Skip to content
BlueStone Tech
Identity & productivity projects · 7 fixed-price packages · NEW v5

Get more from the Microsoft 365 you’re already paying for.

Most small businesses use about 30% of Microsoft 365. We package the parts that usually sit unused — single sign-on, conditional access, password management, joiner-leaver automation — into seven fixed-price projects.

Email us about an identity project See full pricing

  • No new tools

    Uses your existing Microsoft licences. No RMM, EDR or backup add-ons required.

  • Fixed price · fixed scope

    Most projects finish inside 3 weeks. Written deliverables at handover.

  • First in Melbourne

    No competitor markets these as productised offers — we surveyed 13 AU MSPs to confirm.

The seven projects · in priority order

Pick one. Pick a few. Or start with the audit.

Project 01

SaaS SSO via Entra ID

Stop your team from juggling passwords. Single sign-on for the SaaS apps you actually use.

Price
$1,800
fixed
Duration
2 weeks

What's included

  • Single sign-on configured for 5 SaaS apps via Microsoft Entra ID
  • SCIM auto-provisioning where the app supports it (accounts created and removed automatically as people join and leave)
  • User acceptance testing
  • Documentation handover
  • Recommended app shortlist: Xero, MYOB, Dropbox, Slack, Zoom, HubSpot, Salesforce, Adobe, Atlassian, Asana, Monday, Canva, GitHub, and ~50 others on the Entra catalogue

Prerequisite

Microsoft 365 Business Premium / E3 / E5

Add-on

Each additional app added to SSO after launch: $250

See project page Email us about it
Project 02

⭐ Most popular bundle component

Conditional Access Baseline

Eight policies that block 90% of credential attacks. Designed and deployed in three weeks.

Price
$2,400
fixed
Duration
3 weeks

What's included

  • Eight production-ready Conditional Access policies designed and deployed
  • Block legacy authentication · Require MFA for all users · Geo-fence to permitted countries
  • Require compliant device · Block high-risk / impossible-travel sign-ins
  • Restrict Global Admin access (separate policy stack)
  • Block BYOD access to sensitive apps · Apply session controls (sign-in frequency, browser-only sessions)
  • Test matrix and runbook
  • 30-day stabilisation period (we tune policies based on real user behaviour)

Prerequisite

Microsoft 365 Business Premium / E3 / E5 · Entra ID P1 minimum

Add-on

Quarterly policy review + tune: $400/quarter

See project page Email us about it
Project 03

Joiner-Mover-Leaver Automation Pack

New hire on Monday, your IT does the rest. Same when someone leaves.

Price
$1,200
fixed
Duration
2 weeks

What's included

  • PowerShell + Power Automate workflow triggered by HR signal (new hire, role change, departure)
  • Joiner: account created, licences assigned, security groups added, mailbox configured, welcome email sent
  • Mover: groups updated based on new role, old access revoked
  • Leaver: account disabled, mailbox archived, devices wiped, licences released, manager notified
  • Documentation + handover walkthrough

Prerequisite

Microsoft 365 tenant + at least one HR system (BambooHR, Employment Hero, Xero Payroll, or even a shared HR spreadsheet)

See project page Email us about it
Project 04

Password Manager Rollout

Stop using "Password123!" One vault, one master password, MFA everywhere.

Price
$900 + licence
fixed
Duration
1 week

What's included

  • Tenant setup (1Password Business or Bitwarden Teams — your choice)
  • Policy design (password complexity, vault sharing, recovery)
  • Recommended shared vault structure for your team
  • One-hour all-staff training session
  • Two documentation packs: admin guide + user guide

Prerequisite

None. Works alongside any existing IT setup.

See project page Email us about it
Project 05

Managed DMARC

Stop scammers spoofing your domain. Most Australian SMBs don't have this set up.

