Microsoft 365 and Azure, built for credit unions, banks, and mortgage companies.
750+ financial institutions trust ABT to manage their Microsoft environment. As one of the first 15 Tier-1 CSPs globally, we deliver volume pricing, Guardian security hardening, and a governed foundation for Copilot AI, all through a single relationship. No middlemen. No markup layers. One partner who knows your tenant, your compliance requirements, and your examiner's expectations.
Under 300 seats
Six reasons financial institutions choose ABT over generic MSPs
Every MSP can sell you Microsoft licenses. ABT builds and manages the governed, hardened, AI-ready environment that financial services regulators expect to see.
Direct Microsoft Relationship
ABT buys licenses directly from Microsoft at Tier-1 pricing. No distributors, no markup layers. Volume pricing that scales with your institution, with the flexibility to add, remove, or change plans monthly.
Tier-2 resellers buy through a distributor like Pax8 or Ingram, which adds a margin on top of Microsoft's price. ABT skips that layer entirely. For a 200-person institution on Business Premium, the annual difference between Tier-1 and Tier-2 pricing can reach $15,000 or more depending on the product mix.
ABT also gets direct escalation paths to Microsoft engineering. When a critical issue hits your tenant, ABT opens a case directly with Microsoft support, not through a distributor's queue.
Financial Services Specialization
GLBA, FFIEC, SOC 2 Type II, NIST CSF 2.0. ABT understands the compliance frameworks your examiners reference because we manage tenants for credit unions, community banks, and mortgage companies every day.
Generic MSPs configure Microsoft 365 the same way for a law firm and a credit union. ABT configures tenants for regulatory compliance from day one. That means conditional access policies that match FFIEC authentication guidance, DLP rules that detect GLBA-defined sensitive data types, and audit logging that produces the artifacts examiners request during IT examinations.
ABT maps 62 of 77 Guardian policies directly to GLBA Safeguards Rule (16 CFR Section 314.4) subsections, with per-policy relevance explanations and automation classifications.
Guardian Security Built In
Every ABT-managed tenant is hardened through Guardian, our managed security and governance platform. Secure Score optimization, conditional access policies, data loss prevention, and audit logging from day one.
Guardian is not a product you install. It is an operating model that wraps around the client's tenant with 80 JSON policy templates across 11 categories, continuous monitoring of 160+ Microsoft Secure Score controls, and zero-tolerance threat response automation that revokes all sign-in sessions on any risk detection, 24 hours a day.
Security Insights gives executives a monthly report showing Secure Score trends, compliance gaps, external sharing exposure, and sign-in anomalies. Productivity Insights tracks application adoption, Copilot usage, and license utilization across every user.
Copilot-Ready Foundation
80% of employees already use AI tools at work. For regulated financial institutions, that creates compliance risk when those tools operate outside the governed environment. ABT builds the foundation so Copilot Business runs inside your tenant with DLP policies, sensitivity labels, and audit trails in place before AI goes live.
Without governance, Copilot can surface overshared files, generate content from stale data, and operate without audit trails. ABT's deployment process includes a pre-Copilot security assessment, Guardian hardening for AI-specific risks, and a 30-day adoption sprint with role-based training.
Zero-Downtime Migration
Switching your Microsoft 365 licensing provider should not mean downtime or data risk. ABT has migrated hundreds of tenants from other providers with zero disruption to daily operations.
A license transfer is a billing change, not a data migration. Your tenant, users, email, files, and settings remain exactly where they are. ABT assumes billing authority through the CSP channel while your team continues working. The process typically completes within 48 hours.
For organizations moving from on-premises Exchange, ABT runs a full migration project with mailbox-level scheduling, calendar sync validation, and post-migration testing during off-hours.
Ongoing Managed Services
Premier support with direct access to ABT engineers who know your tenant. License optimization reviews, security posture monitoring, and proactive recommendations, not just break-fix when things go wrong.
ABT runs quarterly license reviews to right-size your subscription mix. If 40 of your 200 users only need email and Teams, you should not pay for desktop Office apps they never open. ABT identifies those savings and adjusts licenses to match actual usage patterns.
Your designated ABT engineer tracks your Secure Score, monitors policy drift, and proactively addresses Microsoft configuration changes that affect your tenant.
Every Microsoft 365 plan, side by side
ABT recommends Business Premium for most financial institutions under 300 seats. It includes Intune device management, Entra ID P1, Conditional Access, and Defender for Business at $22 per user per month. For institutions that need advanced compliance, eDiscovery, or Insider Risk Management, E5 or the new E7 Frontier bundle adds those capabilities without requiring separate add-ons.
