How a DMV Accounting Firm Locked Down Its Microsoft 365 Environment

This is a hypothetical scenario. The firm is fictional. But the gaps mentioned are the kind we see at real firms across Northern Virginia, Maryland, and Washington D.C.

It’s mid-November at a 35-person accounting firm in Vienna, Virginia. The partners are six weeks out from tax season. The Microsoft 365 environment has been running quietly for years. Nothing is broken. Nobody is complaining. To the managing partner, that looks like a stable IT setup.

That’s usually when something goes wrong.

The firm asks BASE Solutions to look at their tenant before client work ramps up. Their professional liability carrier has started asking pointed questions about access controls and multi-factor authentication, and the firm’s insurance renewal lands in February. They want to know where they stand.

This is base camp work. Before anyone moves up the mountain, you check the ground you’re standing on.

What an assessment uncovers

A proper review of a neglected M365 tenant rarely produces one big finding. It produces a stack of small ones, each manageable in isolation but together describing a firm that has lost track of who can see what.

A review of this kind tends to surface five issues:

First, external sharing is wide open on several client folders in SharePoint. A folder shared with a client’s personal Gmail address two years ago is still active. The person who set up the share has since left the firm, but nobody has reviewed the link.

Second, two former employees still have active accounts. They were offboarded informally during busy weeks. The accounts are dormant, but still licensed, still capable of receiving mail, and still accessible to anyone with the password.

Third, multi-factor authentication is enforced for some users and not others. A few staff turned it off on their phones during a busy week because the prompts kept interrupting them, and nobody noticed.

Fourth, there are no Conditional Access policies. Anyone with valid credentials can sign in from anywhere, on any device, at any time of day, and the tenant will let them through.

Fifth, some senior staff routinely save client tax workpapers to their personal OneDrive folders rather than the shared SharePoint library, because that’s where they’ve always worked. Those folders sit outside the firm’s retention policy. They aren’t covered by audit logs. And when those staff retire, the workpapers retire with them.

The cost of loose ground

The temptation, reading a list like that, is to treat it as five separate items to tick off. That misses the point.

The FTC’s Safeguards Rule, which has applied to tax preparers and accounting firms since June 2023, requires firms to implement multi-factor authentication for anyone accessing customer information and to maintain access controls that limit data to staff who genuinely need it. The IRS, in Publication 4557, expects firms to maintain a written security plan and to review who has access to taxpayer data on a regular basis.

The firm, as drawn, fails on both counts because nobody owns the tenant.

If a client folder were exposed because of a forgotten share, the firm would be looking at breach notification obligations, a federal regulator that doesn’t accept ignorance as a defense, and a difficult conversation with every affected client. The technical fix is the cheap part.

What securing the ground looks like

Start with an access review. Every account in the tenant gets accounted for: active staff, inactive staff, service accounts, and guests. Anyone who shouldn’t be there comes out.

Roll out Conditional Access, the Microsoft Entra policy framework that decides who can sign in, from where, on what kind of device, and under what conditions. For a DMV-based firm, that means blocking sign-ins from outside the United States by default, enforcing MFA on every sign-in, and requiring a compliant device for access to client data.

Restrict external sharing on client folders. SharePoint’s defaults are designed to make sharing easy, which is the right setting for a marketing team and the wrong one for a firm holding regulated client data. Sharing gets locked down to named recipients, with expiry dates, and a quarterly review of any link still active.

Build an offboarding checklist that includes IT every time. When somebody leaves, their account is disabled the same day, their data is preserved per the firm’s retention policy, and their licenses are reclaimed.

Move personal OneDrive workpapers back into the shared SharePoint library, and put a policy in place that says client data lives there and nowhere else.

Then commit to a quarterly tenant review rather than an annual one. New apps get added. New people join. Permissions accumulate. A standing 90-day review keeps the picture clean.
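The access review and Conditional Access inventory described above, as an added read-only script (not BASE Solutions' or the firm's own tooling) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account holds Global Reader or equivalent, and the tenant has an Entra ID P1/P2 licence (needed for sign-in activity data); the 90-day window is the quarterly cadence the article recommends.

```powershell
# Added example: flag dormant-but-licensed accounts, enabled members without
# MFA registered, and guests; then list Conditional Access policies.
$StaleDays = 90   # same window as the 90-day review described above
$cutoff    = (Get-Date).AddDays(-$StaleDays)

$scopes = @(
    "User.Read.All", "AuditLog.Read.All",
    "UserAuthenticationMethod.Read.All", "Policy.Read.All"
)
Connect-MgGraph -NoWelcome -Scopes $scopes

# 1. Every account in the tenant: staff, guests, dormant accounts, licences
$props = @(
    "Id", "DisplayName", "UserPrincipalName", "AccountEnabled",
    "UserType", "AssignedLicenses", "SignInActivity"
)
$users = Get-MgUser -All -Property $props

# 2. MFA registration per user, from the authentication methods report
$mfa = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfa[$_.UserPrincipalName] = [bool]$_.IsMfaRegistered }

$report = foreach ($u in $users) {
    $upn      = $u.UserPrincipalName
    $last     = $u.SignInActivity.LastSignInDateTime
    $licensed = $u.AssignedLicenses.Count -gt 0
    $hasMfa   = $mfa.ContainsKey($upn) -and $mfa[$upn]

    # One flag per account, mirroring the findings in the assessment above
    $flag = if ($u.AccountEnabled -and $licensed -and
                ($null -eq $last -or $last -lt $cutoff)) { "DORMANT-LICENSED" }
            elseif ($u.AccountEnabled -and $u.UserType -eq "Member" -and -not $hasMfa) { "NO-MFA" }
            elseif ($u.UserType -eq "Guest") { "GUEST-REVIEW" }
            else { "" }

    [pscustomobject]@{
        User = $upn; Type = $u.UserType; Enabled = $u.AccountEnabled
        Licensed = $licensed; LastSignIn = $last; MfaRegistered = $hasMfa; Flag = $flag
    }
}

# 3. Conditional Access inventory: an empty list is itself a finding
$policies = Get-MgIdentityConditionalAccessPolicy -All | Select-Object DisplayName, State
if (-not $policies) { Write-Warning "No Conditional Access policies exist in this tenant." }

$report | Sort-Object Flag, User | Format-Table -AutoSize
$report | Export-Csv -Path ".\m365-access-review.csv" -NoTypeInformation
$policies | Format-Table -AutoSize
```

The script changes nothing; disabling flagged accounts or tightening sharing is a separate, reviewed step once the report has been checked against HR and client records.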

What a well-governed tenant delivers

By tax season, the picture has changed. Access is clean. There’s a verifiable record of who can see what, and an audit trail if anyone asks. External sharing no longer happens by accident. Insurance renewal becomes easier because the firm has answers rather than apologies.

More importantly, the partners stop being surprised. They know what’s in their environment. They know when something changes. They know who to call when they have a question, and the answer doesn’t take a week. That’s what securing the ground looks like before the climb continues.

If you’re not sure who that is for your firm yet, that’s the conversation worth having before tax season. BASE Solutions runs a Microsoft 365 security posture review for DMV firms wanting an honest read on the terrain. Thirty minutes, no decisions until you’ve seen the picture.
