Microsoft 365 is the dominant platform for NY Metro law firms — email, document management, video conferencing, file storage. Most firms have been on it for years. Most firms are not running it securely.
The problem isn't Microsoft. M365 ships with strong security capabilities. The problem is that the default configuration prioritizes ease of use over security — and most IT providers who set up M365 for law firms never revisit those defaults. They configure email, set up Teams, and call it done.
What they leave unconfigured is where attackers live. Here are the ten settings that separate firms that get breached from firms that don't — and that we consistently find missing in law firm M365 assessments across Queens and the NYC metro.
1. Conditional Access MFA — Not Just the Default "Security Defaults"
If your firm is still running Microsoft's "Security Defaults" policy for MFA, you're using a basic blanket rule designed for organizations that can't configure Conditional Access — not a hardened policy. Security Defaults apply MFA inconsistently and don't give you control over when and how it's enforced.
What you need: Conditional Access policies in Entra ID (formerly Azure AD) that require MFA based on user location, device compliance status, and application sensitivity. At minimum, a policy requiring MFA for all users on all cloud apps, with exceptions only for compliant, Intune-managed devices on your trusted network. This is a material difference in your exposure to credential-based attacks.
2. Block Legacy Authentication Protocols
Legacy authentication protocols — IMAP, POP3, SMTP AUTH, and basic authentication — do not support MFA. Attackers know this. If legacy protocols are enabled in your tenant, a compromised password bypasses every MFA policy you have.
⚠️ This is the most exploited gap in law firm M365 tenants. Business email compromise attacks specifically probe for tenants with legacy auth enabled — it's how stolen credentials get used even when MFA is "on." Check your Entra ID sign-in logs for legacy authentication attempts right now. If you see them, you have active exposure.
Block legacy authentication via Conditional Access policy. Test your print/scan devices and older software first — some copiers and line-of-business applications rely on SMTP AUTH. Migrate or replace those dependencies, then block everything else.
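The three policies that items 1 and 2 describe, as an added example written for this page (not the author's or Microsoft's own script) using the Microsoft Graph PowerShell SDK. It assumes you have already defined named locations marked as trusted in Entra ID (the "AllTrusted" reference) and that the break-glass account object ID is a placeholder you replace with your emergency-access account. Every policy is created in report-only state; the sign-in query at the end shows what would have been blocked so you can fix copiers and line-of-business apps before flipping the state to "enabled".

```powershell
# Added example: Conditional Access baseline for items 1 and 2 via the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns). Assumptions: the break-glass
# account object ID below is a placeholder, and "AllTrusted" refers to the named
# locations you have already marked as trusted in Entra ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account, excluded from every policy

$policies = @(
    @{  # Off the trusted network: MFA for everyone, every cloud app, every client type
        displayName = "CA01 - Require MFA for all users (outside trusted locations)"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
            locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # On the trusted network: MFA unless the device is Intune-compliant
        displayName = "CA02 - Require MFA or compliant device (trusted locations)"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
            locations      = @{ includeLocations = @("AllTrusted") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa", "compliantDevice") }
    },
    @{  # Legacy authentication cannot satisfy MFA, so it is blocked outright
        displayName = "CA03 - Block legacy authentication"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}

# Before switching CA03 to "enabled": list sign-ins from the last 30 days that did not come
# from a browser or a modern desktop/mobile client. Anything listed here is legacy auth
# traffic (a copier on SMTP AUTH, an old IMAP client, or a stolen password being replayed).
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run the query again a week after enabling CA03; a legacy sign-in that still succeeds means a user or app is excluded from the policy and that exclusion is your exposure. Switch a policy from report-only to enforced with Update-MgIdentityConditionalAccessPolicy once the list is empty or every remaining entry is a device you have deliberately migrated.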
3. Enable Microsoft Defender for Office 365 — And Configure It
Most M365 Business Premium and higher plans include Defender for Office 365. Most firms that have it haven't configured the features that actually matter:
- Safe Links: Rewrites URLs in emails and Teams messages, checking them at click time against Microsoft's threat intelligence. Default is off for Teams and internal links — turn both on.
- Safe Attachments: Sandboxes email attachments before delivery. Default policy is permissive. Create a strict policy scoped to all recipients.
- Anti-phishing policies: Enable impersonation protection for your partners, senior attorneys, and firm name. Enable mailbox intelligence. Set the phishing threshold to "Aggressive" for high-value mailboxes.
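The three configuration changes above, as an added example (not code from the page's author) using the ExchangeOnlineManagement module. The domain and the partner display names and addresses are placeholders; the Safe Links and Safe Attachments policies are created as new strict policies scoped to the firm's domain, and the anti-phishing settings are applied to the tenant's built-in default policy.

```powershell
# Added example: configure the three Defender for Office 365 features from item 3 with
# Exchange Online PowerShell. Assumptions: "example-lawfirm.com" and the protected
# partner names/addresses are placeholders for your own values.
Connect-ExchangeOnline

$firmDomain = "example-lawfirm.com"   # placeholder

# Safe Links: rewrite and check URLs at click time in email AND Teams, including mail
# from internal senders. Both of those are off until you enable them.
New-SafeLinksPolicy -Name "Firm Safe Links - Strict" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableForInternalSenders $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name "Firm Safe Links - Strict" -SafeLinksPolicy "Firm Safe Links - Strict" -RecipientDomainIs $firmDomain

# Safe Attachments: detonate attachments before delivery and block the message on a hit,
# scoped to every recipient in the firm domain.
New-SafeAttachmentPolicy -Name "Firm Safe Attachments - Strict" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name "Firm Safe Attachments - Strict" -SafeAttachmentPolicy "Firm Safe Attachments - Strict" -RecipientDomainIs $firmDomain

# Anti-phishing: impersonation protection for named partners and for the firm's own
# domain, mailbox intelligence on, threshold 2 = "Aggressive" (1 Standard, 4 Most aggressive).
$protectedUsers = @(
    "Jane Partner;jpartner@$firmDomain",        # placeholder "DisplayName;email" pairs
    "John Managing Partner;jmpartner@$firmDomain"
)
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true `
    -PhishThresholdLevel 2

# Verify what actually took effect
Get-SafeLinksPolicy "Firm Safe Links - Strict" | Format-List EnableSafeLinksForTeams, EnableForInternalSenders
Get-AntiPhishPolicy "Office365 AntiPhish Default" | Format-List PhishThresholdLevel, EnableMailboxIntelligenceProtection, TargetedUsersToProtect
```

Re-run the two Get- commands after any "preset security policy" change in the portal: a preset applied later takes precedence over a custom policy for the users it covers, so the verification step is what tells you which settings a given mailbox actually gets.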
4. Data Loss Prevention Policies for Client Confidential Information
Under NY Rules of Professional Conduct Rule 1.6, you are required to make "reasonable efforts" to prevent unauthorized disclosure of client information. An M365 tenant with no DLP policies configured does not satisfy that standard — and in the event of a breach, the absence of DLP is evidence of unreasonable effort.
At minimum, configure DLP policies that alert when Social Security numbers, financial account numbers, or files tagged as "Confidential" are being emailed externally or uploaded to unapproved sharing destinations. Defender for Cloud Apps extends this to third-party cloud services your staff may be using without IT authorization.
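One way to build the policy the paragraph describes, as an added example (not the page's own configuration) in Security & Compliance PowerShell. It assumes a sensitivity label named "Confidential" already exists in the tenant and that the alert mailbox is a placeholder; the sensitive information type names are Microsoft's built-in ones. The policy starts in test mode so you can see what it would have caught before it blocks anything.

```powershell
# Added example for item 4: DLP policy that fires when U.S. SSNs, bank account numbers or
# "Confidential"-labelled content leaves the firm. Assumptions: label name and the
# dlp-alerts address are placeholders.
Connect-IPPSSession

New-DlpCompliancePolicy -Name "Client Confidential - External Egress" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications   # audit + policy tips only; change to Enable after tuning

# Rule 1: structured identifiers (one hit is enough) sent or shared outside the organization
New-DlpComplianceRule -Name "Block external egress of client PII" -Policy "Client Confidential - External Egress" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "ABA Routing Number"; minCount = "1" },
        @{ Name = "U.S. Bank Account Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser @("LastModifier", "dlp-alerts@example-lawfirm.com") `
    -GenerateIncidentReport "dlp-alerts@example-lawfirm.com" -ReportSeverityLevel High

# Rule 2: anything carrying the "Confidential" sensitivity label, regardless of content
New-DlpComplianceRule -Name "Block external egress of Confidential-labelled files" -Policy "Client Confidential - External Egress" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(
            @{ operator = "Or"; name = "Labels"; labels = @( @{ name = "Confidential"; type = "Sensitivity" } ) }
        )
    } `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser LastModifier -GenerateIncidentReport "dlp-alerts@example-lawfirm.com" -ReportSeverityLevel High

# Confirm both rules are attached and the policy is in test mode
Get-DlpComplianceRule -Policy "Client Confidential - External Egress" | Format-Table Name, BlockAccess, AccessScope
Get-DlpCompliancePolicy "Client Confidential - External Egress" | Format-List Mode, Workload
```

Leave the policy in TestWithNotifications for a few weeks and review the incident reports: the false positives you find there (a matter number that looks like a routing number, for instance) are tuned with exception conditions on the rule, not by lowering the block. Only then set -Mode Enable.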
5. Enable Unified Audit Logging — And Configure Retention
The Microsoft 365 Unified Audit Log captures user activity across Exchange, SharePoint, Teams, and Entra ID. It is disabled by default in older tenants and set to 90-day retention in most M365 plans.
For law firms, 90-day retention is inadequate. Many breaches aren't discovered within 90 days. Set retention to at least 180 days (available in most Business Premium plans) or export logs to an external SIEM. Without audit logs, forensic investigation after a breach is nearly impossible — and demonstrating due diligence under NY Rule 1.6 is significantly harder.
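As an added example for this item (not a script from the page's author), the following enables the log, sets a retention policy, and then runs the kind of search that only a retained log makes possible. It uses Exchange Online PowerShell for the ingestion switch and Security & Compliance PowerShell for retention and searching; the retention duration values are the cmdlet's fixed names (SixMonths is the 180 days the text calls for), and whether a custom retention policy is accepted depends on the tenant's audit licensing.

```powershell
# Added example for item 5: turn on the Unified Audit Log, retain it for six months,
# and search it. Assumption: the tenant is licensed for custom audit retention policies.
Connect-ExchangeOnline
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled   # False = nothing is being recorded
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Connect-IPPSSession
# Keep directory/sign-in, Exchange and SharePoint records for 180 days instead of the 90-day default.
# Use TwelveMonths where the plan allows it.
New-UnifiedAuditLogRetentionPolicy -Name "Firm audit retention - 6 months" `
    -RecordTypes AzureActiveDirectory, AzureActiveDirectoryStsLogon, ExchangeAdmin, ExchangeItem, SharePointFileOperation, SharePointSharingOperation `
    -RetentionDuration SixMonths -Priority 10
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, RetentionDuration, Priority

# What the retained log buys you: every inbox rule created or changed in the last 30 days.
# A rule that forwards, moves or deletes mail is the classic business email compromise
# persistence mechanism, and this is among the first searches an investigator runs.
$end = Get-Date
$start = $end.AddDays(-30)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations New-InboxRule, Set-InboxRule -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $_.CreationDate
            User     = $_.UserIds
            Op       = $_.Operations
            ClientIP = $d.ClientIP
            Params   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " "
        }
    } | Format-Table -AutoSize
```

With 90-day retention the same search returns nothing for a rule planted four months ago, which is exactly the situation the paragraph warns about. If you export to a SIEM instead, the Search-UnifiedAuditLog call is what your export job runs on a schedule, in date windows small enough to stay under the 5000-result ceiling per query.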
6. Separate Admin Accounts — And Protect Them With Privileged Identity Management
Your M365 Global Administrator should not be using the same account for daily email and browsing. Admin accounts with Global Admin privileges are the highest-value target in any tenant. A compromised admin account gives an attacker everything: the ability to create new accounts, disable MFA, access any mailbox, and exfiltrate the entire tenant.
Create separate cloud-only admin accounts used exclusively for administrative tasks. Protect them with phishing-resistant MFA (hardware security keys or Windows Hello, not SMS). If you have Entra ID P2, enable Privileged Identity Management so Global Admin is only active when specifically requested and approved — not standing permission.
7. Device Compliance Policies via Microsoft Intune
Your Conditional Access policies are only as strong as your device management. If your firm allows access to client files and email from any personal device with no MDM enrollment requirement, your perimeter effectively doesn't exist.
Enroll all firm-owned devices in Microsoft Intune. Configure compliance policies that require: disk encryption (BitLocker), up-to-date OS patching, antivirus running and reporting healthy, and a PIN/password. Then use Conditional Access to require device compliance as a condition of M365 access. Unmanaged devices — including a partner's personal laptop — get blocked or limited to browser-only access.
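The compliance policy and the Conditional Access grant that enforces it, as an added example (not the page's or Microsoft's own script) through the Microsoft Graph PowerShell SDK. It assumes the minimum OS build is a placeholder you set to your patch baseline, and that the windows10CompliancePolicy property names and the allDevicesAssignmentTarget type match the Graph deviceManagement schema as documented.

```powershell
# Added example for item 7: a Windows compliance policy covering the four requirements in
# the text (BitLocker, patched OS, healthy antivirus, password/PIN), its assignment, and
# the Conditional Access policy that makes compliance a condition of access.
# Assumption: osMinimumVersion is a placeholder build number.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

$compliance = @{
    "@odata.type"         = "#microsoft.graph.windows10CompliancePolicy"
    displayName           = "Firm Windows baseline"
    description           = "BitLocker, current OS, Defender healthy, password required"
    bitLockerEnabled      = $true          # disk encryption
    osMinimumVersion      = "10.0.19045"   # placeholder: raise as the patch baseline moves
    antivirusRequired     = $true          # AV present and reporting healthy
    antiSpywareRequired   = $true
    defenderEnabled       = $true
    rtpEnabled            = $true          # real-time protection on
    passwordRequired      = $true
    passwordMinimumLength = 8
    passwordRequiredType  = "alphanumeric"
    # Mark non-compliant devices immediately so Conditional Access can act on them
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# Assign the policy to every enrolled device
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST -Body $assignment `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign"

# Conditional Access half: desktop and mobile apps (Outlook, OneDrive sync, Teams) must run
# on a compliant device. An unmanaged laptop is left with the browser only, where session
# controls can still limit downloads. Created report-only; enable after reviewing sign-ins.
$ca = @{
    displayName = "CA04 - Require compliant device for desktop and mobile apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca | Select-Object DisplayName, State
```

Check the compliance report in Intune before enforcing CA04: a device that has not checked in recently is reported as non-compliant and will be blocked the moment the policy is enabled, which is the correct outcome for a lost laptop and an unpleasant surprise for a partner returning from vacation.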
8. Restrict External SharePoint and OneDrive Sharing
The default SharePoint Online configuration allows any authenticated user — including guests — to share files externally via shareable links. In a law firm, that means a paralegal can create a sharing link for a client's settlement documents, send it to the wrong address, and you'll never know unless you have DLP running.
Set SharePoint and OneDrive external sharing to "Specific people" or "Existing guests only" at the tenant level. Require link expiration dates. Disable "Anyone with the link" sharing entirely. If you need to share client documents externally, use a managed client portal — not raw SharePoint sharing links.
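The tenant-level settings from this item, as an added example (not the author's script) using the SharePoint Online Management Shell. The tenant name is a placeholder. Setting the sharing capability to existing guests only removes "Anyone with the link" as a consequence, so the expiration control that remains meaningful is the one on guest access, which is what the example sets.

```powershell
# Added example for item 8 (Microsoft.Online.SharePoint.PowerShell). Assumption: "contoso"
# and the client-matter site URL are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Before: record what the tenant allows today, for the change ticket
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission, ExternalUserExpirationRequired

# Tenant ceiling: share only with guests already in the directory ("Anyone" links are off
# as a result), new links default to "Specific people" with view permission, guest access
# expires after 30 days unless renewed, and invitations must be redeemed by the invited account.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30 `
    -RequireAcceptingAccountMatchInvitedAccount $true

# Sites cannot exceed the tenant ceiling but can be stricter. List every site that still
# permits any external sharing so the matter-related ones can be locked down individually.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Template

# Client-matter document libraries should not be externally shareable at all
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/client-matters" -SharingCapability Disabled
```

The Get-SPOSite listing is the check to repeat after onboarding each new practice group: a site created from a template that defaults to external sharing will appear here, and the tenant setting alone does not tell you that.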
9. Configure Security Alerts — And Assign Them to a Human
M365 Defender generates security alerts automatically — but by default, they accumulate in the Defender portal with no notifications going anywhere. If no one is assigned to review alerts, they might as well not exist.
Configure email alert notifications for high and medium severity events: impossible travel sign-ins, mass file deletion, mailbox rule creation by external IPs, admin privilege escalation. Route these to your IT provider or internal IT contact. An unreviewed alert of an impossible travel sign-in is a compromised account you haven't responded to yet.
10. Third-Party Backup for Exchange Online and SharePoint
Microsoft 365 is not a backup solution. Microsoft explicitly states that data protection from accidental deletion, ransomware, and malicious deletion is the customer's responsibility. The native recycle bin and retention policies have gaps — particularly for ransomware scenarios where files are encrypted or deleted systematically across your tenant.
Implement a third-party M365 backup solution (Veeam, Acronis, Spanning, Backupify) that captures daily snapshots of Exchange, SharePoint, OneDrive, and Teams. Test restoration quarterly. Without this, a ransomware event or a disgruntled employee with delete access can permanently destroy client files that Microsoft's native tools cannot recover.