| Feature | Business Basic $6/user/mo |
Business Standard $12.50/user/mo |
Business Premium $22/user/mo ABT Recommended |
Enterprise E3 $36/user/mo |
Enterprise E5 $57/user/mo |
E7 Frontier $99/user/mo |
|---|---|---|---|---|---|---|
| Core Productivity | ||||||
| Desktop Office Apps (Word, Excel, PowerPoint, Outlook) | - | ✓ | ✓ | ✓ | ✓ | ✓ |
| Web and Mobile Office Apps | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Microsoft Teams (Chat, Meetings, Calling) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Exchange Online Mailbox | 50 GB | 50 GB | 50 GB | 100 GB | 100 GB | 100 GB |
| OneDrive for Business | 1 TB | 1 TB | 1 TB | 5 TB+ | 5 TB+ | 5 TB+ |
| SharePoint Online | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Identity and Access Management | ||||||
| Entra ID (Azure AD) | Basic | Basic | P1 | P1 | P2 | Entra Suite |
| Conditional Access Policies | - | - | ✓ | ✓ | ✓ | ✓ |
| Intune (Device Management) | - | - | ✓ | ✓ | ✓ | ✓ |
| Windows 11 Enterprise | - | - | - | ✓ | ✓ | ✓ |
| Security and Threat Protection | ||||||
| Microsoft Defender for Business | - | - | ✓ | - | - | - |
| Microsoft Defender for Endpoint (P1/P2) | - | - | - | P1 | P2 | P2 |
| Defender for Office 365 (Anti-Phishing, Safe Links) | - | - | ✓ | - | ✓ | ✓ |
| Compliance and Data Protection | ||||||
| Data Loss Prevention (DLP) | - | - | ✓ | ✓ | ✓ | ✓ |
| eDiscovery | - | - | - | Standard | Premium | Premium |
| Information Protection (Sensitivity Labels) | - | - | ✓ | ✓ | ✓ | ✓ |
| Insider Risk Management | - | - | - | - | ✓ | ✓ |
| AI, Analytics, and Advanced Services | ||||||
| Copilot (AI Assistant) | Add-on: $21/user | Add-on: $21/user | Add-on: $21/user Promo: $18 thru Jun 30 |
Add-on: $30/user | Add-on: $30/user | ✓ Included |
| Agent 365 (AI Agent Governance) | - | - | - | - | - | ✓ Included |
| Power BI Pro | - | - | - | - | ✓ | ✓ |
| Entra Suite (Verified ID, Internet Access, Private Access) | - | - | - | - | - | ✓ |
| Licensing Limits | ||||||
| Maximum Seats | 300 | 300 | 300 | Unlimited | Unlimited | Unlimited |
| ABT Recommendation | Kiosk or shared-device users who only need web email and Teams | Standard productivity users who need desktop Office apps | Best value for FIs under 300 seats. Includes Intune, Defender, Conditional Access, and DLP in a single license. | Institutions above 300 seats or those needing Windows 11 Enterprise licensing | Institutions requiring advanced compliance, eDiscovery Premium, Insider Risk, and Power BI Pro | Early-adopter institutions that want Copilot, Agent 365, Entra Suite, and every E5 feature in one bundle |
All prices shown are per user per month, billed through ABT as your Tier-1 Cloud Solutions Provider. Pricing reflects current Microsoft commercial rates as of April 2026. ABT offers monthly billing flexibility with no annual lock-in. Volume discounts and promotional pricing may apply. Contact ABT for a quote based on your institution's seat count and product mix.
July 2026 price increases are confirmed
Microsoft announced pricing adjustments across multiple plan tiers effective July 1, 2026. Business Premium is the only plan with no increase. Institutions that lock in licensing through ABT before July keep their current rates through the billing cycle.
| Plan | Current Price | July 2026 | Change |
|---|---|---|---|
| Business Basic | $6.00 | $6.60 | +10% |
| Business Standard | $12.50 | $14.00 | +12% |
| Business Premium | $22.00 | $22.00 | No change |
| Enterprise E3 | $36.00 | $40.00 | +11% |
| Enterprise E5 | $57.00 | $61.00 | +7% |
| E7 Frontier | $99.00 | $99.00 | No change |
| Copilot Business | $21.00 | $21.00 | No change |
| Copilot Enterprise | $30.00 | $30.00 | No change |
Why Business Premium is the best position right now
Business Premium is the only SMB-tier plan that holds its price through July 2026. At $22 per user, it includes the security and device management features that most financial institutions already need: Conditional Access, Intune, Defender for Business, DLP, and Information Protection.
For institutions considering the jump to enterprise licensing, the E3 increase from $36 to $40 closes the value gap between Business Premium and Enterprise. Unless you need more than 300 seats or Windows 11 Enterprise licensing, Business Premium delivers more security per dollar.
The Copilot Business promotional price of $18 per user runs through June 30, 2026. Institutions that add Copilot before the deadline get the discounted rate for the duration of that billing cycle. Combined with Business Premium at $22, the total cost is $40 per user for the same feature set that would cost $69 or more through enterprise licensing with Copilot added on top.
The E7 Frontier window: May through July
Microsoft launches E7 Frontier in May 2026 at $99 per user. E7 bundles E5, Copilot, Agent 365 governance, and the full Entra Suite into one license. For institutions that would otherwise buy E5 ($57) plus Copilot ($30) plus Entra Suite add-ons, E7 at $99 is a net savings with the added benefit of Agent 365 for governing AI agents. Early adopters who commit between May and July lock in $99 before any potential post-launch adjustments.
Your licenses are probably costing more than they should
Most financial institutions are paying for features their team never uses, while missing security tools they actually need. ABT runs a 30-minute license optimization review that identifies 15-20% in annual savings on average. No cost, no commitment, and you keep your current provider until you decide otherwise.
