01see it for yourself

A live tenant, open to inspect.

The blu3print is a Microsoft 365 tenant we run as a reference. Hardened the way we’d harden yours, with agents working inside it.

environment
live M365 tenant
inside
agents · full config
access
read-only · invited
status
under construction

02what it is

Not a deck. A working system.

real, not mocked · live, not staged · nothing hidden

what you’re looking at

Most security stories are told in slides. This one is a login. Open any object and you’re reading the live configuration, not a screenshot of it.

03the intersection

The estate we already secure,
now with AI running through it.

Anyone can spin up an agent. Few keep them scoped: permissions pile up, no one signs off. AI isn’t a second platform to secure; it’s a new dimension through the estate you already control.

the AI layera new dimension

Copilot · Copilot Studio · Foundry · Agent 365

the blu3print · one live M365 tenant
  • Entra

    Conditional Access, PIM, named agent identities

  • Intune

    compliance baselines, configuration profiles

  • Defender

    Defender & Sentinel, detection, posture, alerts

  • Purview

    sensitivity labels, DLP policies

the security estate Microsoft 365

every object opens read-only in Microsoft 365

04THE NAVIGATOR

Ask it anything,
read it yourself.

A read-only navigator over the same tenant. Ask how something’s configured and it answers from the estate, then opens the exact object so you can check it.

blu3print · navigator read-only
How can I detect config drift? ↵ run

agent-config-drift: checks the tenant for drift every 6h, matches each change to its approval and the PIM activation behind it, and flags anything no one signed off.

read-only: it sees every change and makes none. It writes to three places only: a SharePoint report, one mailbox, and a Sentinel alert when a change has no approval.

runs as itself in Entra Agent ID · autonomous · named sponsor · directory reads least-privilege · every call logged

you could ask

illustrative. The live navigator runs read-only on an invited tenant

the ledger — every agent, proposed to retired

AGENTS.changelog v0.1.4
2026-05-12

+ added agent-config-drift: flags any tenant change with no approval behind it.

proposed by agent-composer · APPROVED · T. DE BACKER

2026-06-03

~ re-scoped agent-config-drift: dropped Sites.ReadWrite.All; write now scoped to one site (Sites.Selected).

flagged by agent-lifecycle · APPROVED · P. MEERBERGEN

2026-06-08

– retired agent-export-legacy: replaced by native UTCM monitoring; no run in 31 days.

flagged by agent-lifecycle · APPROVED · M. BRUYNDONCKX

05take a look

Come see it
take shape.

Open by invitation while we build it out. Leave an email and we’ll set up a read-only login so you can walk the tenant yourself.

Contact us →

We’d rather show you than tell you.