Deskless Nation

How to Build a Free Professional Business Presence From Scratch

2025-11-10T00:00:00Z

You don't need to spend money to look professional online. With the right free tools — Cloudflare, Gmail, Formspree, and a password manager — you can have a complete, secure business presence in an afternoon. This guide walks through every step.

The Full Free Stack

Layer	Tool	Cost
Domain	Cloudflare Registrar (near-cost)	~$9/yr
DNS / CDN	Cloudflare	Free
Email routing	Cloudflare Email Routing	Free
Send email as domain	Gmail Send As	Free
Website hosting	Cloudflare Pages	Free
Contact form	Formspree	Free (up to 50/mo)
Password manager	Bitwarden	Free
MFA	Authenticator app	Free

The only real cost is the domain itself. Everything else is zero.

Step 1 — Register Your Domain on Cloudflare

Cloudflare Registrar sells domains at wholesale cost with no markup — you pay exactly what ICANN charges. There are no renewal surprises.

Go to dash.cloudflare.com → Domain Registration → Register a domain
Search for your name (e.g. yourcompany.com)
Add to cart and complete purchase
Your domain is now on Cloudflare's nameservers automatically

Choose wisely: .com is still the most credible TLD for business. .io, .co, and .dev are acceptable for tech. Avoid hyphens and numbers.

Step 2 — Set Up Cloudflare Email Routing

Cloudflare Email Routing lets you receive email at you@yourdomain.com and forward it to your personal Gmail — for free, instantly.

In Cloudflare Dashboard, select your domain
Go to Email → Email Routing
Click Enable Email Routing — Cloudflare auto-adds the required MX records
Click Create Address
- Custom address: hello@yourdomain.com
- Action: Send to → your personal Gmail address
Verify your Gmail address when Cloudflare sends the confirmation email

Now anyone who emails hello@yourdomain.com lands in your Gmail inbox.

Step 3 — Send Email As Your Domain in Gmail

Receiving is handled. Now configure Gmail so you can reply using your domain address:

In Gmail: Settings (gear) → See all settings → Accounts and Import
Under "Send mail as" → click Add another email address
Enter your name and hello@yourdomain.com
Keep "Treat as an alias" checked → Next Step
SMTP server: smtp.gmail.com, Port: 587
Username: your full Gmail address
Password: App password (not your regular Gmail password)

Generating an App Password:

Go to your Google Account → Security → 2-Step Verification
Scroll to App passwords at the bottom
Select app: Mail, Device: Other → type "Gmail Send As"
Copy the 16-character password → paste into Gmail's SMTP setup
Click Add Account → enter the verification code Gmail sends

From now on, when you reply to emails that came to hello@yourdomain.com, Gmail pre-selects that address as the sender.

Step 4 — Deploy Your Website on Cloudflare Pages

Cloudflare Pages is a Jamstack hosting platform. Free tier gives you unlimited bandwidth, custom domains, and HTTPS automatically.

Option A — Static HTML (Simplest)

Create a folder with an index.html file locally
Push to a GitHub repository (free account)
In Cloudflare Dashboard → Workers & Pages → Create → Pages → Connect to Git
Authorize GitHub, select your repo
Build settings: leave blank (it detects static HTML)
Click Save and Deploy

Option B — Eleventy Blog (What You're Reading Now)

The build command for Eleventy is npm run build, output directory is _site. That's exactly what powers this blog.

Connect Your Custom Domain

In your Pages project → Custom domains → Set up a custom domain
Enter www.yourdomain.com
Cloudflare auto-adds the CNAME record pointing to your Pages URL
Add a redirect rule for the apex domain (yourdomain.com → www.yourdomain.com)

Step 5 — Add a Contact Form with Formspree

Formspree gives you a backend for HTML forms — no server required. Free tier handles 50 submissions per month.

Sign up at formspree.io with your email
Click New Form → name it "Contact"
Copy your form ID (looks like xrgdkpba)

Add this to your website's contact page:

<form action="https://formspree.io/f/xrgdkpba" method="POST">
  <input type="text" name="name" placeholder="Your name" required>
  <input type="email" name="email" placeholder="Your email" required>
  <textarea name="message" placeholder="Your message" required></textarea>
  <button type="submit">Send Message</button>
</form>

Submissions arrive in your email and in the Formspree dashboard. Enable email notifications in Formspree settings.

Step 6 — Security Baseline

A professional presence is worthless if it gets compromised. These three steps take 20 minutes and protect everything you just built.

6a. Password Manager — Bitwarden

Never reuse passwords. Bitwarden is open-source, free, and trusted.

Go to bitwarden.com → Get Started → create an account
Use a strong, unique master password — write it on paper and store it safely
Install the browser extension and mobile app
Save every existing account into Bitwarden with unique generated passwords
Enable Bitwarden's built-in TOTP (Time-based One-Time Passwords) in Settings → Two-step Login

6b. MFA on Every Account

For every service in your stack, enable MFA:

Cloudflare: Profile → Authentication → Two-Factor Authentication → enable TOTP with your authenticator app
GitHub: Settings → Password and Authentication → enable 2FA
Formspree: Account Settings → Security → enable 2FA
Google Account: Security → 2-Step Verification → enable with your authenticator app

Use Google Authenticator, Authy, or Ente Auth (open-source). Bitwarden also handles TOTP codes if you prefer one app.

