The default configuration of any cloud productivity tenant — Microsoft 365 or Google Workspace — is a starting point, not a finished state. Hardening it against the specific threats law firms face is one of the highest-leverage security investments available, and one of the most consistently under-executed.
Turn on what you already own
Most firms have licensed security features they haven't fully enabled. An honest baseline review usually finds two or three that could be turned on today at no additional cost. This is the single fastest win in most tenant-hardening engagements.
Restrict external sharing intentionally
Default open sharing is convenient and dangerous. Firms should make external sharing a deliberate decision, logged and reviewable, rather than the frictionless default it becomes without explicit configuration.
Watch admin activity like a hawk
Global-admin and super-admin actions should trigger alerts and be reviewed weekly. Attacker access to those roles is game-over otherwise, and the difference between catching that access in an hour and catching it in a week is often the difference between a contained incident and a breach.
Document the baseline
A written, versioned tenant baseline is what makes the difference between 'we think it's secure' and 'we can prove it's secure' at the next client audit or insurance renewal. Undocumented configurations are unauditable configurations.
Test the baseline periodically
Baselines drift. Firms that run quarterly configuration reviews catch drift early; firms that run annual ones catch it after it has caused problems. The frequency should match the pace of change in the tenant.
The identity plane comes first
Every other tenant control assumes a strong identity foundation. Firms that harden other surfaces before consolidating identity build on sand. Fix identity first; everything else follows more easily.
We harden tenants for firms every week. Talk to us, or subscribe below for our next security-baseline update.



