Your firm spent the afternoon migrating to Microsoft 365. Email works, Teams is running, and everyone can access SharePoint from home. You’re done, right? Not quite - because Microsoft 365 ships with default settings optimized for convenience, not for a firm that handles W-2s, trust accounts, and audit-ready financial records.
The Problem: “Good Enough” Setup Is a Compliance Liability
When small accounting firms move to Microsoft 365, the typical process looks like this: create accounts, assign licenses, turn on MFA, and move on. It works. Until it doesn’t.
The platform’s out-of-the-box configuration assumes a general business user, not a CPA firm with obligations under the Gramm-Leach-Bliley Act (GLBA) and IRS Publication 4557, which requires tax preparers to implement a written information security plan (WISP). Those standards demand active, documented controls. Microsoft 365’s defaults don’t get you there automatically.
Here’s what’s often still enabled after a standard setup:
- Legacy authentication protocols like Basic Auth, which don’t support MFA and are a primary attack vector for credential stuffing
- External sharing in SharePoint and OneDrive set to “Anyone with a link” - meaning a shared document link forwarded to the wrong person grants access immediately
- Guest access in Microsoft Teams enabled globally, allowing outside users to join channels where client discussions happen
- App permissions that let third-party applications access your tenant data without admin review
- No session timeout policies, so a logged-in browser session stays active indefinitely on an unattended machine
None of these are exotic vulnerabilities. They’re all sitting in your admin center right now - and most firms don’t know they’re there.
Why This Matters for CPA Firms
Accounting firms are unusually attractive targets. You hold tax records, financial statements, payroll data, and estate documents - often for dozens or hundreds of clients at once. That concentration of sensitive information is exactly what threat actors hunt for.
Regulatory pressure makes this more than a best-practice conversation. The IRS requires all tax preparers to maintain a WISP under Publication 4557 and the Safeguards Rule under GLBA. California firms operate under the California Consumer Privacy Act (CCPA), which grants clients rights over their personal financial data and creates liability for firms that can’t demonstrate reasonable security controls.
A breach isn’t just an IT incident. It’s a notification obligation, a potential state attorney general investigation, and a serious reputational hit in a profession where client trust is everything.
The American Institute of Certified Public Accountants (AICPA) has been explicit: cybersecurity is now a professional responsibility issue, not just an operational one. Your peer review, your engagement letters, and your standard of care all hinge on showing that client data was protected with deliberate, documented controls.
MFA alone doesn’t satisfy those obligations. It’s necessary but not sufficient. The real security lives in conditional access policies, sharing permissions, and session controls.
How to Fix the Settings That Matter Most
You don’t need a dedicated IT team to make meaningful progress. What you need is a structured audit and the willingness to act on what you find.
Start with Microsoft Secure Score. Log into the Microsoft 365 Defender portal and find your Secure Score dashboard. This tool scores your tenant’s configuration against Microsoft’s recommended baseline and gives you a prioritized list of improvements. It’s not perfect, but it’s the fastest honest assessment of where you stand.
Disable legacy authentication. This is one of the highest-impact changes you can make. In the Azure Active Directory admin center (now called Microsoft Entra ID), use Conditional Access to block legacy authentication protocols. Microsoft’s own data shows that more than 99% of password spray attacks use legacy auth. Block it and that entire attack category disappears.
Audit your SharePoint and OneDrive sharing settings. Go to the SharePoint admin center and review your external sharing policy. For most CPA firms, the right setting is “Only people in your organization” or, at most, “New and existing guests” with expiring access links. “Anyone with a link” should be off.
Review guest access in Teams. In the Teams admin center, you can restrict guest access at the org level and, more granularly, by individual team. Review which Teams channels handle client matters and ensure guests can’t join without explicit admin approval.
Set up Conditional Access policies. MFA is a start. Conditional Access lets you require MFA when specific conditions are met (a new device, a new location) and block access entirely when the conditions look suspicious (an unusual country, an unmanaged device). At minimum, require MFA for all users, block legacy auth, and require compliant devices for access to sensitive SharePoint sites.
Review app permissions in the Entra ID portal. Under Enterprise Applications, look at what third-party apps have been granted access to your tenant and what permissions they hold. Revoke anything your firm didn’t explicitly approve. This is often the most surprising finding in a security audit.
Enable Unified Audit Logging. If something goes wrong, you need a record of what happened. Unified Audit Logging in the Microsoft Purview compliance portal captures sign-in activity, file access, sharing events, and admin changes. It’s not enabled by default in all license tiers. Turn it on.
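The steps above, carried out in one pass with Microsoft's own admin PowerShell modules, as an added example that is not part of the original article. It assumes the Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams and ExchangeOnlineManagement modules are installed, and that the tenant name and emergency-access group ID are placeholders to be replaced.

```powershell
# Added example, not from the original article: applies the article's hardening steps with Microsoft's
# admin PowerShell modules. Assumes Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams
# and ExchangeOnlineManagement are installed; the two values below are placeholders.
$TenantName      = "contoso"                                  # placeholder: your tenant's short name
$BreakGlassGroup = "00000000-0000-0000-0000-000000000000"     # placeholder: object ID of your emergency-access group

# 1. Block legacy authentication with a Conditional Access policy. Basic-auth clients appear as the
#    "exchangeActiveSync" and "other" client app types. The policy starts in report-only mode so the
#    sign-in log can be reviewed (and any remaining legacy clients fixed) before state is set to "enabled".
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"
$policy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroup) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. SharePoint / OneDrive: no "Anyone" links, new links default to people inside the firm, guest access expires.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly -DefaultSharingLinkType Internal `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30

# 3. Teams: turn off org-wide guest access; re-enable per team only where an engagement needs it.
Connect-MicrosoftTeams
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# 4. Exchange Online: make sure the unified audit log is actually being ingested.
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 5. List third-party apps holding tenant-wide (admin-consented) delegated permissions so each grant can be
#    matched against the firm's approvals. An unapproved grant is removed with Remove-MgOauth2PermissionGrant.
Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq "AllPrincipals" | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ App = $sp.DisplayName; Publisher = $sp.PublisherName; Scopes = $_.Scope; GrantId = $_.Id }
} | Format-Table -AutoSize
```

Step 1 deliberately leaves the policy in report-only mode; enforce it only after the Conditional Access insights in the sign-in log show no legitimate legacy clients left.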
None of these changes require writing code or purchasing additional tools. They require knowing where to look and having someone in the room who asks whether the defaults actually match your firm’s risk profile.
What to Look for in an IT Partner
When you’re evaluating an IT provider to help with Microsoft 365 security configuration, ask these specific questions:
Do you have experience with CPA firms or professional services firms? General IT support and compliance-aware IT support are different disciplines. A provider who understands Publication 4557 and the GLBA Safeguards Rule will configure your environment differently than one who doesn’t.
Can you produce a report of our current Microsoft Secure Score and a remediation plan? Any qualified provider should do this in an initial assessment. If they can’t, keep looking.
How do you handle external sharing and guest access reviews on an ongoing basis? Configuration drift is real. Security settings that were correct in January can change by accident six months later. Ask about ongoing monitoring, not just initial setup.
Do you document the security controls you implement? Your WISP requires it. Your IT partner should make documentation a standard deliverable, not an afterthought.
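One way to make the ongoing review asked about above concrete: a read-only check that compares the tenant's current settings against the baseline this article recommends and flags anything that has drifted. This is an added example, not the article's or any provider's code; it assumes the same admin modules as before and an already-connected session for Graph, SharePoint Online, Teams and Exchange Online.

```powershell
# Added example, not from the original article: read-only drift check of the key settings against
# the article's recommended baseline. Assumes Connect-MgGraph (Policy.Read.All), Connect-SPOService,
# Connect-MicrosoftTeams and Connect-ExchangeOnline have already been run in this session.
$Baseline = @{
    SharingCapability               = "ExistingExternalUserSharingOnly"
    DefaultSharingLinkType          = "Internal"
    TeamsAllowGuestUser             = $false
    UnifiedAuditLogIngestionEnabled = $true
    LegacyAuthBlockPolicyState      = "enabled"
}

function Test-FirmBaseline {
    $actual = @{}
    $spo = Get-SPOTenant
    $actual.SharingCapability      = [string]$spo.SharingCapability
    $actual.DefaultSharingLinkType = [string]$spo.DefaultSharingLinkType
    $actual.TeamsAllowGuestUser    = (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser
    $actual.UnifiedAuditLogIngestionEnabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    # A legacy-auth block is any Conditional Access policy that blocks the "other" client app type;
    # report "missing" if none exists, otherwise its state (report-only still counts as drift).
    $ca = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.Conditions.ClientAppTypes -contains "other" -and $_.GrantControls.BuiltInControls -contains "block"
    } | Select-Object -First 1
    $actual.LegacyAuthBlockPolicyState = if ($ca) { [string]$ca.State } else { "missing" }

    foreach ($key in $Baseline.Keys) {
        [pscustomobject]@{
            Setting  = $key
            Expected = $Baseline[$key]
            Actual   = $actual[$key]
            Drifted  = ($actual[$key] -ne $Baseline[$key])
        }
    }
}

# Run on a schedule and keep the output: the dated reports double as the WISP evidence that the controls stayed in place.
Test-FirmBaseline | Format-Table -AutoSize
```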
The Bottom Line
Microsoft 365 is a capable, secure platform when it’s configured correctly. The defaults aren’t designed for firms with your compliance obligations. Disabling legacy authentication, locking down external sharing, implementing Conditional Access, and auditing app permissions are specific, achievable steps that meaningfully reduce your exposure. Start with your Secure Score. Then fix what it finds.
Frequently Asked Questions
What Microsoft 365 security settings should a CPA firm prioritize first?
The highest-impact starting points are disabling legacy authentication protocols, reviewing SharePoint and OneDrive external sharing settings, and enabling Conditional Access policies that enforce MFA for all users. These three changes address the most common attack vectors for small professional services firms without requiring advanced technical expertise.
Does turning on MFA mean my Microsoft 365 environment is secure?
MFA significantly reduces the risk of unauthorized account access, but it’s not a complete security solution. Legacy authentication protocols can bypass MFA entirely, and misconfigured sharing settings or guest access policies can expose client data regardless of how strong your authentication controls are. Think of MFA as one layer in a multi-layered configuration.
What is Microsoft Secure Score and how does it help accounting firms?
Microsoft Secure Score is a dashboard inside the Microsoft 365 Defender portal that measures your tenant’s security configuration against a recommended baseline. It assigns a numeric score and provides a prioritized list of specific actions to improve your posture. For CPA firms, it’s a practical starting point for identifying gaps without needing to manually audit every setting.
Are CPA firms required to secure their Microsoft 365 environment under IRS rules?
Yes. IRS Publication 4557 requires all tax preparers to implement and maintain a written information security plan (WISP) that includes administrative, technical, and physical safeguards for client data. The Federal Trade Commission’s (FTC) GLBA Safeguards Rule, which also applies to tax preparers, specifies access controls, encryption, and monitoring requirements - all of which map directly to Microsoft 365 configuration decisions.
If you’re working through Microsoft 365 security settings challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area—we know your world.