6c. DNS Security Records

Add these DNS records in Cloudflare to prevent email spoofing:

SPF record (TXT on @):

v=spf1 include:_spf.google.com ~all

DMARC record (TXT on _dmarc):

v=DMARC1; p=quarantine; rua=mailto:hello@yourdomain.com

DKIM is handled automatically when using Gmail with an app password. If you switch to Google Workspace, DKIM keys are generated in the Admin Console.

You're Done

Your total monthly cost: $0 (plus ~$0.75/month amortized for the domain).

What you have:

A real domain you own
Professional email at that domain
A website with free CDN and HTTPS
A working contact form
A password manager
MFA on every account
Email authentication records to prevent spoofing

This is exactly the setup used to run this blog. No vendor lock-in, no monthly SaaS fees, no excuses.

Password Managers Compared: LastPass, 1Password, Bitwarden, and KeePass

2025-11-18T00:00:00Z

Using any password manager is infinitely better than reusing passwords. The question is which one fits your threat model, budget, and workflow. This guide covers the four most commonly used options with no affiliate bias.

Quick Comparison

	LastPass	1Password	Bitwarden	KeePass
Price (personal)	Free / $3/mo	$3/mo	Free / $10/yr	Free
Open source	No	No	Yes	Yes
Cloud sync	Yes	Yes	Yes (or self-host)	No (manual)
Mobile app	Yes	Yes	Yes	Third-party
MFA support	Yes	Yes	Yes (paid TOTP)	Plugin
Business plans	Yes	Yes	Yes	No
Security track record	Poor	Good	Good	Excellent

LastPass

LastPass was the most popular password manager for years. It no longer deserves that status.

Pros

Familiar interface, long history
Browser extension works across all major browsers
Emergency access feature
Free tier available

Cons

Major breaches in 2022: Attackers stole encrypted vaults. Users with weak master passwords are at risk
Free tier limits you to one device type (mobile or desktop — not both)
Owned by private equity; product quality has declined
No open-source code review possible

Verdict

Avoid LastPass for new setups. If you're currently using it, export your vault and migrate to Bitwarden or 1Password. The 2022 breach was severe enough that security professionals universally stopped recommending it.

Setup Steps (if you must)

Go to lastpass.com → Create Account
Choose a master password: 16+ characters, unique, never reused
Install the browser extension
Import existing passwords via Settings → Advanced → Import
Enable MFA: Account Settings → Multifactor Options → Google Authenticator

1Password

1Password is the premium option. It's polished, well-designed, and has an excellent security track record.

Pros

Beautiful, intuitive interface across all platforms
Watchtower: built-in breach monitoring and password health dashboard
Travel Mode: hide sensitive vaults when crossing borders
Business features: Teams, vaults, admin console
Strong two-person company history; security-first culture
No known major breaches
Secret Key architecture: even with your password, attackers can't decrypt your vault without your Secret Key

Cons

No free tier — $3/month (personal), $4/user/month (teams)
Closed source — you're trusting their security claims
Can't self-host

Setup Steps

Go to 1password.com → Try 1Password Free (14-day trial)
Create account → save your Emergency Kit PDF — this contains your Secret Key
Print the Emergency Kit and store it offline
Install apps on all your devices
Create vaults: Personal, Work, Financial — organize from the start
Enable 2FA: Profile → More Actions → Two-Factor Authentication → Authenticator App
Set up Watchtower: go to Watchtower → fix any flagged items
Enable Travel Mode if you cross borders with a work device

Business Setup

Go to 1password.com/teams
Start a Teams plan (14-day free)
Create vaults for each department or project
Invite team members → assign vault access per role
Enable Admin features: enforce 2FA, set password policies

Bitwarden

Bitwarden is the recommendation for most people and organizations. Open-source, affordable, and trustworthy.

Pros

Open source — code is publicly audited
Free tier is genuinely useful (unlimited passwords, unlimited devices)
$10/year premium adds TOTP (stores your 2FA codes too), encrypted file attachments, emergency access
$3/user/month for business (Organizations)
Can be self-hosted on your own server
Passed independent security audits
Works on every platform including Linux

Cons

Interface is functional but less polished than 1Password
TOTP requires paid plan
Self-hosting requires technical setup

Personal Setup Steps

Go to bitwarden.com → Create account
Choose a strong master password — 20+ characters, a passphrase works well (e.g., correct-horse-battery-staple-2025)
Write it down and store offline — there is no recovery without it
Install the browser extension (Chrome, Firefox, Safari, Edge)
Install the mobile app (iOS or Android)
Import existing passwords: Settings → Tools → Import Data → choose your current password manager's export format
Enable Two-step Login: Account Settings → Security → Two-step Login → Authenticator App
Set up emergency access: Settings → Emergency Access → Add emergency contact

Bitwarden Organizations (Business)

Create an Organization at bitwarden.com/pricing
Invite members via People tab
Create Collections (equivalent to folders) for shared credentials
Set member permissions per collection
Enable Policies: require 2FA, set master password requirements
Review the Admin Console regularly for inactive users

Self-Hosting Bitwarden (Advanced)

Bitwarden releases a Docker-based self-host package called Vaultwarden (community) or official bitwarden/self-host:

# Vaultwarden (lightweight alternative)
docker run -d \
  --name vaultwarden \
  -v /vw-data/:/data/ \
  -p 80:80 \
  vaultwarden/server:latest

You'll need a domain and HTTPS certificate. Cloudflare Tunnel is a clean way to expose it without opening firewall ports.

