
Microsoft 365 for law firms: the configuration decisions that matter

M365 out-of-the-box is not M365 configured for a regulated professional-services firm. The ten settings most firms get wrong.

Techsperience 2 October 2025 9 min read

Microsoft 365 is the dominant productivity platform for UK law firms — and for most firms it’s a sound choice. But out-of-the-box M365 is not M365 configured for a regulated professional-services firm. Default settings prioritise frictionless usability, often at the cost of confidentiality, auditability, and SRA-grade controls.

This article covers the ten configuration decisions that matter most for a UK law firm. None of them is technically advanced. All of them are routinely missed.

01. MFA on every account, no exceptions

The default for new Microsoft 365 tenants is “MFA optional unless the security defaults are on.” Many tenants — particularly older ones, set up before 2020 — have the option but no enforcement. A spot-check in any law firm’s tenant will usually find at least one account without MFA enabled. Often, that account belongs to a partner.

The fix is conditional access policies that require MFA on every account, every login, with no per-user exclusions. Yes, partners too. Yes, the receptionist’s account. Yes, service accounts (which should be moved to managed identities or workload-specific authentication where possible).

02. Conditional access scoped to context

MFA alone is no longer enough. Modern attackers phish MFA tokens routinely. The next layer of defence is conditional access — policies that block or restrict access based on:

  • Whether the device is enrolled in Intune
  • Whether the device is compliant with security baselines
  • The country the connection is from
  • The application being accessed
  • The risk score Microsoft assigns to the sign-in attempt

A baseline conditional access stack for a UK law firm:

  • Block legacy authentication
  • Require MFA from outside the UK
  • Require compliant device for sensitive applications (M365 admin, finance, HR)
  • Block unknown countries entirely
  • Apply elevated risk thresholds for partners and finance staff

Configuring this takes about a day. Most firms haven’t done it.
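As an added example (not the article's own code or tooling), the script below lints an export of conditional access policies in the Microsoft Graph conditionalAccessPolicy JSON shape against two items from sections 01 and 02: MFA on every account with no per-user exclusions, and legacy authentication blocked. The sample policies, group id placeholder and check names are constructed.

```python
# Added example (not from the article): lint an export of Entra conditional
# access policies (Microsoft Graph conditionalAccessPolicy JSON shape) against
# two baseline items above: MFA on every account with no exclusions, and
# legacy authentication blocked. Policy data below is constructed.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # the CA client types that are legacy auth

def covers_all_users(policy: dict) -> bool:
    # "All" users and no per-user, group or role exclusions (partners included)
    users = policy["conditions"]["users"]
    return (users.get("includeUsers") == ["All"] and not users.get("excludeUsers")
            and not users.get("excludeGroups") and not users.get("excludeRoles"))

def targets_all_apps(policy: dict) -> bool:
    apps = policy["conditions"]["applications"]
    return apps.get("includeApplications") == ["All"] and not apps.get("excludeApplications")

def controls(policy: dict) -> set:
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def requires_mfa_everywhere(policy: dict) -> bool:
    # report-only ("enabledForReportingButNotEnforced") and disabled policies do not count
    return (policy.get("state") == "enabled" and "mfa" in controls(policy)
            and covers_all_users(policy) and targets_all_apps(policy))

def blocks_legacy_auth(policy: dict) -> bool:
    client_apps = set(policy["conditions"].get("clientAppTypes") or [])
    return (policy.get("state") == "enabled" and "block" in controls(policy)
            and LEGACY_CLIENT_APPS <= client_apps and covers_all_users(policy))

def baseline_gaps(policies: list) -> list:
    # names of baseline items that no enabled policy satisfies; empty means pass
    gaps = []
    if not any(requires_mfa_everywhere(p) for p in policies):
        gaps.append("mfa-all-users-no-exclusions")
    if not any(blocks_legacy_auth(p) for p in policies):
        gaps.append("block-legacy-auth")
    return gaps

# Constructed sample tenant: the MFA policy quietly excludes a partners group and
# the legacy-auth block was left in report-only mode, so both baseline items fail.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<partners-group-id>"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

print("baseline gaps:", baseline_gaps(SAMPLE_POLICIES))  # ['mfa-all-users-no-exclusions', 'block-legacy-auth']
```

Feed it the JSON returned by the Graph conditional access policies endpoint (or its PowerShell equivalent) and any non-empty result is a partner-sized hole in the baseline.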

03. External sharing locked down by default

Default M365 settings allow OneDrive and SharePoint files to be shared with anyone, with anonymous links, with no expiration. For a law firm, this is wrong.

Sensible defaults:

  • External sharing limited to specified domains (your clients, opposing counsel, expert witnesses)
  • Anonymous links disabled or restricted to specific document libraries with explicit approval
  • Sharing links expire after 30 days by default
  • Sharing audit logs reviewed monthly

The setting changes are five clicks each. Skip them and you have a confidentiality leak waiting to happen.
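The monthly sharing-log review from the list above, as an added example rather than anything from the article: it reads a unified audit log export (one AuditData JSON object per line) and flags anonymous links and invitations to domains outside the firm's sharing allow-list. The firm domain, allow-list, users and records are all constructed; field names follow the SharePoint sharing audit schema.

```python
# Added example (not from the article): a monthly review of SharePoint/OneDrive
# sharing events from a unified audit log export, flagging anonymous links and
# invitations to domains outside the firm's allow-list. Field names follow the
# Office 365 SharePoint sharing audit schema; domains, users and records are constructed.
import json

INTERNAL_DOMAIN = "firm.example"                                   # assumed firm domain
ALLOWED_EXTERNAL = {"clientco.example", "opposingcounsel.example"}  # assumed sharing allow-list

# Constructed export: one AuditData JSON object per line, as exported from the audit log.
SAMPLE_EXPORT = """\
{"CreationTime":"2025-09-03T10:12:00","Operation":"SharingInvitationCreated","UserId":"j.smith@firm.example","ObjectId":"https://firm.sharepoint.com/sites/Litigation/Shared Documents/M1234/bundle.pdf","TargetUserOrGroupName":"counsel@opposingcounsel.example","TargetUserOrGroupType":"Guest"}
{"CreationTime":"2025-09-05T14:40:00","Operation":"AnonymousLinkCreated","UserId":"a.jones@firm.example","ObjectId":"https://firm-my.sharepoint.com/personal/a_jones/Documents/witness-statement.docx"}
{"CreationTime":"2025-09-09T09:01:00","Operation":"SharingInvitationCreated","UserId":"a.jones@firm.example","ObjectId":"https://firm.sharepoint.com/sites/Corporate/Shared Documents/spa-draft.docx","TargetUserOrGroupName":"someone@webmail.example","TargetUserOrGroupType":"Guest"}
{"CreationTime":"2025-09-10T11:30:00","Operation":"SharingSet","UserId":"j.smith@firm.example","ObjectId":"https://firm.sharepoint.com/sites/Corporate/Shared Documents/spa-draft.docx","TargetUserOrGroupName":"b.lee@firm.example","TargetUserOrGroupType":"Member"}
"""

def target_domain(record: dict) -> str:
    target = record.get("TargetUserOrGroupName", "")
    return target.rsplit("@", 1)[1].lower() if "@" in target else ""

def review_sharing_events(export: str) -> list:
    # returns one finding per event a reviewer should look at, oldest first
    findings = []
    for line in export.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        base = {"when": rec["CreationTime"], "who": rec["UserId"], "what": rec["ObjectId"]}
        if rec.get("Operation") == "AnonymousLinkCreated":
            findings.append({**base, "severity": "high", "reason": "anonymous link created"})
            continue
        domain = target_domain(rec)
        if domain and domain != INTERNAL_DOMAIN and domain not in ALLOWED_EXTERNAL:
            findings.append({**base, "severity": "medium",
                             "reason": f"shared outside allow-list: {domain}"})
    return findings

def findings_by_user(findings: list) -> dict:
    # who to follow up with first: users with the most review items
    counts = {}
    for f in findings:
        counts[f["who"]] = counts.get(f["who"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

for f in review_sharing_events(SAMPLE_EXPORT):
    print(f["severity"].upper(), f["when"], f["who"], f["reason"])
```

If anonymous links are disabled tenant-wide as recommended, any AnonymousLinkCreated finding means the setting has drifted and is worth checking before the people involved.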

04. Audit logging enabled and retained

The Microsoft 365 audit log captures who accessed what, from where, when, and what they did. Default retention is 90 days for Business plans (180 days for E3, 365 days for E5). For a law firm, 90 days is not enough — particularly when an SRA file review may go back further.

Enable Purview Audit (Premium) for E5 tenants. For Business Premium tenants, configure log shipping to a SIEM or to a long-term storage account. The cost is modest; the payoff at audit time is enormous.

05. Defender for Business or Defender for Endpoint

Built-in Microsoft Defender Antivirus is not the same as Defender for Business / for Endpoint. The latter adds:

  • Endpoint detection and response (EDR)
  • Threat hunting
  • Automated investigation and remediation
  • Vulnerability management
  • Attack surface reduction rules

Defender for Business is included in Business Premium. Most firms don’t have it deployed, despite paying for the licence.

06. Intune device management

Intune is what makes most security controls actually enforceable. Without it:

  • You can’t require encrypted devices
  • You can’t enforce screen lock
  • You can’t push security baselines
  • You can’t remote-wipe a stolen laptop or phone
  • You can’t restrict which devices access M365

Enrolling devices in Intune takes hours, not days, but it requires deliberate planning around partner laptops, BYOD, and personal phones used for email. Most firms half-do it, or don’t do it at all.

07. SharePoint structure that matches the firm

Default SharePoint creates a single-team-site mess that doesn’t reflect how a law firm actually works. A sensible structure:

  • One site per major business function (Litigation, Corporate, Property, etc.)
  • Matter-specific sites or document libraries — usually integrated with the practice management system
  • A separate restricted site for HR, finance, partners-only documents
  • Permission scoping that follows matter boundaries

Without this, fee-earners default to OneDrive for matter files (see #10) and the firm loses control of the document estate.

08. Email retention, not just deletion

Default Exchange retention is “keep forever or until the user deletes.” For a law firm, this is wrong both ways. The right model:

  • Active mailbox retention until matter close + N years (per your firm’s retention policy)
  • Litigation hold capability for live matters
  • Archive mailboxes for older content
  • Deletion policies that fire automatically at retention-period end

Implementing this in Microsoft Purview takes a project, not an afternoon. But running without it leaves you exposed at retention audits and creates needless eDiscovery cost.

09. Phishing protection beyond defaults

Microsoft Defender for Office 365 includes anti-phishing protection — but the default policies are tuned for general business, not for a law firm. Specifically:

  • Configure impersonation protection for partner email addresses (a common spear-phishing target)
  • Enable user-impersonation alerts
  • Tune Safe Links and Safe Attachments for legal-document workflows
  • Set up DMARC for your firm’s domain (and enforce p=reject once you’ve confirmed it’s safe)

Combined, these reduce successful phishing attempts by an order of magnitude.
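For the DMARC item above, here is an added example (not from the article) that parses a DMARC TXT record and reports where the domain sits on the none, quarantine, reject path, together with the settings that quietly weaken a p=reject record (no rua reporting, a partial pct, a looser sp for subdomains). The records it runs on are constructed.

```python
# Added example (not from the article): parse a DMARC TXT record and report
# how far along the none -> quarantine -> reject rollout it is, plus settings
# that silently weaken p=reject. The records below are constructed.
RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record: str) -> dict:
    # tag=value pairs separated by ';' (RFC 7489 syntax); unknown tags are kept as-is
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"policy": None, "pct": 0, "enforced": False, "warnings": ["not a DMARC record"]}
    warnings = []
    policy = tags.get("p", "none").lower()
    if "p" not in tags:
        warnings.append("missing required p= tag")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
        warnings.append(f"pct={tags['pct']!r} is not a number")
    if "rua" not in tags:
        warnings.append("no rua= address: you cannot confirm it is safe before tightening p=")
    if policy != "none" and pct < 100:
        warnings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if RANK.get(sub_policy, 0) < RANK.get(policy, 0):
        warnings.append(f"sp={sub_policy} leaves subdomains weaker than p={policy}")
    return {"policy": policy, "pct": pct, "enforced": policy == "reject" and pct == 100,
            "warnings": warnings}

for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@firm.example",
            "v=DMARC1; p=reject; pct=50; sp=none"):
    print(rec, "->", assess_dmarc(rec))
```

Point it at the _dmarc TXT record for the firm's domain (fetched with your usual DNS tool) and treat anything other than enforced with an empty warnings list as unfinished.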

10. OneDrive is personal storage, not matter storage

The single most common configuration mistake we see: fee-earners using OneDrive as their primary working folder, including for matter documents.

When that fee-earner leaves the firm, two things happen. Either (a) the firm scrambles to extract matter files before the OneDrive is deleted, or (b) the firm continues to pay for the leaver’s licence indefinitely to avoid losing access. Both are wrong; both are common.

The fix is structural, not technical: matter files belong in SharePoint sites, document management systems, or practice management systems that are scoped to the matter and visible to the team. OneDrive is for drafts and personal working copies. Make that policy clear, give fee-earners somewhere to actually save matter files that’s as easy as OneDrive, and the problem largely goes away.


None of these ten changes requires enterprise-grade Microsoft licensing. All of them are within Business Premium. The work is configuration, not procurement — which means the gap between a well-run M365 tenant and a poorly-run one is smaller than most firms assume, and easier to close than they fear.

Frequently asked

Common questions on this topic.

Which Microsoft 365 plan is right for a law firm?

Most UK law firms under 100 staff are best served by Microsoft 365 Business Premium. It includes Office, Exchange, SharePoint, OneDrive, Teams, Intune for device management, and Defender for Business. Firms over 300 staff usually need Office 365 E3 or E5, which scale beyond Business Premium's 300-user cap.

Does Microsoft 365 meet SRA cybersecurity expectations?

Microsoft 365 can meet SRA expectations, but only if configured properly. The default settings — particularly around external sharing, MFA enforcement, conditional access, and audit log retention — are not aligned with what the SRA expects. Configuration decisions matter as much as the licence itself.

What is conditional access and why does it matter?

Conditional access is the Microsoft 365 feature that lets you require additional verification (or block access entirely) based on context — who the user is, what device they're on, where they're connecting from, and what they're trying to access. It is the single most important security control above MFA, and most firms haven't configured it.

Should law firms use OneDrive for client files?

No. OneDrive is personal storage; client files belong in shared, properly governed locations — typically SharePoint document libraries or a dedicated practice/document management system. Mixing personal storage and matter files is a recipe for confidentiality breaches when staff leave.
