← Back to Blog
IT Support

Microsoft 365 Setup Guide for Small Teams (Step by Step)

24 June 2026

Most small businesses set up Microsoft 365 by buying licences, creating email accounts, and stopping there. Then six months later they wonder why their security is a mess, nobody can find shared files, and three people have Global Admin access for no reason.

Getting Microsoft 365 right from the start takes a few hours. Fixing a bad setup later takes significantly longer. Here's what to configure, in order.

10steps to a secure Microsoft 365 setup

1. Choose the Right Licence

For most small businesses with 1–30 staff, Microsoft 365 Business Premium is the right choice. It includes everything in Business Standard (Office apps, Exchange email, Teams, SharePoint, OneDrive) plus Intune device management, Defender for Business, and Conditional Access.

Business Basic and Business Standard are cheaper, but they're missing the security and device management features you'll end up needing. The cost difference is modest — the capability gap is significant.

2. Set Up Your Custom Domain

Don't use yourcompany.onmicrosoft.com for email. Add your custom domain (yourcompany.co.uk) and configure DNS records: MX for mail delivery, CNAME for autodiscover, and TXT for domain verification. Your domain registrar will have instructions, or Microsoft's admin centre walks you through it.

3. Configure Email Authentication (SPF, DKIM, DMARC)

This is the step most people skip, and it's one of the most important. These three DNS records prove that emails from your domain are legitimate and prevent attackers from spoofing your address — see our full breakdown of SPF, DKIM, and DMARC explained.

  • SPF: Tells receiving servers which mail servers are authorised to send email on behalf of your domain.
  • DKIM: Adds a cryptographic signature to your outgoing emails, proving they haven't been tampered with.
  • DMARC: Tells receiving servers what to do with emails that fail SPF and DKIM checks — quarantine them, reject them, or let them through.

Start with a DMARC policy of "none" (monitoring only), review the reports for a few weeks, then tighten to "quarantine" or "reject."

4. Lock Down Admin Access

Create a maximum of two Global Admin accounts. Everyone else gets standard user roles. If someone needs to manage users or reset passwords, give them a User Admin role — not Global Admin. Every admin account should have MFA enabled immediately.

Create a "break glass" admin account with a strong, unique password stored securely offline. This is your emergency access if the primary admins get locked out.

Never give Global Admin access to day-to-day user accounts. Use dedicated admin accounts with MFA enabled from day one.

5. Enable MFA for Everyone

Go to the Microsoft Entra admin centre and enable Security Defaults, or create a Conditional Access policy requiring MFA for all users. Don't make it optional — make it mandatory. Use the Microsoft Authenticator app, not SMS codes (SMS is vulnerable to SIM swapping).

Give people a week's notice, send clear instructions, and set a deadline. Virtually nobody will resist once they see how quick it is.

6. Set Up Conditional Access

Conditional Access policies let you control who can access what, from where, and on which devices. Start with these three policies:

  • Require MFA for all users, all apps.
  • Block sign-ins from countries you don't operate in.
  • Block legacy authentication protocols (older protocols that don't support MFA).

7. Configure OneDrive and SharePoint

Decide your file structure before people start saving files randomly. Create SharePoint sites for each department or project. Set permissions so people only access what they need. Enable OneDrive Known Folder Move to automatically back up users' Desktop, Documents, and Pictures to OneDrive.

8. Enrol Devices in Intune

If you're on Business Premium, use Intune to manage devices. Create compliance policies requiring encryption, screen lock, and up-to-date operating systems. Create configuration profiles for WiFi, VPN, and security settings. Enrol devices — either during Windows setup (Autopilot) or manually through Company Portal.

9. Turn On Microsoft Defender

Enable anti-phishing, safe attachments, and safe links policies in the Microsoft 365 Defender portal. Enable anti-malware policies with common attachment type filtering. Review and enable the preset security policies — Microsoft provides "Standard" and "Strict" presets that are good starting points.

10. Document Everything

Write down what you configured and why. Admin credentials, DNS records, licence assignments, security policies, emergency contacts. Store this securely — not in a Word doc on someone's desktop. When your setup is documented, anyone can pick it up if the person who configured it leaves or is unavailable.

Completing all ten steps typically takes 2–4 hours. A small investment that prevents weeks of cleanup down the line.

If this all sounds like more than you want to take on yourself, our IT support team handles the full setup and ongoing management for small teams across London.

Want to talk about this?

Book a free 15-minute call and we'll discuss how this applies to your business.

Book a Free Call

Get IT tips in your inbox

Practical advice for small businesses. No spam.