KeePass

KeePass is the ultimate in control. Your vault is a local file — it never touches a cloud server unless you explicitly sync it.

Pros

Completely free and open source (AGPL)
Vault is a local .kdbx file — you own it entirely
No subscription, no account, no server
Passes rigorous security audits
Excellent for high-security environments or air-gapped systems
Plugin ecosystem is extensive

Cons

No built-in sync — you manage that yourself (Dropbox, iCloud, Synology, USB)
Mobile apps are third-party (Strongbox on iOS, KeePassDX on Android)
Interface is dated (Windows-native, though cross-platform versions exist)
Requires more setup discipline than cloud-managed options

Setup Steps

Download KeePass 2.x from keepass.info (Windows) or use KeePassXC for cross-platform
Create a new database: File → New → choose save location
Set a master password + optionally a key file (two-factor locally)
Create groups: Personal, Work, Finance, Social
Start adding entries

Sync Strategy for KeePass

iCloud/Dropbox method:

Save your .kdbx file in your iCloud Drive or Dropbox folder
On iPhone: install Strongbox → Open Database → select the file from iCloud
Any save on any device syncs via the cloud provider

Self-hosted Synology/NAS method:

Store on NAS, use WebDAV to sync to KeePassXC on desktop
Strongbox on iOS supports WebDAV directly

Which One Should You Choose?

Choose Bitwarden if: you want the best balance of security, cost, and convenience. It's the Deskless Nation default recommendation for remote teams.

Choose 1Password if: you have budget and want the best polished experience, especially for a small business where non-technical users need something that just works.

Choose KeePass if: you have advanced security requirements, work in a regulated environment, or simply don't trust cloud providers with your credentials.

Avoid LastPass until they demonstrate a sustained security track record post-2022 breach. That day hasn't come yet.

Migration Tips

Moving from one password manager to another is straightforward:

Export from your current manager (CSV or proprietary format)
Review the export file — delete old/dead entries before importing
Import into the new manager
Verify a sample of entries opened correctly
Delete the export CSV file immediately — it's unencrypted

Never leave a password export file sitting in your Downloads folder.

How to Enable MFA on Every Portal Your Business Uses

2025-11-25T00:00:00Z

A stolen password alone should not be enough to compromise your account. That's the entire promise of multi-factor authentication (MFA). Despite being widely supported, it remains the most commonly skipped security step.

This guide covers every major platform that remote IT workers touch, with exact steps for each.

Before You Start

Get an authenticator app first. You'll need it for most of these:

Ente Auth — open-source, encrypted backup, recommended
Google Authenticator — simple, works, no backup (risk)
Authy — cloud backup, multi-device
Bitwarden — handles TOTP codes alongside passwords (premium plan)

Key concepts:

TOTP — Time-based One-Time Password. A 6-digit code that refreshes every 30 seconds. Generated by your authenticator app.
FIDO2/Passkey — Phishing-resistant hardware or software key. Strongest option where available.
SMS — One-time codes sent by text. Weakest option, but better than nothing.

Always use TOTP or hardware keys over SMS when available.

Gmail / Google Account

Google is often the root account for everything else. Protecting it is critical.

Go to myaccount.google.com → Security
Under "How you sign in to Google," click 2-Step Verification
Click Get started
You'll be asked to verify your identity first
Scroll past "Google prompts" and click Authenticator app
Click Set up authenticator → scan the QR code with your authenticator app
Enter the 6-digit code to verify
Click Turn on

Additional hardening:

Go back to 2-Step Verification → scroll to Backup codes → generate and save these offline
Consider adding a physical security key (YubiKey) as a second method
Under Advanced Protection: if you're high-risk, enroll in Google's Advanced Protection Program

Cloudflare

Cloudflare controls your DNS — if compromised, an attacker can redirect your entire domain.

Log into dash.cloudflare.com
Click your profile picture (top right) → My Profile
Click Authentication in the left sidebar
Under Two-Factor Authentication, click Enable
You'll see a QR code — scan it with your authenticator app
Enter the 6-digit code and click Verify Code
Save your backup codes — download or copy them to your password manager

Account security settings (also do these):

Profile → Sessions → review active sessions, terminate unknown ones
If using an API token in any app, go to My Profile → API Tokens → audit what exists

GitHub

GitHub hosts your code. An attacker with access can push malicious code or wipe repositories.

Go to github.com → click your avatar → Settings
In the left sidebar: Password and authentication
Under "Two-factor authentication," click Enable two-factor authentication
Choose Authenticator app (recommended over SMS)
Scan the QR code with your authenticator app
Enter the 6-digit code → Continue
Download your recovery codes → save them in your password manager and a secure offline location
Click I have saved my recovery codes → confirm

Additional GitHub security:

Settings → SSH and GPG keys → review what's authorized; remove unknown keys
Settings → Applications → review OAuth apps; revoke anything unrecognized
For organizations: Org Settings → Authentication security → require 2FA for all members

Formspree

Formspree handles your contact form submissions — worth securing.