Copilot Business: AI that runs inside your governed tenant
Copilot Business is the SMB-tier AI assistant for Microsoft 365, available to any institution with 300 seats or fewer. It works inside Word, Excel, PowerPoint, Outlook, and Teams using your organization's data and your tenant's security policies. Unlike consumer AI tools, Copilot Business respects DLP rules, sensitivity labels, and Conditional Access policies.
Copilot Business is not a chatbot bolted onto the sidebar. It is embedded directly into the applications your team already uses, pulling from SharePoint, OneDrive, Exchange, and Teams conversations to generate drafts, summaries, analyses, and action items. Every interaction stays within the Microsoft 365 compliance boundary.
At $21 per user per month ($18 promotional through June 30, 2026), Copilot Business is priced for SMB-scale deployment. Bundled with Business Premium at $22, the total is $32 per user through the promotional window, or $43 at full price. Enterprise Copilot at $30 per user requires an E3 or E5 foundation, making the total cost $66 to $87 per user.
Word and PowerPoint
Draft documents from prompts, rewrite sections for tone or audience, generate slide decks from Word documents. Copilot pulls context from SharePoint files and recent conversations.
Excel Analysis
Analyze data sets with natural language questions. Generate formulas, create pivot tables, and surface trends without writing VBA. Works on spreadsheets stored in OneDrive or SharePoint.
Outlook Triage
Summarize long email threads, draft replies in your writing style, and prioritize messages by urgency. Copilot flags action items buried in multi-recipient chains.
Teams Meetings
Real-time meeting transcription with speaker attribution. Post-meeting summaries, action item extraction, and follow-up draft emails generated automatically.
Copilot Studio
Build custom Copilot agents scoped to specific workflows. A loan processing assistant, an onboarding guide, or a compliance FAQ bot, all governed by your tenant policies.
Business Chat
A unified chat interface that searches across all Microsoft 365 data: email, files, meetings, chats. Ask questions about your organization and get sourced answers from your own data.
80% of your employees already use AI at work
Microsoft's 2024 Work Trend Index found that 80% of knowledge workers bring their own AI tools into the workplace. For financial institutions, that means employees are pasting member data into ChatGPT, uploading financial documents to unvetted AI services, and using browser-based tools with no audit trail. Copilot Business gives employees the AI productivity they want inside the governed, auditable environment your regulators expect. ABT deploys Copilot with DLP policies pre-configured to prevent GLBA-sensitive data types (SSN, bank account numbers, credit card numbers, ITIN) from leaving the tenant boundary.
Pricing Summary
Copilot Business standalone: $21/user/mo ($18 promo through June 30) | Business Premium + Copilot bundle: $32/user/mo (promo) | Business Premium + Copilot + Purview add-on: ~$37/user/mo for full compliance coverage.
Copilot ROI: What the data says
Source: Forrester Total Economic Impact Study, February 2025. Composite organization analysis.
For a 200-person credit union on Business Premium + Copilot at $32/user: annual Copilot cost is $43,200. At 1.5 hours saved per user per week, the institution recovers roughly 15,600 work hours annually. That translates to the equivalent of 7.5 full-time employees in recovered productivity before accounting for automation savings or legacy tool retirement.
Four pillars of the ABT-managed environment
ABT manages every layer of your Microsoft investment. Licensing, infrastructure, security, and custom products built specifically for financial services workflows. Each pillar connects to the others through a shared governance model.
Microsoft 365
The full Microsoft 365 productivity suite, licensed through ABT at Tier-1 CSP pricing. Monthly billing flexibility with no annual commitments. Scale up or down each month as your headcount changes.
- Business Basic ($6), Business Standard ($12.50), and Business Premium ($22) for organizations under 300 seats
- Enterprise E3 ($36), E5 ($57), and E7 Frontier ($99) for organizations above 300 seats or with advanced compliance needs
- Exchange Online with 50 GB (Business) or 100 GB (Enterprise) mailboxes, archive policies, and litigation hold
- SharePoint Online for document management, intranet portals, and team collaboration sites
- OneDrive for Business with 1 TB (Business) or 5 TB+ (Enterprise) per-user cloud storage
- Microsoft Teams for chat, voice, video conferencing, and shared channels
- Copilot Business ($21/user, $18 promo) or Enterprise Copilot ($30/user) as AI add-on
- Entra ID for identity management, single sign-on, and multi-factor authentication
- Intune for mobile device management, application protection, and endpoint compliance
- Monthly licensing adjustments with no termination fees or annual lock-in through ABT CSP
Azure Cloud
Azure infrastructure services managed by ABT. From virtual desktops to SQL databases, ABT architects Azure environments that meet financial services compliance requirements and connect to your Microsoft 365 tenant.
