Why they called
The client had spent fourteen months with a Big Four firm and ended with a slide deck, a Cloud Adoption Framework (CAF) maturity score, and zero deployed infrastructure. The internal CISO needed a deployed Azure landing zone and a Defender XDR baseline that the next HIPAA audit cycle could sign off on, in a quarter rather than a year.
They had Azure subscriptions spread across three management groups, an Entra ID tenant with conditional access already in place, and workloads landed wherever individual teams had chosen to put them. No central logging, no policy as code, no documented network topology.
What we shipped
Weeks one through three: management-group hierarchy, hub-and-spoke topology with Azure Firewall in the hub, central Log Analytics workspace, Defender for Cloud baseline assignments, Azure Policy library mapped to HIPAA control families.
Weeks four through six: Entra ID PIM rollout across twelve privileged role groups, Defender for Endpoint deployment across the existing Intune-managed fleet, Defender for Identity sensor coverage, Log Analytics agent (MMA) to Azure Monitor Agent (AMA) migration for the legacy VM fleet.
Weeks seven through eight: HIPAA evidence pipeline writing to long-retention storage, runbook for the three most common audit asks, handoff session with the in-house infrastructure team. We left the Bicep modules in their repo, the architecture decision record (ADR) in their wiki, and a one-page on-call card on every workstation.
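To make the weeks one-through-three deliverable concrete, here is an added Bicep example of the shape those modules take: a child management group under the one the template targets, the HIPAA HITRUST built-in initiative assigned with a managed identity so its deployIfNotExists policies can remediate, the role that identity needs, and a deny-mode allowed-locations assignment. This is an illustration written for this page, not the modules left in the client's repo. The management-group name, regions, the choice of Contributor for the remediation identity, and the initiative GUID are assumptions; the GUID in particular is quoted from memory and must be confirmed against the tenant before anything is deployed.

```bicep
// Added example, not the engagement's own modules. Deploy against the parent management group:
//   az deployment mg create --management-group-id <parentMg> --location eastus --template-file main.bicep
targetScope = 'managementGroup'

@description('Child management group created under the management group this template targets (assumed name)')
param childMgName string = 'lz-hipaa'

@description('Region recorded on the policy assignment; required whenever the assignment carries a managed identity')
param location string = 'eastus'

@description('Regions workloads may be created in; any other region is denied')
param allowedLocations array = [
  'eastus'
  'eastus2'
]

// Built-in definition ids. The HIPAA HITRUST 9.2 initiative id is an assumption: confirm it with
//   az policy set-definition list --query "[?displayName=='HIPAA HITRUST 9.2'].name" -o tsv
var hipaaInitiativeId = '/providers/Microsoft.Authorization/policySetDefinitions/a169a624-5599-4385-a696-c8d643089fab'
var allowedLocationsPolicyId = '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'

// Contributor is the broad default for remediation identities (assumed here). Narrow it to the
// roles the initiative's deployIfNotExists policies actually declare once the assignment is stable.
var contributorRoleId = tenantResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')

// Management groups are tenant-level resources, so the child is created at tenant scope and
// parented to the management group the deployment targets.
resource childMg 'Microsoft.Management/managementGroups@2021-04-01' = {
  scope: tenant()
  name: childMgName
  properties: {
    displayName: childMgName
    details: {
      parent: {
        id: managementGroup().id
      }
    }
  }
}

// Assigned at the target management group; every child, including the one above, inherits it.
// The system-assigned identity is what lets deployIfNotExists policies write diagnostic settings,
// agents and the like into non-compliant resources.
resource hipaaAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'hipaa-hitrust-92'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: 'HIPAA HITRUST 9.2 baseline'
    policyDefinitionId: hipaaInitiativeId
    enforcementMode: 'Default'
    nonComplianceMessages: [
      {
        message: 'Flagged by the HIPAA HITRUST baseline. Read the landing-zone ADR before requesting an exemption.'
      }
    ]
  }
}

// Without this, the assignment evaluates but remediation tasks fail with authorization errors.
resource hipaaRemediationRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(managementGroup().id, hipaaAssignment.name, contributorRoleId)
  properties: {
    principalId: hipaaAssignment.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: contributorRoleId
  }
}

// A deny-effect guardrail that needs no identity: blocks deployments outside the approved regions.
resource allowedLocationsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'allowed-locations'
  properties: {
    displayName: 'Allowed locations'
    policyDefinitionId: allowedLocationsPolicyId
    enforcementMode: 'Default'
    parameters: {
      listOfAllowedLocations: {
        value: allowedLocations
      }
    }
  }
}

output childMgId string = childMg.id
output hipaaRemediationPrincipalId string = hipaaAssignment.identity.principalId
```

Two checks worth running after the first deployment: confirm the remediation identity shows up under the management group's role assignments (otherwise every remediation task will fail silently in the compliance view), and run one policy assignment with enforcementMode set to DoNotEnforce first when the fleet is large, so the initial compliance scan surfaces what would be denied before anyone is blocked.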
What the auditor saw
Six weeks after handoff the client ran a HIPAA assessment with their existing auditor. The auditor signed off on the cloud-controls section in a single pass, citing the evidence pipeline by name. Previous assessment cycles had averaged three follow-up rounds.
