
What I Consistently Find in UK Law Firm M365 Tenants

8 min read. By Richard Ham

UK law firms run on Microsoft 365. The corporate departments use it for document management, email, file sharing; the matters move through Outlook and SharePoint; the partners’ calendars sit in Exchange. It’s the central nervous system of the firm, and the threat model around it is well understood by attackers — authentic-fraud, business-email-compromise, and targeted credential theft are routine.

What surprises me is how consistent the audit findings are. Different firms, different sizes, different IT suppliers — and largely the same gaps. None of these are exotic. All of them are fixable. But until someone with a structured eye looks at the tenant, they tend to stay where they are.

This is the list I’ve assembled over enough M365 audits in the legal space to call it a pattern. If you run a UK law firm or sit on the management committee of one, this is what your auditor or your fractional CISO is going to find when they look.

1. Legacy Authentication Still Works

This is the most common single finding and the most consequential. Legacy authentication protocols — Basic Auth on Exchange, IMAP, POP3, SMTP AUTH — don’t support modern multi-factor authentication. If they’re enabled, an attacker who phishes a username and password can sign in as that user, full stop, with no MFA challenge.

In law firms it usually persists because of an old line-of-business application: a dictation tool, a billing add-in, a niche practice-management integration. Somebody enabled the protocol years ago to make it work, and nobody has been paid to come back and turn it off.

The fix is a Conditional Access policy that blocks legacy authentication across the board, with explicit and documented exceptions for any application that genuinely still needs it. In most firms the exception list ends up being zero or one applications. Microsoft has been actively retiring these protocols for years, and there’s almost nothing legitimate left that requires them.

2. Conditional Access Is Either Absent or Performative

Most firms have MFA enabled. Far fewer have it enforced through Conditional Access policies that actually constrain where and how people can sign in.

Common patterns:

– MFA enforced for users but not for global administrators (because admins find it inconvenient)
– No location-based restrictions, so an attacker in Russia or Vietnam can hit the sign-in page directly
– No device compliance requirements, so any unmanaged device can authenticate
– Mobile email access without app protection policies, so a lost or sold phone is an unmanaged data egress

A defensible Conditional Access posture means: every user, every admin, every privileged account, with location and device controls appropriate to the role. It takes a structured deployment but it’s not technically complex, and the security delta is significant.
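The two policies that sections 1 and 2 call for, as an added example using the Microsoft Graph PowerShell SDK (not code from the original post). It assumes `Connect-MgGraph` can obtain the listed scope and that you substitute the object ID of your own emergency-access group for the placeholder; both policies start in report-only mode so the sign-in log shows who would be affected before anything is enforced.

```powershell
# Added example, not from the original post: two Conditional Access policies
# built with the Microsoft Graph PowerShell SDK, both created in report-only
# mode so the sign-in logs show who would be affected before they are enforced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder: your emergency-access group

# Policy 1: block legacy authentication. "exchangeActiveSync" and "other" are
# the client app types that cannot satisfy an MFA challenge (Basic Auth, IMAP,
# POP3 and SMTP AUTH all fall under "other"). Modern clients are untouched.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: require MFA for privileged directory roles, with no admin exemption.
# 62e90394-... is the well-known Global Administrator role template ID; list
# further role template IDs with Get-MgDirectoryRoleTemplate and add them here.
$adminMfa = @{
    displayName   = "CA002 - Require MFA for admin roles"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeRoles  = @("62e90394-69f5-4237-9190-012177145e10")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa

# Review the report-only results in the Entra sign-in logs; the accounts that
# show up under CA001 are your candidate exception list (usually zero or one).
```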

3. Mail Flow Authentication Is Incomplete

Almost every law firm I audit has SPF set up. Some have DKIM. Very few have DMARC at enforcement (`p=reject` or `p=quarantine` with a meaningful percentage).

The gap matters because of how legal email is targeted. Authentic-fraud — where an attacker sends a fake invoice from a supplier address, or a fake completion-funds instruction from a counterparty — relies on being able to spoof the sending domain. Without DMARC at enforcement, your domain can be spoofed. With DMARC at enforcement, it can’t.

DMARC is a journey, not a switch. You need to start at `p=none`, gather reports, identify legitimate senders that need configuring, fix them, and then move stepwise to `p=quarantine` and eventually `p=reject`. It typically takes six to ten weeks of attention, but the protection it produces — for clients, for counterparties, and for the firm’s reputation — is worth far more than the work.
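A small PowerShell check, added here rather than taken from the original post, that reads a DMARC record and reports which stage of the journey above a domain has reached, including the two caveats that make "enforcement" weaker than it looks (a `pct` below 100 and an `sp=none` subdomain policy). The sample records are constructed; the commented `Resolve-DnsName` line shows how to feed it a live record on Windows.

```powershell
# Added example, not from the original post: classify a DMARC record against
# the p=none -> p=quarantine -> p=reject journey. Sample records are constructed.
function Get-DmarcPosture {
    param([Parameter(Mandatory)][string]$Record)

    # A DMARC record is semicolon-separated tag=value pairs, e.g. "v=DMARC1; p=none; rua=..."
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$matches[1]] = $matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1') { return 'No valid DMARC record' }

    $p   = $tags['p']
    $sp  = if ($tags.ContainsKey('sp'))  { $tags['sp'] } else { $p }      # subdomains inherit p unless sp= is set
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
    $hasReports = $tags.ContainsKey('rua')

    switch ($p) {
        'none'       { $stage = if ($hasReports) { 'Monitoring (p=none, reports flowing)' }
                                else { 'Monitoring with no rua= address: nothing is being learned' } }
        'quarantine' { $stage = 'Partial enforcement (quarantine)' }
        'reject'     { $stage = 'Enforcement (reject)' }
        default      { $stage = "Unrecognised policy '$p'" }
    }
    # The two ways an "enforcing" record still leaves the domain spoofable
    if ($p -ne 'none' -and $pct -lt 100) { $stage += "; only $pct% of failing mail is affected" }
    if ($p -ne 'none' -and $sp -eq 'none') { $stage += "; subdomains unprotected (sp=none)" }
    return $stage
}

# Constructed records, one per stage of the journey described in the text
$samples = @(
    'v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk',
    'v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.co.uk',
    'v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.co.uk',
    'v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk'
)
foreach ($s in $samples) { '{0,-66} => {1}' -f $s, (Get-DmarcPosture $s) }

# Live check (Windows DnsClient module); TXT answers can be split into several strings
# $txt = (Resolve-DnsName -Name '_dmarc.example.co.uk' -Type TXT).Strings -join ''
# Get-DmarcPosture $txt
```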

4. Admin Rights Are Vastly Over-Distributed

The principle of least privilege says that admin rights should be the smallest possible set, granted to the smallest possible group, for the shortest possible time. The reality in most firms is the opposite. The IT manager is a global admin. So is their deputy. So are two engineers at the MSP. So is the partner who set up the original tenant. So is the consultant who came in to fix the email migration in 2019.

When I audit, I routinely find five or six accounts with global admin privileges. Often more. Each of those accounts is a high-value target — phishing one of them gets the attacker the keys to the entire estate.

The corrective work is straightforward but politically delicate. You need to:

– Inventory every account with privileged roles
– Remove anyone who doesn’t need the role on a daily basis
– Move the rest to Privileged Identity Management (PIM) so they hold the role only when they need it
– Separate normal-user accounts from admin accounts (so phishing the user account doesn’t compromise admin)
– Require MFA and Conditional Access on the admin accounts at a higher bar than normal users

This is one of the most impactful changes a firm can make. It takes weeks, not months. And it dramatically reduces the blast radius of any compromise.
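The inventory step of that list, as an added Microsoft Graph PowerShell example (not from the original post). It assumes `Connect-MgGraph` can obtain the scopes shown; the "more than five" threshold reflects the audit observation above rather than any Microsoft limit.

```powershell
# Added example, not from the original post: inventory who holds Global
# Administrator and flag the patterns the audit findings describe.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # well-known Global Administrator template ID
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"

# Active members: standing assignments plus anyone currently PIM-activated
$report = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    $p = $m.AdditionalProperties
    [pscustomobject]@{
        Type           = ($p['@odata.type'] -replace '#microsoft.graph.', '')   # user vs servicePrincipal
        Name           = $p['displayName']
        Upn            = $p['userPrincipalName']
        HasMailbox     = [bool]$p['mail']        # an admin identity that receives email is a phishing target
        AccountEnabled = $p['accountEnabled']
    }
}
$report | Format-Table -AutoSize

# PIM-eligible holders (must activate on demand) for comparison with the standing list
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$gaTemplateId'"
$activeCount   = ($report   | Measure-Object).Count
$eligibleCount = ($eligible | Measure-Object).Count
"Standing Global Administrators: $activeCount; PIM-eligible: $eligibleCount"

if ($activeCount -gt 5) {
    Write-Warning "More than five standing Global Admins: convert to PIM eligibility and remove daily-use holders"
}
$disabled = $report | Where-Object { $_.AccountEnabled -eq $false }
if ($disabled) { Write-Warning "Disabled accounts still hold the role: $($disabled.Upn -join ', ')" }
$mailEnabled = $report | Where-Object { $_.Type -eq 'user' -and $_.HasMailbox }
if ($mailEnabled) { Write-Warning "Admin accounts that are also mailboxes (not separated): $($mailEnabled.Upn -join ', ')" }
```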

5. Audit Logging Is Often Misconfigured

The unified audit log in M365 is invaluable when something has happened — a suspicious sign-in, a mass file download, a new mail forwarding rule on a partner’s account. But it has to be enabled, with retention long enough to be useful, and reviewed against alerts that catch the things you actually care about.

In many tenants I find:

– Unified audit logging never enabled, or enabled for only some workloads
– Retention set to the licensing default of 90 days when an investigation might need to go back a year
– No alerts configured for high-risk events (impossible-travel sign-ins, mass downloads, mailbox forwarding rules, OAuth grants to suspicious applications)

For a firm of any size, the log is your evidence base when you need to demonstrate to clients, insurers, or the SRA that you’ve understood and responded to an incident. Without it, you have stories. With it, you have evidence.

The configuration takes an afternoon. The alert tuning takes longer — but that’s where the value is.
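The three checks behind those findings, as an added Exchange Online PowerShell example (not from the original post): whether unified audit log ingestion is on at all, where mail is being forwarded out of the tenant, and who has created or changed forwarding rules recently. It assumes `Connect-ExchangeOnline` succeeds with an account that can read audit logs and mailbox configuration.

```powershell
# Added example, not from the original post: audit-log and forwarding-rule
# checks in Exchange Online PowerShell.
Connect-ExchangeOnline

# 1. Is unified audit log ingestion switched on?
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# 2. Mailbox-level forwarding set on the mailbox object itself
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward, redirect, delete or bury mail (the classic
#    post-compromise persistence on a partner's account)
$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Deleted')
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}
$suspicious | Format-Table -AutoSize

# 4. Who created or changed rules/forwarding in the last 30 days (needs the audit log from step 1)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations
```

Steps 2 to 4 are the queries worth wiring into a scheduled alert once the log is on; step 4 returns nothing useful if ingestion was only just enabled.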

6. SharePoint Permissions Are a Mess

This is the finding most law firms underestimate. SharePoint Online underpins the document store; in many firms it’s the de facto matter file system, often with a document management overlay on top. Permissions in SharePoint are notoriously easy to set up incorrectly and notoriously hard to audit afterwards.

Common findings:

– Sites where “Everyone except external users” has read or edit access — meaning every employee can see every matter
– Documents shared via “anyone with the link” with no expiry, where the link has been forwarded around
– Guest access enabled on sites that should be internal-only
– Inherited permissions broken in places that nobody documented
– Former employees still appearing in permission groups long after their accounts were disabled

The corrective work is unglamorous: a structured permissions review, retirement of broad-access shares, replacement of “anyone with the link” sharing with proper guest access, and access reviews scheduled into the calendar. It’s an ongoing discipline, not a one-off project. But the principle is non-negotiable for a law firm — confidentiality obligations don’t allow for a permissions model where anyone can see anything.
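An added SharePoint Online Management Shell example (not from the original post) covering the sharing side of that review: finding sites that still allow "anyone with the link", tightening the tenant defaults, clamping internal-only sites, and listing the broad-access claim and guests for an access review. Replace `<tenant>` with your tenant name; the site URL in the internal-only list is a constructed placeholder.

```powershell
# Added example, not from the original post: sharing-settings review and
# corrections with the SharePoint Online Management Shell.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 1. Sites that still permit "Anyone" (anonymous) links
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Title, SharingCapability

# 2. Tenant defaults: guests must authenticate, remaining Anyone links expire,
#    new links default to "specific people", guests cannot re-share
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
Set-SPOTenant -DefaultSharingLinkType Direct
Set-SPOTenant -PreventExternalUsersFromResharing $true

# 3. Sites that must stay internal-only: per-site setting may be stricter than the tenant
$internalOnly = @("https://<tenant>.sharepoint.com/sites/MatterFiles")   # constructed placeholder
foreach ($url in $internalOnly) {
    Set-SPOSite -Identity $url -SharingCapability Disabled

    # "Everyone except external users" appears as the spo-grid-all-users claim;
    # any hit here means every employee can reach this site
    Get-SPOUser -Site $url -Limit All |
        Where-Object { $_.LoginName -like '*spo-grid-all-users*' } |
        Select-Object @{ n = 'Site'; e = { $url } }, LoginName, IsSiteAdmin
}

# 4. Guest accounts in the tenant, as the starting list for a scheduled access review
Get-SPOExternalUser -PageSize 50 | Select-Object Email, AcceptedAs, WhenCreated
```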

What This Adds Up To

None of these findings are exotic. None of them require expensive tooling beyond what’s already in your M365 licensing. What they require is somebody with a structured eye to look at the tenant, identify the gaps, and have the institutional weight to actually drive the corrective work to completion.

That’s almost always the gap. The IT manager or the MSP knows about most of these issues — they live with the symptoms — but they don’t have the time, the seniority, or the air-cover to push through the work. A fractional CISO engagement gives you that. A structured audit gives you the prioritised list.

If you run a UK firm, the question worth answering this quarter is: when did somebody actually look at the tenant? If the answer is more than a year ago or never, this is the work that pays back fastest.

If you’d like a structured M365 audit for your firm, the work sits inside the Security & Compliance Strategy service, and the legal-sector page covers how I scope this for law firms specifically. Or just get in touch for a 30-minute conversation about where your tenant stands.