- Azure Virtual Desktop (AVD) for secure remote access to Windows 11 desktops from any device, any location
- Azure SQL for cloud-hosted databases with automatic patching, geo-replication, and built-in encryption at rest
- Entra External ID (B2C) for member-facing and borrower-facing authentication portals with custom branding
- Azure Backup and Disaster Recovery with geo-redundant storage, point-in-time restoration, and automated failover
- Site-to-site VPN and Azure ExpressRoute for private, low-latency connectivity between branch offices and Azure
- Azure Monitor for infrastructure health dashboards, alerting, and log analytics across all Azure resources
- Consumption-based pricing: pay only for the compute, storage, and bandwidth your institution actually uses each month
Guardian Security
Guardian is ABT's managed security and governance platform. It wraps around the client's Microsoft 365 tenant with policy enforcement, continuous monitoring, and compliance reporting. Guardian monitors and surfaces security issues. It does not perform forensic incident response or active threat hunting.
- Microsoft Secure Score optimization targeting 90%+ across 161 tracked controls
- Conditional Access policies enforcing MFA, device compliance, location restrictions, and session controls
- DLP policies detecting four GLBA-sensitive data types: SSN, bank account numbers, credit card numbers, and ITIN
- Security Insights: monthly executive report on Secure Score trends, external sharing exposure, and sign-in anomalies
- Productivity Insights: application adoption, Copilot usage metrics, and license utilization tracking
- Zero-tolerance response automation: all sign-in sessions revoked on any identity risk detection, 24/7
- GLBA Safeguards Rule mapping: 62 of 77 Guardian policies map directly to 16 CFR Section 314.4 subsections
- Entra ID Protection for user risk scoring, conditional access integration, and compromised credential detection
- DLP behavior: alert-and-encrypt on sensitive data detection. Guardian never blocks users or prevents file access.
Exclusive ABT Products
ABT builds and maintains custom software products designed specifically for financial services workflows. These products integrate with Microsoft 365 and Azure, run inside the client's governed environment, and solve problems that off-the-shelf software does not address.
- DocumentGuardian: encrypted file sharing for regulated documents. White-labeled LiquidFiles deployment with ABT-managed infrastructure and compliance configuration.
- MortgageExchange: multi-company mortgage platform connecting correspondent lenders, investors, and warehouse lines through a single exchange.
- Mortgage BI: Power BI analytics dashboards built for mortgage production, pipeline, lock desk, and secondary marketing teams.
- App Pilot: low-code application framework that connects Power Apps, Power Automate, and Dataverse to existing line-of-business systems.
- Smart Signatures: centrally managed email signature templates deployed through Exchange transport rules with branding, legal disclaimers, and campaign banners.
- PointCentral: consolidated administration portal for managing Microsoft 365 tenant settings, license assignments, and user provisioning across multiple entities.
Azure services built for financial institutions
ABT architects Azure environments that connect to your Microsoft 365 tenant, meet GLBA and FFIEC compliance requirements, and scale with your institution. Every deployment follows a security-first design pattern with encryption at rest, encryption in transit, and role-based access control.
Azure Virtual Desktop
AVD gives every employee a full Windows 11 desktop accessible from any device, anywhere. Loan officers working from home, branch employees on thin clients, and seasonal contractors who need temporary access all connect through the same managed virtual desktop infrastructure.
ABT configures AVD with host pools segmented by department and role. Conditional Access policies enforce MFA on every session. Session timeout rules disconnect inactive users after the period your compliance team specifies. Screen capture is disabled by policy for sessions that access sensitive applications.
Data never leaves the Azure environment. Users interact with applications through a remote display protocol while actual files and processing remain in your Azure subscription. For mortgage companies with remote loan officers, this means borrower documents stay in the cloud, not on personal laptops.
Azure SQL
Cloud-hosted SQL databases with automatic patching, built-in encryption (TDE), and geo-replication. ABT migrates on-premises SQL Server workloads to Azure SQL with minimal downtime using the Azure Database Migration Service.
For financial institutions, Azure SQL provides the HIPAA and SOC 2 compliance attestations that auditors verify during IT examinations. Transparent Data Encryption protects data at rest. Always Encrypted keeps sensitive columns encrypted even from database administrators.
ABT configures automated backups with point-in-time restoration up to 35 days. Long-term retention policies store weekly backups for up to 10 years, meeting the retention requirements that NCUA and OCC examiners reference during examinations.
Entra External ID (B2C)
Member-facing and borrower-facing authentication portals with your institution's branding. Entra External ID replaces the practice of building custom login systems or embedding credentials in web applications.
Credit unions use External ID for online banking portals, member account management, and self-service applications. Mortgage companies use it for borrower portals where applicants upload documents and track loan status. ABT configures the authentication flows with MFA, fraud detection, and session management.
External ID integrates with your internal Entra ID tenant, allowing staff and external users to authenticate through a unified identity platform while maintaining complete separation of access permissions and data boundaries.
Backup and Disaster Recovery
Azure Backup protects virtual machines, SQL databases, file shares, and Azure Blob storage with geo-redundant copies stored in a separate Azure region. If your primary region goes offline, your backups are available in the paired region.
ABT configures recovery time objectives (RTO) and recovery point objectives (RPO) based on the tolerances your business continuity plan specifies. Mission-critical workloads get continuous replication with near-zero RPO. Standard workloads get daily backups with retention policies aligned to regulatory requirements.
Disaster recovery runbooks document the exact steps to fail over each workload. ABT tests failover procedures twice annually and provides documentation that satisfies FFIEC business continuity examination requirements.
