The 2026 Microsoft 365 Security Baseline for Professional Services Firms

Nothing creates false confidence like a Microsoft 365 tenant that seems to be running smoothly. Until it isn’t. A baseline won’t eliminate every risk, but it removes the preventable ones. And for most firms, that’s where the real exposure is.

Most professional services firms run their world on Microsoft 365 now. Email, documents, meetings, calendars, client files. It is the closest thing you have to an operating system for the firm.

The problem is that many tenants are still in the state they were the day someone first clicked “Next” during setup. A few things turned on, a few things ignored, and then everyone got busy and moved on.

If you hold client data, that is not good enough anymore.

You do not need to turn every knob Microsoft gives you. You do need a clear baseline. A set of non-negotiables that keep people productive and keep your risk where it belongs.

This is what that baseline looks like for a 10-to-100-person professional services firm.

What “good enough” actually means

A secure Microsoft 365 environment for a firm like yours is not perfect. It is consistent.

At a minimum, it should:

  • Protect accounts even if passwords are stolen

  • Protect firm data on laptops and phones, including personal devices

  • Limit what happens if one account is compromised

  • Make offboarding clean and predictable

  • Give you basic visibility into what is happening

If your current setup cannot honestly claim those things, you have work to do. The good news is that most of it is configuration, not buying more tools.

1. Identity first: accounts, MFA and sign-in rules

If someone can log in as you, nothing else matters.

Start here.

Use one account per person

Every person should have:

  • One named account

  • The right license

  • A role that matches their job

Shared mailboxes are fine. Shared user accounts are not.

Enforce multi-factor authentication for everyone

Not “everyone except partners” or “everyone except the one legacy thing.” Everyone.

Use:

  • Authenticator app or hardware keys where possible

  • SMS only as a last resort

Check that “number matching” is on in the authenticator so people cannot just blindly tap “Approve.” Microsoft turns it on by default now, but confirm nobody has switched it off.

Use Conditional Access to set basic sign-in rules

You do not need to start with 20 policies. Start with a few clear ones, such as:

  • Block sign-ins from countries where you have no staff or clients

  • Require MFA on any risky sign-in

  • Require compliant or protected devices for sensitive apps

The goal is simple. Good users get through with a small amount of friction. Suspicious activity gets slowed down or stopped.
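Here is what the MFA rule and those three starter policies look like when written down as Conditional Access policies. This is an added example, not configuration from the post or from Athencia, built with Microsoft Graph PowerShell (the Microsoft.Graph.Identity.SignIns module). The break-glass group ID, the country list and the "sensitive apps" list are assumptions you replace with your own; the risky sign-in policy only does anything on a tenant licensed for Entra ID Protection.

```powershell
# Added example, not from the Athencia post: four starter Conditional Access
# policies created with Microsoft Graph PowerShell. Run as a Conditional Access
# Administrator. Object IDs and country codes are assumptions; replace them.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# ASSUMPTION: a security group holding two emergency-access ("break glass") accounts.
# They are excluded from every policy so a bad policy cannot lock the firm out.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000001"

# Named location listing the countries where you actually have staff or clients.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
  "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
  displayName                       = "BASE Allowed countries"
  countriesAndRegions               = @("GB", "IE")   # ASSUMPTION: UK and Ireland
  includeUnknownCountriesAndRegions = $false
}

# Well-known first-party app ID for Office 365 SharePoint Online (where client files live).
# Verify it in your tenant with Get-MgServicePrincipal and add any practice-management apps.
$SensitiveApps = @("00000003-0000-0ff1-ce00-000000000000")

# All users, all apps, minus break glass: the shape every policy below shares.
$Everyone = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
$AllApps  = @{ includeApplications = @("All") }

# Report-only first. Read the sign-in log for a week, then change state to "enabled".
$State = "enabledForReportingButNotEnforced"

$Policies = @(
  @{  # MFA for everyone, with no exception beyond break glass
    displayName   = "BASE-00 Require MFA for all users"
    state         = $State
    conditions    = @{ users = $Everyone; applications = $AllApps; clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{  # Block sign-ins from anywhere outside the allowed countries
    displayName   = "BASE-01 Block sign-in outside allowed countries"
    state         = $State
    conditions    = @{
      users = $Everyone; applications = $AllApps; clientAppTypes = @("all")
      locations = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  },
  @{  # Step up on risky sign-ins (sign-in risk needs Entra ID P2)
    displayName   = "BASE-02 Require MFA for medium and high sign-in risk"
    state         = $State
    conditions    = @{
      users = $Everyone; applications = $AllApps; clientAppTypes = @("all")
      signInRiskLevels = @("high", "medium")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{  # Sensitive apps only from an Intune-compliant device or an app-protected (BYOD) app
    displayName   = "BASE-03 Require compliant or protected device for sensitive apps"
    state         = $State
    conditions    = @{
      users = $Everyone; clientAppTypes = @("all")
      applications = @{ includeApplications = $SensitiveApps }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "compliantApplication") }
  }
)

foreach ($p in $Policies) {
  $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
  "{0,-70} {1}  [{2}]" -f $created.DisplayName, $created.Id, $created.State
}
```

Two habits worth keeping from this: every policy excludes the break-glass group, and every policy is born in report-only mode. A geo-block that is enforced on day one with a partner travelling is how "security" gets switched off for good.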

2. Devices: keep firm data safe on laptops and phones

Most of the risk in a firm lives on devices. Lost laptops. Personal phones. Old machines that never get updates.

You cannot fix that with a memo. You fix it with policy and tooling.

Manage firm owned devices

If the device is owned by the firm, you should:

  • Enroll it in Intune or your management tool of choice

  • Require disk encryption

  • Push regular updates

  • Standardize basic settings

People should not be local admins by default. If they need admin rights, grant them in a controlled way.

Use app protection on personal devices

If you allow BYOD, do not try to manage the whole phone. Protect the apps that hold firm data.

For example:

  • Require a PIN or biometric to open Outlook and other work apps

  • Block saving work files to personal storage

  • Block copy and paste from work apps into personal apps

  • Be able to wipe firm data from those apps without touching personal content

This is how you protect client information without creeping into people’s private lives.

Require screen locks and encryption

This is simple but often missed.

  • All laptops and phones that access firm data must have a PIN or password

  • Laptops must be encrypted

  • Devices that do not meet these rules should not be allowed to connect to firm data

Write it down in a short BYOD and device policy. Then enforce it with technology.
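The technology side of that policy, for a tenant using Intune, is one compliance policy for firm laptops and one app protection policy for personal phones. The example below is added here and is not configuration from the post or from Athencia; it posts both policies to Microsoft Graph with Invoke-MgGraphRequest. The minimum OS build, PIN length and offline-wipe period are assumptions, and the property names follow Graph's documented windows10CompliancePolicy and iosManagedAppProtection resources.

```powershell
# Added example, not from the Athencia post: a Windows compliance policy (disk
# encryption, screen lock, current OS) and an iOS app protection policy for BYOD,
# created through Microsoft Graph. Needs Intune licensing and the Intune Administrator role.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementApps.ReadWrite.All"
$Graph = "https://graph.microsoft.com/v1.0"

# 1. Firm-owned Windows laptops. A device failing any rule is marked non-compliant,
#    which is what a "require compliant device" Conditional Access policy then blocks on.
$WinCompliance = @{
  "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
  displayName                           = "BASE Windows - encryption, lock, updates"
  passwordRequired                      = $true
  passwordMinutesOfInactivityBeforeLock = 15
  bitLockerEnabled                      = $true          # disk encryption
  storageRequireEncryption              = $true
  secureBootEnabled                     = $true
  osMinimumVersion                      = "10.0.19045"   # ASSUMPTION: oldest build you still patch
  activeFirewallRequired                = $true
  antivirusRequired                     = $true
  # Graph requires at least one scheduled action. "block" with no grace period means
  # the device is non-compliant the moment a rule fails.
  scheduledActionsForRule = @(@{
    ruleName                      = "PasswordRequired"
    scheduledActionConfigurations = @(@{
      actionType = "block"; gracePeriodHours = 0
      notificationTemplateId = ""; notificationMessageCCList = @()
    })
  })
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceCompliancePolicies" `
  -Body ($WinCompliance | ConvertTo-Json -Depth 6) -ContentType "application/json"
"Compliance policy created: $($policy.id)"

# 2. Personal iPhones: protect Outlook, Teams and the Office apps, not the phone.
$IosAppProtection = @{
  displayName                             = "BASE iOS BYOD - app protection"
  pinRequired                             = $true
  minimumPinLength                        = 6                      # ASSUMPTION
  pinCharacterSet                         = "numeric"
  fingerprintBlocked                      = $false                 # Face ID / Touch ID allowed in place of PIN
  saveAsBlocked                           = $true                  # no "save to personal storage"
  allowedOutboundDataTransferDestinations = "managedApps"          # work data only moves to managed apps
  allowedInboundDataTransferSources       = "managedApps"
  allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"  # copy out blocked, paste in allowed
  dataBackupBlocked                       = $true                  # keep work data out of iCloud backup
  managedBrowserToOpenLinksRequired       = $false
  periodOfflineBeforeWipeIsEnforced       = "P90D"                 # ASSUMPTION: wipe work data after 90 days offline
  periodOfflineBeforeAccessCheck          = "PT12H"
  periodOnlineBeforeAccessCheck           = "PT30M"
}
$app = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceAppManagement/iosManagedAppProtections" `
  -Body ($IosAppProtection | ConvertTo-Json -Depth 4) -ContentType "application/json"
"App protection policy created: $($app.id)"
```

Neither policy does anything on its own. The compliance policy still has to be assigned to a device group, the app protection policy still needs its target apps set and a user group assigned, and the "devices that do not meet these rules should not be allowed to connect" bullet is enforced by the Conditional Access policy that requires a compliant device or a protected app. Selective wipe of the protected apps is then an action on the user in the Intune admin centre, which is what lets you remove client data from a phone you do not manage.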

3. Data: keep client information from leaking out

Professional services firms live and die by how they handle client information. In Microsoft 365, that mostly means email, OneDrive and SharePoint.

Standardize where client data lives

Make some decisions:

  • Use SharePoint sites and Teams for client and matter folders

  • Use OneDrive for personal work in progress

  • Do not store firm data in random personal storage accounts

If you do not decide this, everyone will make their own decision and you will end up with files everywhere.

Turn on basic Data Loss Prevention

You do not need to start with heavy classification projects.

Start with a small number of simple rules, for example:

  • Alert or block when someone tries to email sensitive information outside the firm

  • Alert when large volumes of data are downloaded or shared externally

  • Monitor external sharing links, and set sensible expiration defaults

You want guardrails, not constant noise. Tune the rules over time.

Set simple retention rules

Some information should be kept for a defined period. Some should be removable quickly. Some may need legal hold.

Use retention policies to:

  • Keep email and documents long enough to meet your legal and client obligations

  • Avoid keeping everything forever by default

Again, this does not have to be complex. Start with a small number of clear rules.
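To show the size of "a small number of clear rules", here is one DLP policy, one set of sharing defaults and one retention policy. This is an added example, not configuration from the post or from Athencia, using Security & Compliance PowerShell and the SharePoint Online Management Shell. The sensitive information types, the admin URL, the guest expiry and the seven-year retention period are assumptions; check the period against your own client and regulatory obligations before you copy it.

```powershell
# Added example, not from the Athencia post: a first DLP rule, external-sharing
# defaults and a single retention policy. Modules: ExchangeOnlineManagement
# (Connect-IPPSSession) and Microsoft.Online.SharePoint.PowerShell (Connect-SPOService).
Connect-IPPSSession
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # ASSUMPTION: your admin URL

# 1. DLP: financial identifiers leaving the firm. Start in test mode so you see what
#    WOULD be blocked; change -Mode to Enable once a week of alerts looks sensible.
New-DlpCompliancePolicy -Name "BASE Client financial data" `
  -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
  -Mode TestWithNotifications

New-DlpComplianceRule -Name "BASE Block external share of financial data" `
  -Policy "BASE Client financial data" `
  -ContentContainsSensitiveInformation @(
      @{ Name = "Credit Card Number";       minCount = "1" },   # ASSUMPTION: built-in types that fit the practice
      @{ Name = "U.S. Bank Account Number"; minCount = "1" } ) `
  -AccessScope NotInOrganization `
  -NotifyUser Owner, LastModifier `
  -BlockAccess $true -BlockAccessScope All `
  -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# 2. External sharing: links default to "people in the firm", no anonymous links,
#    and guest access to a site expires unless someone renews it.
$SharingDefaults = @{
  DefaultSharingLinkType         = "Internal"
  SharingCapability              = "ExternalUserSharingOnly"   # authenticated guests only
  ExternalUserExpirationRequired = $true
  ExternalUserExpireInDays       = 60                          # ASSUMPTION
}
Set-SPOTenant @SharingDefaults

# 3. Retention: keep mail and documents for seven years from last change, then delete.
#    "Delete at the end" is the point; the default of keeping everything forever is
#    a liability in a discovery request.
New-RetentionCompliancePolicy -Name "BASE Retain 7 years" `
  -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name "BASE Retain 7 years rule" -Policy "BASE Retain 7 years" `
  -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete `
  -ExpirationDateOption ModificationAgeInDays
```

The DLP rule uses Microsoft's built-in sensitive information types; a firm whose risk is client names and matter numbers rather than card numbers would add a custom type or a keyword dictionary, but the rule shape stays the same. Matters that need legal hold get an explicit hold on top of this policy rather than a longer retention period for everyone.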

4. Email: raise the bar for attackers

Email is still where a lot of incidents start, especially for firms whose entire client relationship runs through it.

You will get phished. You will get spoofed. You will have staff who are tired and in a hurry.

Your job is to give them better default protection and make sure someone is watching the environment when things slip through.

Key elements:

None of this will stop every attack. It will push most of them away or blunt the impact. The SOC piece simply closes the gap between a good configuration and a fast response when something slips past it.

5. Access and offboarding: control who has what

Firms are very good at getting new people access to things. They are less consistent about taking that access away.

This is where a lot of hidden risk lives.

Use groups for access, not individual assignments

Set up groups that map to roles. For example:

  • Partners

  • Associates

  • Finance

  • Operations

  • External contractors

Assign permissions to the group. Add or remove people from groups as their role changes. This keeps your access model understandable.

Have a clear offboarding checklist

When someone leaves:

  • Disable their sign-in and revoke their active sessions (disabling alone does not end sessions that are already signed in)

  • Turn their mailbox into a shared mailbox and give their manager access to it (do this before removing the license, or the mailbox goes with it)

  • Remove their licenses when appropriate

  • Transfer their OneDrive content to a manager or archive

  • Remove them from all groups

  • Reassign any shared mailboxes or calendar access

Do this the same way every time. This is one of the simplest and most effective controls you can put in place.
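The easiest way to do it the same way every time is to make it a script. The one below is an added example, not a script from the post or from Athencia; it walks the checklist above with Microsoft Graph PowerShell and Exchange Online PowerShell. The two addresses are parameters you supply, and the OneDrive handover is left to the SharePoint admin centre (or to Set-SPOUser on the leaver's personal site) because it depends on how your tenant is named.

```powershell
# Added example, not from the Athencia post: offboard one user in a fixed order.
# Usage (assumed addresses): .\Offboard-User.ps1 -Leaver jane.doe@contoso.com -Manager partner@contoso.com
param(
  [Parameter(Mandatory)] [string] $Leaver,
  [Parameter(Mandatory)] [string] $Manager
)
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"
Connect-ExchangeOnline -ShowBanner:$false

$u = Get-MgUser -UserId $Leaver -Property Id, UserPrincipalName, AccountEnabled

# 1. Disable sign-in AND revoke refresh tokens. Disabling by itself leaves tokens
#    already issued to Outlook, Teams and the browser valid until they expire.
Update-MgUser -UserId $u.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
"Sign-in disabled and sessions revoked for $($u.UserPrincipalName)"

# 2. Convert the mailbox to shared BEFORE touching licenses. Removing the license
#    from a user mailbox deletes the mailbox; a shared mailbox needs no license.
Set-Mailbox -Identity $Leaver -Type Shared
Add-MailboxPermission -Identity $Leaver -User $Manager -AccessRights FullAccess -AutoMapping $true | Out-Null
"Mailbox converted to shared; $Manager has full access"

# 3. Remove from every group. Dynamic groups, groups synced from on-premises AD and
#    Exchange distribution lists cannot be edited here, so record those for manual follow-up.
$groups = Get-MgUserMemberOf -UserId $u.Id -All |
          Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
  $name = $g.AdditionalProperties.displayName
  try {
    Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $u.Id -ErrorAction Stop
    "Removed from group: $name"
  } catch {
    Write-Warning "MANUAL: could not remove from '$name': $($_.Exception.Message)"
  }
}

# 4. Now the licenses can go.
$skus = (Get-MgUserLicenseDetail -UserId $u.Id).SkuId
if ($skus) {
  Set-MgUserLicense -UserId $u.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
  "Removed $($skus.Count) license(s)"
}

# 5. What still points at this person? Shared mailboxes they had rights to need a
#    new owner, so list them rather than leaving it to memory.
"Shared mailboxes the leaver still has permissions on:"
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
  Get-MailboxPermission -User $Leaver -ErrorAction SilentlyContinue |
  Select-Object Identity, AccessRights | Format-Table -AutoSize
```

The order is the point. Sessions are revoked before anything else, the mailbox is preserved before the license that holds it is removed, and the step that cannot be automated (reassigning delegated access) ends with a printed list instead of an assumption that someone will remember.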

6. Monitoring and visibility: know what is happening

You do not need an in-house security operations center, but you do need some level of awareness.

At a minimum:

  • Turn on unified audit logging

  • Review sign-in risk and security alerts regularly, or have a managed provider do it

  • Check Secure Score and use it as a guide, not a scoreboard

If you work with an MSP or security partner, be clear about who is watching what, how often, how they will contact you if something needs attention, and what actions they will take on your behalf if they see an incident in progress.
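"Some level of awareness" can be a script someone runs every Monday. The one below is an added example, not from the post or from Athencia: it confirms unified audit logging is on, lists the users Entra ID Protection currently considers at risk, finds enabled accounts that have never registered for MFA, and lists mailboxes that forward outside the firm. The risk report needs Entra ID P2 and the registration report needs P1 or P2; both are assumptions about your licensing.

```powershell
# Added example, not from the Athencia post: a weekly visibility check using
# Microsoft Graph PowerShell and Exchange Online PowerShell.
Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Directory.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

# 1. Unified audit log. Without it there is nothing to investigate later.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
  "Unified audit logging was OFF and has been enabled; searches start returning data after a few hours."
} else {
  "Unified audit logging: enabled"
}

# 2. Users Identity Protection flags as at risk, oldest unresolved first.
$risky = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All |
  Sort-Object RiskLastUpdatedDateTime |
  Select-Object UserPrincipalName, RiskLevel, RiskDetail, RiskLastUpdatedDateTime
"Users at risk: $(@($risky).Count)"
$risky | Format-Table -AutoSize

# 3. Gaps in "MFA for everyone": accounts with no MFA method registered. Conditional
#    Access will prompt such a user to register at next sign-in, which is exactly what
#    an attacker holding the password would like to do for them. Admins come first.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
  Where-Object { -not $_.IsMfaRegistered } |
  Select-Object UserPrincipalName, IsAdmin, DefaultMfaMethod |
  Sort-Object IsAdmin -Descending
"Accounts without MFA registered: $(@($noMfa).Count)"
$noMfa | Format-Table -AutoSize

# 4. Mailboxes forwarding to another address. Forwarding rules that nobody set up are
#    the classic sign of a mailbox that has already been taken over.
"Mailboxes with forwarding configured:"
Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null' |
  Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
  Format-Table -AutoSize
```

Each of the four checks maps to a question you should be able to answer on demand: can we investigate, who is the platform already worried about, who could still be taken over with a password alone, and is anyone's mail quietly leaving the firm. If an MSP is doing this for you, ask to see the output, not just a statement that it happens.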

7. A simple way to start

If this feels like a lot, break it into stages.

For example:

Month 1

  • Enforce MFA

  • Clean up user accounts

  • Start using groups for access

Month 2

  • Enroll firm owned devices

  • Turn on basic app protection for mobile

  • Require screen locks and encryption

Month 3

  • Standardize where client data lives

  • Turn on a small set of DLP and email protection rules

  • Document and tighten your offboarding process

You do not have to do everything at once. You do have to start.

The payoff

A good Microsoft 365 baseline does not feel dramatic. The ideal outcome is that nothing exciting happens.

You do not see strange logins from Eastern Europe at midnight.
You do not spend a week recovering from a lost laptop.
You do not discover that someone who left six months ago still has access to client folders.

People log in. They do their work. Systems behave in predictable ways. You sleep a little better.

That is what a baseline is for. It is not decoration. It is the floor you refuse to fall through.

If you want help getting your firm to that floor, that is the kind of work we do every day at Athencia.