Skip to main content

Help us improve the Digital Marketplace - send your feedback

  1. Digital Marketplace
  2. Lot 2: Cloud software
  3. Microsoft 365

Microsoft 365

Microsoft 365 Enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely.

Microsoft 365 Enterprise consists of: Office 365 Enterprise; Windows 10 Enterprise; and Enterprise Mobility + Security (EMS).

There are three plans to choose from: E3, E5 and F1.


  • Identity & access management, protect users’ identities and control access
  • Threat protection, protect against advanced threats
  • Security management, gain visibility and control over security tools
  • Ensure documents and emails are seen only by authorized people
  • Email and calendar with Exchange
  • Connect to people, content, and apps with SharePoint
  • Voice, video, and chat with Skype and Microsoft Teams
  • Office 365 ProPlus on up to 15 devices per user
  • Broad support for PC, Mac, iOS, & Android platforms
  • Auto-enrollment of Windows PCs and devices


  • Comprehensive management of your entire workforce
  • Connect the experience across devices
  • Minimize TCO across deployment, management, & servicing
  • Visualize information in new ways
  • Create compelling content with intelligent apps
  • Detect and protect against external threats
  • On-premises Client Access Licenses (CALs) to some Microsoft server products
  • Access files and folders hosted in Microsoft's cloud securely anywhere
  • Intelligently collaborate with users across your organization and externally
  • Windows 10 deployment with upgrade in place and Autopilot


£3.80 to £15.10 a user a month

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

6 6 0 6 7 6 7 6 3 0 4 3 2 8 9


Telephone: 01364 654100

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints
Microsoft cloud services require an active internet connection, and can be accessed from a supported internet browser. For information on app-specific or service-specific constraints, we can provide specific information on request.
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Standard level offers you a 2-hour response time for your business-critical issues and our team are available Monday to Friday (excluding bank holidays), 9 am to 5:30 pm.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
None, standard text-based web chat.
Web chat accessibility testing
None, standard text-based web chat.
Onsite support
Yes, at extra cost
Support levels
Standard free support offers: - Unlimited remote break/fix support - 2-hour response SLA for business-critical issues (severity A) - Support incident escalation service - 24x7 access to our ServiceAide helpdesk portal to log support requests, knowledge base and FAQs - Service availability Monday to Friday (excluding bank holidays), 09:00 to 17:30 24x7 support offerings are available upon request.
Support available to third parties

Onboarding and offboarding

Getting started
Combination of onsite training, online training, and user documentation.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Upon request.
End-of-contract process
Option to renew or cancel the contract. Data can be removed or migrated.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Compatible operating systems
  • Linux or Unix
  • Windows
Designed for use on mobile devices
Differences between the mobile and desktop service
Microsoft 365 includes various cloud services which offer mobile device capabilities. Most Microsoft cloud services such as Office 365, Teams, SharePoint, Power BI etc. have a mobile app which has reduced functionality. Where a native mobile app is not available, most commonly used browsers are supported. More details can be provided upon request.
Service interface
User support accessibility
None or don’t know
Description of service interface
Microsoft 365 uses various web portals which allows users and administrators to administer, configure and manage its cloud services. One of the main portals that would be used is
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Microsoft performed these tests to achieve their WCAG certification. Because Microsoft is a major software and cloud-services provider to states and governments around the world, it is committed to complying with all relevant international standards and compliance controls. By adhering to these wide-ranging accessibility standards, Microsoft ensures that all customers—both inside and outside of government—can use Microsoft services and products.
What users can and can't do using the API
Microsoft Graph is a unified API endpoint for accessing data across Microsoft 365, which includes Office 365, Enterprise Mobility, and Security and Windows services. It provides a simplified developer experience, with one endpoint and a single authentication token that gives your app access to data across all these services.

Further reading can be found here:

API documentation is publicly available and further information is available on request.
API documentation
API documentation formats
  • HTML
  • ODF
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Microsoft 365 cloud services can be configured and customised to conform to most business needs, even when they are complex. The customisation can be done by authorised users from within the portals available upon purchasing the product. End users can also customise the desktop applications such as Office apps and Teams, to fit their user preferences. If technical services are required, we can look at technical resource available and any associated costs.