Hybrid Connectivity
Site-to-site VPN tunnels connect your branch offices to Azure over encrypted IPSec connections. For institutions with latency-sensitive workloads or high bandwidth requirements, Azure ExpressRoute provides a private, dedicated circuit that bypasses the public internet entirely.
ABT designs network topologies with hub-and-spoke architectures. The hub virtual network hosts shared services (DNS, firewall, monitoring) while spoke networks isolate workloads by environment (production, staging, development) or business unit.
Network Security Groups and Azure Firewall enforce east-west traffic rules between subnets. ABT configures just-in-time VM access for administrative sessions, eliminating always-open management ports that FFIEC examiners flag as findings.
Azure Monitor
Centralized monitoring for every Azure resource in your subscription. Azure Monitor collects metrics, logs, and traces from virtual machines, databases, networking, and application services into a single analytics workspace.
ABT configures alerting rules that notify your team and ABT engineers when CPU utilization, memory pressure, disk IOPS, or error rates cross defined thresholds. Alerts route through Microsoft Teams channels, email, and SMS based on severity level.
Log Analytics workspaces retain logs for the period your compliance policy requires. ABT builds custom Kusto (KQL) queries and workbooks that surface security events, performance trends, and capacity projections in a format your IT team and auditors can review during examinations.
Guardian: managed security across the tenant lifecycle
Guardian is not a product you install. It is a managed security operating model that ABT applies to every client tenant. Four phases, continuous monitoring, and monthly reporting give your institution the security posture that satisfies regulators and protects members.
Hardening
80 JSON policy templates deployed across 11 categories. Conditional Access, DLP, information protection, and audit logging configured to financial services standards during onboarding.
Monitoring
Continuous tracking of 161 Microsoft Secure Score controls. Compliance drift detection flags configuration changes within hours. Zero-tolerance automation revokes all sessions on identity risk detection, 24/7.
Insights
Monthly Security Insights report for executives: Secure Score trends, external sharing exposure, sign-in anomalies, and risk events. Monthly Productivity Insights: app adoption, Copilot usage, and license utilization.
Response
Guardian surfaces and escalates security events. Zero-tolerance automation revokes compromised sessions immediately. Suspicious sign-ins, impossible travel, and leaked credentials trigger automatic account containment.
Policy Coverage: 80 Templates, 11 Categories
Every Guardian deployment applies the same policy baseline, customized for the institution's size, structure, and regulatory requirements. The 80 templates cover:
- Identity and Access Management (Conditional Access, MFA enrollment, passwordless options)
- Email Security (anti-phishing, anti-spam, Safe Links, Safe Attachments)
- Data Loss Prevention (GLBA-sensitive types: SSN, bank account, credit card, ITIN)
- Information Protection (sensitivity labels, encryption, rights management)
- SharePoint and OneDrive Governance (external sharing controls, anonymous link expiration)
- Teams Governance (guest access, meeting policies, channel permissions)
- Endpoint Management (Intune compliance policies, BitLocker, Windows Update rings)
- Audit and Logging (unified audit log, mailbox auditing, admin activity tracking)
- Defender Configuration (anti-malware, exploit guard, attack surface reduction)
- Mobile Device Management (app protection policies, device compliance, remote wipe)
- Secure Score Optimization (prioritized control activation, automated remediation)
Secure Score Monitoring: 161 Controls
Microsoft Secure Score measures your tenant's security posture across identity, data, device, and application controls. ABT targets 90%+ Secure Score for every Guardian client and maintains it through continuous monitoring.
Guardian tracks compliance drift by comparing the current configuration state against the baseline. When a setting changes (an admin disables MFA for a test account, a DLP policy gets modified, an external sharing setting opens up), Guardian flags the drift within hours and surfaces it in the next Security Insights report.
The GLBA mapping connects 62 of 77 Guardian policies to specific subsections of 16 CFR Section 314.4, the FTC Safeguards Rule. Each mapping includes the policy name, the safeguard subsection it addresses, a relevance explanation, and whether the policy is applied automatically or requires institution-specific configuration.
DLP behavior is alert-and-encrypt: when a user shares or emails content containing GLBA-sensitive data types, Guardian applies encryption and generates an alert for the security team. Guardian never blocks file access, email delivery, or user workflows. The philosophy is visibility and protection, not obstruction.
Built to satisfy the frameworks your examiners reference
Financial institutions do not choose their compliance frameworks. Regulators do. ABT configures Microsoft 365 and Azure to produce the evidence and controls that each framework requires, so your IT examination starts with documentation already in place.
GLBA
Gramm-Leach-Bliley Act (Safeguards Rule)
The FTC Safeguards Rule (16 CFR Section 314.4) requires financial institutions to develop, implement, and maintain a written information security program. Guardian maps 62 of 77 policies directly to Safeguards Rule subsections.
ABT configures DLP policies that detect and protect the four GLBA-sensitive data types (SSN, bank account numbers, credit card numbers, ITIN) across Exchange, SharePoint, OneDrive, and Teams. Sensitivity labels classify documents by confidentiality level, and encryption policies protect files at rest and in transit.
