Microsoft 365 Security for Small Law Firms: The Seven Controls I Check First

Your firm runs on Microsoft 365. It holds privileged client data, and you carry a duty to protect it under your bar rules on technology competence and confidentiality. Most small firms have never had that environment assessed. These are the seven controls I check first, what each one prevents, and how you can tell if yours is in place.

I came up in Department of Defense SOC operations. The work was watching for the moment an account or a mailbox did something it should not. The lesson that carried over to small firms is simple. Almost every breach I saw started with a credential and an inbox, not a sophisticated exploit. The controls below are not exotic. They are the ones attackers count on you not having.

01. Multi-Factor Authentication on Every Account

A password alone is one stolen credential away from a breach. Phishing and credential reuse are how most small-firm accounts get taken over. Multi-factor authentication stops a stolen password from being enough.

The part firms miss: MFA has to be on for every account, including the partner who travels, the contract paralegal, and the shared intake mailbox. One account without it is the way in.

How to check: In the Microsoft 365 admin center, look at the per-user MFA state or the sign-in logs. If any user shows no second factor, that is a gap. Better still, enforce it through a conditional access policy rather than per user, so it cannot be skipped.

02. Conditional Access Rules

MFA tells you who is signing in. Conditional access decides whether they should be allowed to at all. It lets you block sign-ins from countries you never practice in, require a managed device for admin accounts, and step up verification when a login looks risky.

The part firms miss: Without conditional access, a valid password plus a one-time code from a phished session is often enough. Conditional access adds the context: right person, wrong place, wrong device, blocked.

How to check: Under Microsoft Entra ID, review your conditional access policies. If the list is empty, you are relying on passwords and MFA alone. At minimum, you want a policy that requires MFA for all users and one that limits sign-in location.

03. Least-Privilege Permissions

Most small firms hand out Global Administrator rights because it was easier at setup. Every account with standing admin rights is a bigger target and a bigger blast radius if it is compromised.

The part firms miss: The same applies to client matters. If everyone can see every folder, a single compromised account exposes the whole file room. Access should match the work the person actually does.

How to check: Count your Global Administrators. For a small firm, that number should be very small, and day-to-day work should never run under an admin account. Review who has access to which SharePoint sites and matter folders.
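The three identity checks above (MFA registration, conditional access policies, Global Administrator count) can be pulled from the tenant in one read-only pass. The script below is an added example, not the author's tooling or anything from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the read scopes it requests; it changes nothing in the tenant.

```powershell
# Added example for controls 01-03 (not from the original post). Read-only
# review of MFA registration, conditional access policies and Global
# Administrators via the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed and the signed-in
# account can consent to the read scopes requested below.
Connect-MgGraph -NoWelcome -Scopes @(
    'User.Read.All',
    'UserAuthenticationMethod.Read.All',
    'Policy.Read.All',
    'RoleManagement.Read.Directory'
)

# --- 01. Member accounts with nothing but a password registered ---------
# This catches the travelling partner, the contract paralegal and the shared
# intake mailbox alike. Guests are skipped: they authenticate in their own tenant.
$users = Get-MgUser -All -Property Id,UserPrincipalName,UserType,AccountEnabled |
    Where-Object { $_.UserType -eq 'Member' -and $_.AccountEnabled }

$passwordOnly = foreach ($u in $users) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    # Anything registered besides the password method counts as a second factor
    # (Authenticator app, phone, FIDO2 key, Windows Hello, software OATH token).
    $second = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }
    if (-not $second) { $u.UserPrincipalName }
}

# --- 02. Conditional access: enforced policies only ----------------------
# Policies in report-only or disabled state enforce nothing, so they are
# excluded before asking the two questions the article poses.
$policies = Get-MgIdentityConditionalAccessPolicy
$enabled  = $policies | Where-Object { $_.State -eq 'enabled' }

$mfaForAll = $enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
$usesLocation = $enabled | Where-Object {
    $_.Conditions.Locations.IncludeLocations -or $_.Conditions.Locations.ExcludeLocations
}

# --- 03. Who holds Global Administrator right now ------------------------
# Get-MgDirectoryRole returns activated roles only; PIM-eligible assignments
# that are not currently active will not appear in this list.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$globalAdmins = @()
if ($gaRole) {
    $globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
        $upn = $_.AdditionalProperties['userPrincipalName']
        if ($upn) { $upn } else { $_.AdditionalProperties['displayName'] }  # service principals have no UPN
    }
}

# --- Summary --------------------------------------------------------------
[pscustomobject]@{
    PasswordOnlyAccounts = @($passwordOnly).Count   # target: 0
    EnabledCAPolicies    = @($enabled).Count        # 0 means passwords + MFA alone
    MfaForAllUsersPolicy = [bool]$mfaForAll
    LocationScopedPolicy = [bool]$usesLocation
    GlobalAdministrators = @($globalAdmins).Count   # a small firm needs very few
    GlobalAdminAccounts  = $globalAdmins -join ', '
}
$passwordOnly | ForEach-Object { "GAP: no second factor registered for $_" }
```

Registration is not the same as enforcement: a user with a second factor registered can still sign in with a password alone if no policy demands more, which is why the summary reports the conditional access findings beside the MFA list rather than instead of it.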

04. Email Authentication: SPF, DKIM, and DMARC

These three DNS records decide whether someone can send mail that looks like it came from your firm. Without them, an attacker can spoof your domain to your clients, opposing counsel, or your own staff, and the mail will look legitimate.

I run my own mail infrastructure on Postfix and Dovecot, so I work with these records at the protocol level. SPF lists who is allowed to send for your domain. DKIM signs your mail so receiving servers can tell if it was altered in transit. DMARC tells receiving servers what to do when a message fails, and reports back who is trying to spoof you.

How to check: Look up your domain's SPF, DKIM, and DMARC records. If DMARC is missing, or set to a policy of "none," spoofed mail is reaching inboxes. The goal is a DMARC policy that quarantines or rejects mail that fails.
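The DNS lookup above is quick to script. The function below is an added example, not the author's code: it resolves the SPF, DKIM and DMARC records for a domain, parses the DMARC policy tag, and lists the gaps the article describes. It assumes Windows with the DnsClient module (Resolve-DnsName), the two DKIM selectors Microsoft 365 publishes (selector1 and selector2), and a domain you supply; example.com is a placeholder.

```powershell
# Added example for control 04 (not from the original post). Looks up SPF,
# DKIM and DMARC for a domain and reports the state of each.
# Assumptions: Resolve-DnsName is available (Windows DnsClient module); DKIM
# selectors are the Microsoft 365 pair selector1/selector2; "example.com" is
# a placeholder for your firm's domain.
function Get-TxtStrings {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }   # long records arrive in 255-byte chunks
    } catch { @() }                                  # NXDOMAIN or no TXT: treat as absent
}

function Test-EmailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    $spf   = @(Get-TxtStrings $Domain | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = @(Get-TxtStrings "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })

    # Microsoft 365 publishes CNAMEs for selector1/selector2 that point at the
    # signing keys; a TXT query follows the CNAME and returns the key record.
    $dkim = foreach ($sel in 'selector1','selector2') {
        $key = Get-TxtStrings "$sel._domainkey.$Domain" | Where-Object { $_ -like 'v=DKIM1*' }
        [pscustomobject]@{ Selector = $sel; Published = [bool]$key }
    }

    # DMARC is "tag=value" pairs separated by semicolons; p= is the policy.
    $policy = $null
    if ($dmarc.Count -ge 1) {
        $tags = @{}
        foreach ($pair in ($dmarc[0] -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        $policy = $tags['p']
    }

    $findings = @()
    if ($spf.Count -eq 0) { $findings += 'SPF missing: anyone can claim to send for this domain' }
    if ($spf.Count -gt 1) { $findings += 'Multiple SPF records: receivers treat this as a permanent error' }
    if ($spf -match '\+all$') { $findings += 'SPF ends in +all: every sender on the internet passes' }
    if ($dkim.Published -contains $false) { $findings += 'DKIM selector not published: receivers cannot verify your signatures' }
    if ($dmarc.Count -gt 1) { $findings += 'Multiple DMARC records: receivers ignore DMARC entirely' }
    if (-not $policy) { $findings += 'DMARC missing: receivers have no instruction for mail that fails' }
    elseif ($policy -eq 'none') { $findings += 'DMARC p=none: failures are only reported; spoofed mail still reaches inboxes' }

    [pscustomobject]@{
        Domain      = $Domain
        Spf         = $spf -join ' | '
        Dkim        = ($dkim | ForEach-Object { "$($_.Selector)=$($_.Published)" }) -join ', '
        DmarcPolicy = if ($policy) { $policy } else { '(absent)' }
        Findings    = $findings
    }
}

Test-EmailAuth -Domain 'example.com'
```

A `quarantine` or `reject` policy is the target the article names. Moving there from `none` is done in steps, watching the DMARC aggregate reports for legitimate senders (a practice management system, a marketing tool) that are not yet in SPF or signing with DKIM, so they are fixed before the policy starts rejecting them.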

05. External Sharing Limits

SharePoint and OneDrive make it easy to share a file with anyone, including by anonymous link. That is convenient and it is also how matter documents end up reachable by people who were never meant to see them.

The part firms miss: A link shared once can outlive the matter. Old "anyone with the link" shares sit open for years.

How to check: In the SharePoint admin center, review your external sharing settings. For a firm holding client confidences, anonymous links should be off, and external sharing should be limited to named, verified recipients.
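The same review from PowerShell, as an added example that is not the author's code: it reads the tenant-wide sharing setting, the default link type and the anonymous-link expiry, then lists the sites that currently permit "Anyone" links. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator account; replace the placeholder tenant name before running.

```powershell
# Added example for control 05 (not from the original post). Reads the
# tenant-wide external sharing settings and lists the sites that still
# permit anonymous "Anyone" links.
# Assumptions: the Microsoft.Online.SharePoint.PowerShell module is installed
# and you are a SharePoint administrator. <tenant> is a placeholder.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

# SharingCapability, from most open to most closed:
#   ExternalUserAndGuestSharing      anonymous "Anyone" links allowed
#   ExternalUserSharingOnly          new and existing guests, sign-in required
#   ExistingExternalUserSharingOnly  only guests already in the directory
#   Disabled                         no external sharing at all
$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
# RequireAnonymousLinksExpireInDays of -1 means anonymous links never expire,
# which is how a link shared once can outlive the matter.

# A site can never be more open than the tenant, but a tenant left at the
# most open setting lets every site owner hand out Anyone links. List the
# sites (OneDrive sites included) that currently permit them.
$openSites = Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, Owner

if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    "GAP: tenant allows anonymous links; $(@($openSites).Count) site(s) currently permit them"
}
$openSites
```

This answers the settings question. Finding the individual anonymous links already handed out on old matter folders is a separate, per-site inventory that this script does not attempt; the settings above are what stops new ones from being created.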

06. Audit Logging Turned On

If an account is compromised, the first question is what it touched. Audit logging is what lets you answer that. It records sign-ins, file access, mailbox rules, and admin changes.

The part firms miss: Logging is your record after an incident, and increasingly part of showing a client or an insurer that you took reasonable care. If it was never turned on, the history you need does not exist.

How to check: Confirm unified audit logging is enabled in the Microsoft Purview compliance portal. Then check that the retention period is long enough to be useful, not the default minimum.
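An added example, not the author's code, for the same check from PowerShell: it confirms the unified audit log is switched on, proves events are actually arriving, runs one of the queries the log exists for (inbox rule changes, one of the event types the article names), and lists any custom retention policies. It assumes the ExchangeOnlineManagement module and an account with an audit-reader role; the retention cmdlet runs in Security & Compliance PowerShell and only returns custom policies on tenants licensed for them.

```powershell
# Added example for control 06 (not from the original post). Confirms unified
# audit logging is on, checks that events are flowing, samples one event type
# the article names (mailbox rules), and lists audit retention policies.
# Assumptions: the ExchangeOnlineManagement module is installed and the
# signed-in account holds an audit-reader role in Exchange Online / Purview.
Connect-ExchangeOnline -ShowBanner:$false

$audit = Get-AdminAuditLogConfig
if ($audit.UnifiedAuditLogIngestionEnabled) {
    'Unified audit logging is enabled'
} else {
    'GAP: unified audit logging is OFF; the history you will need after an incident is not being recorded'
}

# "Enabled" is a setting, not proof. Pull a few records from the last 7 days;
# an empty result on a tenant people use every day is itself a finding.
$window = @{ StartDate = (Get-Date).AddDays(-7); EndDate = Get-Date }
$sample = Search-UnifiedAuditLog @window -ResultSize 10
"Audit events in the last 7 days (sampled): $(@($sample).Count)"

# Inbox rule creation or modification is one of the first things to review on
# a compromised mailbox (rules that forward or file away mail). Each record
# carries a JSON AuditData blob with the actor and source IP.
$ruleEvents = Search-UnifiedAuditLog @window -Operations 'New-InboxRule','Set-InboxRule' -ResultSize 500
$ruleEvents | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When = $_.CreationDate
        Who  = $_.UserIds
        Op   = $_.Operations
        Ip   = $d.ClientIP
    }
}

# Retention. Custom audit retention policies live in Security & Compliance
# PowerShell and need Purview Audit (Premium) licensing. No policies listed
# means the tenant is on Microsoft's default retention for its licence.
Connect-IPPSSession
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RecordTypes, RetentionDuration, Priority
```

Write down the retention period you find. When a client or insurer asks what you can reconstruct, that number is the honest answer, and it should be decided deliberately rather than inherited from the default.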

07. Backup and Recovery You Have Actually Tested

Microsoft keeps your service running. It does not guarantee you can recover a mailbox a paralegal deleted last quarter or files a compromised account wiped. Retention policies are not the same as backup.

The part firms miss: A backup you have never restored from is a guess. The time to find out it does not work is not the week a matter file goes missing.

How to check: Confirm you have backup covering mail, OneDrive, and SharePoint beyond Microsoft's default retention. Then test a restore. If no one can say when the last successful restore happened, treat that as a finding.

Where This Leaves Your Firm

If you read those seven and could not answer "how to check" for most of them, that is the normal starting point, not a failure. It is also exactly what the assessment is for. I go through each of these and more, document where your firm stands, and give you a written report with the fixes ranked by exposure and effort.

None of this requires new software. Every control above is already in the Microsoft 365 your firm pays for. It just has to be turned on, scoped correctly, and written down.

See where your firm actually stands

The Microsoft 365 Security & Compliance Assessment is a fixed fee of $1,500, credited toward your first retainer month if you continue within 30 days. You get a written report, not a sales call.