The Microsoft 365 Security Settings Most Law Firms Miss
The Short Answer For The IT Committee
Most small law firms do not get breached because Microsoft 365 lacks security controls. They get breached because the tenant is left close to default, exceptions accumulate, and no one periodically proves that the risky paths are closed.
For an LA law firm, the highest-value Microsoft 365 security work is not a vague hardening project. It is a defined set of configurations that reduce the exact paths attackers use: stolen passwords, consented malicious apps, mailbox forwarding, weak admin access, fake invoice email, unmanaged devices, excessive sharing, and missing logs.
The business reason is straightforward. The FBI reported internet-crime losses exceeding $16 billion from 859,532 complaints, a 33% increase from the prior year, in its latest annual IC3 summary FBI 2024 Internet Crime Report announcement. Law firms are especially exposed because email carries privileged communications, settlement discussions, wiring instructions, production data, and executive approvals. Attackers do not need to encrypt the whole network if they can quietly control one partner mailbox.
The settings below are the ones small-to-midsize firms most often miss, listed in the order an IT committee should evaluate them.
Start With Identity: Require Strong MFA Everywhere It Matters
The first gap to close is inconsistent MFA. Many firms turn on MFA for attorneys but leave gaps for shared mailboxes, service accounts, legacy protocols, break-glass accounts, remote access tools, or new users who are temporarily exempted and never revisited.
Microsoft says MFA can block more than 99.2% of account compromise attacks Microsoft Entra mandatory MFA guidance. That does not mean all MFA is equal. SMS codes and push prompts are better than passwords alone, but they are weaker than phishing-resistant methods because an adversary-in-the-middle phishing page can trick a user into approving access.
For a law firm, the practical target state is:
- Require MFA for every human user, including partners, associates, paralegals, accounting, outside consultants, and temporary staff.
- Require phishing-resistant MFA for administrators, finance users, managing partners, and anyone who can access broad matter repositories.
- Remove standing MFA exclusions except documented break-glass accounts.
- Review break-glass accounts on a recurring schedule and keep them cloud-only, tightly monitored, and excluded only where necessary.
- Disable legacy authentication so attackers cannot bypass MFA through older protocols.
The common committee mistake is treating MFA as a completed project once users can sign in with an authenticator app. The better question is: which accounts can still authenticate with a password, a weak method, a stale exception, or an unmonitored protocol?
Use Conditional Access As Policy, Not Decoration
Conditional Access is where Microsoft 365 security becomes enforceable business policy. It decides who can access what, from where, on which device, under what risk conditions.
Small firms often underuse it in one of two ways. Either they rely on security defaults and never define firm-specific rules, or they create one broad policy that is too blunt to handle real legal workflows. Neither is decision-grade security.
A practical law-firm Conditional Access baseline should include:
- Block legacy authentication.
- Require MFA for all cloud apps.
- Require stronger authentication for admin portals.
- Require compliant or trusted devices for SharePoint, OneDrive, Teams, and Exchange access where feasible.
- Block or restrict access from countries where the firm has no business need.
- Require reauthentication for risky sign-ins.
- Separate policies for attorneys, finance, administrative staff, guests, and administrators.
CISA’s Microsoft 365 Secure Configuration Baselines are a useful reference point because they convert broad cloud-security goals into specific Microsoft 365 configuration expectations CISA Microsoft Entra ID baseline. A private law firm does not need to copy a federal baseline blindly, but it should be able to explain where it intentionally differs.
For Southern California firms with attorneys working from court, client sites, home offices, airports, and production offices, Conditional Access should not simply block all mobility. It should distinguish normal remote work from risky access: unmanaged devices, impossible travel, unfamiliar locations, anonymous networks, and admin access outside approved workflows.
Lock Down Administrator Roles Before Attackers Find Them
The most dangerous Microsoft 365 accounts are not always the named partners. They are the accounts with permissions to reset passwords, create transport rules, grant mailbox access, approve applications, change retention, or disable security controls.
Common gaps include too many Global Administrators, day-to-day use of admin accounts for email, former vendor accounts that still have privileges, and help desk accounts with broader rights than needed.
For a small law firm, the right pattern is:
- Use separate admin accounts, not normal email accounts, for privileged work.