FFIEC
Federal Financial Institutions Examination Council
FFIEC IT examination handbooks guide how regulators evaluate a financial institution's technology risk management. The Cybersecurity Assessment Tool (CAT) maps controls across five maturity domains. ABT aligns Conditional Access, MFA, audit logging, and incident response configurations to FFIEC baseline controls.
During IT examinations, examiners request specific evidence: multi-factor authentication logs, access review reports, vulnerability scan results, and business continuity documentation. ABT pre-configures the Microsoft 365 and Azure features that produce these artifacts, reducing examination preparation from weeks to days.
NIST CSF 2.0
National Institute of Standards and Technology Cybersecurity Framework
NIST CSF 2.0 organizes security controls into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Many financial institution boards and management teams adopt NIST CSF as their primary security framework because FFIEC examiners reference it as a baseline standard.
ABT maps Guardian policies and Microsoft 365 configurations to NIST CSF subcategories. Conditional Access aligns to Protect (PR.AC). Defender aligns to Detect (DE.CM). Azure Backup aligns to Recover (RC.RP). The mapping gives management a framework-level view of which controls are in place and which gaps need attention.
SOC 2 Type II
Service Organization Control 2
SOC 2 Type II audits evaluate the operating effectiveness of controls over a period of time, not just their design. Financial institutions often require SOC 2 Type II reports from their technology vendors. ABT holds a SOC 2 Type II attestation covering the security, availability, and confidentiality trust service criteria.
For institutions pursuing their own SOC 2 compliance, ABT provides the Microsoft 365 and Azure configurations that map to trust service criteria: access controls, change management, system monitoring, incident response, and data protection. Your auditor can reference ABT's SOC 2 report as complementary user entity controls.
NCUA / OCC
National Credit Union Administration / Office of the Comptroller of the Currency
NCUA examines federally insured credit unions. OCC examines national banks and federal savings associations. Both agencies reference FFIEC handbooks and issue institution-specific guidance on technology risk, vendor management, and cybersecurity.
ABT's experience with 750+ financial institutions means we have seen the specific findings and recommendations that NCUA and OCC examiners issue. Common items (MFA enforcement, privileged access management, email authentication, audit log retention) are pre-configured in every Guardian deployment.
FTC Safeguards
Federal Trade Commission Safeguards Rule (Revised 2023)
The revised FTC Safeguards Rule (effective June 2023) applies to non-banking financial institutions including mortgage companies, insurance firms, and auto dealers. The rule requires specific controls: encryption, MFA, access controls, continuous monitoring, and incident response plans.
For mortgage companies and non-bank lenders, ABT configures Microsoft 365 with the specific technical controls the revised Safeguards Rule mandates. Guardian's policy mapping documents which controls address which sections, giving your compliance team a traceable connection between your technology configuration and your regulatory obligation.
Your next IT examination starts with evidence already in place
Guardian maps 62 of 77 policies directly to GLBA Safeguards Rule subsections. Security Insights gives your board a monthly report on Secure Score, external sharing, and sign-in risk. When the examiner arrives, the documentation is already there.
Not all Microsoft licensing partners are the same
There are three ways to buy Microsoft 365 licenses. Each comes with different pricing, different support models, and different levels of control over your tenant. The differences add up to tens of thousands of dollars annually for a mid-size financial institution.
Buy Direct from Microsoft
Purchase licenses at full retail price through Microsoft's online portal. Self-service management with standard Microsoft support.
- Full retail pricing, no volume discounts
- Self-service tenant administration
- Standard Microsoft support queues
- No tenant hardening or security configuration
- No compliance reporting or policy management
- No dedicated account engineer
- Annual commitment required for most plans
Tier-2 Reseller
Purchase through a local MSP or IT provider who buys from a distributor (Pax8, Ingram, Sherweb). Two markup layers between you and Microsoft.
- Distributor margin + reseller margin on top of Microsoft price
- Managed services often available, but generic (not FI-specific)
- Support quality varies by provider
- Microsoft escalations go through the distributor's queue
- Limited visibility into Microsoft roadmap changes
- Compliance configuration may be basic or ad-hoc
- May require annual contracts with early termination fees
ABT (Tier-1 CSP)
Purchase directly from ABT at Tier-1 pricing. One partner, zero middlemen, with managed security and financial services specialization included.
- Tier-1 pricing: ABT buys direct from Microsoft, no distributor margin
- Guardian security hardening included for every managed tenant
- Financial services specialization: GLBA, FFIEC, NCUA, OCC, FTC
- Direct Microsoft escalation paths for critical issues
- Dedicated ABT engineer who knows your tenant
- Monthly billing flexibility, no annual lock-in
- Quarterly license optimization reviews to right-size your mix
- Security Insights + Productivity Insights reports
- Copilot deployment with pre-configured governance
Real-world cost comparison: 200-person credit union
Business Premium ($22) + Copilot Business ($18 promo) = $40/user/month
Savings estimate based on 200 users on Business Premium ($22) + Copilot Business ($18 promo). Direct pricing uses Microsoft retail rates ($22 + $21 = $43/user). ABT pricing reflects Tier-1 CSP rates at $32/user during the promotional window. Actual savings depend on your institution's seat count, plan mix, and current provider pricing.