Log into formspree.io
Click your email/avatar → Account Settings
Find the Security or Two-Factor Authentication section
Enable TOTP-based 2FA
Scan QR code, enter verification code
Save backup codes

Microsoft 365

Microsoft 365 is often the most business-critical account in any remote team. MFA here is non-negotiable.

For Individual Users

Go to mysignins.microsoft.com → Security info
Click + Add sign-in method
Select Authenticator app
Click Add → choose "Use a different authenticator app" if not using Microsoft Authenticator
Scan QR code with your app → click Next
Enter the code shown → Next → Done

For Microsoft 365 Admins (Enabling for Everyone)

Modern method — Conditional Access (recommended for M365 Business Premium and above):

Go to admin.microsoft.com → Security → Conditional Access
Create a new policy requiring MFA for all users
Set it to report-only first, then enforce after reviewing

Legacy method — Per-user MFA:

admin.microsoft.com → Users → Active users
Click Multi-factor authentication in the top menu
Select all users → Enable
Users will be prompted to set up MFA on next sign-in

Security Defaults (simplest for small orgs):

Azure AD (Entra ID) → Properties → Manage Security Defaults
Toggle to Enabled → Save
This automatically enables MFA for all users and blocks legacy auth protocols

Apple ID

Apple ID controls device management, iCloud backup, Find My, and App Store purchases.

Go to appleid.apple.com or Settings on iPhone → [Your Name]
Tap Sign-In & Security
Tap Two-Factor Authentication → Turn On
Follow the prompts to verify a trusted phone number
Apple sends verification codes to trusted devices — no separate authenticator app needed for basic use

For stronger Apple ID security:

Settings → [Your Name] → Sign-In & Security → Account Recovery → set a recovery contact
Use a strong, unique password (Bitwarden can generate this)
Review trusted devices regularly: appleid.apple.com → Devices

Bank Accounts

Every bank does this differently, but the pattern is the same.

Log into your bank's website → find Settings, Security, or Profile
Look for: Two-factor authentication, Two-step verification, Login verification
Enable TOTP (app-based) if available — many banks still only offer SMS
If SMS is the only option, use it — it's still better than nothing
Note the backup phone/email recovery options and keep them current

Banks that offer app-based TOTP: Check your bank's security settings. Large US banks (Chase, Bank of America, Wells Fargo) mostly use proprietary apps or SMS. Credit unions often support TOTP via third-party apps.

If your bank only supports SMS: that's their limitation. Use a dedicated phone number for banking SMS that isn't shared anywhere else.

Your Password Manager

This is the most important one — your password manager holds everything.

Bitwarden

bitwarden.com → My Account → Security → Two-step Login
Click Manage next to Authenticator App
Scan QR code with your authenticator app
Enter the 6-digit code → Enable
Copy recovery code → store it somewhere separate from Bitwarden (written on paper, or in a truly offline location)

1Password

Profile → More Actions → Two-Factor Authentication
Click Set Up App → scan QR code
Enter code → Confirm
Remember: 1Password already requires your Secret Key, which functions as a second factor at the account level

KeePass

KeePass doesn't have cloud authentication — it uses a local key file as a second factor:

File → Change Master Key
Check "Key file / provider" → Create
Save the key file to a different location than your database (e.g., a USB drive)

After Enabling MFA Everywhere

Test your recovery codes. Don't assume they work — actually test one on an account where you have a backup method.

Store backup codes properly:

Print and store in a fireproof location, OR
Store in your password manager in an encrypted note (not ideal if you're locked out of the password manager too), OR
Use a second device as a recovery authenticator

The critical scenario: If you lose your phone and your only MFA device, can you still get in? Make sure the answer is yes before you need it.

Recommended MFA hierarchy:

FIDO2 hardware key (YubiKey) — most secure, phishing-proof
TOTP authenticator app — strong, widely supported
Email-based OTP — acceptable fallback
SMS — use only when nothing else is available

Enabling MFA on everything in this list takes about two hours. It's the highest-ROI security work you can do today.

Getting Started with Microsoft 365: Tenant Setup, Custom Domain, and First 30 Days

2025-12-02T00:00:00Z

Microsoft 365 is the backbone of most remote-first organizations. Getting the setup right from day one prevents months of pain later. This guide covers everything from plan selection through first-30-day hardening.

Choosing the Right Plan

Microsoft's plan naming is deliberately confusing. Here's what actually matters:

Plan	Monthly (per user)	Key Features
M365 Business Basic	$6	Web/mobile Office apps, 1TB OneDrive, Exchange, Teams
M365 Business Standard	$12.50	Desktop Office apps + everything in Basic
M365 Business Premium	$22	Everything in Standard + Intune MDM, Defender, Entra ID P1

For most remote teams of 1-10: Start with Business Basic ($6/user). You can use Office apps in the browser, and most remote workers primarily use browser-based tools anyway.

Step up to Business Standard when: your team regularly creates complex documents locally, needs offline access consistently, or uses Teams live events/webinars.

Business Premium is worth it when: you have compliance requirements, need device management (Intune), or want the advanced security features (Defender for Business, Conditional Access via Entra ID P1).

The most common mistake: buying Business Premium immediately "to be safe" and then not using any of its advanced features. Start lean and upgrade deliberately.

