Client Install: Securing a Microsoft 365 tenancy for a law firm

This week David worked with a legal client to secure their Microsoft 365 tenancy after an access breach.

A Microsoft 365 tenancy is basically a dedicated instance of the services of Microsoft 365 and your businesses data, this is your emails, SharePoint/OneDrive, Teams, Azure Active Directory (Azure AD) tenant for administering user accounts and groups for instance. It is a critical space where the security of your businesses data can be controlled from and also subsequently accessed.

After reaching out to FortiTech the company sat with David to discuss their recent breach and work through a plan to secure their Microsoft 365 tenancy and educate staff on cybersecurity.

With the risk of cyberattacks increasing daily, it is critically important that all businesses take proactive steps to secure their data, with more than 155 million active users every month, Microsoft 365 (formally Office 365) is a prime target for hackers.

Knowing that it is a big target for hackers Microsoft has also taken upon itself to provide "Secure Scores" for a number of products including:

  • Microsoft 365 (including Exchange Online)
  • Azure Active Directory
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Cloud App Security
  • Microsoft Teams

We have already had a number of businesses approach us after having their Microsoft 365 tenancy breached and in some cases they have lost over $100,000 through fraudulent transactions.

FortiTech cannot stress enough how important it is to ensure your technology is secure.  It takes on average 60 days for a business to identify that they have had a breach and one unlucky company took a whopping 1320 days!

Assessment Time

An assessment of the clients tenancy identified a number of areas for improvement, working with our security checklist and our 32-page Microsoft 365 Security Guide we focused on these areas:


Our client has multiple offices around Australia along with remote offices in the Philippines and Vanuatu, so we ensured that all countries were included in the Conditional Access rules for login location, meaning that only users from Australia, the Philippines and Vanuatu could log into the clients Microsoft 365, this is a great way to prevent hackers from China (the #1 location for hackers) trying to log in to a Microsoft account belonging to our client even if they had all of the other credentials for instance. 

In addition, our client has booked David in for a Security Awareness Training session for their staff with the overseas teams joining via Teams. 

How can Security Awareness Training help?


Spam filters and network protection such as firewalls can stop the majority of attempted attacks before they reach your organisation, but as 67% of current malware is zero day, this means that the filters aren’t even aware the threat exists and therefore cannot mitigate it. This is where your next best line of defence is your staff.

Investing in Security Awareness Training (SAT) for your organisation on a monthly basis can reduce the risk of an attack, computer-based training is by far the most popular way to deliver it to staff with 79% of organisations using this delivery method.   Training can be anything from a questionnaire to an in-person training session and is best led from the top, we encourage our clients  hold regular discussions within the business about cyber security and to have an open door policy allow anyone to raise issues or report a breach without fear of repercussions.

At FortiTech, we also recommend augmenting SAT with simulated phishing attacks to test the effectiveness of training and allow you to tailor it further.   

Looking to secure your Microsoft 365 Tenancy?


Just give us a call on 1300 778 078 and we can provide you with a quote.

We can also implement other data security measures including:

  • Backups for Microsoft 365
  • Email Antispam
  • Computer Maintenance and Security
  • Penetration Testing and Firewalls.

Reach out today, we will help get you on the right path.