A solo practitioner in San Jose sets up Microsoft 365 Business Standard on a Friday afternoon. By Monday, the firm is running email, Teams, and SharePoint. It feels secure - it has Microsoft’s name on it, after all. But the default configuration that came out of the box? It’s optimized for convenience, not for protecting privileged attorney-client communications.

This is one of the most common and most invisible security gaps we see at small law firms across the Bay Area.

The Problem: “Out of the Box” Isn’t “Secure”

Microsoft 365 is a powerful platform. It’s also one that ships with default settings designed to get organizations up and running fast - not to satisfy the security requirements of a law firm handling sensitive client matters.

That distinction matters more than most attorneys realize.

When your IT vendor (or a well-meaning associate) spins up a Microsoft 365 tenant and hands over the login credentials, several settings that should be locked down are wide open by default. External sharing in SharePoint and OneDrive is often enabled for anyone with a link - not just verified recipients. Legacy authentication protocols, which are older sign-in methods that don’t support MFA, frequently remain active. Audit logging, which you’d need to reconstruct any incident, isn’t turned on automatically in all license tiers.

None of this is Microsoft’s fault in a moral sense. They’re building a platform for millions of organizations with wildly different needs. But your firm has specific needs - confidentiality obligations, professional conduct rules, and clients who trust you with some of the most sensitive information in their lives.

The gap between “deployed” and “secured” is exactly where breaches happen. And for law firms, a breach isn’t just an IT problem. It’s a bar complaint, a malpractice exposure, and a client relationship that may not survive.

Why This Matters for Law Firms

California attorneys operate under the Rules of Professional Conduct, which require reasonable measures to protect client information. Rule 1.6 on confidentiality isn’t optional, and the State Bar of California has been explicit that cybersecurity competence is part of what “competent” representation means.

Beyond the rules, consider the exposure. If client files stored in SharePoint are accidentally shared via a public link - which is entirely possible with default settings - that’s a potential breach. If a credential-stuffing attack succeeds because legacy authentication bypassed MFA, that’s a potential breach. If you can’t tell the State Bar what data was accessed during an incident because audit logs weren’t enabled, that’s a problem with no clean solution.

The California Consumer Privacy Act (CCPA) may also apply if your firm handles data about California residents in certain capacities. Meanwhile, firms that work in specialized areas - immigration, healthcare litigation, financial services - may face overlapping obligations under federal frameworks.

The common thread is this: regulatory and ethical obligations assume you have visibility and control over your data environment. Microsoft 365’s defaults give you neither automatically. You have to configure your way to compliance. That’s not a vendor failure - it’s just the reality of deploying any enterprise platform without hardening it first.

How to Lock Down the Settings That Matter Most

You don’t need a full-time IT team to do this. You need the right admin permissions and about two to three focused hours. Here are the specific areas to address.

1. Restrict External Sharing in SharePoint and OneDrive

Go to the SharePoint admin center and find the sharing settings. By default, many tenants allow sharing with “Anyone” - meaning someone can generate a link that any person on the internet can open, no sign-in required. Change this to “New and existing guests” at most, and ideally to “Only people in your organization” for internal document libraries containing client files. Review each SharePoint site individually, too - site-level settings can override tenant-level settings.
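The same change scripted, as an added example (not from the original post or from One82): it records the current tenant-wide sharing setting, lowers it so anonymous "Anyone" links can no longer be created, then lists every site's own setting and closes external sharing entirely on sites holding client files. It assumes the SharePoint Online Management Shell module, a SharePoint Administrator account, the placeholder tenant name "contoso", and a constructed naming convention in which client-matter sites have "client" in their URL. One precision on the paragraph above: a site's sharing setting can be stricter than the tenant setting but never looser, so tighten the tenant first and then restrict sensitive sites further.

```powershell
# Added example, not part of the original post. Requires:
#   Install-Module Microsoft.Online.SharePoint.PowerShell
# "contoso" is a placeholder tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Record the current tenant-level ceiling before changing anything.
$before = (Get-SPOTenant).SharingCapability
Write-Host "Tenant sharing capability before: $before"

# 2. Lower the ceiling. Values, from most to least permissive:
#    ExternalUserAndGuestSharing   = "Anyone" links allowed (no sign-in)  <- common default
#    ExternalUserSharingOnly       = "New and existing guests" (guests must sign in)
#    ExistingExternalUserSharingOnly = "Existing guests" only
#    Disabled                      = "Only people in your organization"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Make new sharing links default to "People in your organization" rather than
# the widest option the tenant permits.
Set-SPOTenant -DefaultSharingLinkType Internal

# 3. Site-by-site review: each site keeps its own setting, bounded by the tenant.
$sites  = Get-SPOSite -Limit All
$report = foreach ($s in $sites) {
    [pscustomobject]@{ Url = $s.Url; Sharing = $s.SharingCapability }
}
$report | Sort-Object Sharing -Descending | Format-Table -AutoSize

# 4. Close external sharing on client-file sites (constructed convention:
#    site URL contains "client"). Adjust the filter to your own site naming.
foreach ($s in $sites | Where-Object { $_.Url -like '*client*' }) {
    Set-SPOSite -Identity $s.Url -SharingCapability Disabled
    Write-Host "External sharing disabled on $($s.Url)"
}

# 5. Confirm the tenant-level change took effect.
Write-Host "Tenant sharing capability after: $((Get-SPOTenant).SharingCapability)"
```

Run the report step first on its own and keep the output; it is the "before" picture you would want if a client or the State Bar ever asks how files were exposed.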

2. Block Legacy Authentication

Legacy authentication protocols like basic authentication and older versions of Exchange ActiveSync don’t support MFA. Attackers know this. They specifically target these protocols because a stolen password is all they need.

In the Microsoft Entra ID (formerly Azure Active Directory) admin center, create a Conditional Access policy that blocks legacy authentication for all users. If you’re on Microsoft 365 Business Basic or Standard, you may need to use Security Defaults instead - which Microsoft has improved considerably and which handles this automatically. Just make sure it’s actually enabled for your tenant.
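The Conditional Access route, as an added example (not from the original post or from One82) using Microsoft Graph PowerShell: it first shows who in the tenant is still signing in with legacy protocols, then creates the block policy in report-only mode so you can watch the sign-in log for a week before enforcing. It assumes an Entra ID P1 (or higher) license, the Microsoft.Graph modules, and a placeholder object ID for an emergency-access ("break glass") account that is excluded so a mistake cannot lock every administrator out; that exclusion is an assumption of this example, not something the post specifies.

```powershell
# Added example, not part of the original post. Requires:
#   Install-Module Microsoft.Graph
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# 1. Who still uses legacy authentication? Anything other than the two modern
#    client-app categories (Browser, Mobile Apps and Desktop clients) is legacy:
#    IMAP4, POP3, SMTP, Exchange ActiveSync, Other clients, and so on.
$modern = @("Browser", "Mobile Apps and Desktop clients")
$legacy = Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending
$legacy | Format-Table -AutoSize   # fix these clients/mailboxes before enforcing

# 2. Placeholder: object ID of the emergency-access account to exclude.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# 3. Create the policy in report-only mode.
$policy = @{
    displayName = "Block legacy authentication (all users)"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        # "exchangeActiveSync" = older ActiveSync clients;
        # "other" = basic-auth IMAP/POP/SMTP and older Office clients.
        # Neither can complete an MFA challenge.
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode."

# 4. After reviewing report-only results in the sign-in log (Entra admin
#    center > Sign-in logs > Report-only tab), enforce the same policy:
#    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Report-only mode matters for a small firm: the scanner or multifunction printer that relays through SMTP basic auth, or a partner's old mail client, shows up in step 1 and in the report-only log before anyone is blocked.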

3. Enable Unified Audit Logging

This one is often overlooked and genuinely consequential. In the Microsoft Purview compliance portal, navigate to Audit and confirm that audit logging is turned on. Some license tiers don’t enable it automatically. Once enabled, log data is retained for 90 days on most plans (one year on Microsoft 365 E3 and above).

Why does this matter? If something goes wrong - a phishing email that led to unauthorized access, a former employee downloading files before leaving - audit logs are how you reconstruct what happened. Without them, you’re guessing.
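Both halves of this step (turning the log on, then using it) as an added example (not from the original post or from One82) in Exchange Online PowerShell: it checks and enables unified audit log ingestion, then answers the "former employee downloading files before leaving" question the paragraph poses. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role (Global Administrator includes it), and the placeholder identities admin@contoso.onmicrosoft.com and jdoe@contoso.com.

```powershell
# Added example, not part of the original post. Requires:
#   Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder UPN

# 1. Confirm ingestion is on; enable it if not. Enabling does not back-fill
#    activity that happened while it was off, which is why this is step one.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF - enabling now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host "Unified audit log already enabled."
}

# 2. Incident question: what did a departing user download in their last two
#    weeks? "jdoe@contoso.com" is a placeholder.
$user  = "jdoe@contoso.com"
$start = (Get-Date).AddDays(-14)
$end   = Get-Date

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $user `
    -RecordType SharePointFileOperation `
    -Operations FileDownloaded, FileSyncDownloadedFull `
    -ResultSize 5000

# 3. AuditData is a JSON string; pull out the fields an investigator needs.
$rows = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation
        File      = $d.ObjectId       # full URL of the file
        Site      = $d.SiteUrl
        ClientIP  = $d.ClientIP
        UserAgent = $d.UserAgent
    }
} | Sort-Object Time

$rows | Format-Table Time, Operation, File -AutoSize
Write-Host "$($rows.Count) download events for $user between $start and $end"

# 4. Preserve the evidence outside the 90-day window mentioned above.
$rows | Export-Csv -Path ".\$($user.Split('@')[0])-downloads.csv" -NoTypeInformation
```

Export the results the same day you run the search: retention on the plans discussed here is short, and a CSV in the matter file outlasts the log.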

4. Configure MFA for Every Account

This should be non-negotiable. Enable MFA through Security Defaults if you don’t have Entra ID P1 licensing for Conditional Access. Require it for every user, including administrative accounts. Consider disabling the authenticator app’s “number matching” workaround that some users enable to speed up approvals - that shortcut defeats the purpose.
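The Security Defaults path, as an added example (not from the original post or from One82) in Microsoft Graph PowerShell: it checks whether Security Defaults is on, enables it when the tenant has no Conditional Access policies (the two are mutually exclusive, so the call fails on a tenant that already uses Conditional Access), and then reports which users and administrators still have no usable MFA method registered. It assumes the Microsoft.Graph modules and an account with the Global Administrator role. One caveat on the paragraph above: number matching in Microsoft Authenticator is a Microsoft-enforced protection against push-fatigue attacks (approving a prompt the user did not start) and cannot be switched off per user, so the thing to verify is that users are not approving prompts they did not initiate, not that number matching is disabled.

```powershell
# Added example, not part of the original post. Requires:
#   Install-Module Microsoft.Graph
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Security Defaults: MFA registration for everyone, MFA enforced for admins,
#    legacy authentication blocked. Only for tenants without Conditional Access.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Host "Security Defaults already enabled."
} else {
    $caCount = (Get-MgIdentityConditionalAccessPolicy).Count
    if ($caCount -gt 0) {
        Write-Warning "Tenant has $caCount Conditional Access policies; use those instead of Security Defaults."
    } else {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
        Write-Host "Security Defaults enabled. Users get a 14-day window to register MFA."
    }
}

# 2. Registration gap report: who cannot yet complete an MFA challenge?
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$gaps = $details |
    Where-Object { -not $_.IsMfaCapable } |
    Select-Object UserPrincipalName, IsAdmin,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }

# Administrators first: an admin without MFA is the highest-value target.
$gaps | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
Write-Host "$($gaps.Count) of $($details.Count) accounts are not MFA-capable."

# 3. Accounts that registered only a phone/SMS method are weaker than the
#    authenticator app; list them for a follow-up conversation.
$details |
    Where-Object { $_.IsMfaCapable -and ($_.MethodsRegistered -notcontains 'microsoftAuthenticatorPush') } |
    Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize
```

The registration report includes guest and disabled accounts; filter those out if they inflate the gap count, but do not ignore a disabled account that still holds a role.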

5. Review Admin Role Assignments

In the Microsoft 365 admin center, check who has Global Administrator access. In small firms, it’s common to see multiple users - sometimes including people who left the firm - carrying Global Admin privileges. Apply the principle of least privilege: most users need no admin role at all, and even your IT contact likely only needs specific scoped roles.
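The Global Administrator review scripted, as an added example (not from the original post or from One82) in Microsoft Graph PowerShell: it lists every holder of the role with account status and last sign-in, then flags exactly the cases the paragraph describes, disabled or departed accounts and accounts that have not signed in for 90 days. It assumes the Microsoft.Graph modules, Global Reader or higher rights, and an Entra ID P1 license for the last-sign-in property (without P1 the script falls back to status only).

```powershell
# Added example, not part of the original post. Requires:
#   Install-Module Microsoft.Graph
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

# 1. Resolve the role and its direct members.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# 2. Build a review table. Non-user members (groups, service principals)
#    are listed as their own line item; each one deserves a separate look.
$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        [pscustomobject]@{ Principal = $m.Id; Type = $type; Enabled = $null; LastSignIn = $null }
        continue
    }
    try {
        # signInActivity requires Entra ID P1; on a tenant without it the
        # request is refused and we fall back to account status only.
        $u    = Get-MgUser -UserId $m.Id -Property "userPrincipalName,accountEnabled,signInActivity" -ErrorAction Stop
        $last = $u.SignInActivity.LastSignInDateTime
    } catch {
        $u    = Get-MgUser -UserId $m.Id -Property "userPrincipalName,accountEnabled"
        $last = $null
    }
    [pscustomobject]@{
        Principal  = $u.UserPrincipalName
        Type       = 'user'
        Enabled    = $u.AccountEnabled
        LastSignIn = $last
    }
}
$report | Sort-Object LastSignIn | Format-Table -AutoSize

# 3. Findings. A never-signed-in admin ($null) counts as stale.
$cutoff = (Get-Date).AddDays(-90)
$stale  = $report | Where-Object {
    $_.Type -eq 'user' -and ((-not $_.Enabled) -or ($null -eq $_.LastSignIn) -or ($_.LastSignIn -lt $cutoff))
}
Write-Host "$($report.Count) Global Administrators; $($stale.Count) disabled or inactive (90 days)."
$stale | Format-Table Principal, Enabled, LastSignIn -AutoSize

# 4. Remove a departed holder from the role (placeholder object ID). The
#    account itself should already be disabled by offboarding.
# Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId "00000000-0000-0000-0000-000000000000"
```

Two or three Global Administrators (including a break-glass account that is monitored and never used day to day) is a reasonable ceiling for a small firm; everyone else, your IT contact included, should hold a scoped role such as SharePoint Administrator or Exchange Administrator instead.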

What to Look for in an IT Partner

If you’re evaluating a managed IT services provider to handle your Microsoft 365 environment, ask specific questions. Vague assurances about security don’t protect you.

Ask: Do you perform a Microsoft Secure Score baseline assessment when you onboard a new client? Microsoft provides a built-in score that grades your tenant’s configuration - any competent provider should be starting there.

Ask: Do you configure Conditional Access policies as part of your standard setup, or is that an add-on?

Ask: How do you handle audit log retention for firms with bar-mandated incident response obligations?

Ask: What’s your process when a terminated employee’s account needs to be offboarded? Account deprovisioning is where a surprising number of breaches originate.

A good IT partner won’t just hand you a working Microsoft 365 tenant. They’ll document what they configured, why, and what your ongoing obligations are to maintain that posture.

The Bottom Line

Microsoft 365 is one of the best productivity platforms available for small law firms. But “available” and “secure” aren’t the same thing. The default settings prioritize getting you running quickly - not protecting your clients’ privileged communications. A handful of targeted changes in the admin center can close the most significant gaps without requiring an enterprise IT budget. The question isn’t whether your firm can afford to do this. It’s whether you can afford not to.

Frequently Asked Questions

Is Microsoft 365 secure enough for law firms without any extra configuration?

No - not without intentional hardening. Microsoft 365 ships with settings optimized for broad usability, which means several configurations that create real security risks are enabled by default. Law firms specifically need to address external sharing permissions, legacy authentication protocols, MFA enforcement, and audit logging before the platform meets even a basic security standard for handling privileged client data.

What is legacy authentication and why is it dangerous for law firms?

Legacy authentication refers to older sign-in protocols - like basic authentication used by older email clients - that don’t support modern security features like MFA. Because these protocols can’t process a second factor, an attacker who obtains a password through phishing or a data breach can access an account directly, bypassing MFA entirely. Microsoft has been disabling basic authentication across many services, but depending on your tenant’s configuration and license tier, some legacy pathways may still be active.

Does Microsoft 365 automatically keep logs of user activity in my law firm’s tenant?

Not always. Unified audit logging must be explicitly enabled in the Microsoft Purview compliance portal, and it isn’t turned on by default in all license tiers. Without it, you have no record of who accessed which files, when emails were forwarded, or what actions a compromised account took. For law firms with state bar incident response obligations, this gap can make it impossible to fulfill your reporting duties after a breach.

How does Microsoft Secure Score help a law firm assess its Microsoft 365 security?

Microsoft Secure Score is a built-in dashboard in the Microsoft 365 Defender portal that evaluates your tenant’s configuration against a set of security best practices and assigns a numerical score. It identifies specific recommended actions - like enabling MFA or restricting external sharing - and explains the potential impact of each. It’s not a comprehensive security audit, but it’s a practical starting point for any firm that wants to understand where its configuration falls short.

If you’re working through Microsoft 365 security settings challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.