A firm of forty-five lawyers is running on a Microsoft 365 tenant that was set up when the firm had eight. Nobody designed it. Somebody turned it on, added users as the firm grew, and moved on. That tenant is now the central nervous system of a business doing tens of millions in revenue, handling email, documents, client files, and identity for every system that uses single sign-on. Its configuration has not been seriously reviewed in seven years.
This is the most common Microsoft 365 story in professional services right now. Not a failed migration or a botched deployment, but a tenant that outgrew its setup and never had it revisited. The platform is so capable out of the box that the absence of governance does not produce a visible problem until something goes wrong. By the time it does, whether through a phished credential that walks into a partner’s mailbox, a client folder that turns out to be open to the whole firm, or an ex-employee whose access was never fully revoked, the cost of fixing it is materially higher than the cost of setting it up properly to begin with.
The reason this happens is that Microsoft 365 was designed to be easy to start. It is much harder to retrofit. A firm that has been on the platform for years has accumulated a layer of choices made by different people at different times, with no single person currently responsible for the result.
A properly configured Microsoft 365 environment, at the size where growing firms live, comes down to three things the tenant has to govern well: identity, data, and devices.
Identity is the front door
Every modern attack on a professional services firm starts with someone’s login. Compromise an identity and the rest of the perimeter is immaterial, as the attacker walks in as a legitimate user. Microsoft’s own Digital Defense Report 2025 found that 97% of identity attacks are password spray or brute-force attempts and that phishing-resistant multi-factor authentication (MFA) stops more than 99% of them.
MFA switched on for every account is the minimum bar, and Microsoft has now made it mandatory across its own admin portals through a phased rollout that began in late 2024. The next step up is conditional access: rules that decide whether a sign-in is allowed based on who is signing in, from where, on what device, and to what application. A partner signing in from a managed laptop in the office presents a different risk profile from the same account signing in from an unfamiliar device overseas, and the tenant should treat them differently. Most firms have MFA on some accounts but not all, and no conditional access rules in place. The administrative accounts, the ones that can change anything in the tenant, are worth hardening and keeping separate from the day-to-day accounts of partners and principals.
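The two baseline policies described above, expressed as Microsoft Graph conditional access request bodies. This is an added example, not BASE Solutions' code; the break-glass account ids are placeholders, and both policies start in report-only mode so the sign-in log shows their effect before anything is enforced.

```python
"""Conditional access baseline as Graph request bodies (added example).

Bodies follow the Graph conditionalAccessPolicy schema and are sent with
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
(scope Policy.ReadWrite.ConditionalAccess). Break-glass ids are placeholders.
"""
import json

GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Built-in Entra authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
# Tenant-independent role template id for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
BREAK_GLASS = ["<break-glass-account-object-id-1>", "<break-glass-account-object-id-2>"]


def _state(report_only):
    # Report-only first: evaluated and logged, never blocks anyone.
    return "enabledForReportingButNotEnforced" if report_only else "enabled"


def mfa_for_everyone(break_glass_ids, report_only=True):
    """Require MFA for every user on every cloud app; emergency accounts excluded
    so a mistake in the policy cannot lock every administrator out."""
    return {
        "displayName": "CA001 - Require MFA for all users",
        "state": _state(report_only),
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def phishing_resistant_for_admins(break_glass_ids, report_only=True):
    """Hold the separate admin accounts to phishing-resistant MFA (FIDO2, WHfB, CBA)."""
    return {
        "displayName": "CA002 - Phishing-resistant MFA for privileged roles",
        "state": _state(report_only),
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    }


def as_request_body(policy):
    """Serialise one policy for the POST above."""
    return json.dumps(policy, indent=2).encode()
```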
Data is where the firm lives
A firm’s SharePoint and OneDrive estate is the modern equivalent of the filing room. The difference is that the filing room had a door; SharePoint does not. Permissions are inherited, sharing links are easy to create, and the default settings on a tenant set up years ago will not match what a fifty-person firm needs today.
The audit that needs running here is simple to describe but uncomfortable to do. Which sites exist? Who has access to which ones? How many sharing links are still live and where do they point? How many “Anyone with the link” shares are sitting on confidential client matters? Most firms have never asked. When someone finally does, the answer usually surprises them.
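The sharing-link audit above, as an added example (not the firm's or Microsoft's code) run over a constructed export shaped like a flattened listing of each item's permissions, where an "Anyone with the link" share shows up as link scope "anonymous". It ranks what needs cleaning up first: anonymous links on confidential client matters, then anonymous links that never expire, then firm-wide edit links.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class SharingLink:
    site: str                 # SharePoint site or OneDrive
    path: str                 # item path inside the site
    scope: str                # "anonymous" (Anyone with the link), "organization", "users"
    link_type: str            # "view" or "edit"
    expires: Optional[date]   # None = never expires
    label: str                # sensitivity label on the item, "" if none

# Constructed sample; field names mirror link.scope, link.type and
# expirationDateTime from Graph's /drive/items/{id}/permissions listing.
SAMPLE = [
    SharingLink("Clients-Matter-1042", "Pleadings/draft-settlement.docx", "anonymous", "edit", None, "Confidential"),
    SharingLink("Clients-Matter-1042", "Correspondence/2019-letter.pdf", "anonymous", "view", date(2020, 3, 1), "Confidential"),
    SharingLink("Firm-Intranet", "Policies/leave-policy.pdf", "organization", "view", None, ""),
    SharingLink("OneDrive-jsmith", "HR/salary-review-2023.xlsx", "organization", "edit", None, ""),
    SharingLink("Clients-Matter-1107", "Discovery/index.xlsx", "users", "edit", None, "Confidential"),
]

SEVERITY = ["critical", "high", "medium", "stale"]

def audit(links, today):
    """Return (severity, site, path, reason) tuples, most urgent first."""
    findings = []
    for l in links:
        if l.scope == "anonymous":
            if l.expires is not None and l.expires < today:
                findings.append(("stale", l.site, l.path, "expired Anyone link still listed; remove it"))
            elif l.label == "Confidential":
                findings.append(("critical", l.site, l.path, "Anyone link on a Confidential item"))
            elif l.expires is None:
                findings.append(("high", l.site, l.path, "Anyone link with no expiry"))
            else:
                findings.append(("medium", l.site, l.path, "Anyone link; confirm it is still needed"))
        elif l.scope == "organization" and l.link_type == "edit":
            findings.append(("medium", l.site, l.path, "whole-firm edit link"))
    return sorted(findings, key=lambda f: SEVERITY.index(f[0]))

def by_site(findings):
    """Answer 'which sites are the worst offenders' with a count per site."""
    counts = {}
    for _, site, _, _ in findings:
        counts[site] = counts.get(site, 0) + 1
    return counts
```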
Email sits in the same category. It is where data leaves the firm and where most attacks try to come in. Standard inbox protection is not enough at this point. The tenant needs anti-phishing rules, attachment scanning, impersonation protection, and DKIM and DMARC properly configured for outbound mail so client systems can verify messages came from the firm.
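A check for the outbound-mail part of that list, added here as an example rather than taken from the page: it parses the firm's DMARC and DKIM TXT records and reports settings that leave client systems unable to reject spoofed mail. The records below are constructed; in practice they come from the `_dmarc.<domain>` and `<selector>._domainkey.<domain>` TXT lookups (for Microsoft 365 the selectors are `selector1` and `selector2`).

```python
def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict; keys lower-cased, whitespace ignored."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Problems with a _dmarc TXT record; an empty list means it is enforcing and reporting."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = t.get("p")
    if policy is None:
        issues.append("no p= tag; receivers treat the record as invalid")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine; move to p=reject once reports are clean")
    if "rua" not in t:
        issues.append("no rua= address; no aggregate reports will arrive")
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={pct}; policy applies to only part of the mail stream")
    if policy not in (None, "none") and t.get("sp", policy) == "none":
        issues.append("sp=none; subdomains are unprotected")
    return issues


def check_dkim(record):
    """Problems with a selector TXT record; an empty p= means the key has been revoked."""
    t = parse_tags(record)
    issues = []
    if t.get("v", "DKIM1") != "DKIM1":
        issues.append("unexpected version tag")
    if not t.get("p"):
        issues.append("empty or missing p=; signatures will not verify")
    return issues


# Constructed records for a firm domain, not real DNS data.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-firm.test; adkim=s; aspf=s"
REVOKED_DKIM = "v=DKIM1; k=rsa; p="
```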
Any conversation about Copilot also starts here. As Microsoft’s own readiness guidance points out, a Copilot deployment on top of a tenant where permissions are loose will surface things the firm did not intend to surface, like an old salary spreadsheet in a partner’s OneDrive or a client matter that an associate could open but should not. Copilot does not create the exposure; it makes the existing exposure visible.
Devices are the last mile
The firm-issued laptop, the personal phone reading work email, and the contractor’s machine on a one-month engagement: every endpoint that touches firm data is part of the tenant’s security perimeter. Mobile device management is the policy layer that decides what those devices can and cannot do.
A managed device should encrypt its disk by default, enforce a screen lock, allow the firm to wipe firm data if the device is lost, and prevent corporate documents from being copied into a personal account. The same work covers the joiner and leaver process. The most common failure mode is that HR closes the record, but IT never gets the message. An ex-employee who walked out three months ago should not still appear in the directory, have an active mailbox, or hold OneDrive access on a personal device.
Prioritizing when you can’t do everything
Most firms cannot fix all of this at once. Identity is the place to start. Credentials are how a breach starts, and enforcing MFA across every account, with a small set of conditional access rules, is the single highest-leverage change a firm can make. Data governance follows: an honest audit of SharePoint and OneDrive permissions, then a cleanup of the worst offenders. Devices and email security run alongside both, since neither can wait until identity and data are fully resolved. Foundational decisions need to be made deliberately, rather than left to defaults nobody chose.
A properly configured tenant is not a one-time job. The platform changes. People join and leave. Someone has to continuously monitor the configuration as it does. This is partnership work, and it’s what keeps the tenant in the shape it was just paid for.
You can’t climb on ground you haven’t checked
The starting point is an honest look at the configuration as it stands today. A Microsoft 365 environment that grows with the firm starts with a clear, current view of where the tenant sits, what risks it is carrying, and what the next twelve months need it to do. Thirty minutes with BASE Solutions will produce that view, and the quarterly cadence that follows is what keeps a properly configured tenant from drifting back into the state it started in.