Microsoft 365 & Azure

Microsoft 365 already has the controls. The gap is configuration and evidence.

Most SEC-registered advisers run on Microsoft 365, and most of the controls a firm needs to meet its cybersecurity obligations are already included in the licenses it pays for. The gap is rarely a missing tool. It is configuration that was never finished, logging that was never turned on, and the space between what the MSP set up and what the CCO can prove.

How RIAs Should Configure Microsoft for SEC Exams →

Identity & Access · Regulation S-P, NYDFS 500.12

Identity is the first control they ask about

The expectation is multi-factor authentication for every user — enforced and evidenced, not merely enabled. "We have MFA" is not the same as "here are 90 days of sign-in logs showing MFA was enforced on every login." The second is the answer that survives an exam.
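As an added example (not the page's or MTradecraft's own tooling), the script below turns an exported set of Entra ID sign-in records into the kind of evidence this passage and the logging question further down describe: it counts MFA-enforced logins inside a 90-day review window and lists any user who completed a single-factor login. The record layout follows the Microsoft Graph signIn properties; the records themselves are constructed, and the export step and the example-ria.com users are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of Entra ID sign-in records, shaped like a Microsoft Graph
# /auditLogs/signIns export (field names are Graph signIn properties; the
# users, timestamps and counts are invented for illustration).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-05-01T09:12:00Z", "userPrincipalName": "alice@example-ria.com",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T10:03:00Z", "userPrincipalName": "bob@example-ria.com",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T08:45:00Z", "userPrincipalName": "carol@example-ria.com",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"createdDateTime": "2024-01-15T08:45:00Z", "userPrincipalName": "bob@example-ria.com",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
])

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def mfa_evidence(signins_json, period_end, days=90):
    """Summarise successful sign-ins in the review window: how many were
    MFA-enforced, and which users completed a login with a single factor."""
    end = _parse(period_end)
    start = end - timedelta(days=days)
    counts, gaps = Counter(), Counter()
    for rec in json.loads(signins_json):
        if not (start <= _parse(rec["createdDateTime"]) <= end):
            counts["outside_window"] += 1
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            counts["failed"] += 1  # blocked or failed logins are not evidence either way
            continue
        if rec.get("authenticationRequirement") == "multiFactorAuthentication":
            counts["mfa"] += 1
        else:
            counts["single_factor"] += 1
            gaps[rec["userPrincipalName"]] += 1  # a successful login without MFA
    return {"window_start": start.date().isoformat(), "window_end": end.date().isoformat(),
            "successful_mfa": counts["mfa"], "successful_single_factor": counts["single_factor"],
            "failed": counts["failed"], "outside_window": counts["outside_window"],
            "users_without_mfa": dict(gaps)}

if __name__ == "__main__":
    print(json.dumps(mfa_evidence(SAMPLE_SIGNINS, "2024-05-03T00:00:00Z"), indent=2))
```

A non-empty users_without_mfa list is the finding an examiner would ask about; the dated summary itself is what goes in the evidence file.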

Audit Logging & Retention · Rule 204-2, Rule 206(4)-7

A control that produces no record is invisible to an examiner

Logging is what turns posture into evidence. The annual Rule 206(4)-7 review is far easier to defend when the configuration baseline and drift reports are sitting in the evidence file, dated.

Data Protection · Regulation S-P Safeguards

Safeguarding, detection, and response are now written requirements

The 2024 Regulation S-P amendments made safeguarding, detection, and response explicit, written, testable requirements.

The New SEC Regulation S-P Amendments: What Every RIA Needs to Know →

Detection, Email & the Endpoint

Where configuration meets the real attack surface

Recurring Findings

The mistakes we find almost every time

Across RIA assessments the same five recur: half-enabled MFA, DLP configured but not enforcing, audit logs never reviewed, Defender left untuned, and exposed Azure workloads. Each is a configuration-and-evidence problem, not a licensing one — and each maps to a specific obligation.

Microsoft 365 and Azure for RIAs: The Deployment Mistakes I Find Almost Every Time →

How MTradecraft Audits and Proves It

A benchmark scan mapped to the rules

The Microsoft 365 / Azure Configuration Audit is a benchmark scan of the tenant with pass/fail results mapped to SEC-relevant controls — Regulation S-P, Rule 206(4)-7, Rule 204-2 — delivered as a written report with a screenshot for every finding, regulatory mapping for every failure, and a prioritized remediation roadmap. It is available as a one-time engagement or as the recurring Q1/Q3 component of the annual programs.

Common Questions

Frequently asked questions

Does Microsoft 365 meet SEC cybersecurity requirements?

The controls exist in Microsoft 365; meeting the requirements depends on configuring them correctly and producing evidence they are in force. SEC obligations are satisfied by demonstrable controls — enforced MFA, audit logging, DLP, encryption, access reviews — not by the presence of a license.

What Microsoft 365 logs does the SEC expect an RIA to keep?

Audit logs enabled in Microsoft Purview with a retention period that meets Rule 204-2 recordkeeping obligations, plus Entra ID sign-in logs that evidence MFA enforcement across the review period.

Is MFA enough for Regulation S-P?

MFA is foundational but not sufficient. Regulation S-P also requires data loss prevention, encryption, role-based access with periodic reviews, a written incident response program, and service-provider oversight — all of which an RIA must be able to evidence.

Next Step

If an insurer, custodian, or examiner has asked how your Microsoft 365 environment is secured — give them the documented answer.

A configuration audit produces the report, the regulatory mapping, and the remediation roadmap. The first call is twenty minutes and there is no obligation on either side.

Click here to start a conversation →