Case Study · Professional Services
Microsoft 365 Security Hardening for an Asheville Professional Services Firm
A small firm with ten-plus years on Microsoft 365 had never had their tenant reviewed. The security gaps were not dramatic; they were just accumulated. We fixed them before something went wrong.
Industry
Professional Services
Location
Asheville, NC
Platform
Microsoft 365
Status
Complete
The situation
A ten-person professional services firm in Asheville had been running Microsoft 365 since the early days of the platform. It worked. Email went out, files lived in SharePoint, Teams handled internal communication. Nobody had complaints.
When they brought us in for a general IT review, we started with the Microsoft 365 tenant because it almost always tells the full story. What we found was a textbook example of accumulated risk: not a single catastrophic mistake, but years of small decisions that individually seemed fine and collectively created real exposure.
Three former employees still had active accounts. Two people were global admins who did not need to be. MFA was turned on for some users but not enforced. Two mailboxes had email forwarding rules that nobody had set intentionally. And Microsoft 365 data had never been backed up outside the platform.
None of this had caused a problem yet. That was not evidence that everything was fine. It was evidence that they had been lucky.
What we found in the tenant audit
Former employees with active accounts
Unnecessary global admin accounts
MFA enabled but not enforced
Unknown inbox forwarding rules on two mailboxes
No Microsoft 365 backup outside the platform
No email filtering or anti-phishing policy configured
Shared mailboxes accessible to more users than needed
What we did
Account cleanup
Disabled and documented all accounts belonging to former employees. Reviewed access logs to confirm the accounts had not been used recently. Removed stale licenses to reduce cost and exposure.
Admin role audit
Reduced global admin accounts to one dedicated admin account used only for administrative tasks. Reassigned the remaining users to appropriate lesser roles. Set up monitoring for any future global admin role changes.
MFA enforcement
Moved the tenant from MFA available to MFA required using Conditional Access policies. Walked each user through the enrollment process and made sure authenticator apps were configured rather than relying on SMS.
Inbox rule review
Reviewed all inbox and forwarding rules across every mailbox. Found two rules that were silently forwarding copies of inbound email to external addresses. Removed both, changed the affected passwords, and audited recent sign-in activity.
Email security hardening
Enabled Microsoft Defender anti-phishing and anti-spoofing policies. Configured Safe Links and Safe Attachments. Verified SPF, DKIM, and DMARC records were correctly published and enforcing.
Cloud backup
Added a third-party Microsoft 365 backup solution covering Exchange, SharePoint, OneDrive, and Teams. Ran an initial full backup and verified restore capability before signing off on the engagement.
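As an added example, not the firm's own tooling or part of the original case study: the inbox rule and mailbox forwarding sweep described above, written as an Exchange Online PowerShell script. It flags every forwarding target outside the tenant's accepted domains (mailbox-level forwarding as well as inbox rules, hidden ones included) and then pulls the audit log entries that show who created or changed rules. The cmdlets are the public ExchangeOnlineManagement ones; the output file name is an arbitrary choice.

```powershell
# Added example, not the firm's or the case study's own script: enumerate every
# forwarding path that sends mail outside the tenant. Assumes the
# ExchangeOnlineManagement module and a role that can read recipients,
# inbox rules and the unified audit log; sign-in is interactive with MFA.
Connect-ExchangeOnline -ShowBanner:$false

# Every domain the tenant owns is internal; any other domain is external.
$internal = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Get-SmtpFromRecipient {
    # Rule targets look like '"Name" [SMTP:user@example.com]'; pull the address.
    param([string]$Recipient)
    if ($Recipient -match 'SMTP:([^\]]+)') { return $Matches[1].ToLower() }
    return $Recipient.ToLower()
}

function Test-ExternalAddress {
    param([string]$Address)
    $domain = ($Address -split '@')[-1]
    return ($internal -notcontains $domain)
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding is set by an admin and never shows up in Outlook.
    if ($mbx.ForwardingSmtpAddress) {
        $target = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '').ToLower()
        if (Test-ExternalAddress $target) {
            $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'; Rule = ''; Target = $target; KeepsCopy = [bool]$mbx.DeliverToMailboxAndForward }
        }
    }
    # Inbox rules, including hidden ones that the Outlook rules dialog does not list.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            $addr = Get-SmtpFromRecipient $t
            if (Test-ExternalAddress $addr) {
                $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'; Rule = $rule.Name; Target = $addr; KeepsCopy = -not $rule.DeleteMessage }
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding.csv -NoTypeInformation

# Who created or changed rules, and when (look-back is limited by audit retention).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData
```

A rule that both forwards externally and deletes the original (KeepsCopy false) is the pattern most worth escalating, since the mailbox owner never sees the messages that left.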
The outcome
In the span of a single project engagement, this firm went from a tenant that had not been meaningfully reviewed in years to one with tight access controls, enforced multi-factor authentication, clean admin roles, active email threat protection, and a real recovery option if something ever went wrong.
The inbox forwarding rules were the most significant find. They had been there for an unknown length of time. Whether they were placed intentionally by an attacker or were a misconfiguration, the risk was real: email from multiple mailboxes had been quietly leaving the organization.
The firm's leadership appreciated the straightforwardness of the process. We explained what we found, why it mattered, and what we were doing to fix it. No alarm, no upsell theater. Just a clear picture of where things stood and what it would take to get them right.
Former employee accounts disabled and documented
Global admin accounts reduced to minimum needed
MFA enforced across all users via Conditional Access
Unknown forwarding rules removed, affected accounts secured
Anti-phishing, Safe Links, and Safe Attachments active
SPF, DKIM, and DMARC correctly configured
Microsoft 365 backup active with verified restore capability
Related services
Microsoft 365 Administration
Ongoing Microsoft 365 management, security hardening, and role governance.
Cybersecurity & Endpoint Protection
Layered protection for email threats, endpoints, and account compromise.
Cloud Backup & Disaster Recovery
Microsoft 365 backup with real restore capability, not just an export button.