When this firm got in touch, they had an SRA audit scheduled for the following month.
The first thing we did was a full Microsoft 365 tenant audit using the Admin Centre and the Secure Score dashboard. What we found was typical of a firm that had grown without much IT oversight: SPF was published, but DKIM signing was not enabled; DMARC was set to p=none with no reporting address, so the policy was monitor-only and nobody was receiving the reports; and three members of staff were sharing a single generic inbox login that had not been changed since 2019.
There were also 14 active user accounts for a firm of 12 people, meaning two former employees still had live credentials with full mailbox access. One of those accounts had last signed in six weeks earlier from a location in Eastern Europe. We flagged this immediately and revoked both accounts' sessions within the hour.
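The reconciliation behind those two findings (accounts that exist in the tenant but not on the staff roster, and a last sign-in from outside the expected country) is mechanical enough to script. The block below is an added example, not part of the original case study or any tooling the firm uses. Its record layout is an assumption: the fields mirror what an Entra ID user export with sign-in activity provides, but the names are simplified and the users and dates are constructed for a hypothetical domain.

```python
"""Reconcile a tenant's user list against the HR roster and flag risky sign-ins.

Added example, not part of the original case study. The record layout is an
assumption: fields resemble an Entra ID user export with signInActivity, but
names are simplified and every user below is constructed, not real data.
"""
from datetime import datetime, timedelta, timezone

# Constructed reference date so the example is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)
ALLOWED_COUNTRIES = {"GB"}

# Constructed HR roster: the people who should hold an account.
ROSTER = {"a.smith@example.invalid", "b.jones@example.invalid", "c.patel@example.invalid"}

# Constructed tenant export: five enabled accounts for a roster of three.
TENANT_USERS = [
    {"upn": "a.smith@example.invalid", "enabled": True,
     "last_sign_in": "2024-05-31T08:12:00Z", "last_country": "GB"},
    {"upn": "b.jones@example.invalid", "enabled": True,
     "last_sign_in": "2024-05-30T17:40:00Z", "last_country": "GB"},
    {"upn": "c.patel@example.invalid", "enabled": True,
     "last_sign_in": "2024-01-15T09:00:00Z", "last_country": "GB"},
    {"upn": "d.leaver@example.invalid", "enabled": True,
     "last_sign_in": "2024-04-20T02:11:00Z", "last_country": "RO"},
    {"upn": "e.leaver@example.invalid", "enabled": True,
     "last_sign_in": None, "last_country": None},
]


def triage_accounts(users, roster, now=NOW, stale_after=STALE_AFTER,
                    allowed_countries=ALLOWED_COUNTRIES):
    """Return {upn: [reasons]} for every enabled account that needs a decision.

    Reasons: 'not_on_roster' (orphaned account), 'never_signed_in',
    'stale' (no sign-in within stale_after), 'foreign_sign_in' (last sign-in
    from outside allowed_countries).
    """
    roster_lc = {u.lower() for u in roster}
    findings = {}
    for user in users:
        if not user["enabled"]:
            continue  # already disabled: nothing to decide
        reasons = []
        if user["upn"].lower() not in roster_lc:
            reasons.append("not_on_roster")
        if user["last_sign_in"] is None:
            reasons.append("never_signed_in")
        else:
            last = datetime.fromisoformat(user["last_sign_in"].replace("Z", "+00:00"))
            if now - last > stale_after:
                reasons.append("stale")
            if user["last_country"] not in allowed_countries:
                reasons.append("foreign_sign_in")
        if reasons:
            findings[user["upn"]] = reasons
    return findings


def orphaned_with_foreign_sign_in(findings):
    """Highest priority: accounts nobody owns that were last used from abroad."""
    return sorted(upn for upn, reasons in findings.items()
                  if "not_on_roster" in reasons and "foreign_sign_in" in reasons)


if __name__ == "__main__":
    result = triage_accounts(TENANT_USERS, ROSTER)
    for upn, reasons in sorted(result.items()):
        print(f"{upn}: {', '.join(reasons)}")
    print("act first on:", orphaned_with_foreign_sign_in(result))
```

The orphaned account with a foreign sign-in is the one to disable and session-revoke first; a current employee's stale account (c.patel in the constructed data) is a conversation with the practice manager, not an emergency.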
WHAT WE DID
We worked through the remediation systematically over four days. DKIM signing was enabled and verified for their primary domain. DMARC was moved to p=quarantine with a RUA (aggregate reporting) address, so they could see who was sending mail as their domain in the wild. The shared login was retired and the inbox converted to a proper shared mailbox in Exchange Online, accessed through each user's own account. All 12 live accounts were enrolled in MFA using Microsoft Authenticator, and conditional access policies were applied to block sign-ins from outside the UK unless explicitly approved.
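Whether a DMARC record actually enforces anything comes down to a few tags, and the checks are easy to get wrong by eye. The block below is an added example, not part of the original case study, that evaluates the before and after state described above for a hypothetical domain: the records are constructed, and in practice you would paste in the TXT values returned by `dig +short TXT _dmarc.<domain>` or `Resolve-DnsName -Type TXT`.

```python
"""Score published DMARC and SPF records for the weaknesses found in this
engagement: p=none, no aggregate reporting (rua), and a permissive SPF.

Added example, not part of the original case study. Records are constructed
for a hypothetical domain; feed in real TXT values from your own DNS lookups.
"""
import re

# Constructed records mirroring the before/after state of the engagement.
DMARC_BEFORE = "v=DMARC1; p=none"
DMARC_AFTER = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.invalid; pct=100"
SPF_RECORD = "v=spf1 include:spf.protection.outlook.com -all"

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return findings; an empty list means the record both enforces and reports."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1; receivers will ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitor-only, spoofed mail is still delivered")
    elif policy not in POLICY_STRENGTH:
        findings.append(f"missing or invalid p= tag ({policy!r})")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, no visibility of who sends as the domain")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua target is not a mailto: URI: {uri.strip()!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    sub = tags.get("sp", "").lower()
    if sub and POLICY_STRENGTH.get(sub, -1) < POLICY_STRENGTH.get(policy, -1):
        findings.append(f"sp={sub} is weaker than p={policy}: subdomains can still be spoofed")
    return findings


def spf_findings(record: str) -> list:
    """Flag a permissive 'all' mechanism and too many DNS-querying mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    all_terms = [t.lower() for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1] in ("+all", "all"):
        findings.append("+all: any host on the internet passes SPF for this domain")
    elif all_terms[-1] == "?all":
        findings.append("?all: neutral, effectively no protection")
    elif all_terms[-1] == "~all":
        findings.append("~all: softfail only; DMARC must do the enforcing")
    # RFC 7208 limits include/a/mx/ptr/exists/redirect to 10 lookups in total.
    lookups = sum(1 for t in terms[1:]
                  if re.match(r"[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)", t, re.I))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying mechanisms: over the RFC 7208 limit of 10, evaluates as permerror")
    return findings


if __name__ == "__main__":
    for label, rec in (("DMARC before", DMARC_BEFORE), ("DMARC after", DMARC_AFTER)):
        print(label, "->", dmarc_findings(rec) or ["OK"])
    print("SPF ->", spf_findings(SPF_RECORD) or ["OK"])
```

The before record fails on two counts (monitor-only policy, no reporting address); the after record passes. Note that the checker reads only what is published, so a clean result still needs DKIM confirmed separately by inspecting the selector records and a signed test message.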
We also set up Microsoft Entra ID audit and sign-in logging with 90-day retention, well beyond the 30 days the tenant keeps by default, giving them a proper sign-in trail to show the auditors. The practice manager received a one-page summary of everything done and everything now in place, so she could hand it directly to the auditor without us needing to be in the room.
SERVICES INVOLVED
- Microsoft 365 Management
- Email Security
- Compliance Support
- Identity & Access
