
Microsoft 365 Security Checklist for Accounting Firms

A single compromised mailbox can expose sensitive tax returns, payroll data, bank details, and years of client history in minutes. For accounting firms, Microsoft 365 is the central hub where much of your cloud security risk lives every day.

Busy periods make security drift easy. One broad sharing link, one unmanaged laptop, or one partner with too much admin access can create a bigger problem than anyone expects. A practical Microsoft 365 security checklist helps you lock down the basics before the next phishing email lands.

Key Takeaways

  • Identity is the primary defense: Prioritize enforcing multi-factor authentication (MFA) for every user and limiting Global Administrator roles to prevent large-scale account compromises.
  • Shared responsibility: Recognize that Microsoft secures the cloud infrastructure, but the firm is solely responsible for configuring settings, managing access, and protecting data within the tenant.
  • Control device access: Use Microsoft Intune and Conditional Access to ensure only compliant, managed devices can reach sensitive files and client email data.
  • Secure email and sharing: Implement Defender for Office 365, configure SPF/DKIM/DMARC records, and restrict external sharing links to prevent phishing and unauthorized data leakage.
  • Maintain visibility: Proactively monitor audit logs, configure security alerts, and keep a tested incident response plan ready to ensure the firm can react quickly during high-pressure periods like tax season.

Set a baseline before the busy season starts

Most firms do not run into trouble because they picked the wrong platform. Instead, they struggle because they overlook the shared responsibility model, which dictates that while Microsoft secures the cloud infrastructure, the firm remains responsible for managing its own security settings. Default configurations often stay in place even as the firm grows, adds remote staff, or brings on seasonal users.

Establishing a secure tenant configuration acts as your minimum baseline for protection:

| Area | Minimum control | Why it matters |
| --- | --- | --- |
| Identity | MFA for every account, with stronger methods for admins | Stops many common account takeover attempts |
| Access | Conditional Access for risky sign-ins, admin access, and unmanaged devices | Reduces exposure from bad logins and weak endpoints |
| Admin roles | Separate admin accounts, few Global Admins, role-based access | Limits damage if one admin account is hit |
| Email | Defender for Office 365, anti-phishing, Safe Links, Safe Attachments | Cuts down phishing, malware, and spoofing risk |
| Devices | Intune compliance, encryption, patching, Defender | Keeps weak or lost devices from exposing data |
| Data | DLP, sensitivity labels, tighter sharing defaults | Protects client records from leaks or oversharing |
| Visibility | Audit logging, alerts, Secure Score reviews, incident plan | Helps you spot and contain issues faster |

This baseline fits well with broader IT compliance requirements for accounting firms, where encryption, backup, risk review, and data protection all sit side by side.

Most accounting firms do not need every premium feature on day one. They do need consistent controls, clear ownership, and regular review. During tax season, adhering to these security best practices matters even more because rushed approvals and after-hours work create more chances for mistakes.

Lock down identity and admin access first

If you only fix one area this quarter, start with identity. Attackers still go after passwords because they work when firms leave gaps around multi-factor authentication, legacy protocols, and admin access. Prioritizing identity protection is the most effective way to secure your firm against unauthorized entry.

Require multi-factor authentication for every user

Turn on multi-factor authentication for all accounts, not only for partners and finance staff. Client service teams, reception, and shared process owners all handle sensitive information. A weak account in one corner of the firm can still lead to mailbox rules, internal phishing, or file theft.

Where possible, move users toward stronger methods such as Microsoft Authenticator with number matching, passkeys, or FIDO2 security keys. Keep SMS and voice as fallback options only if you must. For admins, use the strongest method you can support and train.

Conditional Access should then back up multi-factor authentication with context. Require multi-factor authentication for all cloud apps, block legacy authentication, and demand compliant or managed devices for admin tasks and sensitive data. If your licensing supports risk-based policies, block or challenge risky sign-ins instead of letting them pass by default.
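A quick way to confirm that the three policies above actually exist and are enforced is to check an export of your Conditional Access policies for the gaps. The script below is an added example, not code from this article or from Microsoft. It assumes the policies were exported in the Microsoft Graph policy shape (state, conditions.users, conditions.applications, conditions.clientAppTypes, conditions.signInRiskLevels, grantControls.builtInControls); the sample policies are constructed. Report-only policies are counted as gaps on purpose, because they log what would happen but enforce nothing.

```python
"""Gap check for an exported set of Conditional Access policies (constructed sample)."""

LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}   # Graph values that cover legacy auth clients
ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _cond(policy, *path):
    """Walk conditions.<path> and return [] when any key is absent."""
    node = policy.get("conditions") or {}
    for key in path:
        node = (node or {}).get(key)
    return node or []


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _is_enabled(policy):
    return policy.get("state") == ENABLED


def _covers_all_users_and_apps(policy):
    return ("All" in _cond(policy, "users", "includeUsers")
            and "All" in _cond(policy, "applications", "includeApplications"))


def requires_mfa_for_all(policies):
    return any(_is_enabled(p) and _covers_all_users_and_apps(p) and "mfa" in _controls(p)
               for p in policies)


def blocks_legacy_auth(policies):
    return any(_is_enabled(p) and _covers_all_users_and_apps(p) and "block" in _controls(p)
               and LEGACY_CLIENT_APPS <= set(_cond(p, "clientAppTypes"))
               for p in policies)


def requires_compliant_device_for_admins(policies):
    # includeRoles holds directory role template ids; any non-empty list means the policy targets admins
    return any(_is_enabled(p) and _cond(p, "users", "includeRoles")
               and "compliantDevice" in _controls(p) for p in policies)


def challenges_risky_signins(policies):
    return any(_is_enabled(p) and "high" in _cond(p, "signInRiskLevels")
               and _controls(p) & {"block", "mfa"} for p in policies)


CHECKS = [
    (requires_mfa_for_all, "no enabled policy requires MFA for all users on all cloud apps"),
    (blocks_legacy_auth, "legacy authentication (Exchange ActiveSync and 'other' clients) is not blocked"),
    (requires_compliant_device_for_admins, "directory role holders are not required to use a compliant device"),
    (challenges_risky_signins, "high-risk sign-ins are neither blocked nor challenged"),
]


def find_gaps(policies):
    """Return the baseline controls no *enabled* policy delivers, plus the report-only policies."""
    gaps = [text for check, text in CHECKS if not check(policies)]
    report_only = [p.get("displayName") for p in policies if p.get("state") == REPORT_ONLY]
    return {"gaps": gaps, "report_only": report_only}


SAMPLE_POLICIES = [  # constructed export: MFA enforced, legacy block left in report-only, no admin device policy
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"], "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    result = find_gaps(SAMPLE_POLICIES)
    for gap in result["gaps"]:
        print("GAP:", gap)
    for name in result["report_only"]:
        print("REPORT-ONLY (not enforced):", name)
```

Against the constructed export this reports two gaps (legacy authentication and admin device compliance) and names the report-only policy, which is exactly the state many tenants sit in after a half-finished rollout.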

Cut down admin sprawl and secure admin accounts

Separate day-to-day user accounts from admin accounts. Nobody should read email, browse the web, and manage the tenant from the same identity.

Limit Global Administrator to a very small group. In many firms, two to four named people is enough. Then use role-based access control such as Exchange Administrator, SharePoint Administrator, Teams Administrator, or User Administrator. That keeps the blast radius smaller when a password is stolen or a mistake happens.

If every partner has Global Administrator, one stolen password can become a firm-wide incident.

If you have Microsoft Entra ID P2 (Entra ID is the service formerly known as Azure Active Directory), use Privileged Identity Management for just-in-time privileged access. If you do not, use a manual approval process and review admin roles every month. Remove stale admin rights fast, especially after projects, mergers, or staff changes.

Keep two emergency access accounts, often called break-glass accounts. Store their credentials offline in a controlled way, test them twice a year, and monitor any sign-in closely. Document which Conditional Access exclusions they need, and keep those exclusions tight.
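The monthly admin review in this section can be scripted against an export of role members. The example below is added here and is not code from the article or from Microsoft. It assumes a flattened export with one record per account (UPN, roles held, whether the account has a mailbox, last sign-in date) and a set of UPNs the firm has designated as break-glass; all records are constructed. It applies the rules above: few named Global Administrators, no admin role on a day-to-day mailbox account, stale admin rights removed, and two break-glass accounts that are Global Administrators but are not used for daily work.

```python
"""Monthly review of privileged role assignments (constructed export)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_GLOBAL_ADMINS = 4     # the checklist suggests two to four named people
STALE_AFTER_DAYS = 90     # admin rights unused for this long should be removed or re-approved


@dataclass
class Account:
    upn: str
    roles: List[str]
    has_mailbox: bool                 # a licensed mailbox marks a day-to-day identity
    last_sign_in: Optional[date]      # None means never signed in


def review_admins(accounts, break_glass, today):
    """Return human-readable findings; an empty list means the rules hold."""
    findings = []
    named_global_admins = [a for a in accounts
                           if "Global Administrator" in a.roles and a.upn not in break_glass]
    if len(named_global_admins) > MAX_GLOBAL_ADMINS:
        findings.append(f"{len(named_global_admins)} named Global Administrators; keep this to "
                        f"{MAX_GLOBAL_ADMINS} or fewer and hand out scoped roles instead")
    for a in accounts:
        if not a.roles:
            continue                  # ordinary user, nothing to review
        if a.upn in break_glass:
            if "Global Administrator" not in a.roles:
                findings.append(f"break-glass account {a.upn} is not a Global Administrator")
            if a.has_mailbox:
                findings.append(f"break-glass account {a.upn} has a mailbox and could be used for daily work")
            continue                  # emergency accounts are expected to look stale
        if a.has_mailbox:
            findings.append(f"{a.upn} holds {', '.join(a.roles)} on a mailbox-enabled account; "
                            "move the role to a separate admin identity")
        if a.last_sign_in is None or (today - a.last_sign_in).days > STALE_AFTER_DAYS:
            findings.append(f"{a.upn} has not used its admin rights in over {STALE_AFTER_DAYS} days; "
                            "remove or re-approve")
    present = [u for u in break_glass if any(a.upn == u for a in accounts)]
    if len(present) < 2:
        findings.append(f"only {len(present)} break-glass account(s) exist; keep two")
    return findings


TODAY = date(2025, 6, 30)
BREAK_GLASS = {"bg-one@firm.example", "bg-two@firm.example"}     # placeholder domain
SAMPLE_ACCOUNTS = [  # constructed
    Account("alice@firm.example", ["Global Administrator"], True, date(2025, 6, 28)),   # partner's daily mailbox
    Account("adm-alice@firm.example", ["Global Administrator"], False, date(2025, 6, 28)),
    Account("adm-bob@firm.example", ["Global Administrator"], False, date(2024, 12, 1)),
    Account("adm-carol@firm.example", ["Exchange Administrator"], False, date(2025, 6, 29)),
    Account("adm-dave@firm.example", ["Global Administrator"], False, date(2025, 6, 27)),
    Account("adm-erin@firm.example", ["Global Administrator"], False, date(2025, 6, 30)),
    Account("bg-one@firm.example", ["Global Administrator"], False, None),
    Account("bg-two@firm.example", ["Global Administrator"], False, None),
    Account("frank@firm.example", [], True, date(2025, 6, 30)),
]

if __name__ == "__main__":
    for line in review_admins(SAMPLE_ACCOUNTS, BREAK_GLASS, TODAY):
        print("-", line)
```

On the constructed data this produces three findings: five named Global Administrators, a partner holding the role on their mailbox account, and one admin account unused for months. Break-glass accounts are excluded from the stale check and from the head count because they are meant to sit idle.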

Harden email before the next phishing wave

Email remains the easiest path into most firms because it mixes urgency, trust, and financial data. Attackers know accounting teams move quickly, especially around payroll runs, BAS deadlines, audit requests, and tax season.

Turn on Microsoft Defender for Office 365 if your plan includes it. Safe Links rewrites and checks URLs at click time, while Safe Attachments acts as a critical layer of anti-malware to help block malicious files before users open them. You should also configure robust phishing protection and threat protection policies to secure your highest-risk users, such as partners, payroll staff, and team members who approve payments.


Tighten impersonation protection for your own domain, your key vendors, and your leadership team. In addition, disable external auto-forwarding unless a real business case exists and someone approves it. Auto-forward rules are a common sign of mailbox compromise, and they quietly move client data out of your control.

Your domain also needs SPF, DKIM, and DMARC. Those records make spoofing harder and help receiving systems decide whether to trust messages sent in your name. If DMARC is not in place yet, move carefully from monitoring to quarantine, then to reject once you know all legitimate senders are covered.

Finally, review old mail protocols. Block legacy authentication, and disable POP, IMAP, or SMTP AUTH unless a system still needs them. Where a system does need one of those methods, isolate it, protect it with a dedicated account, and plan its replacement. That small cleanup can close one of the oldest holes in Microsoft 365.
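Before moving DMARC from monitoring to quarantine to reject, it helps to read the records you actually publish and see where you stand. The parser below is an added example, not the article's code; it takes the TXT record strings you would pull from your DNS host, grades the DMARC policy stage, and flags the SPF mistakes that most often break a rollout (no hard fail, too many DNS lookups, the Exchange Online include missing). The sample records and the firm.example domain are constructed placeholders.

```python
"""Parse and grade SPF and DMARC TXT records (constructed samples)."""
import re

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10          # RFC 7208: more than ten DNS-querying terms is a permerror
EXO_SPF_INCLUDE = "spf.protection.outlook.com"


def parse_dmarc(record):
    """Return DMARC tags as a dict; raise ValueError on malformed input."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC p= must be none, quarantine or reject")
    return tags


def dmarc_stage(record):
    """Describe where a domain sits on the none -> quarantine -> reject path."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))
    sub_policy = tags.get("sp", policy)          # subdomains inherit p= unless sp= overrides it
    advice = []
    if "rua" not in tags:
        advice.append("add rua= aggregate reporting; without reports you cannot see which legitimate senders would fail")
    if policy == "none":
        advice.append("monitoring only; review reports, then move to p=quarantine")
    elif policy == "quarantine" and pct < 100:
        advice.append(f"quarantine applies to {pct}% of failing mail; raise pct to 100 before moving to reject")
    elif policy == "quarantine":
        advice.append("move to p=reject once every legitimate sender passes SPF or DKIM alignment")
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    if strength[sub_policy] < strength[policy]:
        advice.append(f"subdomain policy sp={sub_policy} is weaker than p={policy}; unused subdomains can still be spoofed")
    return {"policy": policy, "pct": pct, "subdomain_policy": sub_policy, "advice": advice}


def _spf_term_name(term):
    """'include:spf.protection.outlook.com' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]


def check_spf(record):
    """Flag the SPF problems that most often break a DMARC rollout."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    problems = []
    lookups = sum(1 for t in terms[1:] if _spf_term_name(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS-querying terms; more than {SPF_LOOKUP_LIMIT} causes a permerror and SPF fails")
    if terms[-1].lower() not in ("-all", "~all"):
        problems.append("record does not end in -all or ~all; unlisted senders are allowed")
    if EXO_SPF_INCLUDE not in record.lower():
        problems.append(f"missing include:{EXO_SPF_INCLUDE}, so mail sent through Exchange Online will fail SPF")
    return problems


DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@firm.example"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@firm.example"
DMARC_FINAL = "v=DMARC1; p=reject; rua=mailto:dmarc@firm.example"
SPF_GOOD = "v=spf1 include:spf.protection.outlook.com -all"
SPF_WEAK = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ?all"

if __name__ == "__main__":
    for rec in (DMARC_MONITOR, DMARC_PARTIAL, DMARC_FINAL):
        print(rec, "->", dmarc_stage(rec)["advice"])
    for rec in (SPF_GOOD, SPF_WEAK):
        print(rec, "->", check_spf(rec) or ["ok"])
```

The pct and sp tags are the two that most often get forgotten: a domain can sit at p=quarantine with pct=25 for years and believe it is finished, and a strict p= on the apex does nothing for a subdomain that sp=none leaves open.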

Require healthy devices before they reach client data

A protected tenant still has a weak spot if unmanaged devices can open mail, sync files, and store client documents locally. That matters more now because many firms split work across office desks, home offices, and client sites.

Microsoft Intune gives you a practical way to manage this risk through robust mobile device management. Set compliance policies for supported operating systems, encryption, screen lock, patch levels, and endpoint protection. Then, use Conditional Access to ensure that only compliant or approved devices can reach Exchange Online, SharePoint, Teams, and other sensitive apps. This approach aligns with a Zero Trust strategy, where you verify the health of every device before granting access, regardless of where your staff members are located.


For firm-owned devices, push standard builds, require BitLocker or FileVault, restrict local admin rights, and keep Microsoft Defender active. If your licensing supports Defender for Endpoint or Defender for Business, connect that posture back into device compliance and threat response.

Bring-your-own-device needs a different approach. Rather than full device control, many firms use app protection policies for Outlook, Teams, and OneDrive. That lets you require a PIN, block copy and paste into personal apps, stop downloads to unmanaged storage, and wipe firm data from the app without erasing personal content.

This approach lines up with the broader need for secure remote access and device management for accounting firms, especially when staff work across home, office, and client locations.

Do not forget shared devices and temporary staff. Kiosk-style setups, tax-season contractors, and meeting-room laptops often slip past normal controls. Put them in scope, or they will become the exception that creates the incident.
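The device rules in this section (compliance policy for managed devices, app protection only for BYOD, no unmanaged exceptions for kiosks and contractors) can be written down as a small evaluator, which is useful for reasoning about edge cases such as an old Windows build or a device with no patch date at all. The code below is an added example, not the article's code and not Intune's policy engine; the record shape (os, os_version, encrypted, screen_lock, defender_on, patched_on, managed), the policy thresholds and the four sample devices are all constructed.

```python
"""Evaluate device records against an Intune-style compliance policy (constructed)."""
from datetime import date

POLICY = {   # constructed minimums; set these to the firm's real baseline
    "min_version": {"Windows": "10.0.19045", "macOS": "14.0", "iOS": "17.0", "Android": "13"},
    "max_patch_age_days": 30,
}


def _version(text):
    """'10.0.19045.3693' -> (10, 0, 19045, 3693); non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _version_at_least(actual, minimum):
    a, m = _version(actual), _version(minimum)
    width = max(len(a), len(m))                 # pad so '10.0.19045' compares against '10.0.22631.3880'
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def compliance_failures(device, today, policy=POLICY):
    """Return the reasons a device fails the policy; an empty list means compliant."""
    failures = []
    minimum = policy["min_version"].get(device["os"])
    if minimum is None:
        failures.append(f"unsupported OS {device['os']!r}")
    elif not _version_at_least(device["os_version"], minimum):
        failures.append(f"{device['os']} {device['os_version']} is below minimum {minimum}")
    for flag in ("encrypted", "screen_lock", "defender_on"):
        if not device.get(flag):
            failures.append(f"{flag} is off")
    patched = device.get("patched_on")
    if patched is None or (today - patched).days > policy["max_patch_age_days"]:
        failures.append("patch level is older than the policy allows")
    return failures


def access_decision(device, today, policy=POLICY):
    """Mirror the access tiers in the checklist: full access only for compliant managed devices."""
    if not device.get("managed"):
        return "app-protection-only"     # BYOD: Outlook/Teams/OneDrive under app protection, no sync to disk
    return "allow" if not compliance_failures(device, today, policy) else "block"


TODAY = date(2025, 7, 1)
LAPTOP = {"name": "laptop-01", "managed": True, "os": "Windows", "os_version": "10.0.22631.3880",
          "encrypted": True, "screen_lock": True, "defender_on": True, "patched_on": date(2025, 6, 20)}
MEETING_ROOM = {"name": "meeting-room", "managed": True, "os": "Windows", "os_version": "10.0.17763",
                "encrypted": False, "screen_lock": True, "defender_on": True, "patched_on": date(2025, 1, 15)}
PARTNER_IPAD = {"name": "partner-ipad", "managed": False, "os": "iOS", "os_version": "17.5.1",
                "encrypted": True, "screen_lock": True, "defender_on": False, "patched_on": None}
CONTRACTOR_PHONE = {"name": "contractor-phone", "managed": True, "os": "Android", "os_version": "12",
                    "encrypted": True, "screen_lock": True, "defender_on": True, "patched_on": date(2025, 6, 25)}

if __name__ == "__main__":
    for dev in (LAPTOP, MEETING_ROOM, PARTNER_IPAD, CONTRACTOR_PHONE):
        print(dev["name"], access_decision(dev, TODAY), compliance_failures(dev, TODAY))
```

The meeting-room laptop is the case the last paragraph warns about: it is managed, so it is in scope, and it fails on three counts at once. The unmanaged iPad never reaches the compliance check; it lands in the app-protection tier regardless of how healthy it looks.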

Protect files in SharePoint, OneDrive, and Teams

Email gets attention, but many firms now store their most sensitive work in SharePoint, OneDrive, and Teams. That includes workpapers, financial statements, engagement files, identity documents, and client correspondence. If sharing is too open, those records can spread far beyond the intended people.

Tighten external sharing and link settings

Start with the default external sharing experience. For most accounting firms, the safest default is “Specific people” rather than anonymous or broad anyone links. Expiration dates on external links should be standard, and download access should be limited where viewing is enough.

Review guest access in Teams and SharePoint. Ask whether each guest still needs access, whether the site still needs external sharing, and whether ownership is clear. In many firms, a site owner has left, the client project has ended, and the sharing links remain live.

Also, look at OneDrive. Staff often share directly from their personal workspace because it is quick. That is fine for draft collaboration, but client-facing final files usually belong in a controlled SharePoint site where ownership survives staff leave, permissions are easier to review, and retention is easier to apply.

During tax season, consider stricter controls for high-risk teams. Some firms require approval for new external sharing on tax sites or payroll libraries. Others block sharing to personal email domains altogether. The right setting depends on how you work, but the default should never be open unless someone remembers to tighten it.
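The sharing review described above is easier to repeat if it runs over an export of active links. The audit below is an added example, not the article's code or a SharePoint feature; it assumes a flattened export with one record per link (site, path, link type, recipients, expiry, creation date, whether download is blocked), and the high-risk site names, the personal-mail domain list, the firm.example domain and the sample links are all constructed. It flags anonymous links, external links without expiry, organization-wide links on tax or payroll sites, sharing to personal mailboxes from those sites, external access older than a year, and external download where view-only would do.

```python
"""Audit exported SharePoint/OneDrive sharing links against the checklist's rules (constructed)."""
from datetime import date

HIGH_RISK_SITES = {"Tax-2025", "Payroll"}                        # constructed: sites holding tax and payroll work
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
FIRM_DOMAIN = "firm.example"                                     # placeholder for the firm's own domain
MAX_EXTERNAL_AGE_DAYS = 365


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def audit_links(links, today):
    """Return (location, issue) pairs for every link that breaks a sharing rule."""
    findings = []
    for link in links:
        where = f"{link['site']}/{link['path']}"
        kind = link["link_type"]                                 # "Anyone", "Organization" or "Specific people"
        high_risk = link["site"] in HIGH_RISK_SITES
        external = [r for r in link.get("recipients", []) if _domain(r) != FIRM_DOMAIN]
        reaches_outside = kind == "Anyone" or bool(external)
        if kind == "Anyone":
            findings.append((where, "anonymous 'Anyone' link; replace it with a 'Specific people' link"))
        if kind == "Organization" and high_risk:
            findings.append((where, "organization-wide link on a high-risk site; everyone in the firm can open it"))
        if reaches_outside and link.get("expires") is None:
            findings.append((where, "external link has no expiry date"))
        if reaches_outside and (today - link["created"]).days > MAX_EXTERNAL_AGE_DAYS:
            findings.append((where, "external access is older than a year; confirm the engagement is still active"))
        personal = [r for r in external if _domain(r) in PERSONAL_MAIL_DOMAINS]
        if personal and high_risk:
            findings.append((where, f"shared to personal mailbox(es) {', '.join(personal)} from a high-risk site"))
        if reaches_outside and high_risk and not link.get("block_download", False):
            findings.append((where, "external recipients can download; set view-only where viewing is enough"))
    return findings


TODAY = date(2025, 7, 1)
SAMPLE_LINKS = [  # constructed export
    {"site": "Tax-2025", "path": "Returns/Smith-2024.pdf", "link_type": "Specific people",
     "recipients": ["j.smith@gmail.com"], "expires": date(2025, 7, 31), "created": date(2025, 6, 1),
     "block_download": False},
    {"site": "Marketing", "path": "Brochure.pdf", "link_type": "Anyone",
     "recipients": [], "expires": None, "created": date(2025, 2, 1), "block_download": True},
    {"site": "Payroll", "path": "2024/Run-12.xlsx", "link_type": "Organization",
     "recipients": [], "expires": None, "created": date(2024, 3, 1), "block_download": False},
    {"site": "Clients-Acme", "path": "Engagement.docx", "link_type": "Specific people",
     "recipients": ["cfo@acme.example"], "expires": None, "created": date(2024, 1, 10),
     "block_download": True},
    {"site": "Tax-2025", "path": "Returns/Jones-2024.pdf", "link_type": "Specific people",
     "recipients": ["m.jones@jonesco.example"], "expires": date(2025, 7, 31), "created": date(2025, 6, 20),
     "block_download": True},
]

if __name__ == "__main__":
    for where, issue in audit_links(SAMPLE_LINKS, TODAY):
        print(f"{where}: {issue}")
```

The last sample link is the shape the section recommends: a specific named recipient at a client domain, an expiry date, and download blocked. It produces no findings, which is the point of making the default tight rather than relying on someone to remember.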

Use Microsoft Purview for Data Loss Prevention and labeling

Microsoft Purview provides the unified platform for the security features needed to protect client records. Sensitivity labels add structure to file handling. A simple label set often works best, such as Internal, Confidential Client, and Restricted Finance. Apply sensitivity labels to documents and emails so users can classify content without guessing. If your rollout is mature enough, add auto-labeling for well-known patterns.

Data Loss Prevention policies then give you a backstop. Build policies for bank account details, credit card data, tax file numbers, Social Security numbers, and passport details where relevant. Tune the rules before you enforce hard blocks. Otherwise, you may frustrate staff and get bypass behaviour instead of better security.

Good Data Loss Prevention policies do not only block. They also warn, justify, and log. That matters because many accounting workflows are legitimate but sensitive. A payroll officer may need to send protected data, but the firm should know it happened, wrap it in the right controls, and keep the event traceable. This approach also supports insider risk management, because the firm keeps sight of how sensitive data moves through the organization.
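Tuning before enforcing means knowing which matches are real. The scanner below is an added example, not the article's code and not Purview's own classifiers; it shows why a pattern-only rule for tax file numbers and Social Security numbers would block invoices and reference numbers, and how a confidence tier (check digit for Australian TFNs, issuance rules for US SSNs) lets the policy log low-confidence hits while warning or blocking only on high-confidence ones. The TFN test is the published weighted modulus-11 check; the sample text and the identifiers in it are constructed.

```python
"""DLP-style scanner for tax file numbers and SSNs with confidence tiers (constructed sample)."""
import re

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)                      # nine-digit Australian TFN check weights
TFN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def tfn_check_digit_ok(digits):
    """The weighted sum of the nine digits must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def ssn_structure_ok(area, group, serial):
    """Reject area/group/serial values that are never issued."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def scan(text):
    """Return matches as (kind, matched text, confidence)."""
    hits = []
    for m in TFN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        hits.append(("TFN", m.group(0), "high" if tfn_check_digit_ok(digits) else "low"))
    for m in SSN_PATTERN.finditer(text):
        hits.append(("SSN", m.group(0), "high" if ssn_structure_ok(*m.groups()) else "low"))
    return hits


def decide(hits, mode):
    """mode is 'audit' (log only), 'warn' (user can justify) or 'block'.

    Low-confidence hits never warn or block; they are logged so the rule can be
    tuned on real traffic before a hard block goes live."""
    if not hits:
        return "allow"
    high = any(conf == "high" for _, _, conf in hits)
    if mode == "block" and high:
        return "block"
    if mode == "warn" and high:
        return "warn"
    return "allow-and-log"


SAMPLE = ("Client TFN 123 456 782 attached. Invoice 987 654 321 is overdue. "
          "US contractor SSN 219-09-9999; ignore 000-12-3456.")      # constructed text

if __name__ == "__main__":
    found = scan(SAMPLE)
    for kind, value, conf in found:
        print(f"{kind} {value}: {conf} confidence")
    for mode in ("audit", "warn", "block"):
        print(mode, "->", decide(found, mode))
```

Of the two nine-digit strings in the sample, only the first passes the check digit, so a block rule keyed on high confidence stops the real TFN while the invoice number is merely logged. The same split is why the section says to tune before enforcing: a rule that treats every nine-digit string as a TFN trains staff to route around it.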

Retention also needs attention, although retention is not a backup plan. Keep the records you must keep, delete what you no longer need, and make file restore paths part of your incident planning.

Watch the logs and rehearse your response

Many firms learn they had a problem only after a client calls about a strange email or a file is encrypted. By then, time is already lost. Visibility shortens that gap.

Verify that audit logs are enabled and that your retention period fits your risk profile. Review mailbox activity, admin role changes, file sharing events, and unusual sign-ins. If you license Purview Audit features with longer retention or deeper detail, use these audit logs for higher-risk teams and key admins.


Alerting also matters. Configure alerts for suspicious inbox rules, impossible travel patterns, unusual admin activity, large file downloads, and risky sign-ins. In Defender, review incidents and automate the first steps where it makes sense, such as isolating a device or forcing a password reset after confirmed compromise.

Microsoft Secure Score is useful here, not as a vanity number, but as a review tool. Check it monthly, sort by impact, and fix the items that match your real risks. A higher score does not make you safe on its own, but it does help stop drift.

Every firm also needs a short, tested incident plan for Microsoft 365. Write down who can disable an account, revoke sessions, remove malicious inbox rules, review message trace, isolate a device, and contact affected clients. Keep after-hours contacts current. Then rehearse the plan before peak season, not during it.

If your team uses Microsoft Sentinel or another SIEM, feed Microsoft 365 alerts into it so email, identity, and endpoint events appear in one place. Even a small firm benefits from faster triage when signals connect.
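Two of the alerts named in this section, suspicious inbox rules and impossible travel, are also the signals the email section calls out when it warns that auto-forward rules quietly move client data out of your control. The code below is an added example, not the article's code or a Defender detection; it runs both detections over records shaped like Microsoft 365 unified audit log entries (Operation, UserId, CreationTime, ClientIP, Parameters as Name/Value pairs). The records are constructed, and the tiny IP-to-city table stands in for the geolocation lookup a real pipeline would use; the firm.example and ext.example domains are placeholders.

```python
"""Inbox-rule and impossible-travel detections over sample audit records (constructed)."""
import math
import re
from datetime import datetime

FIRM_DOMAINS = {"firm.example"}                  # placeholder for the firm's own mail domains
MAX_PLAUSIBLE_KMH = 900                          # faster than this between sign-ins is "impossible travel"
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Archive"}
PAYMENT_WORDS = ("invoice", "payment", "bank", "remittance")
GEO = {                                          # constructed lookup standing in for a geolocation service
    "203.0.113.10": ("Sydney", -33.87, 151.21),
    "198.51.100.7": ("Melbourne", -37.81, 144.96),
    "192.0.2.44": ("Lagos", 6.52, 3.38),
}
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def _params(record):
    """Flatten the audit log's [{Name, Value}, ...] parameter list into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def suspicious_inbox_rule(record):
    """Return the reasons an inbox-rule change looks like a compromised mailbox."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = _params(record)
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in EMAIL.findall(params.get(key, "")):
            if addr.rsplit("@", 1)[1].lower() not in FIRM_DOMAINS:
                reasons.append(f"{key} sends mail to external address {addr}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages")
    folder = params.get("MoveToFolder", "")
    if folder in HIDING_FOLDERS:
        reasons.append(f"rule hides mail in {folder!r}")
    subject = params.get("SubjectContainsWords", "").lower()
    if reasons and any(w in subject for w in PAYMENT_WORDS):
        reasons.append("and it targets payment-related subjects")
    return reasons


def _when(record):
    return datetime.fromisoformat(record["CreationTime"])


def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (lat1, lon1, lat2, lon2))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def impossible_travel(records):
    """Pair each user's consecutive sign-ins and flag pairs needing an implausible speed."""
    by_user = {}
    for rec in sorted(records, key=_when):
        if rec.get("Operation") == "UserLoggedIn" and rec.get("ClientIP") in GEO:
            by_user.setdefault(rec["UserId"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            p, c = GEO[prev["ClientIP"]], GEO[cur["ClientIP"]]
            dist = _km(p[1], p[2], c[1], c[2])
            hours = (_when(cur) - _when(prev)).total_seconds() / 3600
            if dist > 0 and (hours == 0 or dist / hours > MAX_PLAUSIBLE_KMH):
                alerts.append({"user": user, "from": p[0], "to": c[0], "km": round(dist), "hours": round(hours, 2)})
    return alerts


RULE_EXFIL = {   # constructed: forwards and deletes payment mail
    "CreationTime": "2025-07-01T10:35:00", "Operation": "New-InboxRule",
    "UserId": "alice@firm.example", "ClientIP": "192.0.2.44",
    "Parameters": [{"Name": "ForwardTo", "Value": "[SMTP:outside@ext.example]"},
                   {"Name": "DeleteMessage", "Value": "True"},
                   {"Name": "SubjectContainsWords", "Value": "invoice;payment;remittance"}],
}
RULE_BENIGN = {  # constructed: ordinary filing rule
    "CreationTime": "2025-07-01T09:10:00", "Operation": "New-InboxRule",
    "UserId": "bob@firm.example", "ClientIP": "203.0.113.10",
    "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}],
}
LOGINS = [  # constructed sign-in records
    {"CreationTime": "2025-07-01T09:00:00", "Operation": "UserLoggedIn", "UserId": "alice@firm.example", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2025-07-01T10:30:00", "Operation": "UserLoggedIn", "UserId": "alice@firm.example", "ClientIP": "192.0.2.44"},
    {"CreationTime": "2025-07-01T08:00:00", "Operation": "UserLoggedIn", "UserId": "bob@firm.example", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2025-07-01T12:00:00", "Operation": "UserLoggedIn", "UserId": "bob@firm.example", "ClientIP": "198.51.100.7"},
]

if __name__ == "__main__":
    for rule in (RULE_EXFIL, RULE_BENIGN):
        print(rule["UserId"], suspicious_inbox_rule(rule) or ["looks normal"])
    for alert in impossible_travel(LOGINS):
        print("impossible travel:", alert)
```

Read together, the two detections tell the story this section describes: a sign-in from a city the user could not have reached, followed minutes later by a rule that forwards payment mail outside the firm and deletes the evidence. That is the point at which the incident plan's first steps (revoke sessions, reset the password, remove the rule, run a message trace) should already be in motion.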

Train staff and tighten seasonal workflows

The best tenant settings still depend on people making good calls under pressure. That is why security awareness in accounting firms should focus on real scenarios, not generic slides.

Run phishing simulations that match the firm’s risk. Use fake client requests, payroll changes, tax refund lures, and urgent document-sharing prompts to improve your phishing protection. Then coach staff on what to report and how quickly. Make reporting simple inside Outlook so people do not have to guess where to send suspicious mail.

Seasonal workflows also need guardrails. Give temporary staff named accounts, short access windows, and only the permissions they need. Do not use shared logins for interns, contractors, or offshore processing teams. Shared accounts erase accountability and make investigations harder.

Payment changes, bank detail updates, and payroll amendments should always require out-of-band verification. Microsoft 365 settings help, but it is process control combined with technology that stops fraud attempts.

Frequently Asked Questions

Why is MFA not enough to secure my firm’s Microsoft 365 account?

While MFA is a critical baseline, attackers are increasingly using sophisticated methods to bypass it. You should complement MFA with Conditional Access policies that verify device health and sign-in context to ensure that even with a valid password, an attacker cannot access data from an unrecognized or unmanaged device.

Should seasonal tax staff have their own accounts?

Yes, every user—including contractors and temporary help—must have a unique account. Using shared logins prevents you from identifying who performed an action, destroys your audit trail, and makes it impossible to effectively revoke access once a contract ends.

What is the purpose of ‘break-glass’ accounts?

Break-glass accounts are highly privileged emergency accounts that bypass standard multi-factor authentication or conditional access rules that might otherwise lock you out of your tenant. These accounts serve as a safety net if your primary authentication service fails or if your main admin accounts are compromised, and they should be stored securely offline.

Does Microsoft 365 backup our data automatically?

No, Microsoft 365 is not a backup service; it is a high-availability service that focuses on uptime rather than historical data recovery. You are responsible for ensuring that you have a separate, independent backup strategy to recover files or mailboxes in the event of accidental deletion, ransomware, or malicious insider activity.

Conclusion

One compromised account can still expose a year’s worth of client work. Accounting firms reduce that risk when they treat Microsoft 365 security as a set of working controls, not a once-a-year project.

Start with identity and email, because those changes stop a large share of real attacks. When you treat cloud security as an ongoing commitment rather than a static checkbox, your firm can spot trouble early and contain it fast. A solid Microsoft 365 security checklist is not long for its own sake; it stays disciplined where client trust matters most.
