8 Things Quietly Going Wrong in Your Microsoft 365

Most Microsoft 365 tenants get a careful setup at the start, and then nobody goes back to look. Staff turnover. Projects start and end. New features get switched on, sometimes deliberately and sometimes by accident. Permissions accumulate, guest accounts linger, and sharing links stay live well past the projects that needed them. Years later, the tenant a firm is running doesn’t resemble the one they configured at setup, and the system won’t tell you. It won’t flag permissions that have sprawled, defaults that are out of date, or features switched on years ago that are exposing data they shouldn’t. You only find out if someone goes looking.

For firms in legal, financial, accounting, and pharma, drift like this is the risk you don’t want sitting there. It rarely surfaces until something forces a proper look. Usually, it’s an audit, an incident, or a new client running due diligence.

These are the eight things we keep seeing when we survey the terrain.

1. SharePoint sites no one remembers granting access to

SharePoint sites accumulate. Every shared workspace from every past project tends to leave one behind, and permissions get added a lot more often than they get removed. We routinely find former partners and outside collaborators still able to read documents they shouldn’t have access to anymore. For a law firm, that’s a live confidentiality breach. Disabling a sign-in when someone leaves doesn’t satisfy the firm’s ongoing duty to keep client information out of the hands of people who shouldn’t still have it.

2. External sharing links that never expire

By default, Microsoft 365 doesn’t force expiration on internal “People in your organization” sharing links, and “Anyone” links only expire if an admin has set a tenant-wide policy. Microsoft’s documentation lays this out. The result is that a document shared with an external party in 2022 is, in most tenants, still reachable in 2026 by whoever has the link. You usually have no easy way to find out who that is.
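A quick way to see where your tenant actually stands on link expiration is to read the settings back with the SharePoint Online Management Shell. The script below is an added example, not code from the original post or from BASE Solutions; it assumes the SharePoint Online Management Shell module is installed, that the admin URL is a placeholder for your own tenant, and that the expiry values at the end (30 days for "Anyone" links, 60 days for guest access) are starting points you would tune, not recommendations from the article.

```powershell
# Added example (not from the original post): audit, then correct, tenant-wide
# sharing-link expiration with the SharePoint Online Management Shell.
# Assumes the module is installed and the admin URL is a placeholder tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$tenant = Get-SPOTenant

# "Anyone" links: 0 or -1 means no expiration is enforced on anonymous links.
$anyoneDays  = $tenant.RequireAnonymousLinksExpireInDays
# Guest (external user) access: whether it expires at all, and after how long.
$guestExpiry = $tenant.ExternalUserExpirationRequired
$guestDays   = $tenant.ExternalUserExpireInDays

[pscustomobject]@{
    SharingCapability             = $tenant.SharingCapability
    DefaultSharingLinkType        = $tenant.DefaultSharingLinkType
    AnonymousLinkExpiryDays       = $anyoneDays
    GuestAccessExpirationRequired = $guestExpiry
    GuestAccessExpiryDays         = $guestDays
} | Format-List

if ($anyoneDays -le 0) {
    Write-Warning "'Anyone' links never expire in this tenant."
}
if (-not $guestExpiry) {
    Write-Warning "Guest access to sites and OneDrives never expires in this tenant."
}

# Sites that allow the loosest setting (anonymous plus guest sharing), regardless
# of the tenant default, so you know where non-expiring links could have been made.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, Owner

# Corrected settings (uncomment and run deliberately after reviewing the output):
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 `
#               -DefaultSharingLinkType Internal `
#               -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60
```

Note that the tenant-wide expiry applies to links created from that point on as well as existing ones, so setting it is the one change that closes the 2022-link problem in bulk; the per-site listing tells you which sites to review by hand.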

3. Access that lingers long after it should have ended

Plenty of people had legitimate access to the tenant at some point. Ex-employees; paralegals from a single matter; the agency hired for last year’s brand refresh; the previous IT provider; and guest accounts left over from deals that closed years ago. A lot of them still have it. Offboarding in Microsoft 365 means more than disabling a sign-in. There’s also mailbox delegation, SharePoint group membership, OneDrive sharing, guest account status, and any third-party apps the user previously authorized. When offboarding happens in fifteen minutes between meetings, only the obvious things tend to get caught.
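The leftovers listed above are spread across Exchange Online, SharePoint and Entra ID, which is why a fifteen-minute offboarding misses them. The script below is an added example, not code from the original post or from BASE Solutions; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that `former.partner@contoso.com` is a placeholder for the leaver, and that the tenant has an Entra ID P1 licence (needed for the guest sign-in activity in the last step).

```powershell
# Added example (not from the original post): what a departed user can still
# reach after their sign-in is disabled, plus guest accounts nobody has used.
# Assumes ExchangeOnlineManagement and Microsoft.Graph are installed; the UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All"

$leaver = "former.partner@contoso.com"   # placeholder leaver

# 1. Mailboxes the leaver can still open (Full Access) or send as.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User -eq $leaver -and $_.AccessRights -contains 'FullAccess' } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, User, AccessRights
    Get-RecipientPermission -Identity $mbx.Identity |
        Where-Object { $_.Trustee -eq $leaver } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Trustee, AccessRights
}

# 2. Forwarding still configured on the leaver's own mailbox.
Get-Mailbox -Identity $leaver |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Third-party apps the leaver consented to. OAuth grants survive a disabled sign-in
#    and the app keeps whatever scope it was given until the grant is revoked.
$leaverId = (Get-MgUser -UserId $leaver).Id
Get-MgUserOauth2PermissionGrant -UserId $leaverId |
    Select-Object ClientId, Scope, ConsentType

# 4. Guest accounts with no sign-in in the last 90 days (or never). Candidates for removal.
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -Filter "userType eq 'Guest'" -All `
           -Property Id,DisplayName,Mail,CreatedDateTime,SignInActivity |
    Where-Object {
        -not $_.SignInActivity.LastSignInDateTime -or
        $_.SignInActivity.LastSignInDateTime -lt $cutoff
    } |
    Select-Object DisplayName, Mail, CreatedDateTime,
                  @{n='LastSignIn';e={$_.SignInActivity.LastSignInDateTime}}
```

Step 1 walks every mailbox, so it is slow on a large tenant; run it once as part of a review rather than as a per-leaver routine, and keep the output as the evidence that the duty in point 1 was actually discharged.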

4. MFA that protects most users, but not the ones that matter

Most firms have MFA on for the bulk of their users. The gap is in the exceptions, typically a few senior staff who pushed back at rollout, plus the service accounts and shared mailboxes nobody got around to enabling MFA on. Microsoft’s research puts MFA’s blocking rate against account compromise at over 99.2%, which means the handful of accounts without it are doing almost all the work for the attackers.

5. Mailbox rules forwarding to addresses you don’t recognize

Inbox forwarding rules are one of the classic indicators of a compromised mailbox and one of the easiest things to overlook. When an attacker gets into an account, the standard play is a rule that watches for messages containing words like “invoice” or “wire,” forwards them to an external address, and deletes the original so the legitimate user doesn’t see it. Nobody notices anything’s wrong until a payment ends up in the wrong account, or a client mentions a reply they never got.
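The pattern described above (external forward or redirect, keyword match, delete the original) is mechanical enough to hunt for across every mailbox at once. The script below is an added example, not code from the original post or from BASE Solutions; it assumes the ExchangeOnlineManagement module is installed, takes the list of internal domains from the tenant's own accepted domains, and uses a constructed keyword watch list that you would extend for your own firm.

```powershell
# Added example (not from the original post): flag inbox rules and mailbox-level
# forwarding that move mail outside the tenant. Assumes ExchangeOnlineManagement
# is installed; $keywords is a constructed watch list, extend it for your firm.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$internalDomains = (Get-AcceptedDomain).DomainName
$keywords = 'invoice','wire','payment','bank','remittance'   # constructed watch list

function Test-ExternalAddress([string]$address) {
    # Rule targets come back as "Display Name [SMTP:user@domain]" or as a plain address.
    if ($address -match 'SMTP:([^\]\s]+)') { $address = $Matches[1] }
    if ($address -notmatch '@') { return $false }   # resolved internal recipient, no address
    $domain = $address.Split('@')[-1]
    return -not ($internalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalAddress $_ }
        $watched  = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) |
                    Where-Object { $_ -and ($keywords -contains $_.ToLower()) }
        # Report any rule that sends mail outside, and any rule that silently deletes
        # messages matching the watch list even if it forwards nowhere.
        if ($external -or ($rule.DeleteMessage -and $watched)) {
            [pscustomobject]@{
                Mailbox        = $mbx.UserPrincipalName
                Rule           = $rule.Name
                Enabled        = $rule.Enabled
                ExternalTarget = ($external -join ';')
                DeletesCopy    = $rule.DeleteMessage
                Keywords       = ($watched -join ';')
            }
        }
    }
}

$findings | Format-Table -AutoSize

# Mailbox-level forwarding (set with Set-Mailbox) is separate from inbox rules
# and does not show up in Get-InboxRule, so check it as well.
Get-Mailbox -ResultSize Unlimited -Filter { ForwardingSmtpAddress -ne $null } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Mitigation: stop automatic forwarding to external addresses tenant-wide, so a
# rule like the one above fails quietly instead of leaking mail.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Rules that are disabled still appear in the output on purpose: an attacker who was interrupted may leave one behind switched off, and it is a useful indicator that the mailbox was touched.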

6. OneDrive data no one knows exists

When someone leaves, their OneDrive gets deleted automatically after 30 days, unless whoever handled the offboarding clicked the wrong option, in which case it sits there indefinitely. We find OneDrives all the time containing payroll files, signed contracts, HR correspondence, and client documents belonging to people who haven’t been at the firm for years. None of it sits in any sanctioned backup, and a subpoena would find every file.
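Two checks cover this: how long the tenant keeps a deleted user's OneDrive, and which personal sites belong to accounts that no longer exist in Entra ID. The script below is an added example, not code from the original post or from BASE Solutions; it assumes the SharePoint Online Management Shell and Microsoft.Graph modules are installed and that the admin URL is a placeholder for your tenant.

```powershell
# Added example (not from the original post): retention period for deleted users'
# OneDrives, and personal sites whose owner is no longer a user in the directory.
# Assumes SharePoint Online Management Shell and Microsoft.Graph; admin URL is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant
Connect-MgGraph -Scopes "User.Read.All"

# Days a deleted user's OneDrive is kept before purge (tenant setting; default 30).
"OrphanedPersonalSitesRetentionPeriod: $((Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod) days"

# Every UPN that still exists in Entra ID, used to spot owners who have gone.
$currentUsers = (Get-MgUser -All -Property UserPrincipalName).UserPrincipalName

# Personal (OneDrive) sites whose recorded owner is not a current user.
Get-SPOSite -IncludePersonalSite $true -Limit All `
            -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object { $_.Owner -and ($currentUsers -notcontains $_.Owner) } |
    Select-Object Url, Owner, StorageUsageCurrent, LastContentModifiedDate |
    Sort-Object StorageUsageCurrent -Descending
```

The orphaned-site list is what you walk through with the practice group before anything is deleted: each row is a decision about whether the content is client work product that needs a home, or data that should have been gone years ago.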

7. No conditional access policies at all

Conditional access is the rule layer that decides whether to allow a given sign-in based on where and how it’s coming in. Without it, a stolen password coming in from another country looks the same to Microsoft 365 as a legitimate login from the office. Most tenants we look at either have no conditional access configured at all or have one policy from the original setup that nobody’s reviewed since.
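Points 4 and 7 are two halves of one problem: knowing who has not registered MFA, and having a policy that requires it regardless of how a sign-in arrives. The script below is an added example, not code from the original post or from BASE Solutions; it assumes the Microsoft.Graph PowerShell modules are installed, that `breakglass@contoso.com` is a placeholder for an emergency-access account you already maintain, and that the policy is created in report-only mode so the service accounts and shared mailboxes mentioned in point 4 show up in the sign-in logs before anyone is locked out.

```powershell
# Added example (not from the original post): report accounts with no MFA method
# registered, list existing Conditional Access policies, and stage a report-only
# policy requiring MFA for everyone except a break-glass account (placeholder UPN).
Connect-MgGraph -Scopes "AuditLog.Read.All","Policy.Read.All",
                        "Policy.ReadWrite.ConditionalAccess","User.Read.All"

# Point 4: accounts with no MFA registered at all; admins listed first.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All -Filter "isMfaRegistered eq false" |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, IsMfaRegistered |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

# Point 7: what Conditional Access policies exist today, if any, and when they last changed.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, CreatedDateTime, ModifiedDateTime

# Emergency-access account to exclude, so a misconfigured policy cannot lock out every admin.
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.com").Id   # placeholder account

$policy = @{
    DisplayName = "Require MFA for all users (report-only)"
    # Report-only: evaluated and logged on every sign-in, but nothing is blocked yet.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlass) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode long enough to see a full business cycle of sign-ins, then switch `State` to `enabled`. The sign-ins it would have blocked are exactly the list of exceptions from point 4 that need either MFA registration or a deliberate, documented exclusion.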

8. Copilot switched on before anyone checked what it could see

Copilot inherits the permissions of whoever’s prompting it. If the tenant has the over-sharing problems described in points 1 and 2, Copilot will surface that data on request. A paralegal asking Copilot to summarize recent work product can surface partner compensation, M&A pipeline notes, or anything else the firm assumed was off-limits but never locked down in the permission model. Turning Copilot on before reviewing permissions and sensitivity labels means every legacy access issue in the tenant becomes part of how people use the system every day.

The honest assessment

Any one of these on its own is manageable. The problem is that they pile on top of each other, and most of them stay invisible until something forces a look. A firm running Microsoft 365 without periodic review is assuming the tenant still works the way it did at setup, and it almost never does.

The first step isn’t a new tool or a bigger license. It’s looking. You can’t secure ground you haven’t surveyed. Most of the items above show up in a single properly scoped review, and what to do about them is usually clearer than it sounds. Book a consultation with BASE Solutions and we’ll give you a clear picture of what’s happening inside your Microsoft 365 tenant.
