VUMBUZI IMPACT AFRICA (VIA)

Terms of Reference

Azure Cloud Infrastructure & Device Management Consultancy

Microsoft Intune Implementation & Security Hardening

June 2026

1. Objectives

The primary objectives of this consultancy are to:

• Audit and document the current Azure/M365 configuration and detect gaps.
• Design and execute a secure, scalable Azure environment aligned with best practices.
• Deploy and configure Microsoft Intune for unified endpoint and device management.
• Harden security using Microsoft Defender for Cloud and related tools.
• Establish governance frameworks including Identity & Access Management (IAM) and Conditional Access Policies.
• deliver training to VIA's internal IT staff and produce comprehensive documentation.
• Deliver a roadmap for ongoing maintenance and future growth.

2. Scope of Work

The consultant shall undertake the following activities across four defined phases. Each phase has specific deliverables and acceptance criteria as outlined in Section 3.

2.1 Phase 1: Discovery, Audit & Design (Weeks 1–3)

• perform a comprehensive audit of the existing M365 tenant, Azure subscriptions, and Defender for Cloud configuration.

1. evaluate current user accounts, licences, groups, and roles
2. Assess existing security policies and compliance posture
3. Inventory all enrolled and unmanaged devices
4. Document current network topology and integration points

• detect security gaps, misconfigurations, and areas of non-compliance.
• create a detailed Target Architecture Design Document covering:

1. Azure Active Directory (Entra ID) structure and governance model
2. Intune device management architecture
3. Security baseline and Conditional Access framework
4. Network segmentation and identity boundaries

• Present findings and proposed architecture to VIA leadership for approval.

2.2 Phase 2: Identity, Access & Security Foundation (Weeks 4–7)

• Configure and harden Azure Active Directory / Microsoft Entra ID:

1. execute Multi-Factor Authentication (MFA) for all users
2. Configure Privileged Identity Management (PIM) for admin accounts
3. Set up Self-Service Password Reset (SSPR)

• Deploy and configure Conditional Access Policies:

1. Risk-based access controls and sign-in policies
2. Device compliance requirements as access gate
3. Named location and trusted IP configurations

• Optimise Microsoft Defender for Cloud:

1. Enable Defender for Endpoint plans
2. Configure threat protection and alert rules
3. Establish a Security Information baseline and Secure Score targets

• execute Azure Policy and role-based access control (RBAC) governance.

2.3 Phase 3: Microsoft Intune & Device Management (Weeks 8–12)

• Deploy and configure Microsoft Intune:

1. Enrol Windows and macOS devices as applicable
2. Design and deploy Device Configuration Profiles
3. Establish Device Compliance Policies.
4. Configure Autopilot for zero-touch device provisioning.

• Configure App Management:

1. Deploy required organisational apps through Intune Company Portal
2. Configure Microsoft 365 Apps deployment and update rings
3. execute app protection policies for BYOD scenarios

• Integrate Intune with Defender for Endpoint for unified device compliance signals.
• Set up Windows Update for Business and patch management rings.
• Configure remote device management capabilities (wipe, lock, reset).

2.4 Phase 4: Optimisation, Documentation & Handover (Weeks 13–16)

• perform end-to-end security evaluate and penetration-readiness assessment.
• Tune and optimise all deployed configurations based on operational experience.
• create and deliver comprehensive documentation:

1. System Administration Guide
2. Intune Device Enrolment Guide (end-user facing)
3. Incident Response Runbook
4. Azure Architecture Diagram (as-built)

• Deliver training to VIA IT staff covering day-to-day administration tasks.
• Produce a 12-month IT Roadmap with prioritised recommendations.
• Formal knowledge transfer and handover session.

3. Phased Implementation Plan

The table below summarises the four phases, their key activities and timelines. The total engagement is estimated at 16 weeks.

4. Deliverables & Acceptance Criteria

5. Consultant Qualifications & Requirements

Requirements

• Minimum 5 years of hands-on experience with Microsoft Azure and Microsoft 365 administration.
• Demonstrated experience deploying Microsoft Intune in organisations of similar size and complexity.
• Proven experience configuring Microsoft Entra ID, Conditional Access, and Defender for Cloud.
• Fluency in English; ability to communicate technical concepts clearly to non-technical stakeholders.

Desirable Requirements

Microsoft Certified: Security Operations Analyst Associate (SC-200).

• Microsoft 365 Certified: Endpoint Administrator Associate (MD-102) — current and valid.
• Microsoft Certified: Azure Administrator Associate (AZ-104) — current and valid.
• Familiarity with data protection regulations applicable within the East African region.
• Experience with Microsoft Sentinel or similar SIEM tools.
• Track record of delivering remote engagements with limited on-site presence.

6. Working Arrangements

• The consultant will report to VIA's designated IT guide and will deliver weekly progress updates in writing.
• A dedicated Slack or Teams channel will be maintained for day-to-day communication.
• All work must be conducted in VIA's own Microsoft tenant and subscriptions; no third-party systems are to be used for configuration or data storage.
• Change management: all changes to the production environment must be scheduled, communicated to VIA in advance, and rolled back if unsuccessful.
• VIA will assign an internal IT point-of-contact who will participate actively in all phases.

7. Evaluation Criteria

8. Application

Interested firm consultants should submit the following documents to  info@via-foundation.org and include subject “Application for IT service provision” before 30 June 2026.   
Evaluation and contract award will be conducted strictly based on capacity, compliance with requirements, and value for money.  

Vumbuzi Impact Africa (VIA) Foundation is an equal opportunity organization and ensures fair competition in all procurement processes. All eligible and qualified firms are invited to apply, and only shortlisted applicants will be contacted.

— End of Terms of Reference —