It’s mid-February at a Tysons Corner law firm. The professional liability carrier has asked for evidence that client data is properly controlled in Microsoft 365, with a two-week deadline. The managing partner forwards the request to IT before her first meeting of the day. By mid-afternoon she has the picture back from her IT partner, with a current access list, the firm’s external sharing inventory, MFA coverage status for every account in the directory, and confirmation that the conditional access rules they put in place two years ago are still doing their job. Three years ago, this request would have meant a two-week scramble and a lot of caveats. The firm has spent the time since then getting the tenant into a shape that answers that sort of question on demand.
Most firms can’t quite picture this destination, because they’ve only ever lived in the tenant that drifted. That’s the one where who has access to which client folder takes a week to nail down, and where the answer comes back with caveats. The picture on the other side of that work is worth being specific about, because it’s what makes the cleanup feel worth doing.
The firm reads its own tenant
Ask who has access to the Smith matter folder, and the firm has a definitive answer by lunchtime. Microsoft Entra access reviews cycle through every group, Team, and shared site on a quarterly schedule, and mailbox delegations get the same quarterly check. Reviewers are notified at the start of each cycle, and every decision is logged for audit. Guest accounts come with expiry dates baked into the invite. When somebody walks out the door, their access goes with them across the full footprint, including the obscure corners that informal offboarding tends to leave behind: third-party app authorizations and mailbox delegations.
External sharing carries the same discipline. There are no zombie links from 2021 still pointing at live client files. Every external link in the tenant was created for a current purpose, with an expiry date attached the moment it was made, because tenant policy doesn’t let “Anyone” links live forever. SharePoint sites holding client matters use named-recipient sharing with quarterly link reviews. Most firms can’t answer the basic question of how many active external links they have, let alone what those links expose. A well-governed tenant has the answer ready.
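The tenant-level part of that discipline is a handful of SharePoint Online settings, and the useful check is whether the live tenant still matches the baseline you set. The script below is an added example written for this page, not code from the original post or from the firm it describes. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator role, a placeholder tenant name of "contoso", and day counts (30 for links, 90 for guests) that are illustrative rather than prescribed.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint administrator role; "contoso" is a placeholder tenant name.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# The baseline the text describes: no "Anyone" links that live forever, named-recipient
# links by default, and guests that expire. The day counts are assumptions; pick your own.
$baseline = @{
    RequireAnonymousLinksExpireInDays = 30       # -1 here would mean "never expire"
    DefaultSharingLinkType            = 'Direct'  # specific people, not 'AnonymousAccess'
    FileAnonymousLinkType             = 'View'    # if Anyone links exist at all, read-only
    FolderAnonymousLinkType           = 'View'
    ExternalUserExpirationRequired    = $true     # guest access lapses unless renewed
    ExternalUserExpireInDays          = 90
}

function Test-SharingBaseline {
    # Compare the live tenant settings with the baseline and emit one object per deviation.
    $tenant = Get-SPOTenant
    foreach ($name in $baseline.Keys) {
        $actual = $tenant.$name
        if ("$actual" -ne "$($baseline[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $baseline[$name]; Actual = $actual }
        }
    }
}

$drift = Test-SharingBaseline
if ($drift) {
    $drift | Format-Table -AutoSize
    # Re-apply the whole baseline in one call once the deviations have been reviewed.
    Set-SPOTenant @baseline
} else {
    'Tenant sharing settings match the baseline.'
}

# Sites that still permit external sharing at all: each one should be a deliberate choice,
# and the matter sites should be the ones using named-recipient sharing.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Title
```

Run it on the same quarterly cadence as the link reviews. The per-site list at the end is the input to those reviews: a site that allows external sharing but holds no current external engagement is exactly the kind of drift the text is describing.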
The partner who originally refused MFA now uses it
The senior partner who refused MFA at the original rollout has it now. So does the service account used twice a year. The shared mailbox the litigation team runs has it too. No exceptions are left for an attacker to pick at. Conditional access does the second-layer work. A sign-in from the Tysons office gets treated differently from a sign-in from an unfamiliar IP in another country, and the latter gets challenged at the door. Inbox forwarding rules pointing at external addresses the firm doesn’t recognize don’t survive the daily scan. Anti-phishing and anti-spoofing protections run continuously. When something looks wrong, IT sees the alert before the client receives the suspicious reply.
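The daily scan for forwarding rules is worth seeing concretely, because it is one of the cheapest detections in the tenant and one attackers rely on after a mailbox compromise. The script below is an added example written for this page, not code from the original post or from the firm it describes. It assumes the ExchangeOnlineManagement module, an Exchange administrator role, and a placeholder internal domain of "firm.example"; substitute the tenant's accepted domains.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module
# and an Exchange administrator role. Interactive sign-in, so MFA applies here too.
Connect-ExchangeOnline

# Assumption: the firm's own accepted domains. Anything else is treated as external.
$internalDomains = @('firm.example')

function Get-ExternalAddressList {
    # Flatten the ways a rule can carry a target (recipient strings like
    # "Jane Doe [SMTP:jane@other.example]" or a bare "smtp:user@domain") into the
    # SMTP addresses that sit outside the firm's domains.
    param([object[]]$Targets)
    $out = @()
    foreach ($t in $Targets) {
        if (-not $t) { continue }
        $addr = if ("$t" -match 'SMTP:([^\]]+)') { $Matches[1] } else { "$t" }
        $domain = ($addr -split '@')[-1].Trim().ToLower()
        if ($internalDomains -notcontains $domain) { $out += $addr.Trim() }
    }
    return $out
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding, which lives outside inbox rules and is easy to miss.
    if ($mbx.ForwardingSmtpAddress) {
        $ext = Get-ExternalAddressList -Targets @($mbx.ForwardingSmtpAddress)
        if ($ext) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Source = 'ForwardingSmtpAddress'
                Rule = $null; Targets = ($ext -join ';')
            }
        }
    }
    # 2. Inbox rules with any of the three actions that move mail off-tenant.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $ext = Get-ExternalAddressList -Targets $targets
        if ($ext) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                Rule = $rule.Name; Targets = ($ext -join ';')
            }
        }
    }
}

$findings | Export-Csv -Path .\external-forwarding.csv -NoTypeInformation
$findings | Format-Table -AutoSize

# Remediation, once a finding is confirmed as unwanted (left commented on purpose):
#   Disable-InboxRule -Mailbox $finding.Mailbox -Identity $finding.Rule -Confirm:$false
#   Set-Mailbox -Identity $finding.Mailbox -ForwardingSmtpAddress $null
```

Keep a short allow-list of known legitimate destinations (a co-counsel firm, a records vendor) and diff each day's CSV against the previous one; a rule that appears overnight on a partner's mailbox, pointing at a free webmail domain, is the alert IT wants to see before the client receives the suspicious reply.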
Copilot only sees what it should
Copilot got switched on second. The access cleanup came first. The order matters, because Copilot inherits the permissions of whoever is prompting it. A tenant with sprawled access produces a Copilot that surfaces things nobody wanted surfaced. With permissions cleaned and Microsoft Purview sensitivity labels reflecting the firm’s data classification, that risk falls away. A paralegal asking for a summary of recent matters gets the summary they should get. The managing partner’s compensation file stays where it belongs.
Drift doesn’t get a foothold
The schedule covers access, permissions, sharing links, MFA coverage, guest accounts, and inbox rules. Each gets looked at deliberately rather than turned up by accident. The reviews don’t take long because the baseline stays clean. New joiners and new client engagements run through the same setup every time, so drift never gets a chance to accumulate. The firm’s IT partner runs the audit and brings findings to the managing partner before anything turns into a problem.
An audit becomes an inbox task
For a firm working under HIPAA, SOC 2, state bar audit obligations, or client due diligence pressure, the governance work pays for itself the first time scrutiny arrives. Access logs are clean. Sharing policies are documented. MFA is enforced firmwide. Sensitivity labels reflect the firm’s data classification. The auditor or the client asks how regulated information is controlled, and the answer takes hours to put together. Firms that haven’t done the governance work spend weeks producing the same evidence, when they can produce it at all.
What the summit takes
The tools are already in the tenant the firm pays for. What most firms are short on is the bandwidth to do the cleanup and a partner to hold the line afterward. The destination is undramatic. It looks like the managing partner in the opening, answering the carrier’s request by mid-afternoon, with no scramble and no caveats.
If you haven’t yet had that level of clarity over your own firm’s tenant, that is the conversation worth starting. Thirty minutes with our CEO, Atul, gives you a clear read on where your Microsoft 365 stands, what’s drifted, and what putting it right would take. Our vCIO team keeps a clean tenant from drifting back.