From first conversation to managed environment in weeks
ABT follows a six-step deployment process refined over 25+ years and 750+ financial institution engagements. Each step has defined deliverables, timelines, and verification checkpoints.
Assessment and Discovery
ABT reviews your current Microsoft 365 environment, existing licenses, security configuration, and compliance requirements. This includes a Secure Score audit, license utilization analysis, and gap assessment against GLBA and FFIEC baselines. Delivered within the first week.
License Transfer
Your Microsoft 365 billing authority transfers from your current provider to ABT through the CSP channel. No data moves. No settings change. Your users keep working without interruption. The transfer process typically completes within 48 hours. If you are currently on direct billing or an EA, ABT coordinates the transition timeline with Microsoft.
Guardian Hardening
ABT deploys 80 JSON policy templates across 11 categories. Conditional Access policies, DLP rules, sensitivity labels, audit logging, and Defender configurations are applied to match your institution's regulatory requirements. Secure Score optimization begins, targeting 90%+ across 161 controls. Hardening completes within 2 to 3 weeks for most tenants.
License Optimization
ABT analyzes license utilization data to right-size your subscription mix. If 40 of your 200 users only need email and Teams, ABT moves them from Business Premium to Business Basic and reallocates the savings. Optimization reviews typically identify 15-20% in annual savings on the existing license spend.
Copilot Deployment
For institutions adding Copilot, ABT runs a pre-deployment security assessment that verifies DLP policies, sensitivity labels, and file sharing permissions are in place before AI goes live. A 30-day adoption sprint includes role-based training, department-specific use cases, and weekly check-ins to measure adoption. Copilot Studio custom agents are scoped and deployed after the initial rollout stabilizes.
Ongoing Managed Services
Your designated ABT engineer monitors Secure Score, tracks policy drift, reviews license utilization quarterly, and proactively addresses Microsoft configuration changes that affect your tenant. Security Insights and Productivity Insights reports deliver monthly. Direct escalation paths to Microsoft engineering are available for critical issues.
What financial institutions achieve with ABT
These numbers come from ABT's managed client base across credit unions, community banks, and mortgage companies. Every metric reflects production environments, not pilot programs or lab tests.
Credit Unions and Community Banks
ABT manages Microsoft 365 and Azure for hundreds of credit unions and community banks ranging from 20 to 500+ employees. These institutions share common requirements: NCUA or OCC examination readiness, GLBA compliance documentation, and member data protection that meets board-level expectations.
Typical outcomes for credit unions and banks moving to ABT include Secure Score improvement from the 40-60% range to 90%+, elimination of shadow IT through governed Copilot deployment, and quarterly license reviews that identify unused licenses and overpaid tiers. One common finding: institutions paying E3 rates for users who only need Business Basic, resulting in annual overspend of $360 per affected user.
For credit unions with multiple branches, ABT configures Azure site-to-site VPN or ExpressRoute connectivity, centralized admin through PointCentral, and branch-level Conditional Access policies that enforce location-aware authentication.
Mortgage Companies and Non-Bank Lenders
Mortgage companies face unique technology challenges: remote loan officers who need secure access to origination systems, borrower document management with regulatory retention requirements, and FTC Safeguards Rule compliance since the revised rule took effect in June 2023.
ABT serves mortgage companies with MortgageExchange for multi-company loan exchange operations, Mortgage BI for Power BI dashboards built around production and pipeline data, and Azure Virtual Desktop for remote loan officers who need access to Encompass, loan origination systems, and borrower files without storing data on personal devices.
DocumentGuardian provides encrypted file sharing for loan documents, investor packages, and compliance artifacts. Smart Signatures deploy consistent email branding with NMLS disclosures across every loan officer, processor, and underwriter in the organization.
Latest on Microsoft 365 and financial services
Deep dives into licensing strategy, Copilot deployment, and the regulatory landscape that shapes how financial institutions use Microsoft technology.
The Connected Workflow: How Microsoft 365 Ties Together Every Department
How Exchange, Teams, SharePoint, and OneDrive work together as a single platform for credit unions and banks. From loan processing to board reporting, the connected workflow eliminates the silos that slow financial institutions down.
E7 Frontier vs. E5 + Copilot: Which Bundle Makes Sense for Your Institution?
Microsoft's new E7 Frontier license bundles E5, Copilot, Agent 365, and Entra Suite at $99 per user. We break down when E7 saves money, when E5 + Copilot is the better buy, and what the GA timeline means for financial institutions.
April 15 Copilot Changes: What Credit Unions and Banks Need to Know
Microsoft updated Copilot's agent capabilities and data grounding behavior on April 15. What changed, what it means for financial institutions running Copilot Business, and what ABT recommends for governance settings.
Microsoft 365 licensing and services FAQ
Common questions from IT directors, CFOs, and compliance officers at credit unions, banks, and mortgage companies considering ABT for Microsoft 365 and Azure.