Step 1 — Create Your Tenant

Go to microsoft.com/en-us/microsoft-365/business → click Try for free or Buy now
Click Set up → "Set up for your business"
Enter your email (doesn't have to be Microsoft yet), name, company name, country
Choose a yourcompany.onmicrosoft.com subdomain — this becomes your permanent tenant ID and cannot be changed
Complete payment or free trial

Choose the onmicrosoft subdomain carefully. While your users will eventually log in with @yourdomain.com, the .onmicrosoft.com subdomain persists in internal logs, Teams URLs, and SharePoint addresses. Make it clean and professional (contoso.onmicrosoft.com, not contoso2024ltd.onmicrosoft.com).

Step 2 — Add Your Custom Domain

In the Microsoft 365 Admin Center (admin.microsoft.com) → Settings → Domains → Add domain
Type your domain name → Use this domain
Microsoft will ask you to verify domain ownership. Choose Add a TXT record
Log into Cloudflare → DNS → Add record:
- Type: TXT
- Name: @
- Value: the verification code Microsoft gives you
- TTL: Auto
Back in the Admin Center, click Verify — may take 1-5 minutes

Step 3 — Configure MX Records for Email

After domain verification, Microsoft walks you through adding DNS records. Add all three:

MX Record (routes your email to Microsoft):

Type: MX
Name: @
Mail server: yourcompany-com.mail.protection.outlook.com
Priority: 0

Autodiscover (Outlook auto-configuration):

Type: CNAME
Name: autodiscover
Target: autodiscover.outlook.com

At this point, email sent to @yourdomain.com will arrive in Exchange Online.

Step 4 — SPF, DKIM, and DMARC

These three records authenticate your outbound email and protect your domain from spoofing. Skip them and your email will land in spam.

SPF

Tells receiving mail servers which servers are allowed to send email from your domain.

Add a TXT record:

Name: @
Value: v=spf1 include:spf.protection.outlook.com -all

DKIM

Cryptographically signs outbound email from your domain. Requires setup in the Admin Center.

Admin Center → Settings → Domains → select your domain
Or go directly to: security.microsoft.com → Email & Collaboration → Policies & Rules → Threat Policies → Email Authentication Settings → DKIM
Select your domain → toggle to Enabled
Microsoft will show you two CNAME records to add in Cloudflare:
- selector1._domainkey → selector1-yourdomain-com._domainkey.yourcompany.onmicrosoft.com
- selector2._domainkey → selector2-yourdomain-com._domainkey.yourcompany.onmicrosoft.com
Add both in Cloudflare → return to Microsoft → click Enable again

DMARC

Tells receiving servers what to do with email that fails SPF/DKIM. Start in monitor mode.

Add a TXT record:

Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

After confirming your legitimate email passes checks (use mail-tester.com), change p=none to p=quarantine then eventually p=reject.

Step 5 — Enable MFA for All Users

The fastest way (Security Defaults):

Admin Center → Azure Active Directory (Entra ID) → Properties
Click Manage Security Defaults (at the bottom)
Toggle Enable Security Defaults to Yes → Save

This enables MFA for all users, blocks legacy authentication protocols, and requires MFA for all admin actions. It's appropriate for most organizations.

For more control (Conditional Access — requires Entra ID P1 / Business Premium):

security.microsoft.com → Conditional Access → New Policy
Name: "Require MFA for all users"
Users: All users
Cloud apps: All cloud apps
Grant: Require multi-factor authentication
Enable the policy (start in Report-only mode first)

Step 6 — OneDrive Setup

OneDrive is included with every M365 plan. Ensure all users have it configured:

Desktop sync client:

Download from microsoft.com/en-us/microsoft-365/onedrive/download
Sign in with M365 account
Choose folders to sync locally
Important: Redirect Desktop, Documents, and Pictures to OneDrive (Files On-Demand)

Admin settings (Admin Center → SharePoint → Sharing):

External sharing: Set to New and existing guests (not "Anyone") for security
Require authentication for all shared links
Set link expiration: 30 days for anonymous links if you allow them

Step 7 — Microsoft Teams Basics

Teams is included with Business Basic and above. First-time admin setup:

In Teams (teams.microsoft.com or desktop app) → click the ... next to "Teams" → Create team
Suggested structure for small orgs:
- General (whole company)
- IT & Security
- One team per major project or department

Teams admin settings (admin.teams.microsoft.com):

Messaging policies: Disable Giphy if you have compliance requirements
Meeting policies: Decide whether external users can join without lobby
External access: Federate with other Teams organizations if needed

Common Mistakes to Avoid

Mistake 1: Not setting up SPF/DKIM/DMARC Your email will be flagged as spam or spoofed. Do this in the first week.

Mistake 2: Leaving Security Defaults or Conditional Access disabled Every admin account without MFA is a breach waiting to happen.

Mistake 3: Sharing everything via "Anyone with the link" This is how sensitive documents leak. Set the default sharing level to "People in your organization."

Mistake 4: Not assigning a secondary Global Admin If the primary admin loses access to their account, recovery is painful. Have at least two Global Admin accounts — keep one as a break-glass account that isn't used for daily work.

Mistake 5: Using the Global Admin account for daily tasks Create a separate standard user account for daily work. Reserve admin credentials for admin tasks only.

