A boutique registered investment advisor (RIA) firm finishes onboarding Microsoft 365, gets everyone set up with email, and moves on. Eighteen months later, a Securities and Exchange Commission (SEC) exam request comes in - and the firm discovers it has no compliant email archive, external link sharing has been open the entire time, and there’s no audit trail of who accessed what. The platform was running fine. The configuration was not.

The Problem: “Set Up” and “Properly Configured” Are Not the Same Thing

Microsoft 365 is genuinely excellent software for small financial advisory firms. It covers email, document storage, video calls, and collaboration in one platform, and the price point works for a 10-person RIA that can’t justify enterprise-grade infrastructure. That’s exactly why so many firms choose it.

The problem is what happens after the initial setup.

Most small firms—or the general IT consultant they hired for the day—get through the basics: create user accounts, set up Outlook, connect OneDrive, maybe enable MFA. Then the project gets marked done.

What doesn’t happen is a deliberate review of Microsoft 365’s default security and compliance settings. And those defaults were not designed for a firm handling discretionary investment accounts and sensitive client financial data under SEC or Financial Industry Regulatory Authority (FINRA) oversight. They were designed for general business use.

The gaps this creates aren’t theoretical. They show up repeatedly at small advisory firms: documents that could have been shared with anyone who had a link, email that was never retained for the required period, logins from unmanaged personal devices that no one flagged, and administrators who had no idea Microsoft quietly changed a default setting in a quarterly update.

None of these firms intended to be out of compliance. They just didn’t know what they didn’t know.

Why This Matters for Financial Advisory Firms

Financial advisory firms operate under some of the most specific recordkeeping and data security requirements in professional services. The details matter.

If your firm is SEC-registered, SEC Rule 17a-4 governs how long you retain electronic records and how those records must be stored—in a non-rewritable, non-erasable format, accessible for examination. FINRA Rule 4511 imposes similar obligations on broker-dealers. Many state-registered RIAs face parallel requirements under their state securities regulator. These aren’t suggestions.

A misconfigured Microsoft 365 tenant can put you in violation without any malicious action on your part. If retention policies aren’t configured correctly, emails and files may be auto-deleted before the required retention window closes. If archive mailboxes aren’t enabled and linked to a compliant retention policy, you can’t produce records during an exam or litigation hold.

Beyond recordkeeping, there’s the data security dimension. The SEC’s Regulation S-P requires firms to have written policies and procedures protecting client financial information. A SharePoint site that allows anonymous external link sharing—which is on by default in many Microsoft 365 tenants—is a direct conflict with that obligation. So is a tenant where conditional access policies aren’t enforced and a compromised credential can be used from any device, anywhere in the world.

The financial exposure here is real. SEC and FINRA enforcement actions related to recordkeeping failures have resulted in significant fines even for small firms. And a data breach involving client financial information carries both regulatory and reputational consequences that are hard to recover from.

How to Address the Most Common Microsoft 365 Gaps at Advisory Firms

Here’s where small financial firms typically need to focus their attention—not a generic hardening checklist, but the specific issues that show up most often.

License tier: make sure you have the right one. Many firms land on Microsoft 365 Business Basic or Business Standard because they’re affordable. But compliance and security features—Microsoft Purview for information governance, Microsoft Defender for Business, advanced audit logging, and litigation hold—require Business Premium or a specific add-on. If you’re running a standard-tier license and relying on M365 for compliance, you may not have the tools you think you have. Audit your license tier first.

External sharing in SharePoint and OneDrive. Go into your SharePoint admin center and look at your sharing settings. Microsoft’s default allows sharing with “anyone with the link”—no login required. For a firm with client documents on SharePoint or in OneDrive, this is a significant exposure. Set external sharing to “Only people in your organization” or, at minimum, “Existing guests only.” Apply this at both the tenant level and individual site level.
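The same review, done from the command line rather than the admin center, as an added example that is not part of the original article. It uses the SharePoint Online Management Shell; the admin URL is a placeholder for your own tenant, and the baseline value chosen is the “Only people in your organization” setting the paragraph above recommends (`Disabled` in the cmdlet’s vocabulary; “Existing guests only” is `ExistingExternalUserSharingOnly`). It reads the tenant setting, tightens it for both SharePoint and OneDrive, then walks every site so that any site still carrying a looser value is listed and corrected rather than left as an unrecorded exception.

```powershell
# Added example, not from the article. Requires the SharePoint Online
# Management Shell module and the SharePoint Administrator role.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# SharingCapability values, most to least permissive:
#   ExternalUserAndGuestSharing     "Anyone with the link", no sign-in (the default)
#   ExternalUserSharingOnly         new and existing guests, sign-in required
#   ExistingExternalUserSharingOnly existing guests only
#   Disabled                        only people in your organization
$baseline = "Disabled"

$tenant = Get-SPOTenant
"Tenant SharePoint sharing is currently: $($tenant.SharingCapability)"
"Tenant OneDrive sharing is currently:   $($tenant.OneDriveSharingCapability)"

# Tighten both SharePoint and OneDrive, and make new links internal-only by
# default so a user who clicks "Share" cannot accidentally mint an Anyone link.
Set-SPOTenant -SharingCapability $baseline `
              -OneDriveSharingCapability $baseline `
              -DefaultSharingLinkType Internal

# Site-level review: report and fix every site that is looser than the baseline.
$exceptions = Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne $baseline }
if ($exceptions) {
    "Sites looser than baseline ($($exceptions.Count)):"
    foreach ($site in $exceptions) {
        "  {0}  ->  {1}" -f $site.Url, $site.SharingCapability
        Set-SPOSite -Identity $site.Url -SharingCapability $baseline
    }
} else {
    "All sites already match the tenant baseline."
}
```

Run the `Get-` half first and keep its output; that printout is the before-state you will want if someone later asks when a given site was opened and when it was closed.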

Email retention and archiving. Don’t assume Microsoft 365 retains your email. By default, deleted items are purged, and there is no automatic archive for SEC or FINRA compliance purposes. You need to configure retention policies through Microsoft Purview that map to your specific regulatory requirements—including enabling archive mailboxes for all users and setting retention labels that align with your recordkeeping schedule. This requires deliberate configuration by someone who understands both the platform and your regulatory obligations.
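What “deliberate configuration” looks like in practice, as an added example rather than anything from the article or from Microsoft’s documentation. It uses the ExchangeOnlineManagement module for both the Exchange Online and the Security & Compliance (Purview) sessions. The admin account, policy name and the six-year period are placeholders; substitute the retention schedule your compliance consultant has signed off on. The example enables an archive mailbox for every user mailbox that lacks one, then creates a Purview retention policy whose only action is to keep, so nothing is purged automatically when the period ends.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement
# module and a Compliance Administrator / Exchange Administrator account.
$admin = "admin@contoso.onmicrosoft.com"        # placeholder account
Connect-ExchangeOnline -UserPrincipalName $admin

# Archive mailboxes are off by default. Enable one for each user mailbox
# that does not already have an active archive.
Get-Mailbox -ResultSize Unlimited `
    -Filter "ArchiveStatus -eq 'None' -and RecipientTypeDetails -eq 'UserMailbox'" |
    Enable-Mailbox -Archive

# Verify: every user mailbox should now report ArchiveStatus = Active.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, UserPrincipalName, ArchiveStatus |
    Format-Table -AutoSize

# Retention lives in Purview, which is a separate session in the same module.
Connect-IPPSSession -UserPrincipalName $admin

$policyName   = "RIA books-and-records retention"   # placeholder name
$retainDays   = 2190                                 # placeholder: six years

# Scope the policy to mail, SharePoint and OneDrive for everyone.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Enabled $true

# "Keep" retains items for the period and then takes no action; users can
# still delete from view, but the content stays recoverable for discovery.
# "KeepAndDelete" would purge at the end of the period; do not pick it by accident.
New-RetentionComplianceRule -Name "$policyName rule" `
    -Policy $policyName `
    -RetentionDuration $retainDays `
    -RetentionComplianceAction Keep

# Confirm what was created and that it is enabled.
Get-RetentionCompliancePolicy -Identity $policyName |
    Select-Object Name, Enabled, ExchangeLocation, SharePointLocation, OneDriveLocation

# Preservation Lock makes the policy one-way: once set, nobody, including a
# Global Administrator, can shorten the period, remove locations or delete
# the policy. Because it cannot be undone, leave this commented out until the
# policy above has been reviewed against your recordkeeping schedule.
# Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true
```

The last, commented-out line is the setting that turns an ordinary retention policy into one that an administrator cannot quietly relax later; whether that alone satisfies the storage format language of Rule 17a-4(f) for your firm, as the FAQ below notes, is a question for your compliance consultant, not for the script.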

Conditional access policies. Conditional access is one of the most effective controls against account takeover, and it’s rarely enabled at small firms. These policies let you require that logins come from compliant, enrolled devices, block access from high-risk locations or IP ranges, and force MFA based on specific conditions. Enabling baseline conditional access policies—even a handful of them—dramatically reduces your exposure to credential-based attacks.
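Two of the “handful” of baseline policies the paragraph refers to, built with the Microsoft Graph PowerShell SDK, as an added example that is not from the article. It assumes the Microsoft.Graph module, an Entra ID P1 entitlement (included in Business Premium, as the FAQ below states), and a break-glass administrator account whose object ID you substitute for the placeholder. Both policies are created in report-only mode, which evaluates every sign-in and records what the policy would have done without blocking anyone; flip `State` to `enabled` only after reviewing those sign-in logs.

```powershell
# Added example, not from the article. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Always exclude at least one emergency-access account, so a policy that
# misfires cannot lock every administrator out of the tenant at once.
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID

# Shared condition block: everyone, every cloud app, every client type.
$allUsersAllApps = @{
    Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlassId) }
    Applications   = @{ IncludeApplications = @("All") }
    ClientAppTypes = @("all")
}

# Policy 1: require MFA for all users. A stolen password alone is not enough.
$requireMfa = @{
    DisplayName   = "Baseline: require MFA for all users"
    State         = "enabledForReportingButNotEnforced"   # report-only first
    Conditions    = $allUsersAllApps
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2: require a managed device. "compliantDevice" is an Intune-enrolled
# device that meets your compliance policy; "domainJoinedDevice" is a hybrid
# joined PC. OR means either satisfies the policy; a personal laptop that
# has neither is refused even with the right password and an MFA approval.
$requireManagedDevice = @{
    DisplayName   = "Baseline: require compliant or hybrid-joined device"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = $allUsersAllApps
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireManagedDevice

# Review what now exists and in which state before enforcing anything.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, CreatedDateTime |
    Format-Table -AutoSize
```

The second policy only works once devices are actually enrolled in Intune (or hybrid joined); enforcing it before that is the quickest way to lock a 10-person firm out of its own mail, which is exactly why both policies start in report-only mode.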

Treat tenant review as a recurring task. Microsoft updates its platform continuously. Default settings change. New features roll out with permissions that can inadvertently open gaps. Assign someone—internally or through your IT partner—to review your tenant configuration on a regular cadence. Quarterly is reasonable for most firms. An annual snapshot isn’t enough.
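A recurring review is easier to keep up if the check is a script someone can run each quarter and attach to the compliance file. The following is an added example, not from the article: a read-only drift check that compares the tenant against the baseline described in the preceding sections and lists every deviation. It assumes the SharePoint Online, ExchangeOnlineManagement and Microsoft.Graph modules are installed and that you have already opened the corresponding `Connect-*` sessions (SPO, Exchange Online, Security & Compliance and Graph). It changes nothing; it only reports.

```powershell
# Added example, not from the article. Read-only; run after connecting with
# Connect-SPOService, Connect-ExchangeOnline, Connect-IPPSSession, Connect-MgGraph.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. License tier. SKU part numbers are Microsoft's, and confusingly named:
#    SPB = Business Premium, AAD_PREMIUM = Entra ID P1,
#    O365_BUSINESS_PREMIUM = Business Standard (not Premium).
$skus = (Get-MgSubscribedSku).SkuPartNumber
if (($skus -notcontains "SPB") -and ($skus -notcontains "AAD_PREMIUM")) {
    $findings.Add("No Business Premium or Entra ID P1 SKU found. Present: $($skus -join ', ')")
}

# 2. External sharing at tenant and site level.
$tenant = Get-SPOTenant
foreach ($prop in "SharingCapability", "OneDriveSharingCapability") {
    if ($tenant.$prop -ne "Disabled") { $findings.Add("Tenant $prop is $($tenant.$prop)") }
}
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne "Disabled" } | ForEach-Object {
    $findings.Add("Site $($_.Url) sharing is $($_.SharingCapability)")
}

# 3. Archive mailboxes for every user mailbox.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne "Active" } | ForEach-Object {
        $findings.Add("Mailbox $($_.UserPrincipalName) has no active archive")
    }

# 4. Unified audit log, without which there is no trail of who accessed what.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log ingestion is disabled")
}

# 5. At least one enabled retention policy (Security & Compliance session).
if (-not (Get-RetentionCompliancePolicy | Where-Object { $_.Enabled })) {
    $findings.Add("No enabled retention policy exists")
}

# 6. Conditional access: something must actually be enforced, and anything
#    left in report-only for a quarter deserves a decision.
$ca = Get-MgIdentityConditionalAccessPolicy
if (-not ($ca | Where-Object { $_.State -eq "enabled" })) {
    $findings.Add("No conditional access policy is enforced")
}
$ca | Where-Object { $_.State -eq "enabledForReportingButNotEnforced" } | ForEach-Object {
    $findings.Add("Conditional access policy '$($_.DisplayName)' is still report-only")
}

# Report, with a timestamp so the printout can be filed as the quarter's review.
$stamp = Get-Date -Format "yyyy-MM-dd HH:mm"
if ($findings.Count -eq 0) {
    "Tenant matches baseline as of $stamp."
} else {
    "Review findings ($($findings.Count)) as of $stamp:"
    $findings | ForEach-Object { " - $_" }
}
```

Because the script never calls a `Set-` cmdlet, it can be handed to whoever owns the quarterly review, internal staff or the IT partner, without granting them more than read access; the findings list is the agenda for the remediation conversation, and an empty list is the evidence that the configuration still matches what was signed off last quarter.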

What to Look for in an IT Partner for M365 Configuration

Not every IT provider understands the compliance obligations that financial advisory firms carry. When you’re evaluating an IT partner for Microsoft 365 setup and management, ask specific questions.

Ask whether they’ve configured M365 for SEC- or FINRA-regulated firms before. Ask how they approach retention policy configuration and whether they work alongside your compliance consultant or your in-house compliance tooling. Ask what their process is for reviewing tenant configuration changes after Microsoft platform updates.

Ask specifically whether they know what license tier your firm needs to access Purview audit logs and litigation hold. If they can’t answer that without looking it up, that’s informative.

Look for a provider who connects the dots between your IT configuration and your regulatory obligations. Those two things aren’t separate conversations at a financial advisory firm.

The Bottom Line

Microsoft 365 is a strong platform for financial advisory firms—but only if it’s configured to match the way regulated firms actually operate. Wrong license tier, open sharing settings, missing retention policies, and no conditional access aren’t minor oversights. They’re compliance gaps with real consequences. Getting the setup right the first time, and reviewing it regularly, is the work.


Frequently Asked Questions

What Microsoft 365 license does a small financial advisory firm actually need?

Most financial advisory firms handling client data under SEC or FINRA oversight need at least Microsoft 365 Business Premium to access the compliance and security features that matter—including Microsoft Purview, advanced audit logging, litigation hold, and Microsoft Defender for Business. Business Basic and Business Standard lack these features, which means firms on those tiers may be missing critical compliance tooling. If your firm has specific archiving requirements, some Microsoft 365 add-on plans can also provide compliant email archiving functionality.

Does Microsoft 365 automatically retain emails for SEC Rule 17a-4 compliance?

No. Microsoft 365 doesn’t automatically retain emails in a compliant format for SEC Rule 17a-4 purposes. Firms must configure retention policies through Microsoft Purview, enable archive mailboxes, and—depending on their specific obligations—may need a third-party archiving solution that meets the non-rewritable, non-erasable storage requirements of Rule 17a-4(f). Default email deletion settings in Microsoft 365 will remove messages before regulatory retention periods expire if no policy is in place.

What is conditional access in Microsoft 365 and why does it matter for RIAs?

Conditional access is a feature in Microsoft Entra ID (formerly Azure Active Directory) that controls login access based on conditions you define—such as whether the device is enrolled and compliant, the user’s location, or the assessed risk level of the sign-in. For registered investment advisors, it’s a key control against account takeover attacks, where a compromised password alone is not enough to gain access. Conditional access policies require at least Microsoft 365 Business Premium or an Entra ID P1 license.

How often should a financial advisory firm review its Microsoft 365 configuration?

At minimum, quarterly. Microsoft regularly updates default settings, introduces new features, and adjusts platform behaviors—any of which can create unintended gaps in a previously secure configuration. Firms should also review their tenant configuration after any significant Microsoft update, after adding new users or changing roles, and following any security incident. Many firms benefit from having a managed IT provider conduct a formal tenant security review on a scheduled basis rather than relying on internal staff to catch changes.


If you’re working through Microsoft 365 setup and compliance challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area—we know your world.