Skip to main content

Introduction

Welcome to the Shadow IT documentation — an open, non-paywalled body of knowledge on Microsoft 365, cybersecurity, and IT governance, written for businesses in regional Australia and anyone running IT to a professional standard.

This isn't a product manual or a sales brochure. It's a reference library: the runbooks, baselines, and decision frameworks I'd want a client, a peer, or my future self to have. The hard part of a library this size isn't writing it — it's organising it so you can find the one page that's actually written for you.

How the sidebar is organised

The menu on the left is built on a single idea: the core distinction isn't what the technology is — it's who owns the decision and who carries the risk. The same control (say, multi-factor authentication) reads completely differently depending on whether you're signing the cheque, delivering it as a service, or configuring it at 2am during an incident.

So the documentation is split first by audience, then by altitude.

Pick your audience

There are three top-level sections, one for each kind of reader:

  • Business Owners — You're accountable to a board or to yourself. You read in the language of risk, cost, and continuity, not CVEs. These pages frame technology as a business decision: outcomes and dollars, not configuration.
  • Managed Service Providers — You deliver IT as a service to many clients. Everything here is framed through multi-tenancy, repeatability, margin, and liability transfer.
  • Internal IT Teams — You execute and own the outcome for a single organisation. The framing is accountability, depth, and institutional knowledge — full ownership of the consequences.

Then pick your altitude

Inside each audience, the content is split into three tiers that map to time-horizon and altitude:

  • Strategyyears. Direction-setting. Where the money goes, what risk you're willing to carry, and how technology serves the wider goal.
  • Tacticalquarters. Turning strategy into plans, projects, standards, and procurement. The bridge between intent and execution.
  • Operationaldays. The hands-on run-state: runbooks, configs, cadences, and the work that keeps everything running and defensible.

Read top-to-bottom if you're new, or jump straight to your tier if you know what you're after.

The Technical Library — one source of truth

Three audiences times three tiers is nine sections, and the honest risk is duplication: an MSP's Operational runbook for hardening Microsoft 365 is nearly identical to an internal IT team's. Maintain that config in three places and the three copies will drift — different versions, different CVE responses, different "current" baselines.

To avoid that, the actual technical content — the hardening baselines, runbooks, and scripts that change over time — lives once, in the Technical Library. It's audience-neutral and authoritative. The Operational pages (and, to a lesser extent, the Tactical pages) reference it rather than repeating it. Business Owner pages almost never touch it; they're context and interpretation.

Think of the nine audience pages as lenses over a single canonical core. The lens gives you the framing appropriate to your seat; the library gives you the one true version of the thing that drifts.

A note on currency

Security guidance and Australian regulation both move. Where these pages cite specific obligations — the Privacy Act, the Essential Eight, APRA standards — they were accurate at the time of writing, but you should treat them as a starting point for your own due diligence, not as legal or compliance advice. If you spot something out of date or wrong, tell me — that's how a living repository stays honest.