- Reduce Global Administrator membership to the smallest practical group.
- Use role-specific admin rights instead of broad rights where possible.
- Require phishing-resistant MFA for privileged accounts.
- Block admin portal access from unmanaged devices and unexpected locations.
- Alert on new admin-role assignments, mailbox delegation changes, and changes to Conditional Access.
- Keep at least one emergency account, but monitor it closely and test access under controlled conditions.
The committee should ask for a privilege inventory, not a verbal assurance. A useful inventory names every privileged account, who owns it, what role it has, when it last signed in, what MFA method it uses, and why the role is still required.
Turn On Defender Email Protections Firms Assume Are Already On
Email is still the main operating system of legal work. That is why Microsoft 365 email protections deserve more attention than most firms give them.
Many tenants have basic Exchange Online Protection but have not configured Microsoft Defender for Office 365 policies well. Microsoft recommends preset security policies as the easier way to apply recommended anti-phishing, anti-spam, anti-malware, Safe Links, and Safe Attachments settings Microsoft Defender preset security policies.
For law firms, the most important email controls are:
- Enable Standard or Strict preset security policies for users, with stricter treatment for partners, finance, and firm leadership.
- Configure anti-phishing protection for impersonated users and firm domains.
- Turn on Safe Links so malicious URLs can be checked at time of click, not only at delivery.
- Turn on Safe Attachments so suspicious files are detonated before delivery.
- Add external sender tagging, but do not rely on banners as a primary defense.
- Review allowed senders, allowed domains, and user-reported false positives so exceptions do not become a bypass list.
- Protect shared mailboxes used for intake, accounting, recruiting, and matter administration.
The key buyer question is not whether the firm has Microsoft 365 email security. It is whether the protection is actually applied to every mailbox that handles money, privileged information, credentials, or client instructions.
Stop Mailbox Forwarding And Hidden Inbox Rules
Mailbox forwarding is one of the quietest and most damaging Microsoft 365 attack paths. An attacker compromises an account, creates a forwarding rule to an external address, hides or deletes messages, and watches client communications until there is an opportunity to redirect funds or steal privileged information.
Microsoft provides controls for automatic external forwarding through outbound spam filter policies, including specific policy options for external forwarding Microsoft external forwarding controls. Law firms should treat external forwarding as denied by default, with exceptions approved like any other legal-data transfer.
Recommended configuration:
- Block automatic external forwarding by default.
- Create documented exceptions only for approved business workflows.
- Alert on new forwarding rules, inbox rules that delete or move messages, and mailbox delegation changes.
- Review transport rules for anything that redirects, blinds copies, modifies recipients, or bypasses filtering.
- Check whether former employees, vendors, or shared mailboxes still forward messages externally.
This setting matters in Los Angeles because many firms work with entertainment, real estate, finance, and professional-services clients where urgent email instructions are normal. Attackers use that normal urgency. The defense is not telling attorneys to slow down; it is removing the invisible mailbox mechanisms attackers use after compromise.
Protect SharePoint, OneDrive, And Teams From Accidental Data Exposure
For many small firms, the document management system is no longer just a document management system. Matter files, drafts, productions, closing binders, expert reports, HR files, and client collaboration all move through SharePoint, OneDrive, and Teams.
The most common Microsoft 365 data gaps are oversharing, guest sprawl, anonymous links, uncontrolled sync, and old Teams that still expose matter data long after a case or transaction closes.
A practical configuration standard should cover:
- Disable anonymous sharing unless the firm has a specific, documented reason to allow it.
- Prefer specific-people links over anyone-with-the-link access.
- Set link expiration and download restrictions where appropriate.
- Restrict external sharing by site sensitivity, not one global setting for the whole firm.
- Require owner approval for new guests in matter workspaces.
- Review guest access at matter close and remove guests who no longer need access.
- Use sensitivity labels for confidential, privileged, HR, finance, and client-restricted material.
- Control OneDrive sync to managed devices where feasible.
The IT committee should ask for a report showing externally shared files, active guest users, anonymous links if any are permitted, and sites with the broadest sharing settings. This is where a firm often discovers that the risk is not a dramatic breach. It is years of small convenience decisions that were never reviewed together.