Mistake 6: Ignoring the Microsoft 365 admin mobile app The M365 Admin app (iOS/Android) lets you manage users and review alerts from your phone. It's free and essential for remote IT admins.

30-Day Checklist

Week 1:

[ ] Tenant created with clean onmicrosoft subdomain
[ ] Custom domain added and verified
[ ] MX records set, test email received
[ ] SPF record added
[ ] DKIM enabled and DNS records added
[ ] DMARC record added (p=none to start)

Week 2:

[ ] All users created with correct licenses
[ ] MFA enabled (Security Defaults or Conditional Access)
[ ] All users prompted and completed MFA setup
[ ] OneDrive configured on all devices

Week 3:

[ ] Teams structure created
[ ] External sharing settings reviewed
[ ] DMARC changed to p=quarantine after confirming clean email flow

Week 4:

[ ] Break-glass admin account created and credentials stored securely offline
[ ] Microsoft Secure Score reviewed (security.microsoft.com → Secure Score)
[ ] Review sign-in logs for any suspicious activity

Microsoft 365 is a significant investment. Setting it up correctly at the start means you spend the next years using it instead of fixing it.

Remote-Friendly Companies vs Aggressive RTO Mandates in 2026

2026-01-14T00:00:00Z

The pandemic-era experiment with remote work ended differently than either side predicted. Rather than everyone returning to the office, the workforce has split: remote-friendly companies are selectively hiring and retaining distributed talent, while aggressive return-to-office mandates have triggered waves of voluntary attrition at companies that can least afford to lose their best people.

Here's where things stand in 2026.

What the Productivity Data Actually Shows

The debate about remote productivity is largely settled among researchers, even if executives continue to debate it in earnings calls.

Key findings from major studies (2023-2025):

Stanford / Nicholas Bloom (2024): Hybrid work (2-3 days in office) showed no measurable productivity loss compared to full-time office work for knowledge workers. Full remote showed mixed results, varying significantly by role and management quality.
Microsoft Work Trend Index (2025): 85% of managers say they trust their remote teams to be productive. The 15% who don't correlate with teams that also underperform in-office — a management problem, not a location problem.
Harvard Business School (2024): Software engineers at firms with remote flexibility produced 13% more code commits per week than peers at strict in-office firms, controlling for company size and sector.
Tracking productivity loss from RTO: Multiple studies document significant voluntary attrition (often 10-25%) immediately following RTO announcements. The workers most likely to leave are top performers with the most outside options.

The uncomfortable truth for RTO advocates: Mandates don't solve collaboration problems — they redistribute them. Workers who stayed often report lower morale, longer commutes reducing effective working hours, and resentment that productivity data shows is real and measurable.

Companies Committed to Remote Work in 2026

These companies have made structural commitments to remote-first or remote-friendly policies, not just verbal support:

Fully Remote / Remote-First

GitLab Flagship example of all-remote done right. Thousands of employees across 60+ countries. Their public handbook documents every policy, meeting structure, and cultural norm. Hiring actively.

Automattic (WordPress.com) Fully distributed since founding. Annual Grand Meetups replace daily office time. Strong asynchronous culture, no headquarters.

Zapier All-remote with intentional async culture. Known for detailed documentation and hiring globally without geographic restrictions.

Basecamp / 37signals Remote-first principles company. Published "Remote: Office Not Required" — still lives by it.

Doist (Todoist/Twist) Async-first, distributed team, no offices. Public about their async philosophy and the tools they use.

Buffer Fully remote, radical transparency including public salary formulas. Smaller company but well-regarded remote culture.

Remote-Friendly (Hybrid with flexibility)

Atlassian "TEAM Anywhere" policy: employees choose where they work. Physical offices exist but are optional. No minimum days required. Has resisted RTO pressure while competitors mandated returns.

Shopify Went fully remote during pandemic and maintained it. Called themselves a "digital by default" company. Some optional gathering spaces but no office requirements.

Dropbox Pivoted to "Virtual First" — offices exist as collaboration spaces but are not where daily work happens. Hired globally as a result.

HubSpot Hybrid-flexible: employees choose @home, @office, or @flex. No blanket mandates.

Spotify "Work From Anywhere" — employees can work from wherever they're most productive, including outside their home country in many cases.

Quora Went remote-first and maintained it. CEO Pete Quora publicly documented the approach.

Reddit Maintained flexibility through 2025 despite market pressure to mandate returns.

Companies with Aggressive RTO Mandates

These companies have implemented mandatory return-to-office policies that have generated significant employee backlash and reported attrition:

Full 5-Day Mandates

Amazon Required all corporate employees back to the office 5 days per week starting early 2025. The policy triggered widespread internal opposition and reportedly significant attrition among senior engineers who could find remote roles elsewhere. Amazon has maintained the mandate.

JPMorgan Chase CEO Jamie Dimon has been one of the most vocal RTO proponents. Full 5-day return required for most roles. Has publicly criticized remote work repeatedly.

Goldman Sachs Five-day return with limited exceptions. Long-standing stance from David Solomon who called remote work an "aberration."

Dell Issued a memo classifying employees as either "remote" or "hybrid." Remote employees would be ineligible for promotions. Prompted significant internal backlash and attrition.

3-4 Day Mandates with Controversy

Google Three-day in-office requirement with attendance tracked via badge data. Employees who don't comply face performance review implications. Has caused friction, particularly among teams hired remotely during 2020-2022.

