Microsoft 365 is the backbone of most remote-first organizations. Getting the setup right from day one prevents months of pain later. This guide covers everything from plan selection through first-30-day hardening.

Choosing the Right Plan

Microsoft's plan naming is deliberately confusing. Here's what actually matters:

Plan	Monthly (per user)	Key Features
M365 Business Basic	$6	Web/mobile Office apps, 1TB OneDrive, Exchange, Teams
M365 Business Standard	$12.50	Desktop Office apps + everything in Basic
M365 Business Premium	$22	Everything in Standard + Intune MDM, Defender, Entra ID P1

For most remote teams of 1-10: Start with Business Basic ($6/user). You can use Office apps in the browser, and most remote workers primarily use browser-based tools anyway.

Step up to Business Standard when: your team regularly creates complex documents locally, needs offline access consistently, or uses Teams live events/webinars.

Business Premium is worth it when: you have compliance requirements, need device management (Intune), or want the advanced security features (Defender for Business, Conditional Access via Entra ID P1).

The most common mistake: buying Business Premium immediately "to be safe" and then not using any of its advanced features. Start lean and upgrade deliberately.

Step 1 — Create Your Tenant

Go to microsoft.com/en-us/microsoft-365/business → click Try for free or Buy now
Click Set up → "Set up for your business"
Enter your email (doesn't have to be Microsoft yet), name, company name, country
Choose a yourcompany.onmicrosoft.com subdomain — this becomes your permanent tenant ID and cannot be changed
Complete payment or free trial

Choose the onmicrosoft subdomain carefully. While your users will eventually log in with @yourdomain.com, the .onmicrosoft.com subdomain persists in internal logs, Teams URLs, and SharePoint addresses. Make it clean and professional (contoso.onmicrosoft.com, not contoso2024ltd.onmicrosoft.com).

Step 2 — Add Your Custom Domain

In the Microsoft 365 Admin Center (admin.microsoft.com) → Settings → Domains → Add domain
Type your domain name → Use this domain
Microsoft will ask you to verify domain ownership. Choose Add a TXT record
Log into Cloudflare → DNS → Add record:
- Type: TXT
- Name: @
- Value: the verification code Microsoft gives you
- TTL: Auto
Back in the Admin Center, click Verify — may take 1-5 minutes

Step 3 — Configure MX Records for Email

After domain verification, Microsoft walks you through adding DNS records. Add all three:

MX Record (routes your email to Microsoft):

Type: MX
Name: @
Mail server: yourcompany-com.mail.protection.outlook.com
Priority: 0

Autodiscover (Outlook auto-configuration):

Type: CNAME
Name: autodiscover
Target: autodiscover.outlook.com

At this point, email sent to @yourdomain.com will arrive in Exchange Online.

Step 4 — SPF, DKIM, and DMARC

These three records authenticate your outbound email and protect your domain from spoofing. Skip them and your email will land in spam.

SPF

Tells receiving mail servers which servers are allowed to send email from your domain.

Add a TXT record:

Name: @
Value: v=spf1 include:spf.protection.outlook.com -all

DKIM

Cryptographically signs outbound email from your domain. Requires setup in the Admin Center.

Admin Center → Settings → Domains → select your domain
Or go directly to: security.microsoft.com → Email & Collaboration → Policies & Rules → Threat Policies → Email Authentication Settings → DKIM
Select your domain → toggle to Enabled
Microsoft will show you two CNAME records to add in Cloudflare:
- selector1._domainkey → selector1-yourdomain-com._domainkey.yourcompany.onmicrosoft.com
- selector2._domainkey → selector2-yourdomain-com._domainkey.yourcompany.onmicrosoft.com
Add both in Cloudflare → return to Microsoft → click Enable again

DMARC

Tells receiving servers what to do with email that fails SPF/DKIM. Start in monitor mode.

Add a TXT record:

Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

After confirming your legitimate email passes checks (use mail-tester.com), change p=none to p=quarantine then eventually p=reject.

Step 5 — Enable MFA for All Users

The fastest way (Security Defaults):

Admin Center → Azure Active Directory (Entra ID) → Properties
Click Manage Security Defaults (at the bottom)
Toggle Enable Security Defaults to Yes → Save

This enables MFA for all users, blocks legacy authentication protocols, and requires MFA for all admin actions. It's appropriate for most organizations.

For more control (Conditional Access — requires Entra ID P1 / Business Premium):

security.microsoft.com → Conditional Access → New Policy
Name: "Require MFA for all users"
Users: All users
Cloud apps: All cloud apps
Grant: Require multi-factor authentication
Enable the policy (start in Report-only mode first)

Step 6 — OneDrive Setup

OneDrive is included with every M365 plan. Ensure all users have it configured:

Desktop sync client:

Download from microsoft.com/en-us/microsoft-365/onedrive/download
Sign in with M365 account
Choose folders to sync locally
Important: Redirect Desktop, Documents, and Pictures to OneDrive (Files On-Demand)

Admin settings (Admin Center → SharePoint → Sharing):

External sharing: Set to New and existing guests (not "Anyone") for security
Require authentication for all shared links
Set link expiration: 30 days for anonymous links if you allow them

Step 7 — Microsoft Teams Basics

Teams is included with Business Basic and above. First-time admin setup:

In Teams (teams.microsoft.com or desktop app) → click the ... next to "Teams" → Create team
Suggested structure for small orgs:
- General (whole company)
- IT & Security
- One team per major project or department

Teams admin settings (admin.teams.microsoft.com):

Messaging policies: Disable Giphy if you have compliance requirements
Meeting policies: Decide whether external users can join without lobby
External access: Federate with other Teams organizations if needed

Common Mistakes to Avoid

Mistake 1: Not setting up SPF/DKIM/DMARC Your email will be flagged as spam or spoofed. Do this in the first week.

Mistake 2: Leaving Security Defaults or Conditional Access disabled Every admin account without MFA is a breach waiting to happen.

Mistake 3: Sharing everything via "Anyone with the link" This is how sensitive documents leak. Set the default sharing level to "People in your organization."

Mistake 4: Not assigning a secondary Global Admin If the primary admin loses access to their account, recovery is painful. Have at least two Global Admin accounts — keep one as a break-glass account that isn't used for daily work.

Mistake 5: Using the Global Admin account for daily tasks Create a separate standard user account for daily work. Reserve admin credentials for admin tasks only.

Mistake 6: Ignoring the Microsoft 365 admin mobile app The M365 Admin app (iOS/Android) lets you manage users and review alerts from your phone. It's free and essential for remote IT admins.

30-Day Checklist

Week 1:

[ ] Tenant created with clean onmicrosoft subdomain
[ ] Custom domain added and verified
[ ] MX records set, test email received
[ ] SPF record added
[ ] DKIM enabled and DNS records added
[ ] DMARC record added (p=none to start)

Week 2:

[ ] All users created with correct licenses
[ ] MFA enabled (Security Defaults or Conditional Access)
[ ] All users prompted and completed MFA setup
[ ] OneDrive configured on all devices

Week 3:

[ ] Teams structure created
[ ] External sharing settings reviewed
[ ] DMARC changed to p=quarantine after confirming clean email flow

Week 4:

[ ] Break-glass admin account created and credentials stored securely offline
[ ] Microsoft Secure Score reviewed (security.microsoft.com → Secure Score)
[ ] Review sign-in logs for any suspicious activity

Microsoft 365 is a significant investment. Setting it up correctly at the start means you spend the next years using it instead of fixing it.