Independence of resources
Microsoft works continuously to ensure that the multi-tenant architectures of our cloud services support enterprise-level security, confidentiality, privacy, integrity, and availability standards. Microsoft continue to monitor their service available and health and will continue to invest in their data centers which have been designed to support massive multi-tenant enterprise scale.

For more information on their service health and continuity guarantees with Office 365 which is a service that is part of Microsoft 365, please see the following website:


Service usage metrics
Metrics types
Microsoft provide service health, service availability, usage metrics, workspace analytics, and many other forms of service metrics as part of your cloud services subscription. Some plans also include Power BI which enables you to create your own dashboards and reports and collaborate intelligently across your organization.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Data exporting capabilities are available within the Microsoft 365 portals and what can be exported varies by service. For example you can export a list of users and groups from your Office 365 tenant directory, but you cannot export your mailbox data from the Office 365 portal, as Microsoft host the data in their own servers, however mailbox data is cached locally on PST Files and they can be retrieved locally with technical migration tools if required.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Microsoft's 365 service level agreements vary by service. Microsoft provide financial backing to our commitment to achieve and maintain the service levels for each service. If they do not achieve and maintain the service levels for each service as described in the Service Level Agreement, then you might be eligible for a credit towards a portion of your monthly service fees.

The latest SLA document can be downloaded here:

Further information can be provided upon request.
Approach to resilience
Information is available on request.
Outage reporting
There is a publicly available dashboard which includes service health informtion. Email alerts can be configured, and the API can also be used.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication
Office 365 uses the cloud-based user identity and authentication service Azure Active Directory (Azure AD) to manage users. You can choose from two main authentication models in Office 365 to set up and manage user accounts; cloud authentication and federated authentication.
Access restrictions in management interfaces and support channels
Microsoft 365 can designate separate administrators to serve different functions. These administrators will have access to features in the Office admin portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user-licenses, and manage domains, among other things.

A user who is assigned an admin role will have the same permissions across all of the cloud services that your organization has subscribed to, regardless of whether you assign the role in the Office 365 portal, or in the Azure portal.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Security governance is standardised via internal policies and procedures. The Microsoft platform complies to all standards detailed within the Microsoft Security and Compliance Centre.
Information security policies and processes
Director level ownership, all processes are tracked and audited and there are additional requirements around change management. Accountability at all levels.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Microsoft have developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1 / SOC 2, NIST 800-53, and others.

Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft including the Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.

Please see: and
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability scans are performed on a quarterly basis at a minimum.

Microsoft contracts with independent assessors to perform penetration testing of their datacenters.

Microsoft implement many vulnerability management processes, one of which being their edge router security which provides the ability to detect intrusions and signs of vulnerability at the network layer.

Further information on other processes are available on request.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Microsoft employs sophisticated software-defined service instrumentation and monitoring that integrates at the component or server level, the datacenter edge, their network backbone, Internet exchange sites, and at the real or simulated user level, providing visibility when a service disruption is occurring and pinpointing its cause.

Proactive monitoring continuously measures the performance of key subsystems of the Microsoft cloud services platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Microsoft has developed robust processes to facilitate a coordinated response to incidents.

• Identification – System and security alerts may be harvested, correlated, and analyzed.
• Containment – The escalation team evaluates the scope and impact of an incident.
• Eradication – The escalation team eradicates any damage caused by the security breach, identifies root cause for why the security issue occurred.
• Recovery – During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.
• Lessons Learned – Each security incident is analyzed to protect against future re-occurrence.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks

Social Value



Further information on Grey Matter’s culture and corporate responsibility can be found here:


£3.80 to £15.10 a user a month
Discount for educational organisations
Free trial available
Description of free trial
We offer a 25 user 30-day trial for all Microsoft 365 cloud services including Office 365, Enterprise Mobility + Security, and Windows 10.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.