Meta Three-day minimum in-office requirement. Announced it would factor attendance into performance reviews.

Apple Three-day minimum. Generated significant internal pushback, including an employee petition. Several notable engineers departed citing the policy.

Disney Four-day in-office requirement under Bob Iger, who publicly criticized remote work. Led to some departures.

Salesforce Multiple policy shifts. Currently requiring most employees back 4 days/week, a significant reversal from earlier remote-friendly stance.

The Talent Market Impact

The RTO mandate wave has created a distinct bifurcation in the tech talent market:

Workers with options (senior engineers, specialized roles) are self-selecting into remote companies. LinkedIn data shows job postings with "remote" in the title receive 4-5x more applications than equivalent in-office roles.

Companies with aggressive RTO policies are winning on cost in the short term — attrition clears senior (expensive) headcount and enables workforce reductions without layoffs. This appears to be deliberate strategy at some firms.

Remote-first companies are capturing displaced talent. Atlassian, GitLab, Automattic, and similar companies have publicly noted they benefit from every RTO mandate their competitors announce.

What This Means for Remote Workers

If you're a remote IT worker in 2026:

You have more power than you think, but it's concentrated in specific roles. Senior engineers, cloud architects, security specialists, and DevOps engineers can generally command remote flexibility as a condition of employment. Junior roles have less leverage.

Check company culture before accepting. A "remote-friendly" policy on paper can hide a culture where remote workers are passed over for promotions and left out of key decisions. Ask specifically: what percentage of your leadership team is remote? How are promotions decided? Are in-person employees prioritized?

The companies on the RTO list aren't going away. Many are large, well-paying employers. If the compensation is significant enough, a hybrid arrangement with clear boundaries may be worth it. But know what you're signing up for.

Remote-first companies have their own challenges — async communication is a skill, documentation discipline is harder than it sounds, and isolation is real. The best remote companies invest heavily in culture, tooling, and intentional connection.

The remote work landscape in 2026 is more stable than the chaotic swings of 2020-2023. The companies that want remote workers have built structures for it. The companies that don't have made it clear. Choose accordingly.

Operational Challenges of Running a Remote Company — and How to Solve Them

2026-02-03T00:00:00Z

Running a remote company sounds straightforward until you're doing it. The surface-level challenges (video calls, time zones) are easy. The hard ones are cultural and structural — they compound slowly and don't announce themselves until something breaks.

This guide covers the real operational challenges and the solutions that actually work, drawn from patterns across distributed companies that have been doing it for years.

Challenge 1: Communication That Doesn't Scale

The Problem

In an office, communication happens through ambient information — overheard conversations, body language in meetings, hallway context. Remote organizations don't have that. Without a deliberate communication architecture, you get:

Decisions made in Slack DMs that should be documented
Teams that don't know what other teams are doing
Junior employees who are invisible to leadership
Meetings that could have been documents
Documents that could have been structured so people could find them later

The result is either information overload (everything in Slack, urgent noise constantly) or information vacuum (people don't know what's happening and don't know who to ask).

The Solution: Communication Architecture by Design

1. Define what goes where — and enforce it

Type	Channel	SLA
Decisions and context	Notion/Confluence page	Permanent
Project updates	Project management tool (Linear, Asana)	Per project
Team discussion	Slack channel (team-specific)	24hr response
Quick questions	Slack DM	Best effort
Urgent	Phone call	Immediate

Post this publicly. Reference it when someone uses the wrong channel.

2. Asynchronous-first thinking

Before scheduling a meeting, ask: can this be a Loom video? A Notion doc with comments? A Slack thread? Meetings are expensive across time zones. Reserve them for decisions that require real-time discussion or relationship maintenance.

3. Weekly written updates

Require every team to post a weekly written update: what shipped, what's blocked, what's coming next. These are 200-word max posts in a dedicated Notion space or Slack channel. Leaders read them. Junior employees read leadership updates. It creates ambient awareness without meetings.

4. Working Out Loud culture

Encourage people to share work-in-progress in dedicated channels. Not for approval — for visibility. #wip-design, #wip-engineering channels where people share drafts, questions, and experiments. This replaces a lot of the ambient information office environments provide.

Challenge 2: Inconsistent and Ineffective Onboarding

The Problem

Remote onboarding fails when it's treated as "orientation" rather than "setup for success." Common failure modes:

New hire spends first week figuring out what tools they need access to
No documentation of how things actually work (only tribal knowledge)
No structured time with teammates — just dropped into Slack and told good luck
30/60/90 day expectations never written down, unclear what success looks like
No connection to company culture beyond reading the handbook

The result: 20-30% of remote new hires disengage in the first 90 days without ever fully ramping.

The Solution: Structured Onboarding as a System

Day 1 readiness checklist (completed before they start):

[ ] Laptop shipped and received
[ ] All accounts created (M365, GitHub, Slack, etc.)
[ ] Welcome Loom video recorded by their manager
[ ] 30-minute call scheduled for Day 1 with manager
[ ] First two weeks of onboarding calendar pre-populated

The 30-60-90 document

For every hire, write a document that specifies:

By day 30: understand X, complete training Y, have met Z people
By day 60: own responsibility A, shipped contribution B
By day 90: working independently on C, can onboard the next person on D

Make it collaborative — new hire should co-author their 90-day plan with their manager.

