Most CPA firms running Microsoft 365 have the same problem: the license is active, email works, and nobody’s touched the security settings since setup. That’s not a configuration; it’s an open door. Here’s what’s actually at risk in a typical accounting firm’s M365 tenant, and what you should fix first.
Why Accounting Firms Are a High-Value Target
Your firm handles tax returns, financial statements, payroll data, and entity structures for dozens, maybe hundreds, of clients. That’s a concentrated goldmine for attackers. A single compromised inbox gives them access to bank account numbers, Social Security numbers, and enough personal financial detail to run wire fraud or identity theft at scale.
The IRS and state tax agencies have flagged accounting firms as repeat targets for business email compromise (BEC). The attack pattern is almost always the same: phish one staff member’s credentials, sit quietly in the inbox reading email threads, then send a convincing wire transfer or ACH change request at exactly the right moment.
Microsoft 365’s default settings won’t stop this. Here’s what will.
1. Multi-Factor Authentication Is Not Optional, and “Enabled” Isn’t Enough
Most firms turn on MFA at some point. What they don’t realize is that “enabled” in Entra ID isn’t the same as “enforced.” If users can still authenticate without completing MFA, because legacy authentication protocols like IMAP or SMTP AUTH are still open, MFA is decoration, not protection.
What to check:
- Go to Entra ID > Security > Authentication Methods and confirm MFA is enforced, not just enabled
- Block legacy authentication via a Conditional Access policy: Entra ID > Security > Conditional Access > New Policy > Cloud Apps: All > Conditions: Client Apps > Legacy Authentication Clients > Grant: Block
- Disable SMTP AUTH for any mailbox that doesn’t need it:
# Requires the ExchangeOnlineManagement module and an open Connect-ExchangeOnline session
Set-CASMailbox -Identity [email protected] -SmtpClientAuthenticationDisabled $true
If you’re still using Security Defaults instead of Conditional Access policies, you’ve outgrown them. Security Defaults are a starting point for organizations with no IT, not the right tool for a firm with client data obligations.
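The legacy-authentication block from the checklist above, staged the way a practitioner would roll it out: first find who still signs in with legacy protocols, then create the Conditional Access policy in report-only mode. This is an added example in Microsoft Graph PowerShell, not code from the original post; it assumes the Microsoft.Graph module, an Entra ID P1 licence (sign-in logs and Conditional Access), and a placeholder break-glass account ID you replace with your own.

```powershell
# Added example (not from the original post): block legacy authentication, report-only first.
# Assumes the Microsoft.Graph module and an Entra ID P1 licence.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Step 1: who still authenticates with legacy protocols? Scanners, multifunction printers
# and old Outlook profiles show up here; they stop working the moment the policy is
# enforced, so fix or exclude them before flipping the switch.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("o")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0" |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Step 2: create the policy in report-only mode. "exchangeActiveSync" plus "other" are the
# Graph clientAppTypes that correspond to "Legacy Authentication Clients" in the portal.
$breakGlassId = "<object-id-of-break-glass-admin>"   # placeholder: one emergency admin stays excluded
$policy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing the report
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode for a week or two and compare its results against the Step 1 list before enforcing it.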
2. Your Former Employees Probably Still Have Access
Staff turnover in accounting firms is real: tax season contractors, seasonal hires, staff who left mid-year. If your offboarding process is “disable the account and move on,” you’re leaving SharePoint access, shared mailbox permissions, and delegated calendar rights in place for accounts that are technically disabled but not fully revoked.
Run this audit in PowerShell:
# Requires Microsoft Graph PowerShell: Connect-MgGraph -Scopes "User.Read.All"
# Find all disabled accounts that still have active licenses
# (-All is required; without it Get-MgUser returns only the first page of results)
Get-MgUser -All -Filter "accountEnabled eq false" -Property DisplayName,UserPrincipalName,AssignedLicenses |
Where-Object { $_.AssignedLicenses.Count -gt 0 } |
Select-Object DisplayName, UserPrincipalName
Also check shared mailboxes. In most firms, a shared mailbox like admin@ or payroll@ has five or six people with full access, and nobody’s reviewed that list in years.
# List all members with FullAccess to a shared mailbox
# (skip the mailbox's own NT AUTHORITY\SELF entry and inherited entries, which are noise)
Get-MailboxPermission -Identity "[email protected]" |
Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" } |
Select-Object User, AccessRights
3. SharePoint and OneDrive Sharing Is Wide Open
Microsoft 365’s default sharing settings allow users to share files with anyone via a link โ no sign-in required. For a firm handling client tax documents, that’s a data exposure waiting to happen.
Where to tighten this:
- SharePoint Admin Center > Policies > Sharing: Set external sharing to Existing guests only or Only people in your organization
- Set the default link type to Specific people instead of Anyone
- Review the Sharing tab on your top-level SharePoint sites; you may find client-facing sites with “Anyone with the link” still active from a one-time file share that never got cleaned up
This is also relevant for compliance. If your firm handles data for clients in regulated industries, uncontrolled external sharing is a liability regardless of which framework applies.
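The same three sharing changes, applied from SharePoint Online PowerShell so the before and after states are recorded. Added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module and uses "yourfirm" as a placeholder tenant name.

```powershell
# Added example (not from the original post): tighten tenant-wide sharing and find sites
# that were individually set to "Anyone". Assumes the SharePoint Online management module.
Connect-SPOService -Url "https://yourfirm-admin.sharepoint.com"   # placeholder tenant name

# Before: record the current settings so the change can be reverted if a workflow breaks
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# After: external sharing only with guests who already exist in the directory,
# new links default to "Specific people" (Direct) with view-only permission
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# The tenant setting is a ceiling, but each site keeps its own setting. Sites that were set
# to "Anyone" are the ones the article says to review: they show where anonymous links were in use.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability, Owner
```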
4. No Unified Audit Log Means No Forensics
If something goes wrong (a compromised account, a data leak, an unauthorized login), the first thing you need is logs. Microsoft 365’s Unified Audit Log is where all of that lives. It’s not enabled by default on all license tiers, and even where it is, most firms have never verified it’s actually running.
Check and enable:
# Requires an open Connect-ExchangeOnline session
# Verify audit log status (should report True)
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
# Enable if it's off
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Audit log retention defaults to 90 days on most business licenses. If you’re on Microsoft 365 Business Premium, you get 180 days. For a firm that might not discover a breach for weeks, 90 days can be the difference between a full forensic picture and nothing.
5. Microsoft Defender for Business Is Sitting Unused
If your firm is on Microsoft 365 Business Premium, you have Microsoft Defender for Business included: endpoint detection and response (EDR), automated investigation, and attack surface reduction rules. Most firms have never activated it.
This isn’t basic antivirus. Defender for Business monitors process behavior, flags lateral movement, and can automatically isolate a compromised machine before ransomware spreads to the file server where your client documents live.
To activate: go to security.microsoft.com > Assets > Devices and onboard your endpoints. If you’re managing devices through Intune, push the onboarding package via a configuration profile. If you’re not using Intune yet, the local script onboarding method works fine for smaller firms.
6. Client Documents Are Going Out Unencrypted
Accountants routinely email tax returns, W-2s, and financial statements. Most of those emails go out unencrypted, which creates exposure both in transit and if a client’s inbox is ever compromised.
Microsoft Purview Message Encryption (included in Business Premium) lets you send encrypted email that recipients can open via a one-time passcode, with no special software required on their end.
Set up a mail flow rule in Exchange Admin Center > Mail Flow > Rules to automatically encrypt outbound messages containing keywords like “tax return,” “W-2,” “SSN,” or “routing number.” It takes 20 minutes to configure and covers a meaningful slice of your compliance exposure.
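The same mail flow rule created from PowerShell, started in audit mode so you can see what it would have matched before real client mail is forced through encryption. Added example, not code from the original post; it assumes an open Connect-ExchangeOnline session and that Purview Message Encryption is licensed in the tenant (the template name is looked up rather than assumed).

```powershell
# Added example (not from the original post): auto-encrypt outbound mail containing the
# keywords from the article. Assumes Connect-ExchangeOnline and Purview Message Encryption.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq "Encrypt" }
if (-not $template) {
    throw "No 'Encrypt' RMS template found; confirm Purview Message Encryption is set up for this tenant."
}

New-TransportRule -Name "Encrypt outbound client financial documents" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "tax return", "W-2", "SSN", "Social Security", "routing number" `
    -ApplyRightsProtectionTemplate $template.Name `
    -Comments "Auto-encrypt client tax and banking data leaving the firm (IRS Pub 4557)." `
    -Mode Audit   # audit first: matches are logged in message trace but nothing is changed yet

# Caveat: SubjectOrBodyContainsWords does not look inside attachments, so a W-2 PDF with a
# neutral subject line will not match. Cover that case with a second rule that uses
# -AttachmentContainsWords (conditions within one rule are ANDed, so keep it separate).

# Switch to enforcement once the audit results look right:
# Set-TransportRule -Identity "Encrypt outbound client financial documents" -Mode Enforce
```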
What This Looks Like in Practice
A typical accounting firm audit turns up some version of the same findings: MFA enabled but not enforced, two or three former employee accounts with active licenses, SharePoint sharing set to “Anyone,” audit logging off, and Defender for Business never touched. None of it requires enterprise-tier licensing to fix; most of it is already included in what the firm is paying for.
The gap isn’t budget. It’s that nobody’s gone through the tenant with a security-first lens since the original setup.
Schedule a free IT assessment: we’ll go through your M365 tenant configuration and give you a written summary of what’s exposed and what to fix first.
FAQ
Does my CPA firm need to be HIPAA compliant? Not unless you handle protected health information, for example if you do accounting for medical practices and receive PHI as part of that engagement. However, IRS Publication 4557 (Safeguarding Taxpayer Data) and most state privacy laws impose their own requirements on how firms protect client data. The security controls above address most of those regardless of which regulation applies.
What Microsoft 365 license do accounting firms actually need? Microsoft 365 Business Premium is the right tier for most firms. It includes Defender for Business, Intune, Entra ID P1 (for Conditional Access), and Purview Message Encryption. Business Basic and Business Standard are missing most of the security tooling; they’re email and productivity licenses, not security licenses.
How do I know if our M365 tenant has already been compromised? Start with the Unified Audit Log in the Microsoft Purview compliance portal. Filter for sign-in events from unfamiliar locations or unusual hours. Also check Entra ID > Sign-in Logs for authentication attempts that succeeded from unfamiliar IP addresses. If you find something suspicious, preserve the logs before revoking access; you want a forensic picture before you start cleaning things up.
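The log review described in this answer and in section 4, done against the Unified Audit Log from PowerShell: pull a month of successful sign-ins, summarise them per user and source IP so one-off locations stand out, flag off-hours logins, and write a copy to disk before anything is remediated. Added example, not code from the original post; it assumes an open Connect-ExchangeOnline session and that audit ingestion is enabled.

```powershell
# Added example (not from the original post): review 30 days of sign-ins from the
# Unified Audit Log. Assumes Connect-ExchangeOnline and UnifiedAuditLogIngestionEnabled = True.
$end       = Get-Date
$start     = $end.AddDays(-30)
$sessionId = "signin-review-" + (Get-Date -Format "yyyyMMddHHmmss")
$rows      = @()
do {
    # Search-UnifiedAuditLog returns at most 5000 records per call; the session walks the pages
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations UserLoggedIn `
                -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnNextPreviewPage
    if ($page) { $rows += $page }
} while ($page.Count -eq 5000)

$events = $rows | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json        # per-event detail is a JSON string
    [pscustomobject]@{
        User     = $d.UserId
        ClientIP = $d.ClientIP
        When     = [datetime]$d.CreationTime    # CreationTime is UTC
        Hour     = ([datetime]$d.CreationTime).Hour
    }
}

# Preserve first: export the raw picture before any account is disabled or password reset
$events | Export-Csv -Path ".\signin-review.csv" -NoTypeInformation

# User/IP pairs seen only once or twice in a month are the ones to look at (sorted rarest first)
$events | Group-Object User, ClientIP |
    Select-Object Count,
                  @{ n = 'User';      e = { $_.Group[0].User } },
                  @{ n = 'ClientIP';  e = { $_.Group[0].ClientIP } },
                  @{ n = 'FirstSeen'; e = { ($_.Group | Measure-Object When -Minimum).Minimum } } |
    Sort-Object Count |
    Format-Table -AutoSize

# Off-hours logins (hours are UTC; shift the window to match the firm's local working day)
$events | Where-Object { $_.Hour -ge 6 -and $_.Hour -lt 11 } |
    Sort-Object When | Format-Table User, ClientIP, When -AutoSize
```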
Is Microsoft 365 backup included with the license? No. Microsoft’s service agreement explicitly states that data protection and backup are the customer’s responsibility. M365 has recycle bins and version history, but those aren’t backups; they won’t protect you against a ransomware attack that syncs encrypted files to OneDrive before you notice. A third-party backup solution covering Exchange, SharePoint, and OneDrive is table stakes for any firm with client data obligations.
How long does it take to secure an existing M365 tenant? For a firm of 5-25 users with no prior hardening, a focused security configuration engagement typically takes one to two days of work spread over a week: audit first, then implement in a controlled sequence. Most changes are non-disruptive; the ones that can affect users (like blocking legacy auth) get tested and communicated in advance.