Choose The Right Operating Model For Ongoing Configuration Drift
Microsoft 365 security is not a one-time checklist. Microsoft changes portals, attackers change techniques, vendors request exceptions, attorneys change workflows, and new matters create new collaboration spaces. The operating model matters as much as the initial configuration.
| Option | What It Handles Well | Where It Commonly Fails | Best Fit |
|---|---|---|---|
| Internal generalist | Fast local context and direct attorney support | Hard to keep up with Microsoft 365 security, compliance, endpoint, identity, and incident response at the same time | Firms with mature internal IT leadership and outside escalation |
| Break-fix support | Isolated repairs and urgent troubleshooting | Weak fit for policy enforcement, monitoring, drift control, and security documentation | Low-risk environments with limited cloud exposure |
| Managed IT provider | Recurring administration, monitoring, policy review, endpoint management, and escalation | Requires clear scope, reporting, and decision ownership from the firm | Small-to-midsize firms that need consistent security operations without building a full internal team |
| Security-only consultant | Deep assessment and remediation guidance | May not own day-to-day user changes, exceptions, and follow-through | Firms that already have strong IT operations but need independent validation |
For an LA law firm, the decision is usually not whether someone can configure a setting once. The decision is who will notice when a new partner is excluded from MFA, a vendor creates a risky app consent, a Teams site becomes externally shared, or a forwarding exception survives after the business need is gone.
Audit Logging Is Evidence, Not A Checkbox
When a suspected compromise occurs, the firm needs to answer concrete questions: Which account signed in? From where? What mailbox rules changed? What files were accessed? Which messages were sent? Which admin settings changed? Which guests were added?
That requires audit logging, retention, permissions, and a practiced investigation workflow. Microsoft notes that Audit Standard retains records for 180 days and that Audit Premium can support longer audit retention policies up to 10 years, depending on licensing and configuration Microsoft Purview auditing overview. The point for an IT committee is not to memorize Microsoft licensing. The point is to decide how much history the firm needs for legal, insurance, client, and incident-response obligations, then configure retention and export accordingly.
At minimum, the firm should verify:
- Audit logging is enabled and searchable.
- The right people have audit-search permissions.
- Logs cover Exchange, SharePoint, OneDrive, Teams, Entra ID, admin activity, and mailbox activity.
- Alerts exist for impossible travel, risky sign-ins, new inbox rules, external forwarding, privilege changes, and suspicious OAuth consent.
- Logs are retained long enough for the firm’s incident-response, insurance, and client-notification needs.
- Someone tests the process before an incident, not during one.
This is also where cybersecurity and professional responsibility meet. If a client asks what happened, the firm needs more than a statement that Microsoft 365 was in use. It needs evidence.
A Practical Remediation Order For A Small Law Firm
If the committee wants to move from discussion to action, use this order. It closes the most abused paths first while limiting disruption.
First, inventory the tenant: users, administrators, guests, mailboxes, shared mailboxes, forwarding rules, transport rules, external sharing, app consents, devices, and current Conditional Access policies.
Second, fix identity: require MFA, remove stale exceptions, block legacy authentication, separate admin accounts, and strengthen authentication for privileged and finance users. Microsoft’s current authentication guidance recommends phishing-resistant methods such as Windows Hello for Business, passkeys based on FIDO2, and certificate-based authentication for the strongest sign-in experience Microsoft Entra authentication overview.
Third, fix email: enable appropriate Defender presets, configure impersonation protection, review allow lists, block automatic external forwarding, and alert on suspicious inbox rules.
Fourth, fix collaboration: reduce anonymous sharing, classify sensitive sites, clean up guests, and define how matter workspaces are opened and closed.
Fifth, fix visibility: enable and test audit search, define alert ownership, document incident steps, and make sure logs are retained in line with the firm’s obligations.
Finally, create a recurring review cadence. The committee should receive a short Microsoft 365 security posture report that shows what changed, what exceptions exist, what risks remain, and which decisions require partner-level approval. Security that cannot be explained to firm leadership will not survive real-world pressure.
We Solve Problems is a Los Angeles MSP serving small and mid-size Southern California businesses, with particular depth in entertainment-law and professional-services environments. If your firm wants a practical Microsoft 365 security review that turns these settings into an actionable remediation plan, request a consultation through /contact.