Microsoft 365 Security Checklist for Law Firms

A practical Microsoft 365 security checklist for law firms that need safer email, Teams, SharePoint, OneDrive, identity governance, and client-document collaboration.

Why this matters for law firms

Microsoft 365 often becomes the operational center of a law firm. It holds email, calendars, client communications, shared files, matter collaboration, internal chat, external sharing, and attorney mobile access. If Microsoft 365 is not governed, the firm may not know who can access sensitive documents, which guests still have permissions, whether administrator accounts are protected, or whether backup and recovery are adequate.

AKAVEIL uses this checklist during Microsoft 365 security reviews and broader Law Firm IT & Cybersecurity Assessments. Firms that want a guided review can begin here: https://akaveil.com/law-firm-it-assessment/.

Microsoft 365 security baseline

| Control area | What to verify | Why it matters for legal work |
| --- | --- | --- |
| Multi-factor authentication | MFA is required for all users, administrators, and vendor accounts. | Compromised credentials can expose privileged communications, client records, and financial instructions. |
| Conditional access | Risk-based sign-in policies protect unmanaged devices, suspicious locations, and high-risk users. | Attorneys and staff often work remotely, so identity controls must replace the old office-only perimeter. |
| Administrator roles | Global administrators are limited, documented, and protected with stronger controls. | Excessive admin access creates avoidable risk if a single account is compromised. |
| Email authentication | SPF, DKIM, and DMARC are configured and monitored. | Law firms are common targets for impersonation, fake invoices, wire fraud, and credential phishing. |
| External sharing | Guest users, anonymous links, and SharePoint sharing settings are reviewed. | Matter documents can be shared too broadly if collaboration grows without governance. |
| Audit logs | Audit logging and key alerts are enabled. | The firm needs visibility if mailbox access, file sharing, or sign-ins become suspicious. |
| Backup coverage | Microsoft 365 backup expectations are documented and tested. | Retention settings are not a complete substitute for a recovery strategy. |

1. Identity and access

Confirm that every user has MFA, with no emergency exceptions that remain open indefinitely. Review administrator roles and remove privileges that are no longer needed. Check whether former employees, temporary staff, vendors, and inactive users still have access. For higher-risk accounts, use stronger authentication and conditional access rules.

A mature law firm environment also needs a clear approval process for access changes. Someone should be responsible for deciding who can access a new SharePoint site, matter workspace, mailbox, billing platform, or finance folder. Without ownership, access usually expands quietly over time.
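The three identity checks above (who holds Global Administrator, who has not registered MFA, and which enabled accounts have gone quiet) can be pulled from the tenant in one sitting with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original checklist or from AKAVEIL; it assumes the Microsoft.Graph module is installed, that the reviewer's account can read directory roles and the authentication-methods registration report, and that the tenant has the Microsoft Entra ID P1 licence that the sign-in activity property requires. The 90-day inactivity window is an assumed threshold, not a value from the page.

```powershell
# Added example (not from the original page): identity baseline review with the
# Microsoft Graph PowerShell SDK. Assumes Microsoft.Graph is installed and the
# signed-in reviewer is permitted to read roles, the MFA registration report and
# sign-in activity (the last needs Microsoft Entra ID P1).
$scopes = @(
    'RoleManagement.Read.Directory'
    'User.Read.All'
    'AuditLog.Read.All'
    'UserAuthenticationMethod.Read.All'
)
Connect-MgGraph -Scopes $scopes

# 1. Global Administrator holders. The checklist wants this list short,
#    documented, and made of accounts with stronger protection than ordinary users.
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $gaRole) { throw 'Global Administrator role has never been activated in this tenant.' }
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
Write-Host "Global Administrators: $($gaMembers.Count)"
$gaMembers | ForEach-Object {
    [pscustomobject]@{
        Type = $_.AdditionalProperties['@odata.type']
        Name = $_.AdditionalProperties['displayName']
        Upn  = $_.AdditionalProperties['userPrincipalName']
    }
} | Format-Table -AutoSize

# 2. MFA registration status for every user (the report behind the Entra
#    "Authentication methods > User registration details" page).
$reg   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = $reg | Where-Object { -not $_.IsMfaRegistered }
Write-Host "Users without MFA registered: $($noMfa.Count) of $($reg.Count)"
$noMfa | Select-Object UserPrincipalName, IsAdmin, MethodsRegistered | Format-Table -AutoSize

# 3. Enabled accounts with no sign-in in the last 90 days (assumed threshold):
#    former employees, temporary staff and vendor accounts usually surface here.
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, SignInActivity |
    Where-Object {
        $_.AccountEnabled -and (
            -not $_.SignInActivity.LastSignInDateTime -or
            $_.SignInActivity.LastSignInDateTime -lt $cutoff)
    } |
    Select-Object UserPrincipalName, UserType,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Sort-Object LastSignIn |
    Format-Table -AutoSize
```

Run it from an administrator workstation and keep the three tables with the review record; the same output, re-run each quarter, is the evidence behind the MFA and administrator-role lines of the leadership report described later on this page. Accounts with an empty LastSignIn have never signed in since the tenant started recording sign-in activity, which is worth confirming against HR and vendor records before disabling them.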

2. Email and mailbox protection

Review anti-phishing policies, impersonation protection, malware filtering, safe links, safe attachments, mailbox forwarding rules, and suspicious inbox rules. Attorneys and staff need practical protection because email is still the primary channel for client communications, opposing counsel correspondence, billing questions, and vendor requests.

The firm should also verify SPF, DKIM, and DMARC alignment. These controls help reduce spoofing and support the firm's credibility when clients, courts, and counterparties receive email from the firm's domain.
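Forwarding rules and email authentication are the two items in this section that can be checked mechanically rather than by reading policy screens. The script below is an added example, not code from the original checklist or from AKAVEIL; it assumes the ExchangeOnlineManagement module, an Exchange administrator role, and a Windows host for Resolve-DnsName. The domain example-lawfirm.com is a placeholder for the firm's primary domain, and the "external target" test is a heuristic: any forwarding address whose domain is not one of the tenant's accepted domains is flagged for a human to look at.

```powershell
# Added example (not from the original page): surface mailbox forwarding, inbox
# rules that forward or redirect outside the firm, and the SPF/DMARC/DKIM DNS
# records. Assumes ExchangeOnlineManagement, an Exchange admin role and Windows.
$Domain = 'example-lawfirm.com'   # placeholder: the firm's primary email domain

Connect-ExchangeOnline -ShowBanner:$false
# Domains the firm legitimately owns; anything else is treated as external.
$accepted  = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

# 1. Forwarding configured on the mailbox object itself (admin- or user-set).
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules that forward or redirect. Targets look like
#    "Name" [SMTP:user@domain]; pull every domain after an '@' and compare.
function Get-RuleTargetDomains([string[]] $Targets) {
    foreach ($t in $Targets) {
        foreach ($m in [regex]::Matches($t, '@([A-Za-z0-9.-]+)')) { $m.Groups[1].Value.ToLower() }
    }
}
$findings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ }
            $domains = Get-RuleTargetDomains $targets | Sort-Object -Unique
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                External = [bool]($domains | Where-Object { $_ -notin $accepted })
                Targets  = ($targets -join '; ')
            }
        }
}
$findings | Sort-Object External -Descending | Format-Table -AutoSize

# 3. Email authentication records. Microsoft 365 DKIM is published as the
#    selector1/selector2 CNAMEs; a DMARC policy of p=none reports but blocks nothing.
function Get-TxtRecord([string] $Name, [string] $Prefix) {
    $rec = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue
    $rec | ForEach-Object { ($_.Strings -join '') } | Where-Object { $_ -like "$Prefix*" }
}
$spf   = Get-TxtRecord $Domain 'v=spf1'
$dmarc = Get-TxtRecord "_dmarc.$Domain" 'v=DMARC1'
Write-Host "SPF:   $(if ($spf)   { $spf }   else { 'MISSING' })"
Write-Host "DMARC: $(if ($dmarc) { $dmarc } else { 'MISSING' })"
if ($dmarc -and ($dmarc -match 'p=(none|quarantine|reject)') -and $Matches[1] -eq 'none') {
    Write-Warning 'DMARC policy is p=none: spoofed mail is reported but still delivered.'
}
foreach ($sel in 'selector1', 'selector2') {
    $dkim = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    Write-Host "DKIM $sel`: $(if ($dkim) { $dkim.NameHost } else { 'MISSING' })"
}
```

Rows with External set to True deserve a conversation with the mailbox owner before the rule is removed, since a small number are legitimate (a partner forwarding to a litigation-support vendor, for example) and the rest are the classic sign of a compromised mailbox. On the DNS side, the useful outcome is a dated record of whether SPF, DKIM and DMARC exist and what the DMARC policy is, so that moving from p=none to quarantine or reject can be planned once reporting shows the firm's legitimate senders are aligned.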

3. Teams and SharePoint governance

Teams and SharePoint can improve collaboration, but they need structure. Define how the firm creates Teams, SharePoint sites, channels, matter folders, templates, closed matter archives, and administrative workspaces. Review external sharing links and guest users on a recurring schedule.

A strong Microsoft 365 governance plan should answer four practical questions: where should matter documents live, who owns permissions, how are closed matters handled, and what happens when an attorney or paralegal leaves the firm.
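The recurring review of guest users and external sharing links can be scripted so that each cycle produces the same three lists. The script below is an added example, not code from the original checklist or from AKAVEIL; it assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules, a SharePoint administrator role, and Microsoft Entra ID P1 for the guest sign-in activity. The tenant name contoso is a placeholder.

```powershell
# Added example (not from the original page): guest accounts plus tenant- and
# site-level external sharing settings. Assumes Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell, a SharePoint admin role, and Entra ID P1
# for sign-in activity. 'contoso' is a placeholder for the firm's tenant name.
$TenantName = 'contoso'

# 1. Guest accounts, with creation date and last sign-in. Sign-in activity cannot
#    be combined with a server-side filter, so the guest filter is applied locally.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'
$guests = Get-MgUser -All -Property Id, DisplayName, Mail, UserType, CreatedDateTime, SignInActivity |
    Where-Object { $_.UserType -eq 'Guest' }
Write-Host "Guest accounts: $($guests.Count)"
$guests |
    Select-Object DisplayName, Mail, CreatedDateTime,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Sort-Object LastSignIn |
    Format-Table -AutoSize

# 2. Tenant-wide sharing posture: who can be shared with by default, what kind
#    of link is created by default, and whether anonymous links expire.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType,
        RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode |
    Format-List

# 3. Sites that still allow some form of external sharing. 'Disabled' means only
#    members of the firm's own tenant can be granted access to that site.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, Title, SharingCapability, LastContentModifiedDate |
    Sort-Object SharingCapability |
    Format-Table -AutoSize
```

The site list is the one to hand to the owners named in the governance plan: each site that permits external sharing should map to a matter or workspace whose owner can say why, and closed-matter archives in particular should normally appear with sharing disabled. Guests with an empty or very old LastSignIn are candidates for removal under the same ownership process.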

4. OneDrive and endpoint sync

OneDrive sync errors can create confusion about which version of a client document is current. Review sync health, known folder move settings, device compliance, local file storage habits, and how laptops are protected. If attorneys use multiple devices, the firm should confirm that data remains encrypted, recoverable, and governed by policy.

5. Retention, deletion, and recovery

Retention should be designed carefully because law firms have operational, legal, client, and ethical considerations around data handling. Before applying broad deletion or retention rules, the firm should review matter lifecycle, closed file procedures, email retention expectations, and backup/recovery requirements.

The firm should test recovery, not merely assume it exists. Test restoring a mailbox item, a SharePoint document, a OneDrive file, and a critical administrative document. Record the recovery time and the person responsible for authorizing restores.

6. Reporting for leadership

Firm leadership should receive a Microsoft 365 security summary at least quarterly. The report should cover MFA status, administrator roles, high-risk sign-ins, external sharing, guest users, mailbox forwarding, backup status, device compliance, and unresolved recommendations. The goal is to help partners and administrators make decisions, not overwhelm them with console screenshots.

30-day Microsoft 365 action plan

| Timeline | Priority | Outcome |
| --- | --- | --- |
| Week 1 | Review MFA, admin roles, inactive users, and risky sign-ins. | Establish identity baseline and remove obvious exposure. |
| Week 2 | Review email authentication, anti-phishing, forwarding rules, and mailbox security. | Reduce spoofing, phishing, and mailbox compromise risk. |
| Week 3 | Review Teams, SharePoint, OneDrive, guest access, and external links. | Improve document access control and collaboration governance. |
| Week 4 | Document backup, recovery, retention, and leadership reporting. | Create a practical roadmap for ongoing security improvement. |

Recommended next step

If your firm is unsure whether Microsoft 365 is configured securely, start with AKAVEIL's free Law Firm IT & Cybersecurity Assessment. The assessment reviews identity, email, SharePoint, OneDrive, Teams, backup, endpoint security, and operational priorities.

Request the Free Law Firm IT & Cybersecurity Assessment

Related pages: Microsoft 365 Security Assessment, Legal IT Services for Law Firms, and SharePoint Document Management for Law Firms.