A Tier-1 CSP buys Microsoft licenses directly from Microsoft with no distributor in between. ABT was one of the first 15 Tier-1 CSPs globally when Microsoft launched the CSP program. This means ABT sets pricing without a distributor margin, gets direct escalation paths to Microsoft engineering for critical issues, and has early access to new product announcements and promotional pricing. Tier-2 resellers buy through distributors like Pax8 or Ingram Micro, which adds a margin layer and routes support through the distributor's queue before reaching Microsoft.
No. A CSP license transfer is a billing change, not a data migration. Your tenant, users, email, files, calendar, Teams channels, SharePoint sites, and all settings remain exactly where they are. ABT assumes billing authority through the CSP channel while your team continues working without interruption. The transfer process typically completes within 48 hours. ABT has completed hundreds of license transfers for financial institutions with zero downtime incidents.
ABT offers every commercial Microsoft 365 plan: Business Basic ($6/user/month), Business Standard ($12.50), Business Premium ($22), Enterprise E3 ($36), Enterprise E5 ($57), and the new E7 Frontier ($99). Business plans have a 300-seat maximum. Enterprise plans have no seat limit. ABT recommends Business Premium for most financial institutions under 300 seats because it includes Intune, Defender for Business, Conditional Access, DLP, and Information Protection at the best price point. Copilot Business ($21/user, currently $18 during the promotional period through June 30, 2026) can be added to any plan.
ABT applies Guardian, its managed security and governance platform, to every client tenant. Guardian deploys 80 JSON policy templates across 11 categories during onboarding: Conditional Access, DLP, email security, information protection, endpoint management, and more. Guardian monitors 161 Microsoft Secure Score controls continuously, flags compliance drift within hours, and automates zero-tolerance response (revoking all sessions on identity risk detection, 24/7). Guardian monitors and surfaces security issues. It does not perform forensic incident response or active threat hunting. Monthly Security Insights reports give executives visibility into Secure Score trends, external sharing, and sign-in anomalies.
ABT manages Azure Virtual Desktop (AVD) for secure remote desktops, Azure SQL for cloud-hosted databases, Entra External ID (B2C) for member-facing and borrower-facing authentication portals, Azure Backup and Disaster Recovery with geo-redundant storage, site-to-site VPN and ExpressRoute for branch connectivity, and Azure Monitor for infrastructure health and alerting. All Azure deployments follow a security-first design with encryption at rest, encryption in transit, and role-based access control. Azure services are consumption-based, meaning you pay only for what you use.
Copilot Business is the SMB-tier AI assistant at $21 per user per month (currently $18 during the promotional period). It is available to organizations with 300 seats or fewer and works inside Word, Excel, PowerPoint, Outlook, Teams, and Business Chat. Copilot Enterprise is the larger-organization product at $30 per user per month, requiring an E3 or E5 foundation. Enterprise Copilot adds higher capacity limits, enterprise-grade data grounding, and Microsoft Graph customization options. For most financial institutions under 300 seats, Copilot Business bundled with Business Premium ($32/user total during the promo) provides the best value.
ABT aligns Microsoft 365 and Azure configurations to GLBA (Gramm-Leach-Bliley Act Safeguards Rule), FFIEC IT examination handbooks and the Cybersecurity Assessment Tool (CAT), NIST Cybersecurity Framework 2.0, SOC 2 Type II trust service criteria, NCUA/OCC examination requirements, and the revised FTC Safeguards Rule (effective June 2023). Guardian maps 62 of 77 policies directly to GLBA Safeguards Rule subsections (16 CFR Section 314.4). ABT holds its own SOC 2 Type II attestation covering security, availability, and confidentiality.
Microsoft confirmed pricing increases for several plan tiers effective July 1, 2026. Business Basic increases from $6 to $6.60 (+10%). Business Standard increases from $12.50 to $14 (+12%). Enterprise E3 increases from $36 to $40 (+11%). Enterprise E5 increases from $57 to $61 (+7%). Business Premium holds at $22 with no change. E7 Frontier holds at $99 with no change. Copilot pricing (both Business and Enterprise) also holds. Institutions that lock in licensing through ABT before July keep their current rates through the billing cycle.
E7 Frontier is Microsoft's new top-tier enterprise bundle, launching in May 2026 at $99 per user per month. It includes everything in E5 ($57) plus Copilot (normally $30 as an add-on), Agent 365 for governing AI agents across the tenant, and the full Entra Suite (Verified ID, Entra Internet Access, Entra Private Access). Agent 365 manages and governs AI agents built with Copilot Studio. It does not deploy or execute agents itself. For institutions that would otherwise buy E5 + Copilot + Entra Suite separately, E7 consolidates those costs into a single license with a net savings compared to buying the components individually.
The initial assessment and license transfer typically complete within the first two weeks. Guardian hardening takes an additional two to three weeks depending on tenant size and complexity. Copilot deployment adds a 30-day adoption sprint on top of the hardening phase. Most institutions are fully onboarded within 60 days from the first conversation. The license transfer itself is a 48-hour process during which your users experience no interruption. ABT coordinates the timeline around your institution's calendar to avoid conflicts with board meetings, examinations, or system maintenance windows.
Ready to Optimize Your
Microsoft Licensing?
Get a free license assessment from ABT. We review your current Microsoft 365 environment, identify savings opportunities, and show you exactly what a governed, Copilot-ready tenant looks like for your institution.