Price
$290 + $90/mo
ongoing
Duration
Setup 1 week; monthly review thereafter

What's included

  • DMARC, SPF, and DKIM records configured for your domain
  • Move from p=none → p=quarantine → p=reject over 90 days, with monitoring
  • Monthly DMARC compliance report — see who's trying to spoof your email
  • Defends against business email compromise (BEC) — the #1 cyber-claim category in 2026

Prerequisite

Control of your domain's DNS (we'll work with you or your domain provider)

See project page Email us about it
Project 06

Privileged Access Cleanup

Most Melbourne SMBs have 4–8 Global Admin accounts. They should have one or two.

Price
$1,500
fixed
Duration
2 weeks

What's included

  • Audit of all Global Admin / Privileged Role accounts in your Microsoft 365 tenant
  • MFA enforcement on every privileged account
  • Break-glass emergency account configured (with secure procedure for use)
  • Conditional Access policy stack just for admins (no admin signs in from a non-managed device)
  • Aligned to Essential 8 ML2 "Restrict Administrative Privileges" control

Prerequisite

Microsoft 365 tenant access at Global Admin level

See project page Email us about it
Project 07

Start here if unsure

Identity-First 2-Hour Audit

Don't know where to start? Two hours, one report, prioritised by risk.

Price
$390
waived if you sign Standard or Secure+ within 14 days
Duration
2 hours of audit + same-day written report

What's included

  • Quick inventory of who has what access in your Microsoft 365 tenant
  • MFA status check across every account
  • Password reuse / weak password identification (without seeing the passwords)
  • Dormant account list (people who haven't logged in for 90+ days)
  • Global Admin sprawl assessment
  • One-page prioritised action plan, mapped to fixed-price remediation offers above

Prerequisite

Microsoft 365 tenant access (read-only is enough)

See project page Email us about it

Most clients combine 3-4 of these into a single sprint

The natural "identity foundation" bundle.

If you don't know which to pick, the most common combination is SSO + Conditional Access + Privileged Access Cleanup. Total: $5,700 ex GST · 6 weeks · single sprint. Add Joiner-Mover-Leaver if you have regular hires/leavers.

Frequently asked

What people actually ask about these.

Why "Identity & Productivity" — what links these together?
Every offer here uses Microsoft 365 / Entra ID capabilities you already pay for. SSO, Conditional Access, JML automation, password policy, DMARC, privileged-access cleanup — they're all 'identity-layer' work that activates licences sitting unused. No new RMM, EDR or backup tooling required. Pure configuration labour.
Do I need a specific Microsoft 365 plan?
For 6 of the 7 projects, yes — Microsoft 365 Business Premium / E3 / E5 (any of these). The Conditional Access Baseline additionally needs Entra ID P1 (which is included in Business Premium and E3+). The Password Manager Rollout works alongside any setup; no Microsoft licence required for that one.
Can I bundle multiple projects?
Yes — most clients combine 3-4 identity projects into a single 6-week sprint. The natural cluster is SSO + Conditional Access + Privileged Access Cleanup ($5,700 fixed). Add JML if you have regular hires/leavers, or DMARC if your domain isn't protected yet.
How does the 2-hour audit credit work?
The Identity-First 2-Hour Audit is $390 ex GST. If you sign a Standard or Secure+ retainer within 14 days of the audit report, the $390 is fully credited back. The audit report alone is yours either way — no obligation.
Can audit firms refer specific findings to specific projects?
Yes — that's exactly the design. An "ML2 admin privileges gap" finding maps to Privileged Access Cleanup ($1,500). An "MFA coverage" finding maps to Conditional Access Baseline ($2,400). Audit firm partners can refer with confidence — fixed scope, fixed price, written evidence at handover. See /audit-firm-partners for the full referral framework.
Same-business-day email reply · no sales calls

Want a quote for an identity project? It takes 2 minutes.

We'll email back with a tailored proposal — no calls, no follow-ups you didn't ask for.

Get a free quote Book a call