Almost every law firm we speak to is already paying for Microsoft 365. Far fewer are using it in a way that actually supports the way solicitors work - matter-centric, confidential by default, and defensible under SRA and UK GDPR scrutiny. This guide walks through the setup we recommend when we bring a legal firm onto our IT support.
1. Get the licensing right
Most firms benefit from Microsoft 365 Business Premium up to 300 users - it bundles the productivity apps with Intune device management, Defender for Business, Azure AD Premium P1 and information protection. Above 300 seats, or where you need advanced eDiscovery and Purview, you're into Microsoft 365 E3 or E5. Don't mix and match randomly - it creates gaps that only show up during an incident.
2. Lock down identity before anything else
Enable security defaults or, better, Conditional Access policies that require MFA for every user, block legacy authentication, and step up authentication when a sign-in looks risky. Turn on self-service password reset. Restrict global admin rights to two named people with separate admin accounts. This is 80% of the security value most firms will ever get from Microsoft 365.
3. Build SharePoint around matters, not departments
Set up a hub site for the firm, then a site per practice group. Matters live as document libraries or dedicated sites inside the relevant group, with permissions scoped to the fee-earners and support staff on that matter. Version history is on by default - use it. Sensitivity labels applied at the site level make sure client-confidential material is encrypted and can't be forwarded outside the firm without a business reason.
4. Make Teams the day-to-day workspace
Teams should mirror your matter and practice-group structure. Private channels for restricted matters. External access controlled - a partner sharing a Teams meeting link with a client is fine; open federation to any tenant on the internet is not. Recording and transcription policies configured with retention that matches your file retention schedule.
5. Turn on the compliance tools you're paying for
Microsoft Purview Data Loss Prevention (DLP) can stop client data being emailed to personal addresses. Retention policies expire matter files in line with SRA and Lexcel guidance. The unified audit log tells you who accessed what and when - the Legal Ombudsman and ICO both expect this to be available. These are included in most legal licences but rarely switched on until an incident forces the issue.
6. Manage devices with Intune
Every laptop and phone accessing client data should be enrolled in Intune - firm-owned devices fully managed, BYOD phones with app-level containment. That way, when a fee-earner loses a phone in a taxi, you can wipe the client data without touching their personal photos.
7. Back up Microsoft 365 - Microsoft won't
Microsoft protects the platform, not your data. Use a third-party Microsoft 365 backup solution to cover Exchange, SharePoint, OneDrive and Teams. Test restores twice a year. If a fee-earner deletes a matter folder in month three and you notice in month seven, you'll want more than the native recycle bin to fall back on.
Where firms get stuck
The two biggest traps are treating Microsoft 365 as "just email" and rolling out every feature at once. The right sequence is identity and security first, then SharePoint and Teams structure, then compliance controls, then Copilot and the productivity layer on top.
Our IT support for law firms includes Microsoft 365 setup, hardening and ongoing management. Get in touch if you'd like us to review your current tenant.