Onboarding buddy system

Assign a peer (not the manager) as an onboarding buddy. Their job: answer "dumb questions" that new hires are afraid to ask their boss. Weekly check-in for the first 60 days. This single practice dramatically increases onboarding satisfaction scores.

Documentation as culture

Remote onboarding fails when knowledge is only in people's heads. Every team should have a "how we work" doc that a new hire could read and understand the team's processes, tools, and norms. Make writing it a team exercise. Make updating it part of the culture.

Challenge 3: Cultural Drift

The Problem

Company culture in an office emerges partly through physical proximity — shared meals, spontaneous conversations, reading body language in meetings. Remote companies don't get that for free. Without intentional culture work, distributed teams drift toward:

Transactional relationships (people are tools for getting work done, not humans)
Subcultures within teams that diverge from company values
Headquarters-vs-remote divide if some people are co-located
Burnout without colleagues to notice and intervene

The Solution: Intentional Culture Investment

Regular non-work rituals

Weekly or biweekly "watercooler" calls: 30 minutes, optional, no agenda, cameras on. Some teams do themed calls (show us your workspace, show us your pet, etc.). This sounds trivial and it works.

Donut (Slack app) automatically pairs people across the company for 30-minute coffee chats. One of the simplest and most effective culture tools for remote teams.

Annual or semiannual in-person gatherings

The data from remote-first companies is consistent: in-person time matters, but it doesn't need to be daily. Well-run offsites (3-4 days, 1-2x per year) create relational capital that sustains distributed teams for months. Budget for this. Treat it as essential infrastructure, not a perk.

Values in practice, not on walls

Write down your values in terms of behaviors, not adjectives. Not "we value transparency" but "we publish meeting notes publicly within 24 hours." Review behaviors in retrospectives. Name them when you see them. This makes culture legible.

Manager 1:1 cadence

Require weekly or biweekly 1:1s between every employee and their manager. The agenda is the employee's — what they're working on, what's hard, what they need. Managers who don't do 1:1s lose sight of their remote team members until something is very wrong.

Challenge 4: Performance Management Across Time Zones

The Problem

Performance management in distributed companies defaults to either:

"Trust everyone" (no visibility into who's contributing or struggling)
Surveillance (activity monitoring, screenshot tracking, badge-data equivalents for remote workers)

Both are failures. The first produces inequitable outcomes. The second destroys trust and correlates with attrition of exactly the employees you want to keep.

The Solution: Outcome-Based Management

Define outcomes, not activity

For every role, define what success looks like in measurable terms: shipped features, resolved tickets, created content, closed deals. Review outcomes weekly in team standups. Struggling becomes visible early when measured on outputs, not hours logged.

OKRs (Objectives and Key Results)

Quarterly OKRs give every person visible goals that connect to company priorities. The process of setting them requires managers to have direct conversations about expectations. The process of reviewing them (monthly check-ins) surfaces problems before they compound.

Async status updates

Tools like Linear, Jira, or Notion allow managers to see progress without requiring meetings. Build the habit of updating tickets/tasks when status changes. This makes progress visible passively.

Calibration sessions

Every 6 months, managers in the same level meet to discuss their teams' performance together. This prevents manager bias (the squeaky wheel gets the grease) and creates consistent standards across a distributed org.

Challenge 5: Time Zone Coordination

The Problem

A team spanning 8+ hours of time zone difference has almost no natural overlap. Coordination becomes a scheduling puzzle. Decisions get delayed waiting for the right person to wake up. Some employees are always on calls outside business hours.

The Solution: Overlap Minimums and Async Handoffs

Define a core overlap window

Pick 2-3 hours that everyone can reasonably attend. For US + Europe teams, 9-11am ET (3-5pm CET) works. For US + APAC, this is hard — budget for one late/early call per week with rotation.

All-hands, team meetings, and time-sensitive decisions happen in the overlap window. Everything else is async.

Async handoff documents

For ongoing work that crosses time zones, use structured handoff notes: "I completed X, blocked on Y, you need to do Z before I pick it up at 8am my time." Takes 5 minutes. Saves hours of confusion.

Time zone visibility

Add team members' time zones to Slack profiles and org charts. Use the World Clock in Outlook or Google Calendar. Make it trivially easy to know what time it is for the person you're about to message.

Follow-the-sun for support roles

IT support and customer-facing teams can structure coverage by region, with documented handoffs between shifts. This provides 24-hour coverage without anyone working nights.

The Meta-Challenge: Everything Requires More Intentionality

The underlying pattern across all these challenges is the same: remote companies must be more intentional, more documented, and more structured than their office-based counterparts.

Things that "just happen" in an office — new employees absorbing culture, managers noticing struggling employees, teams staying aligned on direction — must be designed for in a remote environment.

The companies that fail at remote work aren't lazy. They're applying office-world operating models to a different environment. The fix isn't working harder — it's building the right systems.

The companies that succeed at remote work treat these systems as competitive advantages. Their onboarding is better. Their documentation is better. Their meetings are more purposeful. Their employees have clearer expectations. And their talent pool is global.

Building these systems takes time and discipline. But once built, they scale in ways that office-dependent operations cannot.