

Purview DLP detects it and:

⚠️ Action blocked. Defender + Purview log the attempt and alert the security team.
Intune controls which USB devices are authorized. Purview DLP blocks uploads to unauthorized domains from the browser or desktop applications.
💡

All DLP rules are configurable by your IT team or by Dattics. Custom rules can be created for financial, legal, healthcare, or any specific regulatory requirement in your industry.

Microsoft Purview — Information Protection

Protection travels with the document

Purview sensitivity labels encrypt and protect the file wherever it goes — email, SharePoint, Teams, USB, or even if someone forwards it outside the company.

✍️

Step 1

Creation

The user creates the document in Word, Excel, or any Office app.

🏷️

Step 2

Labeling

Purview suggests or automatically applies the correct label based on detected content.

🔐

Step 3

Encryption

The file is encrypted with AES-256 according to the label policy.

🔗

Step 4

Access control

Only authorized users or groups can open the file, on any device.

📋

Step 5

Audit

Every opening, edit, or access attempt is recorded in the audit log.

🗃️

Step 6

Retention / Archive

Retention policies define how long it is kept and when it is archived or deleted.

Public

Information shareable with anyone

No encryption. No distribution restrictions.

Internal

Information for organization employees

Access only to @company.com accounts. Cannot be forwarded to external parties.

Confidential

Sensitive business or client information

Encryption + authorized groups only. Not printable by external parties.

Highly Confidential

Critical data: financial, legal, executive

Strong encryption + no forwarding + no screenshots + full audit trail.

Zero Trust — No on-premises servers

Yes, you can eliminate on-premises Active Directory

This is one of the questions clients ask us most — and the answer is yes. With Entra ID Premium and the right architecture, on-premises AD becomes completely redundant.

🗑️

What is eliminated

  • Domain Controllers (AD DS)

    The servers managing Kerberos and NTLM authentication disappear.

  • AD FS (Federation)

    The federation service for SSO with cloud apps is replaced by native Entra ID.

  • Manual GPOs

    Group Policies are replaced by Intune Configuration Policies — more granular and domain-free.

  • Corporate VPN

    Conditional Access with Intune-compliant devices replaces VPN for secure resource access.

  • Third-party antivirus

    Defender for Endpoint included in M365 Business Premium replaces Symantec, ESET, McAfee, etc.

🚀

What you gain

  • Cloud identity with Entra ID

    Access from any location, device, and network — with the same or superior security level.

  • Zero Trust by design

    Never trust, always verify. Access based on identity and context, not network location.

  • Savings on antivirus licenses

    Defender for Endpoint is included in Business Premium. No third-party costs.

  • One single management portal

    Intune + Entra ID + Defender + Purview — all from the same Microsoft 365 portal.

  • Reduced attack surface

    No domain controllers to compromise, no VPN as entry vector, no vulnerable GPOs.

💰

With Microsoft 365 Business Premium you get Entra ID P1, Intune, Defender for Business, and Purview — all at a monthly per-user price. The savings compared to maintaining on-premises AD + third-party antivirus + federation server can exceed 40% of IT costs in mid-sized companies.

Microsoft Defender for Endpoint

The antivirus that's already
in your license

Defender for Endpoint is not just an antivirus — it's a full EDR platform that detects, investigates, and responds to advanced threats. And it's already included in Microsoft 365 Business Premium.

  • 🧠

    Behavior-based + AI detection

    Doesn't rely on virus signatures. Detects anomalous behavior in real time, including zero-day attacks and new ransomware.

  • 🔍

    Automated Investigation & Response (AIR)

    When a threat is detected, Defender automatically launches an investigation and can isolate the device without human intervention.

  • 📊

    Vulnerability management

    Assesses the exposure level of each device, identifies outdated software, and prioritizes patches by risk level.

  • 🔗

    Conditional Access integration

    If a device is compromised, Entra ID automatically revokes access until the issue is resolved.

🎛️ Managed from Intune

Defender for Endpoint is administered 100% from the Intune portal, the same panel where you manage devices, apps, and policies. No additional console, no separate agents.

Intune Portal → Defender Policy → Protected Endpoint

✅ Replaces:

Symantec Endpoint
Kaspersky Business
ESET Endpoint
McAfee ENS
Trend Micro
Sophos Intercept X
Dattics — Microsoft Solutions Partner

Ready to eliminate your on-premises infrastructure?

Our team does a free assessment of your current architecture and shows you exactly how the new one would look — with clear costs, timelines, and steps.