Microsoft 365 security: what your IT provider should have configured 

27 May 2026 

For most UK law firms and accountancy practices, Microsoft 365 now holds the majority of client data. Email, document storage, case notes, financial information and client communications all live inside the same tenant. That makes Microsoft 365 one of the most attractive targets for attackers, and one of the most scrutinised areas in any SRA, FCA or ICAEW review.

Yet many firms still run their tenants on default settings, with users assuming "it must be configured properly" because it was set up some time ago. In practice, the gap between an "installed" Microsoft 365 environment and a properly configured one is significant.

Why default Microsoft 365 is no longer good enough

Microsoft 365 is a powerful platform, but it is shipped with sensible defaults rather than regulated-sector defaults. For a law firm or accountancy practice, that typically leaves several common gaps:

  • Multi-factor authentication enforced inconsistently, especially for partners and admins
  • Conditional access policies that allow logins from anywhere in the world
  • Email forwarding rules that can be set by attackers without alerting anyone
  • Sharing settings that allow external links to client documents by default
  • Audit logs that are switched on but never reviewed
  • Backup assumptions that confuse "in the cloud" with "fully recoverable"

None of these are difficult to fix. They are simply not fixed by accident.

What a properly configured tenant looks like

For an MD, managing partner or FD, a properly configured Microsoft 365 environment for a regulated firm should include:

  • Enforced multi-factor authentication for every user, with no exceptions for senior staff
  • Conditional access policies that restrict logins to expected locations and devices
  • Hardened email rules that prevent silent forwarding and impersonation
  • Controlled external sharing, with logging and review of links to client documents
  • Active monitoring of sign-ins, suspicious activity and admin actions
  • A separate, tested backup of Microsoft 365 data, not just reliance on the platform

This is not a one-off project. It is a documented baseline that should be reviewed at least annually as both the threat landscape and the regulators' expectations move on.
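As an added illustration (this is not EPX IT's tooling), the following Exchange Online PowerShell audit checks two items from the lists above: silent email forwarding and the audit log that is switched on but never reviewed. It assumes the ExchangeOnlineManagement module is installed, that the tenant still has the default remote domain and outbound spam policy both named "Default", and that the signed-in account can read mailbox settings and the unified audit log.

```powershell
# Added example, not EPX IT's code. Assumes the ExchangeOnlineManagement module
# and an account with permission to read recipients and the unified audit log.
Connect-ExchangeOnline

$findings = @()

# 1. Tenant-wide controls: external auto-forwarding should be off at both layers.
$remote = Get-RemoteDomain Default
if ($remote.AutoForwardEnabled) {
    $findings += "Remote domain 'Default' still permits auto-forwarding (AutoForwardEnabled = True)"
}
$spam = Get-HostedOutboundSpamFilterPolicy Default
if ($spam.AutoForwardingMode -ne 'Off') {
    $findings += "Outbound spam policy AutoForwardingMode is '$($spam.AutoForwardingMode)', expected 'Off'"
}

# 2. Forwarding set directly on the mailbox object (admin-visible only, invisible to the user).
$mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -Properties ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
foreach ($mb in $mailboxes) {
    if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
        $findings += "$($mb.UserPrincipalName): mailbox-level forwarding to " +
                     "$($mb.ForwardingSmtpAddress)$($mb.ForwardingAddress) " +
                     "(DeliverToMailboxAndForward = $($mb.DeliverToMailboxAndForward))"
    }

    # 3. Inbox rules that forward or redirect: the usual trace left after a mailbox compromise.
    foreach ($rule in Get-InboxRule -Mailbox $mb.UserPrincipalName) {
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                        Where-Object { $_ }) -join ', '
            $findings += "$($mb.UserPrincipalName): inbox rule '$($rule.Name)' " +
                         "(Enabled = $($rule.Enabled)) sends mail to $targets"
        }
    }
}

# 4. The audit log that is 'switched on but never reviewed': who created or changed
#    forwarding in the last 30 days? Set-Mailbox events are kept only when they touched forwarding.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000
foreach ($e in $events) {
    if ($e.Operations -ne 'Set-Mailbox' -or $e.AuditData -match 'Forwarding') {
        $findings += "Audit $($e.CreationDate) $($e.UserIds): $($e.Operations)"
    }
}

if ($findings.Count -eq 0) { 'No forwarding findings.' } else { $findings }
```

Get-InboxRule runs once per mailbox, so on a large tenant schedule this as a recurring job and keep its output with the documented baseline rather than running it ad hoc.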

Treating Microsoft 365 as a regulated environment

For law firms and accountancy practices, Microsoft 365 should be treated with the same seriousness as case management or practice management systems. If your insurer, regulator or client asked for evidence of how it is configured and monitored, the answer should be a documented baseline, not a shrug.

EPX IT works with regulated firms to harden Microsoft 365 against current SRA, FCA, ICAEW and insurer expectations. If you would like a plain-English review of your tenant, our team would welcome the conversation.

Talk to EPX IT

Get expert IT support and strategic technology solutions tailored to help your business thrive.