Microsoft 365 for Solicitors UK (2026): SRA-Compliant Setup Guide
Last updated: April 2026
Law firms, legal advice centres and in-house legal teams need Microsoft 365 set up differently from a generic SMB. Client confidentiality isn't optional. The SRA takes information security seriously. Conveyancing fraud specifically targets solicitors' email. And Lexcel accreditation demands documented controls.
This is how to get it right — without spending more than you need to.
The baseline: Business Premium or nothing
For UK law firms, Microsoft 365 Business Premium (£17.75/user/month) is the right tier. It's not a "nice to have" — it's the minimum sensible plan for a firm handling client confidences.
What Premium includes that lower tiers don't:
- Microsoft Defender for Business — endpoint protection with EDR
- Microsoft Intune — control of every device accessing client data
- Entra ID P1 — conditional access, enforced MFA, audit logging
- Azure Information Protection — document labelling and encryption
A law firm on Business Standard (£10.08) saves £7.67 per user per month but loses all four of the above. If an SRA inspection asks "how do you control which devices access client files?", you can't answer. Don't do it.
The conveyancing fraud problem
Conveyancing fraud is the single biggest cyber risk for UK law firms. The pattern:
- Criminal compromises or spoofs a party's email account (usually the buyer's)
- Sends a fake "payment details changed" email just before completion
- Client transfers the deposit to the criminal's account
- Solicitor ends up in a dispute over who carries the loss
Microsoft 365's baseline (Exchange Online Protection) does not catch this. It's technically legitimate email from a real account.
What does catch it:
- Defender for Office 365 Plan 1 (£1.72/user/month add-on): Safe Links and Safe Attachments — scans links in real time and attachments in a sandbox
- Impersonation protection in Defender Plan 1: flags emails pretending to be from a partner or fee earner
- External sender warnings — simple banner on every external email
- Staff training — not optional. Bank detail changes by email are the fraud, not the exception
For conveyancing-heavy firms, Business Premium + Defender for Office 365 P1 is the floor. That's £19.47/user/month for both.
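The point above, that a payment-change email from a real account passes authentication and still needs flagging, is shown here as an added example (not code from this guide or from Microsoft, and not how Defender works internally). The firm domain, fee-earner names, keyword patterns and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "examplefirm.example"            # assumption: the firm's mail domain
FEE_EARNERS = {"jane okafor", "david price"}   # assumption: names worth protecting
DETAILS = re.compile(r"\b(bank|account|payment)\s+details\b|\bsort\s*code\b", re.I)
CHANGE = re.compile(r"\b(chang\w*|updat\w*|amend\w*|new)\b", re.I)

def dmarc_pass(raw: str) -> bool:
    """True when the receiving server recorded a DMARC pass for the message."""
    results = message_from_string(raw).get("Authentication-Results", "")
    return "dmarc=pass" in results.lower()

def triage(raw: str) -> list[str]:
    """Return the warnings a reviewer should see, regardless of auth results."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain != FIRM_DOMAIN
    flags = []
    if external:
        flags.append("external-sender")
    if external and name.strip().lower() in FEE_EARNERS:
        flags.append("display-name-impersonation")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if external and DETAILS.search(text) and CHANGE.search(text):
        flags.append("payment-detail-change")
    return flags

# Constructed sample messages (not real mail).
BUYER_MSG = (
    "From: Sam Buyer <sam@mailprovider.example>\n"
    "Authentication-Results: mx.examplefirm.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: Completion Friday\n\n"
    "The payment details have changed before completion. New sort code 00-00-00.\n")
SPOOF_MSG = (
    "From: \"Jane Okafor\" <jane.okafor@examplefirm-legal.example>\n"
    "Reply-To: accounts@other.example\n"
    "Subject: Updated account details for completion funds\n\n"
    "Send the deposit to the account below.\n")
INTERNAL_MSG = (
    "From: Jane Okafor <jane.okafor@examplefirm.example>\n"
    "Subject: Matter review\n\nCan we meet at 2pm?\n")

if __name__ == "__main__":
    for m in (BUYER_MSG, SPOOF_MSG, INTERNAL_MSG):
        print(dmarc_pass(m), triage(m))
```

The first sample passes DMARC and is still flagged, which is why a payment-detail-change flag should lead to a phone callback on a known number rather than to trust in the sender's address.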
Lexcel and CQS expectations
The Law Society's Lexcel (practice management) and CQS (Conveyancing Quality Scheme) standards expect:
- Documented information security policy — Microsoft 365 Security Centre can evidence every technical control
- Access controls — Entra ID P1 conditional access policies (included in Premium)
- Data classification and handling — Azure Information Protection labels (included in Premium)
- Staff training records — out of scope for Microsoft 365; use a separate training platform
- Incident response plan — Defender's investigation and response logs provide the technical side
- Third-party assessments — Microsoft's SOC 2, ISO 27001, UK DSP Toolkit certifications satisfy most audits
You still need to do the work of writing policies and training staff. But Business Premium gives you the technical underpinnings to actually enforce them.
Integration with case management systems
Microsoft 365 plays well with the UK legal tech stack:
- Clio: native integration with Outlook, Microsoft 365 Copilot, OneDrive
- LEAP: Outlook integration for email filing, Teams calls from within LEAP
- Actionstep: Outlook add-in for time capture and document filing
- Quill: integrates with Outlook for email filing and Office for documents
- SOS Connect / Visualfiles: desktop installs that sit alongside Microsoft 365; Intune can manage the Windows machines
Most case management platforms now assume the firm is on Microsoft 365 — it's the industry default.
Document management — SharePoint vs a dedicated DMS
Some firms ask whether SharePoint (included in Microsoft 365) can replace iManage / NetDocuments / SOS Connect's DMS.
Honest answer: SharePoint works for small firms, but isn't a true legal DMS. What SharePoint is good at:
- Storing documents, spreadsheets, precedents
- Permissions by team or client
- Version history (automatically)
- Searchable
What SharePoint is not good at:
- Matter-centric foldering with automatic metadata
- Email filing to matters (you can do it, but it's clunky without an add-in)
- Conflict-checking and ethical walls
- Legal-specific workflows (engagement letters, conflict checks, retention schedules)
Under 10 fee earners, SharePoint is often enough. Over 10, invest in a proper DMS (NetDocuments or iManage) that layers on top of Microsoft 365. Don't try to make SharePoint do something it's not designed for.
Email retention
The SRA Code of Conduct and client care rules expect you to retain client communications for at least 6 years (longer for wills, trusts, etc.). Microsoft 365 Business Premium includes:
- Exchange Online Archiving — unlimited-growth archive mailbox per user
- Retention policies — automatic hold on emails matching a pattern (for example, all emails containing "will" retained 99 years)
- eDiscovery — search across all mailboxes for a specific matter or client
These are settings, not products: they're already there and just need configuring. Most firms don't bother, then scramble when a complaint or professional indemnity claim requires evidence.
Backup — still needed
Microsoft does not protect against:
- Accidental deletion by staff
- Ransomware that bypasses Defender
- Malicious insiders
- Bulk deletion at employee exit
For any legal practice, third-party Microsoft 365 backup (SpinBackup, Datto SaaS, Acronis) is mandatory. Budget £3-4/user/month. Without it, you're relying on noticing problems within Microsoft's 30-day default retention, which for solicitors is unacceptable.
Typical setups
Sole practitioner
- 1 × Business Premium (£17.75)
- 1 × Defender for Office 365 P1 (£1.72)
- 1 × Microsoft 365 backup (~£3.50)
- ~£23/month Microsoft stack
Small firm (6 fee earners + 2 support)
- 8 × Business Premium (£142)
- 8 × Defender for Office 365 P1 (£13.76)
- 8 × backup (£28)
- £184/month Microsoft stack (£2,200/year)
Mid-sized firm (25 fee earners)
- 25 × Business Premium (£444)
- 25 × Defender for Office 365 P1 (£43)
- 25 × backup (£87.50)
- Optionally 10 × Copilot for partners and seniors (£242.60)
- VoIP with call recording for regulated calls (~£300-400/month for 25 extensions)
- ~£575-820/month Microsoft stack depending on Copilot
Why bundle with CTN
Most firms we work with juggle:
- Microsoft 365 through an IT reseller or MSP
- VoIP or landline via a separate phone company
- Mobiles through a network or reseller
- Separate antivirus
Bundling through CTN gets you:
- 10% off Microsoft 365 licences when you also take CTN VoIP
- Call recording on your VoIP for regulated calls (often Lexcel/CQS expectation)
- One UK account manager, based in Shropshire
- Aligned renewal dates so you have one annual conversation, not three
FAQs
Does Microsoft 365 meet SRA information security expectations?
Microsoft 365 Business Premium, configured correctly, gives you the technical controls needed to demonstrate compliance with SRA expectations and Lexcel/CQS requirements. The underlying Microsoft infrastructure carries ISO 27001, SOC 2 and UK DSP Toolkit certifications. Business Standard and lower tiers do not — don't try to meet SRA expectations on those tiers.
Is SharePoint enough as a document management system for a law firm?
For sole practitioners and firms under 10 fee earners, usually yes. Above that, a purpose-built legal DMS (NetDocuments, iManage) layered on Microsoft 365 is the norm. SharePoint doesn't do matter-centric foldering, conflict-checking or ethical walls out of the box.
What do I do about conveyancing fraud?
Three things: (1) add Microsoft Defender for Office 365 Plan 1 for Safe Links and impersonation protection, (2) train every fee earner and support staff member to never accept bank detail changes via email, (3) put a bank detail policy in your engagement letters stating how details will be confirmed (in person, by phone callback to a known number). Technology alone won't catch every attack.
Can Microsoft 365 encrypt emails to clients?
Yes — Azure Information Protection (included in Business Premium) lets you label and encrypt specific emails or all emails containing certain patterns. Client-side decryption is browser-based, so clients don't need special software.
What about the cloud sovereignty question?
Microsoft 365 UK tenants store data in the UK and Republic of Ireland data centres by default. Microsoft's EU Data Boundary initiative (now in force) ensures data processing stays within the EU/UK. For almost all UK law firms, Microsoft 365 meets data sovereignty expectations.
Microsoft 365 + VoIP for your law firm
We'll scope licences around your firm's size, case management platform, and SRA / Lexcel / CQS requirements. Bundle with VoIP (with call recording) for 10% off.