Microsoft 365 Security for Law Firms: A 12-Point Configuration Checklist
Most solo and small law firms run on Microsoft 365. Exchange handles email, SharePoint and OneDrive handle documents, Teams handles client communications, and the firm’s entire operation lives inside a single Microsoft tenant. Out of the box, M365 is a capable platform with enterprise-grade security controls available to every subscription. The problem is that very few of those controls are enabled by default.
If you bought Business Basic or Business Standard and never opened the admin center, you are running a configuration that Microsoft itself considers a starting point — not a compliant deployment. This checklist walks through 12 specific settings every law firm should verify, organized by impact. The first five are high-leverage changes that take minutes. The remaining seven are configuration decisions that benefit from a deliberate review.
This is a companion piece to ABA Rule 1.6(c): What “Reasonable Efforts” Actually Means for Cybersecurity in 2026. If you have not read that post, start there — it explains the ethics framework these configuration decisions are meant to satisfy.
Identity and access — the five high-leverage changes
1. Multi-factor authentication on every account, no exceptions
MFA is the single highest-impact security control in Microsoft 365. It is also the control most commonly skipped or partially deployed. The question is not whether to enable MFA — it is how.
Good enough: Enable Security Defaults in the Entra admin center. This forces MFA on all users, blocks legacy authentication protocols, and requires MFA for admins on every sign-in. It is free, takes one click, and covers the majority of what a small firm needs.
Fully hardened: Disable Security Defaults and build a Conditional Access policy set. Conditional Access (Business Premium and above) lets you require MFA with specific methods, block authentication from countries where the firm does not practice, force re-authentication on sensitive applications, and exempt trusted devices from repeated prompts. It is more work but more flexible.
What you should never do: leave MFA off for the managing attorney “because they travel” or for shared inboxes “because they are functional accounts.” Both are the attack paths most commonly exploited.
2. Block legacy authentication protocols
Basic authentication (SMTP AUTH, IMAP, POP, older Exchange ActiveSync) does not support MFA. If any of these protocols are enabled on your tenant, an attacker with a stolen password can log in as a user without ever being challenged. Microsoft has been deprecating basic auth for years, but tenants that were provisioned before the deprecation often still have it enabled.
Check: Entra admin center → Users → User settings → Manage user feature settings, and Exchange admin center → Mail flow → Authentication policies. Block SMTP AUTH at the tenant level unless you have a documented reason for leaving it on (and a specific account that needs it).
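The same verification and block done from Exchange Online PowerShell, as an added example that is not part of the original post; it assumes the ExchangeOnlineManagement module, an admin sign-in, and the exception account address is a placeholder:

```powershell
# Added example: verify and block Basic authentication in Exchange Online.
# $AllowedSmtpAccount is a constructed placeholder for the one documented exception.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Tenant-wide SMTP AUTH. $true means the protocol is already disabled.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 2. Per-mailbox overrides win over the tenant setting. $null inherits the
#    tenant value; an explicit $false re-enables SMTP AUTH for that mailbox.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object DisplayName, PrimarySmtpAddress

# 3. Keep the single documented exception (for example a scanner that relays
#    mail) as an explicit override, and make sure step 2 lists nothing else.
$AllowedSmtpAccount = 'scanner@example.com'
Set-CASMailbox -Identity $AllowedSmtpAccount -SmtpClientAuthenticationDisabled $false

# 4. Turn off POP and IMAP on the default mailbox plan (future mailboxes) and
#    on every existing mailbox, so a stolen password has no MFA-free door.
Get-CASMailboxPlan -Filter "ImapEnabled -eq 'true' -or PopEnabled -eq 'true'" |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
Get-CASMailbox -ResultSize Unlimited -Filter "ImapEnabled -eq 'true' -or PopEnabled -eq 'true'" |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# 5. Make "Basic auth blocked for every protocol" the tenant default. A new
#    authentication policy blocks all Basic auth protocols unless told otherwise.
New-AuthenticationPolicy -Name 'Block Basic Auth'
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'
```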
3. Restrict external email forwarding
Business email compromise often ends with the attacker creating a mailbox rule that forwards copies of inbound messages to an external address. By the time the attorney notices, months of client communications have been exfiltrated.
Block it at the tenant level. Exchange admin center → Mail flow → Remote domains → Default → uncheck “Allow automatic forwarding.” For firms that have a legitimate need to forward specific mailboxes externally, create an allowlist exception rather than leaving it open.
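Because a tenant-level block does not remove forwarding an intruder has already planted, the following added example (not from the original post) applies the block and then reports every mailbox and inbox rule that currently forwards outside the firm's own domains; it assumes the ExchangeOnlineManagement module and an admin sign-in:

```powershell
# Added example: block automatic external forwarding, then audit for existing forwarding.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# The Default remote domain governs client-side auto-forward (inbox rules,
# Outlook redirects); the outbound spam policy governs all automatic forwarding
# regardless of how it was configured. Set both.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Report 1: mailbox-level forwarding set by an admin or via Outlook settings.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Report 2: inbox rules that forward or redirect to an address outside the
# firm's accepted domains. Internal recipients appear as [EX:...] legacy DNs,
# external ones as [SMTP:user@domain], so only SMTP targets are checked.
$AcceptedDomains = (Get-AcceptedDomain).DomainName
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            $external = $targets | Where-Object {
                $_ -match '\[SMTP:([^\]]+)\]' -and
                ($Matches[1].Split('@')[1] -notin $AcceptedDomains)
            }
            if ($external) {
                [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Rule     = $_.Name
                    Enabled  = $_.Enabled
                    External = ($external -join '; ')
                }
            }
        }
}
```

Any row in either report that the mailbox owner cannot explain is an incident to investigate, not a setting to quietly reset.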
4. Enable and review the audit log
Microsoft 365 audit logging is enabled by default on newer tenants but should be explicitly verified. Audit logs are what let you answer “was anything actually accessed?” after a suspected incident — which, as Formal Opinion 483 makes clear, is not an optional question for lawyers.
Verify: Microsoft Purview compliance portal → Audit → Search. If you see search results, logging is on. Set retention to at least one year (Business Premium allows longer).
Equally important: someone at the firm should be responsible for periodic review. “Monthly, by the managing attorney or an outside reviewer” is a defensible cadence for most small firms. Unreviewed logs still have evidentiary value, but reviewing them is what lets you catch a slow-burn compromise before it becomes a breach.
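An added example (not from the original post) of the verification and a repeatable monthly review from Exchange Online PowerShell; it assumes the ExchangeOnlineManagement module and that the reviewer holds an audit-reading role:

```powershell
# Added example: confirm unified audit logging is on and run the monthly review.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# The unified log is what Purview's Audit search reads; $true means it is ingesting.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Monthly review: pull the operations that most often signal a compromised
# account or a quiet change to who can read what, then summarise by actor.
$end   = Get-Date
$start = $end.AddDays(-30)
$ops   = @(
    'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',   # forwarding or hiding rules
    'Set-Mailbox',                                           # mailbox-level forwarding
    'Add-MailboxPermission',                                 # delegated mailbox access
    'Add member to role.',                                   # admin role grants
    'Consent to application.',                               # OAuth app consent
    'Add app role assignment grant to user.'
)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations $ops -ResultSize 5000 -SessionCommand ReturnLargeSet

# AuditData is a JSON document per event; expand it and count per (operation, actor).
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object Operation, UserId |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Keep the output with the month's review notes: it is both the evidence that the review happened and the baseline the next month is compared against.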
5. Require a session timeout on unmanaged devices
Lawyers work from coffee shops, airports, and hotel rooms. If the browser session persists indefinitely, a laptop left unattended for two minutes becomes a client confidentiality incident. Conditional Access lets you require re-authentication every N hours on devices that are not joined to your Entra tenant.
Good enough for a two-person firm: a four- to eight-hour session timeout on unmanaged devices. Fully hardened: session-based Conditional Access with device compliance requirements.
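For the fully hardened path of item 1 together with item 5, the following added example (not from the original post) creates two Conditional Access policies with Microsoft Graph PowerShell, one requiring MFA for everyone and one capping sessions on unmanaged devices; it assumes Business Premium, that Security Defaults has been turned off as described above, the Microsoft.Graph module, and a break-glass account whose address below is a placeholder:

```powershell
# Added example: baseline Conditional Access policies, created in report-only
# mode so the sign-in log shows their effect before anything is enforced.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All'

$breakGlassUpn = 'breakglass@example.com'   # constructed placeholder
$breakGlass    = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"

# Shared scope: every user except the emergency-access account, every app.
function New-BaselineScope {
    @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
}

# Policy 1 (item 1): require MFA for all users on all applications.
$mfaPolicy = @{
    displayName   = 'Baseline 1: require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = New-BaselineScope
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2 (item 5): re-authenticate every 8 hours and never persist the browser
# session, applied only to devices that are neither Entra-joined nor Intune-compliant.
$sessionPolicy = @{
    displayName     = 'Baseline 2: 8h session limit on unmanaged devices'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = New-BaselineScope
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 8; frequencyInterval = 'timeBased' }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}
$sessionPolicy.conditions.devices = @{
    deviceFilter = @{
        mode = 'exclude'
        rule = 'device.trustType -eq "AzureAD" -or device.isCompliant -eq True'
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $sessionPolicy
```

After a week of report-only results with no unexpected blocks, switch each policy's state to enabled; the break-glass account stays excluded so a misconfigured policy can never lock the firm out of its own tenant.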
Document controls — matter-based access done right
6. Sensitivity labels for privileged content
Microsoft Purview sensitivity labels let you tag documents as, say, “Privileged — Attorney Work Product” and apply automatic protections: encryption, watermarking, restricted forwarding, and revocable access. Labels travel with the document, so even a file downloaded to a personal laptop remains protected.
A practical starting schema for a small firm:
- Public — marketing materials, published briefs
- Internal — firm administrative documents
- Client Confidential — routine client matter documents
- Privileged — attorney work product, settlement discussions, litigation strategy
Apply the labels manually at first. Purview can auto-label based on content over time, but the firm benefits from having attorneys actively think about what category a document belongs in for the first few months.
7. Matter-based access control via Entra ID groups
The default SharePoint configuration in M365 gives all firm employees access to most firm documents. That is not what a conflicts-aware firm wants. Matter-based access control means: each matter has an Entra ID security group, document libraries for that matter grant access only to the group, and membership changes when attorneys rotate onto or off of the matter.
This takes planning to set up but eliminates an entire class of inadvertent-disclosure risk. It also gives you clean audit trails — you can answer “who had access to the Smith matter” by looking at one group’s membership history.
Firms that cannot justify the setup work should at minimum ensure that any ethical wall or lateral-hire conflict is reflected in SharePoint permissions on day one, not on a spreadsheet the IT person references someday.
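An added example (not from the original post) of the group side of this design in Microsoft Graph PowerShell: one security group per matter, and a report that answers "who has access to the Smith matter, and who changed that" from the directory audit log. It assumes the Microsoft.Graph module; the matter id, naming convention and attorney addresses are constructed placeholders, and granting the group to the matter's SharePoint library is done in SharePoint as the text describes.

```powershell
# Added example: per-matter Entra ID security groups and their access history.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.Read.All','AuditLog.Read.All'

function New-MatterGroup {
    param([string]$MatterId, [string]$ClientName, [string[]]$MemberUpns)
    # One security group per matter. The matter's document library is then
    # permissioned to this group only, never to individual people.
    $group = New-MgGroup -DisplayName "Matter-$MatterId-$ClientName" `
                         -MailNickname "matter-$MatterId" `
                         -MailEnabled:$false -SecurityEnabled `
                         -Description "Access group for matter $MatterId ($ClientName)"
    foreach ($upn in $MemberUpns) {
        $user = Get-MgUser -Filter "userPrincipalName eq '$upn'"
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    }
    $group
}

function Get-MatterAccessHistory {
    param([string]$GroupId)
    # Current membership plus every add/remove the directory audit log still
    # holds. Entra keeps these events for 30 days, so export this output to the
    # matter file on a schedule if history beyond that is needed.
    $current = Get-MgGroupMember -GroupId $GroupId -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    $filter  = "activityDisplayName eq 'Add member to group' or " +
               "activityDisplayName eq 'Remove member from group'"
    $changes = Get-MgAuditLogDirectoryAudit -All -Filter $filter |
        Where-Object {
            # The group shows up either as a target resource or in the user
            # target's Group.ObjectID modified property, depending on the event.
            $_.TargetResources.Id -contains $GroupId -or
            ($_.TargetResources.ModifiedProperties |
                Where-Object { $_.DisplayName -eq 'Group.ObjectID' -and $_.NewValue -match $GroupId })
        } |
        ForEach-Object {
            [pscustomobject]@{
                When   = $_.ActivityDateTime
                Action = $_.ActivityDisplayName
                Member = ($_.TargetResources | Where-Object Type -eq 'User').UserPrincipalName
                By     = $_.InitiatedBy.User.UserPrincipalName
            }
        }
    [pscustomobject]@{ CurrentMembers = $current; Changes = $changes }
}

$g = New-MatterGroup -MatterId '2026-0142' -ClientName 'Smith' `
                     -MemberUpns 'a.partner@example.com','b.associate@example.com'
Get-MatterAccessHistory -GroupId $g.Id
```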
8. Restrict external sharing in SharePoint and OneDrive
The SharePoint admin center lets you configure external sharing at multiple levels: tenant-wide, per-site, and per-document. The default is usually “Anyone with the link” for new sites, which is the wrong default for a law firm.
Set the tenant default to “New and existing guests,” which requires the recipient to authenticate before accessing anything. Disable “Anyone” links at the tenant level, and allow per-site exceptions only where there is a clear business need (for example, a deal room that uses managed guest access for counterparty review).
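The same change from the SharePoint Online Management Shell, as an added example that is not part of the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module, and the tenant and site URLs are placeholders:

```powershell
# Added example: set the tenant sharing ceiling and find sites that sit above it.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# SharingCapability values, most to least restrictive: Disabled,
# ExistingExternalUserSharingOnly, ExternalUserSharingOnly ("New and existing
# guests"), ExternalUserAndGuestSharing ("Anyone"). A site can never be more
# permissive than the tenant, so this value is the ceiling for Anyone links.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAcceptingAccountMatchInvitedAccount $true

# Report sites whose own setting is still "Anyone". They are capped by the
# tenant now, but each should be reset or recorded as a justified exception.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Title, SharingCapability

# Sites whose content should never leave the firm (administration, privileged
# work product) can be locked tighter than the tenant default. Placeholder URL.
$firmAdminSite = 'https://contoso.sharepoint.com/sites/FirmAdmin'
Set-SPOSite -Identity $firmAdminSite -SharingCapability Disabled
```

Because sites cannot exceed the tenant ceiling, a site that genuinely needs Anyone links would force the tenant back to “Anyone” with every other site set lower; authenticated guest access on the deal room avoids that trade-off.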
9. Data loss prevention policies for sensitive data categories
Microsoft Purview DLP can inspect outbound email and shared documents for specific patterns — Social Security numbers, credit card numbers, medical record identifiers, bank account numbers — and either warn the user, block the send, or route the message to a legal hold queue.
For law firms, the most valuable DLP policies are usually:
- Block outbound email containing client SSNs without encryption
- Warn on outbound email containing financial account numbers
- Block sharing of documents labeled “Privileged” with external domains
DLP is not a substitute for sensitivity labels or access controls, but it catches the category of errors where an attorney means well and still hits the wrong button.
Mail, endpoints, and the remaining configuration
10. Defender for Office 365 (Safe Links and Safe Attachments)
Business Premium includes Defender for Office 365 Plan 1, which adds two specific protections over the default mail filter: Safe Links rewrites URLs so they are checked at click time (not just send time), and Safe Attachments opens attachments in a sandbox before delivery. Both materially reduce the phishing hit rate.
Verify in the Microsoft Defender portal under Email & collaboration → Policies & rules → Threat policies. Both should be set to Standard or Strict protection, not Custom with lowered thresholds.
11. Mobile device management via Intune
If attorneys read email on their phones, the firm’s data is on those phones. Intune (included with Business Premium) lets you require a PIN, encrypt the device, remotely wipe just the work data if a phone is lost, and block copy-paste from work apps into personal apps.
For small firms, App Protection Policies (application-level controls) are usually sufficient and do not require enrolling the whole device. This matters because most attorneys will not accept full device management on a personal phone, but will accept a policy that only touches Outlook and Teams.
12. Privileged Identity Management and Global Admin hygiene
The Global Administrator role in Entra can read any mailbox, grant any permission, and override any control elsewhere on this list. It should be held by as few people as possible, and ideally not used day-to-day.
For a firm with Business Premium, Privileged Identity Management (PIM) lets you configure Global Admin as a just-in-time role: the designated user requests the role, gets it for a bounded time window (say, two hours), and then loses it automatically. This dramatically reduces the blast radius of a compromised admin account.
If PIM is not available on your plan, the next-best thing is a dedicated Global Admin account used only for admin work, distinct from the managing attorney’s daily account, with its own MFA and no mailbox.
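An added example (not from the original post) that inventories Global Administrator holders with Microsoft Graph PowerShell, separates permanent assignments from PIM-eligible ones, and flags admin accounts that also carry a mailbox; it assumes the Microsoft.Graph module and a role-reading scope, and the eligibility query returns nothing on a tenant without PIM:

```powershell
# Added example: Global Administrator hygiene report.
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','User.Read.All'

# Well-known template id of the Global Administrator role; identical in every tenant.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminReport {
    # Permanent (active) holders: a stolen token for any of these is Global Admin now.
    $role   = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
    $active = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    # PIM-eligible holders must activate first (time-bound, with MFA and justification).
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
                  -Filter "roleDefinitionId eq '$GlobalAdminTemplateId'"

    $rows = foreach ($m in $active) {
        $u = Get-MgUser -UserId $m.Id -Property id,userPrincipalName,mail,accountEnabled -ErrorAction SilentlyContinue
        if ($u) {
            [pscustomobject]@{
                Account    = $u.UserPrincipalName
                Assignment = 'Permanent'
                HasMailbox = [bool]$u.Mail        # an admin with a mailbox is a phishing target
                Enabled    = $u.AccountEnabled
            }
        }
    }
    $rows += foreach ($id in @($eligible.PrincipalId) | Where-Object { $_ -notin $active.Id }) {
        $u = Get-MgUser -UserId $id -Property id,userPrincipalName,mail,accountEnabled -ErrorAction SilentlyContinue
        if ($u) {
            [pscustomobject]@{
                Account    = $u.UserPrincipalName
                Assignment = 'Eligible (PIM)'
                HasMailbox = [bool]$u.Mail
                Enabled    = $u.AccountEnabled
            }
        }
    }
    $rows
}

Get-GlobalAdminReport | Format-Table -AutoSize
```

Microsoft's own guidance is fewer than five Global Administrators; for a small firm the report should show a dedicated admin account or two plus a break-glass account, and no row where a daily-use mailbox account holds the role permanently.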
What to do once you have run the checklist
This list covers the configuration decisions. It does not cover the written policy, the vendor review, or the training program — those are the documentation side of the Rule 1.6(c) analysis discussed in the companion post.
Firms that run this checklist themselves often find the technical changes straightforward and the policy documentation the hard part. If you want a second set of eyes on the configuration, a written report mapping current state to each of these 12 items, and a draft policy you can adapt — that is what Froskr’s free 30-minute Microsoft 365 security review produces.
Free Microsoft 365 security assessment
Connect your tenant to our self-serve tool and get a written report mapping your current configuration against every item on this checklist. No credit card, no sales call required to see the findings.
Microsoft 365 feature availability varies by plan. Conditional Access, Defender for Office 365, Purview DLP, Intune, and Privileged Identity Management require Business Premium or higher. Security Defaults, MFA, and audit logging are available on every paid plan.