Complete Checklist — March 1, 2026

Microsoft 365 Setup Checklist for Small Businesses

A step-by-step checklist to get your team fully set up on Microsoft 365 — email, Teams, SharePoint, OneDrive, and the critical security settings most businesses miss entirely. Follow this in order and you’ll have a secure, professional Microsoft 365 environment in days, not weeks.

Most small businesses complete only 40–60% of a proper Microsoft 365 setup — leaving critical security gaps open. This checklist covers all 8 phases: licensing, domain setup, email migration, user accounts, Teams, SharePoint, OneDrive, and security hardening. Interactive checkboxes let you track your progress as you go.
March 1, 2026 · Navatek IT Team · 18 min read · Microsoft 365 · Interactive Checklist · Security Included
  • 99.9%: Exchange Online uptime SLA — better than any on-premise email server
  • 40%: of small businesses skip critical Microsoft 365 security settings post-setup
  • 1 TB: OneDrive storage per user on Business Standard — replaces your file server
  • 99.9%: of account breaches blocked by multi-factor authentication alone (Microsoft 2025)

Choose the Right Microsoft 365 Plan for Your Business

Before setting up anything, you need the right plan. The wrong choice means paying for features you don’t need — or missing critical tools you do. Here’s the honest breakdown for small businesses.

Business Basic: $6 per user / month
  • Exchange Online email (50 GB)
  • Teams, SharePoint, OneDrive (1 TB)
  • Web versions of Office apps
  • No desktop Office installs
  • No Microsoft Defender

Business Premium: $22 per user / month
  • Everything in Standard
  • Microsoft Defender for Business
  • Azure AD Premium P1
  • Advanced compliance & eDiscovery
  • Intune device management

Apps for Business: $8.25 per user / month
  • Desktop & mobile Office apps
  • OneDrive (1 TB per user)
  • No Exchange email included
  • No Teams
  • Office apps only
Our recommendation for most small businesses: Microsoft 365 Business Standard
Business Standard at $12.50/user/month hits the sweet spot — full desktop Office apps, Exchange email, Teams, SharePoint, and OneDrive for every user. If your business handles sensitive client data (healthcare, legal, financial) or you need advanced compliance tools, step up to Business Premium. The $9.50/month difference per user is worth it for the security and compliance features alone.

Microsoft 365 Setup Checklist: All 8 Phases

Work through each phase in order. Checkboxes are interactive — click to mark items complete as you go. Don’t skip Phase 7. It contains the settings that protect everything else.

Phase 1 — Foundation: Licensing & Tenant Setup (5 items)
Create your Microsoft 365 tenant, select the right plan, and verify your account before anything else.
Choose the correct Microsoft 365 Business plan
Select based on team size and needs. Business Standard is recommended for most SMBs. Business Premium for compliance-heavy industries. Do not select Microsoft 365 Personal or Family — those are for individual use.
admin.microsoft.com · 15 min
Create your Microsoft 365 tenant with your business name
Your initial tenant domain will be yourcompany.onmicrosoft.com — this is a permanent part of your tenant identity. Choose carefully. You’ll replace the user-facing domain with your own in Phase 2, but the .onmicrosoft.com domain cannot be changed.
One-Time Decision · 10 min
Set up your Global Administrator account — use a dedicated admin address
Create a dedicated admin account that is never used for daily email (e.g., admin@yourcompany.onmicrosoft.com). Using your personal business email as Global Admin is a significant security risk. Admin credentials are the highest-value target for attackers.
Security Critical · 10 min
Create a second Global Administrator account as emergency backup
If your primary admin account is compromised or locked, a second Global Admin account is your recovery path. Store credentials securely in a password manager or physical safe — not in a shared spreadsheet.
Important · 5 min
Set up billing with the correct payment method and license count
Add one or two extra licenses beyond your current user count — you’ll need them during onboarding before removing old accounts. Set a billing alert so you’re not surprised when adding users.
Admin Center · 10 min
Phase 2 — Domain: Domain & DNS Verification (6 items)
Connect your business domain so email flows to you@yourbusiness.com instead of you@yourcompany.onmicrosoft.com — and lock down your email reputation.
Add your business domain and verify ownership with a TXT record
In the Microsoft 365 Admin Center, go to Settings → Domains → Add domain. Microsoft will give you a TXT record to add at your DNS registrar (GoDaddy, Namecheap, Cloudflare, etc.). This verifies you own the domain. DNS propagation takes up to 72 hours but usually completes in under an hour.
DNS Registrar · 20 min + propagation
Add the Microsoft 365 MX record to route email to Exchange Online
This is the record that tells the internet where to deliver email addressed to @yourdomain.com. Do NOT add this until all mailboxes are migrated and verified — adding it early cuts off email delivery to your old system. The MX record is your go-live switch.
Do Last in Phase 4 · DNS Registrar
Add the SPF (Sender Policy Framework) TXT record
SPF tells receiving servers which mail servers are authorized to send email on behalf of your domain. The Microsoft 365 SPF record is: v=spf1 include:spf.protection.outlook.com -all. Without SPF, your outgoing emails are more likely to be marked as spam.
Email Deliverability · 5 min
Enable DKIM (DomainKeys Identified Mail) for your domain
DKIM adds a cryptographic signature to outgoing email so receiving servers can verify it was genuinely sent from your domain. Enable it in the Microsoft 365 Defender portal under Email & collaboration → Policies → DKIM. Then add the two CNAME records it gives you at your DNS registrar.
Email Security · Defender Portal
Add a DMARC TXT record to protect your domain from spoofing
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when an email fails SPF or DKIM — reject it, quarantine it, or just report it. Start with a monitoring policy (p=none) and tighten to p=reject after reviewing reports for 30 days.
Anti-Spoofing · 10 min
Verify all DNS records are correct in the Microsoft 365 Admin Center
The Admin Center’s domain setup wizard shows a green checkmark next to each verified record. If any show errors, compare your DNS settings exactly to what Microsoft specifies — typos in DNS records cause persistent email delivery failures that are painful to diagnose.
Verification Step · Admin Center
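A check for the SPF and DMARC records this phase adds, written as an added example for this checklist (it is not Navatek's code or a Microsoft tool). The record strings are constructed samples; the Resolve-DnsName lines in the comments show how to fetch a live domain's records instead.

```powershell
# Added example, not from the Navatek checklist. Evaluates SPF and DMARC TXT
# records against the Phase 2 recommendations. The sample records below are
# constructed; for a live domain, fetch them with:
#   (Resolve-DnsName -Name yourdomain.com -Type TXT).Strings -join ''
#   (Resolve-DnsName -Name _dmarc.yourdomain.com -Type TXT).Strings -join ''

function Test-M365SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = [System.Collections.Generic.List[string]]::new()
    $terms = $Record.Trim() -split '\s+'

    if ($terms[0] -ne 'v=spf1') { $findings.Add('Not an SPF record (must start with v=spf1)') }
    if ($terms -notcontains 'include:spf.protection.outlook.com') {
        $findings.Add('Missing include:spf.protection.outlook.com (Exchange Online is not authorized to send)')
    }
    # The qualifier on the final "all" decides what receivers do with unauthorized senders.
    switch -Regex ($terms[-1]) {
        '^-all$'   { }                                   # hard fail: what the checklist recommends
        '^~all$'   { $findings.Add('Ends with ~all (soft fail); the checklist recommends -all') }
        '^\+?all$' { $findings.Add('Ends with +all: every sender is authorized, so SPF protects nothing') }
        default    { $findings.Add('Record does not end with an "all" mechanism') }
    }
    # SPF permits at most 10 DNS-querying mechanisms; exceeding it makes the record permerror.
    $lookups = @($terms | Where-Object { $_ -match '^(include:|a$|a:|mx$|mx:|redirect=|exists:)' }).Count
    if ($lookups -gt 10) { $findings.Add("$lookups DNS-lookup mechanisms exceeds the SPF limit of 10") }

    [pscustomobject]@{ Type = 'SPF'; Pass = ($findings.Count -eq 0); Findings = $findings }
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = [System.Collections.Generic.List[string]]::new()
    # DMARC tags are "key=value" pairs separated by semicolons.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1') { $findings.Add('Missing v=DMARC1') }
    switch ($tags['p']) {
        'reject'     { }
        'quarantine' { $findings.Add('p=quarantine: acceptable interim step, tighten to p=reject') }
        'none'       { $findings.Add('p=none: monitoring only; tighten to p=reject after reviewing reports') }
        default      { $findings.Add('Missing or invalid p= tag; receivers cannot apply a policy') }
    }
    if (-not $tags.ContainsKey('rua')) {
        $findings.Add('No rua= aggregate report address; you cannot review reports before tightening')
    }
    [pscustomobject]@{ Type = 'DMARC'; Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample records: the day-one monitoring setup and the hardened end state.
$day1 = @{
    SPF   = 'v=spf1 include:spf.protection.outlook.com ~all'
    DMARC = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com'
}
$final = @{
    SPF   = 'v=spf1 include:spf.protection.outlook.com -all'
    DMARC = 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100'
}
foreach ($set in @($day1, $final)) {
    Test-M365SpfRecord -Record $set.SPF
    Test-DmarcRecord   -Record $set.DMARC
}
```

The day-one set produces soft-fail and p=none findings, which is exactly the state you want to leave after the 30-day monitoring window; the final set passes both checks.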
Phase 3 — Users: User Accounts & Roles (5 items)
Create accounts for every team member, assign licenses, and set up role-based access so people only have the permissions they actually need.
Create all user accounts with your business email addresses
Create accounts for every employee before migrating email — you need mailboxes to migrate into. For more than 10 users, use bulk import via a CSV file in the Admin Center or PowerShell. Assign licenses during creation to activate Exchange Online for each user immediately.
Admin Center / PowerShell · 30–60 min
Assign admin roles with least-privilege — only what each person needs
Not everyone who helps with IT needs Global Admin. Use scoped roles: Teams Administrator for Teams management, User Administrator for account support, Exchange Administrator for email settings. Global Admin should be reserved for two break-glass accounts only. Review and trim roles quarterly.
Security Critical · Azure Active Directory
Create shared mailboxes for team addresses (info@, support@, billing@)
Shared mailboxes in Microsoft 365 don’t require a license (up to 50 GB). Create them for any inbox that multiple people need access to. Add members who should see and send from each shared mailbox and configure them to auto-map in Outlook so they appear automatically in each member’s Outlook profile.
Exchange Admin · 20 min
Create Microsoft 365 Groups for each department or team
Microsoft 365 Groups tie together email distribution, a shared inbox, a SharePoint site, a Teams channel, a shared calendar, and a Planner board in one object. Create a group for Sales, Operations, Marketing, HR, etc. — this is the backbone of how Teams and SharePoint organize around your business structure.
Teams + SharePoint · 30 min
Configure password policy — set to never expire when MFA is enforced
Microsoft’s current guidance: don’t force periodic password changes if MFA is enforced. Forced rotations cause weaker passwords (Password1, Password1!, Password2). Set passwords to never expire in Azure AD and rely on MFA (configured in Phase 7) as the real authentication factor.
Microsoft Guidance · Azure AD
Phase 4 — Email: Email Migration to Exchange Online (6 items, most complex phase)
Move all existing email, contacts, and calendars to Exchange Online — without losing a single message and without disrupting your team’s email access.
Choose the right migration method for your current email platform
From Gmail or Google Workspace: use the Google Workspace Migration Tool (GWMT) in the Microsoft 365 Admin Center. From another Microsoft 365 tenant: use cross-tenant migration. From on-premise Exchange: use the Exchange Admin Center migration wizard or Hybrid Configuration. From other IMAP providers (Zoho, GoDaddy email): use the IMAP migration tool. Each has different complexity and time requirements — don’t guess.
Method Matters · 30 min planning
Pre-stage mailbox content before the DNS cutover
Start the migration sync before you change your MX record. This copies existing email to Exchange Online in the background while your team continues using their old email. The pre-stage sync can take hours to days depending on mailbox size — letting it run before cutover means the final sync (the one that causes the switch) takes minutes, not days.
Reduces Downtime · Hours to Days
Migrate contacts and calendars for all users
Contacts and calendars don’t always migrate automatically with the email migration tool — verify your method covers them. For Gmail migrations, GWMT migrates contacts and calendar events. For IMAP-only migrations, contacts and calendars require a separate export/import step. Verify before cutover that each user can see their contacts and calendar in Outlook.
Verify Separately · 1–2 hrs
Test email send and receive in Exchange Online before changing MX
Send test emails between your new Exchange Online mailboxes using the yourname@yourcompany.onmicrosoft.com addresses. Verify Outlook connects correctly with AutoDiscover. Check that shared mailboxes are accessible. Only proceed to the MX record change once every mailbox is verified working.
Test Before Cutover · 1 hr
Change your domain MX record to Microsoft 365 (schedule during off-hours)
This is your go-live moment. Schedule it for a Friday evening or weekend. Lower your TTL to 300 seconds 24 hours before cutover to speed up DNS propagation. After changing the MX record, monitor new email delivery in Exchange Online for 30–60 minutes. Keep your old email system accessible in read-only mode for 2 weeks as a fallback.
Go-Live Step · Off-Hours Only
Set up Outlook (desktop, mobile, web) for every user after cutover
Remove old email accounts from Outlook and add the new Exchange Online account. On most modern Windows machines, Outlook auto-discovers Exchange Online after the user signs in with their Microsoft 365 credentials — but verify with each user. Configure Outlook on iOS and Android using the Microsoft Outlook mobile app (not the native mail app) for full security policy support.
All Devices · 1–3 hrs
Phase 5 — Communication: Microsoft Teams Setup (6 items)
Set up Teams as your team’s communication hub — replacing email threads, phone calls, and file-by-email chaos with organized channels your whole team actually enjoys using.
Create a Team for each department and one company-wide Team
Create separate Teams for Sales, Operations, Marketing, HR, and IT. Add one company-wide Team called [Company Name] - All Staff for announcements and company-level communication. Each Team gets its own SharePoint site, document library, notebook, and Planner board automatically. Set the company-wide Team to automatically add new members.
Teams Admin Center · 30 min
Create channels within each Team for specific topics or projects
Every Team has a General channel by default — add specific channels for recurring topics. For a Sales team: Proposals, Client Follow-Ups, Pipeline, Wins. For Operations: Vendors, Projects, Scheduling. Keep channels focused — fewer, purposeful channels are more useful than dozens of abandoned ones. Use private channels sparingly, only for genuinely confidential sub-groups.
Structure Matters · 30 min
Configure Teams meeting policies in the Teams Admin Center
Set a policy that allows external guests to join meetings (with lobby waiting room). Disable “allow anonymous users to start a meeting” — this prevents meeting link hijacking. Enable transcription and recording for meetings where that’s appropriate. Set cloud recording storage to OneDrive or SharePoint, not third-party services.
Security Setting · Teams Admin Center
Configure calling policies if your team uses Teams for phone calls
If you have Microsoft Teams Phone (formerly Teams Calling) or a Calling Plan, configure dial plans, call queues, and auto-attendants in the Teams Admin Center. If you’re using Teams only for internal calls and video (not as your phone system), set calling policies to disable PSTN calling for users who don’t need it — this prevents unexpected charges.
If Using Phone System · 1 hr
Pin relevant apps and tabs in each Team channel
Each Teams channel can have pinned tabs for SharePoint pages, shared Excel files, Power BI dashboards, Planner boards, or OneNote notebooks. Pin the resources your team uses every day — this makes Teams the hub where work happens, rather than just a chat tool. Keep pinned tabs to 5 or fewer per channel to avoid visual clutter.
Productivity Win · 30 min
Configure external access and guest access in the Teams Admin Center
External access lets your users communicate with Teams users at other organizations (useful for client collaboration). Guest access lets external people join your Teams as guests (useful for contractors). Enable both, but set guest permissions carefully — by default, guests can see all channels in a team they’re added to. Consider using private channels for guest collaboration if you have sensitive internal channels.
Review Carefully · Teams Admin Center
Phase 6 — Files & Collaboration: SharePoint & OneDrive Setup (6 items)
Replace your file server with SharePoint shared document libraries and OneDrive personal storage — so your team can access every file from any device, anywhere, with full version history.
Create SharePoint team sites for each department
Each Microsoft 365 Group you created in Phase 3 and each Team from Phase 5 already has an associated SharePoint site. Use these as the home for each department’s shared files, announcements, and quick links. Create an additional intranet-style SharePoint communication site for your company homepage — a central place for company announcements, policy documents, and HR resources.
SharePoint Admin · 1–2 hrs
Build document library folder structure before migrating files
Map out your folder structure before migrating. Resist the urge to recreate your old file server folder tree exactly — this is an opportunity to reorganize. Flatten deep folder hierarchies (SharePoint works better with fewer nested levels). Plan for folders by project or client rather than by document type. Get team leads to agree on the structure before you migrate files into it.
Plan First · 2–3 hrs planning
Migrate file server or Google Drive data to SharePoint
Use the SharePoint Migration Tool (SPMT) for file server migrations, or Migration Manager in the SharePoint Admin Center for Google Drive and Dropbox. Run the migration in phases — start with less-critical folders to test the process, then migrate active working files. Run a final delta migration the day before go-live to capture any files changed since the initial run.
SharePoint Migration Tool · Hours to Days
Restrict external sharing to specific domains or disable it by default
By default, Microsoft 365 allows any user to share any file with anyone via a link. This is one of the most dangerous default settings for small businesses. In the SharePoint Admin Center, set the external sharing level to “Specific people” or “Existing guests only” — at minimum, require users to specify a name and email, not just create an open link. You can always loosen this for specific sites that need it.
Security Critical · SharePoint Admin
Configure OneDrive sync on all user computers
Install the OneDrive sync client on every computer (pre-installed on Windows 10/11). Sign users in with their Microsoft 365 account. Set Known Folder Move to automatically back up Desktop, Documents, and Pictures folders to OneDrive — this is one configuration change that eliminates the risk of local file loss for your entire team. Enable it silently via Group Policy or Intune for the smoothest deployment.
Enable Known Folder Move · 30 min per device
Verify version history is enabled in SharePoint and OneDrive
SharePoint and OneDrive keep version history for every file by default — but verify the version limit is set appropriately. The default (500 versions) is fine for most files. For frequently-edited documents, version history is your undo button for the past 500 saves. It also provides basic protection against ransomware that encrypts synced files — you can restore to a clean version.
Verify Default On · SharePoint Admin
Phase 7 — Most Important Phase: Security Hardening — Don’t Skip This (8 items, critical)
The settings most businesses miss — the ones that separate a properly secured Microsoft 365 environment from a liability. Your Microsoft Secure Score will jump from 28 to 70+ after completing this phase.
Enforce Multi-Factor Authentication for every user and admin account
This is the single most impactful security setting in Microsoft 365. Enable MFA via Security Defaults (the easy way) or Conditional Access Policies (the flexible way). Use Microsoft Authenticator as the MFA method — not SMS codes, which are vulnerable to SIM swapping. MFA blocks 99.9% of automated account compromise attempts. Do this before anything else in this phase.
#1 Priority · Azure AD / Entra ID · 1 hr
Create Conditional Access policies (requires Azure AD P1 / Business Premium)
Conditional Access lets you enforce rules like: “require MFA when signing in from outside the office network,” “block sign-ins from high-risk countries,” or “require a compliant device to access sensitive SharePoint sites.” Start with Microsoft’s pre-built policy templates in the Azure AD portal. At minimum, enable the “Require MFA for admins” and “Require MFA for all users” policies.
Business Premium Required · Azure AD / Entra ID
Enable and configure Microsoft Defender for Office 365
Defender for Office 365 (included in Business Premium, add-on for Standard) protects your email from phishing, malware, and zero-day attachments. Enable Safe Attachments (scans all attachments in a sandbox before delivery), Safe Links (re-scans URLs at click time), and Anti-Phishing policies with spoof intelligence. Without these, Exchange Online Protection alone is insufficient against modern targeted attacks.
Email Security · Defender Portal
Review Microsoft Secure Score and work through its recommendations
Go to security.microsoft.com and click Secure Score. Your score shows where you stand and gives you a prioritized list of recommended actions — each with an impact score and specific implementation steps. Work through the “Recommended actions” tab from highest impact to lowest. Each completed action raises your score. Aim for 65+ before go-live; 80+ within 90 days.
Your Security Scorecard · security.microsoft.com
Enable unified audit logging in Microsoft 365
Audit logging records who accessed what, who changed which settings, and who sent which emails. It’s essential for incident investigation after a security event — without it, you’re flying blind. In the Microsoft 365 Defender portal, go to Audit → turn on Audit Log Search. This is off by default. New tenants should turn this on before any users start working in the environment.
Off by Default · Defender Portal · 5 min
Set up Data Loss Prevention (DLP) policies for sensitive data
DLP policies automatically detect and protect sensitive information — credit card numbers, Social Security numbers, health records, financial data — in emails and shared files. Microsoft provides built-in templates for PCI DSS, HIPAA, GDPR, and more. Start with “monitor” mode to see what’s in your environment before enforcing blocking. Required for healthcare, legal, and financial businesses handling regulated data.
HIPAA / PCI Required · Purview Compliance
Block legacy authentication protocols (SMTP, IMAP, POP3, basic auth)
Legacy authentication protocols bypass MFA entirely — an attacker with stolen credentials can log in via IMAP regardless of your MFA policy. Use Conditional Access to block legacy authentication for all users. If any devices or apps in your environment still use basic auth (old printers that email, legacy line-of-business apps), identify and remediate them first. This is a critical step most businesses skip.
Blocks MFA Bypass · Azure AD
Configure activity alerts for admin account changes and suspicious sign-ins
Set up alerts that email you immediately when: a new Global Admin is added, a user account is created outside business hours, a sign-in is blocked by Conditional Access (repeated failures indicate an attack in progress), mass file download occurs in OneDrive, or mail forwarding rules are added to a mailbox (a common post-compromise attacker technique). Configure alerts in the Microsoft 365 Defender portal under Alerts.
Threat Detection · Defender Portal
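Added example (not part of the checklist) covering the audit-logging and alerting items above: it enables unified audit log ingestion with Exchange Online PowerShell, then lists every mailbox-level forward and inbox rule that sends mail outside your accepted domains, the post-compromise pattern the alert item describes. It assumes the ExchangeOnlineManagement module and the placeholder admin UPN shown.

```powershell
# Added example, not from the Navatek checklist. Requires the ExchangeOnlineManagement
# module and the Exchange Administrator role. The admin UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName 'admin@yourcompany.onmicrosoft.com'

# 1. Unified audit logging is off by default and only records from the moment it
#    is enabled, so turn it on first and confirm the setting took effect.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# 2. Treat every domain that this tenant does not accept mail for as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    if (-not $Address) { return $false }
    # Rule recipients look like "Display Name [SMTP:user@domain]"; mailbox
    # forwarding looks like "smtp:user@domain"; plain addresses also occur.
    $smtp = if ($Address -match 'smtp:([^\]\s]+)') { $Matches[1] } else { $Address }
    $domain = ($smtp -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

# 3. Walk every mailbox: admin-set forwarding first, then the user's inbox rules.
$report = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $target = if ($mbx.ForwardingSmtpAddress) { "$($mbx.ForwardingSmtpAddress)" } else { "$($mbx.ForwardingAddress)" }
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'MailboxForwarding'
            Target   = $target
            External = Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"
        }
    }
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        foreach ($t in $targets) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = "InboxRule: $($rule.Name)"
                Target   = "$t"
                External = Test-ExternalAddress "$t"
            }
        }
    }
}

# External targets first: each one is either a documented business need or an incident.
$report | Sort-Object External -Descending | Format-Table Mailbox, Source, Target, External -AutoSize
```

Run it once before go-live to establish a baseline and again whenever a mail-forwarding alert fires, so the alert can be compared against known, approved forwards.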
Phase 8 — Launch: Employee Training & Go-Live (5 items)
Bring your team onto the new platform confidently — with training before cutover, helpdesk coverage during transition, and monitoring to catch issues before they cause real pain.
Create simple quick-start guides for Outlook, Teams, SharePoint, and OneDrive
One-page visual guides showing how to: find email in Outlook, post in a Teams channel vs. send a chat, find files in SharePoint, save files to OneDrive vs. SharePoint. Keep them simple — bullet points and screenshots, one page per app. Post them in your Teams General channel before training so employees can reference them anytime.
Before Training · 2–3 hrs
Run team training sessions at least 2 days before go-live
Hold separate 60-minute training sessions per team — don’t do one company-wide session where front desk and developers are in the same room. Cover: how to find their email in Outlook, how to use Teams channels vs. chat vs. meetings, how to find and share files in SharePoint, and the security rules (MFA, don’t share passwords, don’t click unexpected links). Run a Q&A at the end.
Before Go-Live · 1 hr per team
Complete MFA enrollment for all users before go-live day
Do not flip the go-live switch with unenrolled MFA users. When Conditional Access enforces MFA and a user hasn’t enrolled, they get locked out of their account immediately. Walk every user through Microsoft Authenticator setup individually or use a group session. Make MFA enrollment a prerequisite for getting access to the new system, not an afterthought.
Prerequisite to Go-Live · 10 min per user
Provide dedicated helpdesk coverage on go-live day and the following week
Have IT staff (internal or remote IT support) available all day on go-live day and for the first full week. The most common go-live day issues: Outlook not connected, OneDrive sync not working, MFA prompts confusing users, Teams notifications too aggressive, can’t find shared files. Fast support on day one builds confidence and prevents the “this new system is terrible” narrative from taking hold.
Go-Live Coverage · Remote Support
Schedule a 30-day post-launch review of Secure Score, usage, and open issues
At 30 days post-launch: review Microsoft Secure Score and complete any remaining recommendations, audit user accounts for any inactive licenses, review sharing settings in SharePoint for any links created during go-live chaos, check Teams usage analytics for channels that aren’t being used (simplify), and resolve any lingering migration issues with email or files. Document what you did and what’s still open.
30 Days Post-Launch · 2–3 hrs

Four Microsoft 365 Configurations Most Businesses Get Wrong

These are the areas where small businesses most commonly end up with a Microsoft 365 setup that looks complete but has significant security or usability problems hiding beneath the surface.

Azure AD — MFA & Conditional Access Status
  • MFA enforced — all users: Active ✓
  • Security Defaults: Disabled (using CA)
  • Conditional Access policies: 8 active
  • Legacy auth blocked: Enforced ✓
  • SMS MFA users: 2 (upgrade needed)
  • Authenticator app users: 13 ✓
  • MFA enrollment: 87%
  • Sign-in risk blocked: 100%
Security Priority 01: MFA — The One Setting That Changes Everything

MFA Is Not Optional — And SMS Is Not Enough

Multi-factor authentication blocks over 99.9% of automated account compromise attempts — Microsoft’s own telemetry from 2025. A stolen password is worthless against MFA. But not all MFA methods are equally secure. SMS codes are vulnerable to SIM swapping attacks; use the Microsoft Authenticator app instead. And enforcing MFA without blocking legacy authentication protocols is like locking the front door and leaving the back door open.

Security Defaults vs. Conditional Access — know the difference
Security Defaults (free, simple) enforce baseline MFA for all users. Conditional Access (requires Azure AD P1 / Business Premium) lets you set fine-grained policies — MFA only from outside the office, block specific countries, require compliant devices. Start with Security Defaults if you’re just getting started. Upgrade to Conditional Access as soon as your budget allows.
  • Enable MFA before any users start working in the new environment
  • Use Microsoft Authenticator as the primary MFA method — not SMS
  • Block legacy authentication via Conditional Access to prevent MFA bypass
  • Require MFA for admin accounts every sign-in, regardless of location
  • Enroll every user before enforcing — don’t surprise them with a lockout on go-live day
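The legacy-authentication block from Phase 7 and the list above, expressed as a Conditional Access policy created with Microsoft Graph PowerShell; this is an added example, not Navatek's or Microsoft's script. It assumes the Microsoft.Graph module is installed, starts the policy in report-only mode so you can find devices still using basic auth before enforcing, and uses a placeholder object ID for the break-glass admin account.

```powershell
# Added example, not from the Navatek checklist. Creates the "block legacy
# authentication" Conditional Access policy described in Phase 7 (requires
# Azure AD P1 / Business Premium and the Microsoft.Graph PowerShell module).
# Placeholder: the object ID of your second (break-glass) Global Admin account.
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # replace before running

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Block legacy authentication (all users)'
    # Report-only: every sign-in is evaluated and logged, nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Legacy protocols (IMAP, POP3, SMTP AUTH, older Office clients) show up as
        # Exchange ActiveSync and "other clients"; none of them can answer an MFA prompt.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)   # never lock out the recovery account
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review the report-only results in the Entra sign-in logs (filter on this policy)
# and remediate the printers and line-of-business apps that appear. Only then
# switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Keep Security Defaults on until this and the MFA policies are enforced and tested, per the configuration trap described later on this page.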
Defender for Office 365 — Email Protection
  • SPF record configured: Verified
  • DKIM signing enabled: Active
  • DMARC policy — p=reject: Enforced
  • Safe Attachments — Dynamic Delivery: Active
  • Safe Links — time-of-click scan: Active
  • Anti-phishing impersonation rules: Configuring
  • Phishing simulation training: Pending
Security Priority 02: Email Security — More Than Just Spam Filtering

Exchange Online Protection Alone Is Not Enough in 2026

Exchange Online Protection (EOP) — included with all Microsoft 365 plans — blocks basic spam and known malware. But in 2026, AI-generated spear-phishing emails and zero-day attachment exploits bypass EOP routinely. Microsoft Defender for Office 365 adds the critical next layer: Safe Attachments detonates every attachment in a sandbox before delivery, Safe Links rescans URLs at the moment a user clicks them, and anti-impersonation rules catch emails pretending to be your CEO.

Configure anti-phishing impersonation protection with your executives’ names
Add your CEO, CFO, and any other executives as protected users in the anti-phishing policy. This detects emails pretending to be from leadership (the most common BEC attack vector) — even when the display name looks correct but the email address is a lookalike domain. This setting alone would prevent the majority of “CEO fraud” wire transfer attacks at small businesses.
  • Configure SPF, DKIM, and DMARC before go-live — email authentication is non-negotiable
  • Enable Safe Attachments with Dynamic Delivery (no delay for users)
  • Enable Safe Links for email, Teams messages, and Office documents
  • Add executives to anti-phishing impersonation protection
  • Set up Attack Simulator for monthly phishing simulation training
SharePoint Admin — Sharing Policies
  • External sharing level: Default: Anyone ⚠
Recommended settings:
  • SharePoint org-level sharing: Specific People
  • OneDrive sharing: Specific People
  • Anonymous link expiry: 7 days max
  • External domains whitelist: Configured
  • Link type default: Specific People
  • Default link permissions: View only
Security Priority 03: Sharing Settings — The Dangerous Default

Microsoft 365’s Default Sharing Settings Are Too Permissive for Most Businesses

Out of the box, Microsoft 365 lets any user create a public “Anyone with the link” share for any file — no authentication required, no expiry, no audit trail. For a small business with client contracts, financial records, or any sensitive data in SharePoint, this default is a liability. It takes about 15 minutes to tighten sharing settings appropriately — and it’s one of the most overlooked configurations in every Microsoft 365 setup we’ve seen.

You can still share externally — just require a name and email address
Setting sharing to “Specific people” doesn’t prevent you from sharing files with clients — it requires specifying who you’re sharing with. That name and email address appears in your audit log. Anonymous open links have no accountability. This one change eliminates accidental data exposure from forwarded sharing links.
  • Set org-wide SharePoint sharing to “Specific people” (not “Anyone”)
  • Set the default link type to “Specific people” in Admin Center
  • Set default link permissions to “View” rather than “Edit”
  • Restrict sharing to approved external domains if you only collaborate with specific partners
  • Set anonymous link expiry to 7 days maximum if anonymous links are enabled at all
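The settings listed above as the equivalent SharePoint Online Management Shell commands, an added example rather than something from the original checklist. It shows the tenant's current values first, applies the recommended baseline, and re-reads them; the tenant name contoso and the partner domain partner.example are placeholders.

```powershell
# Added example, not from the Navatek checklist. Requires the
# Microsoft.Online.SharePoint.PowerShell module and the SharePoint Administrator
# role. "contoso" and "partner.example" are placeholders; replace both.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$watched = 'SharingCapability', 'OneDriveSharingCapability', 'DefaultSharingLinkType',
           'DefaultLinkPermission', 'RequireAnonymousLinksExpireInDays',
           'SharingDomainRestrictionMode', 'SharingAllowedDomainList'

# Before: a fresh tenant reports SharingCapability = ExternalUserAndGuestSharing,
# which is the "Anyone" link level the checklist warns about.
Get-SPOTenant | Select-Object $watched | Format-List

# After: the Security Priority 03 baseline, expressed as Set-SPOTenant parameters.
$baseline = @{
    SharingCapability                 = 'ExternalUserSharingOnly'  # "New and existing guests": guests must sign in, no Anyone links
    OneDriveSharingCapability         = 'ExternalUserSharingOnly'  # same level for OneDrive
    DefaultSharingLinkType            = 'Direct'                   # default link type "Specific people"
    DefaultLinkPermission             = 'View'                     # default permission View, not Edit
    RequireAnonymousLinksExpireInDays = 7                          # 7-day cap if Anyone links are ever re-enabled
}
Set-SPOTenant @baseline

# Optional: only allow sharing with approved partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList 'partner.example'

# Verify, and keep this output with your go-live records.
Get-SPOTenant | Select-Object $watched | Format-List
```

Individual sites can still be loosened with Set-SPOSite -SharingCapability for the few that genuinely need it, which keeps the permissive setting scoped rather than tenant-wide.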
Microsoft Secure Score — Before & After Setup
  • Default tenant (no config): 22 / 100
  • After Phase 7 (this checklist): 72 / 100
  • After 90-day optimization: 84 / 100
Top improvement actions:
  • Require MFA for admins: +10 pts
  • Enable audit logging: +8 pts
  • Block legacy auth: +7 pts
  • Enable Safe Attachments: +6 pts
Security Priority 04: Microsoft Secure Score — Your Ongoing Security Report Card

Your Secure Score Tells You Exactly What to Fix Next

Microsoft Secure Score (at security.microsoft.com) is arguably the most underused tool in Microsoft 365. It grades your environment on a 0–100 scale and gives you a prioritized, step-by-step improvement plan with the exact impact each action will have on your score. A default new tenant typically scores 20–28. Completing Phase 7 of this checklist alone pushes most small businesses to 65–75. Aim for 80+ within 90 days of go-live.

Navatek reviews and remediates Secure Score for every managed client monthly
Our managed Microsoft 365 clients receive a monthly Secure Score report showing current score, actions completed, actions pending, and our recommendations for the next 30 days. Most new clients go from a score of 25–35 to 75+ in the first 60 days of managed service.
  • Check Secure Score on day one of your tenant to establish a baseline
  • Complete the top 10 recommended actions before go-live — these are highest impact
  • Review Secure Score monthly — new recommendations appear as Microsoft adds features
  • Use the “Compare” tab to see how your score benchmarks against similar-size organizations
  • Don’t chase a perfect score — some recommendations may not apply to your business

6 Microsoft 365 Setup Mistakes That Create Serious Problems Later

These are the errors we see most often when businesses set up Microsoft 365 on their own — each one quietly creating a problem that surfaces weeks or months later at the worst possible time.

Using Global Admin as Your Daily Email Account

Your Global Admin account should never be used for day-to-day email. If that account gets phished, the attacker has admin access to your entire Microsoft 365 environment — every user, every file, every setting. Use a dedicated admin account with a separate email address that nobody corresponds with externally.

Critical Security Error
🔐 Turning Off Security Defaults Before Configuring Conditional Access

Security Defaults provide baseline MFA protection. Many setup guides tell you to disable Security Defaults early in the process (to allow Conditional Access). But if you disable it before creating your Conditional Access policies, you have a window with no MFA enforcement. Never disable Security Defaults until your CA policies are live and tested.

Configuration Trap
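The safe ordering described above, as an added example (not Navatek's code) that also covers the legacy-authentication block from the security list: both baseline Conditional Access policies are created in report-only mode first, and Security Defaults is switched off only in the same step that switches the policies on. Assumes the Microsoft.Graph.Identity.SignIns module, a Global Administrator sign-in, a break-glass account whose object ID goes in $breakGlassId (placeholder), and that Entra will not enable a Conditional Access policy while Security Defaults is still on.

```powershell
# Added example (not Navatek's code): report-only first, then a back-to-back cutover.
# Assumes Microsoft.Graph.Identity.SignIns and a Global Administrator sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID, replace before use

$reportOnly = "enabledForReportingButNotEnforced"
$policies = @(
    @{  # Require MFA for every user on every cloud app.
        displayName   = "Baseline: require MFA for all users"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Block legacy protocols (IMAP/POP3/SMTP basic auth); they cannot complete an MFA prompt.
        displayName   = "Baseline: block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)
$created = foreach ($p in $policies) { New-MgIdentityConditionalAccessPolicy -BodyParameter $p }
"Created $($created.Count) report-only policies. Watch the sign-in log's Report-only tab for a few days first."

function Invoke-SecurityDefaultsCutover {
    # Run only after the report-only results show no unexpected blocks.
    param([string[]]$PolicyIds)
    # Refuse to proceed if a policy was deleted in the meantime (the call throws on a missing ID).
    foreach ($id in $PolicyIds) { $null = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id }
    # Assumption: Entra refuses to enable CA policies while Security Defaults is on, so the two
    # changes are made back to back, leaving a gap of seconds rather than hours or days.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
    foreach ($id in $PolicyIds) {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id -State "enabled"
    }
    Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled   # should now read False
}
# Invoke-SecurityDefaultsCutover -PolicyIds $created.Id
```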
📧 Changing the MX Record Before All Mailboxes Are Migrated

Changing your MX record is the switch that routes all incoming email to Exchange Online. Do it before mailboxes are ready and new email vanishes. Pre-stage all mailboxes, test thoroughly, and only flip the MX record as the final step of email migration — ideally on a Friday evening with IT monitoring email delivery in real time for the first hour.

Email Loss Risk
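The "pre-stage, test, then flip" rule above as a pre-flight check, added here as an example (not Navatek's code): it refuses the cutover unless every pre-staged mailbox has synced, then reports where DNS currently sends mail. Assumes the ExchangeOnlineManagement module, a migration batch that already covers every mailbox, Windows (for Resolve-DnsName), and your domain in $domain (placeholder value).

```powershell
# Added example (not Navatek's code): run this before touching the MX record.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false
$domain = "example.com"   # placeholder

function Test-MailboxCutoverReady {
    param([string]$Domain)
    # Every migration user must have reached a synced or completed state; anything else means
    # that mailbox would be empty the moment the MX record points at Exchange Online.
    $ready = @("Synced", "IncrementalSynced", "Completed")
    $users = @(Get-MigrationUser -ResultSize Unlimited)
    if ($users.Count -eq 0) {
        Write-Warning "No migration users found: nothing has been pre-staged yet."
        return $false
    }
    $notReady = @($users | Where-Object { $_.Status -notin $ready })
    if ($notReady.Count -gt 0) {
        Write-Warning ("{0} of {1} mailboxes are not yet synced:" -f $notReady.Count, $users.Count)
        $notReady | Select-Object Identity, Batch, Status | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    # The domain must be verified as an accepted domain or Exchange Online will reject inbound mail.
    if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $Domain })) {
        Write-Warning "$Domain is not an accepted domain in this tenant."
        return $false
    }
    return $true
}

function Get-PrimaryMx {
    param([string]$Domain)
    # Lowest preference value wins; Exchange Online targets end in mail.protection.outlook.com.
    Resolve-DnsName -Name $Domain -Type MX | Where-Object { $_.Type -eq "MX" } |
        Sort-Object Preference | Select-Object -First 1 -ExpandProperty NameExchange
}

$mx = Get-PrimaryMx -Domain $domain
if (Test-MailboxCutoverReady -Domain $domain) {
    if ($mx -like "*.mail.protection.outlook.com") { "MX already points at Exchange Online ($mx)." }
    else { "All mailboxes synced. Safe to change the MX record; it currently points at $mx." }
} else {
    "Do NOT change the MX record yet (current MX: $mx)."
}
```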
💾 Leaving External Sharing Set to “Anyone”

The default Microsoft 365 sharing setting allows any user to create an open link to any file — no authentication, no expiry, no audit trail. This is appropriate for a public content website, not a business managing client data. Change it to “Specific people” on day one. You can always loosen it for individual sites that genuinely need open links.

Data Exposure Risk
📢 Not Enabling Audit Logging Before Users Start Working

Audit logging is off by default and does not retroactively capture events — it only logs from the moment you enable it. If a security incident occurs before you turn it on, you have no record of what happened. Enable audit logging during tenant setup, before any users are active. This 5-minute configuration pays for itself in every security investigation you will ever need to do.

Forensics Gap
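The two day-one settings from the sharing and audit-logging cards above, applied and then read back so each change is verified rather than assumed; this is an added example, not Navatek's code. Assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, a Global Administrator sign-in, and your tenant name (the part before .onmicrosoft.com) in $tenant (placeholder value).

```powershell
# Added example (not Navatek's code): day-one sharing and audit settings, set and verified.
$tenant = "contoso"   # placeholder
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

function Enable-UnifiedAuditLogging {
    # The unified audit log only records from the moment ingestion is on; enable it before users arrive.
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }
    # Read back; the flag can take some time to report $true after being set.
    return [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

function Set-SharingToSpecificPeople {
    # In the admin center, "Anyone" is the external-sharing level and "Specific people" is the default
    # link type; both are tightened here. ExternalUserSharingOnly allows guests who sign in but no
    # anonymous links; DefaultSharingLinkType Direct makes every new share link "Specific people".
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Direct
    $t = Get-SPOTenant
    return ($t.SharingCapability -eq "ExternalUserSharingOnly" -and $t.DefaultSharingLinkType -eq "Direct")
}

function Get-DayOneHardeningReport {
    [pscustomobject]@{
        AuditLogEnabled      = Enable-UnifiedAuditLogging
        SharingLockedDown    = Set-SharingToSpecificPeople
        # OneDrive has its own sharing level that must not be more permissive than the org level.
        OneDriveSharingLevel = (Get-SPOTenant).OneDriveSharingCapability
    }
}
Get-DayOneHardeningReport | Format-List
```

Individual sites that genuinely need open links can be loosened afterwards with Set-SPOSite, which leaves the tenant-wide default locked down.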
👥 Not Training Employees on File Storage Rules Before Go-Live

Without training, employees save files to their desktop (bypassing OneDrive), email attachments instead of sharing SharePoint links, and use personal Dropbox accounts out of habit. A 60-minute training session before go-live that covers “where to save files” and “how to share files” prevents months of file management chaos and duplicate files scattered across every platform.

Adoption Risk

Microsoft 365 Setup FAQs for Small Business

A complete Microsoft 365 setup for a small business takes 3–5 business days for a team of 10–25 users when done properly. A basic setup (email only, no SharePoint migration, minimal security config) can be done in 4–8 hours. A full deployment including email migration, SharePoint file migration, Teams setup, security hardening, and employee training typically takes 3–10 days depending on data volume and team size. Navatek Solutions handles complete Microsoft 365 deployments as part of managed IT onboarding — included with no extra fee for new managed plan subscribers.

Microsoft 365 Business Standard ($12.50/user/month) is the best choice for most small businesses — it includes Exchange email, full desktop Office apps (Word, Excel, PowerPoint, Outlook), Teams, SharePoint, and OneDrive with 1 TB per user. If your business operates in a regulated industry (healthcare, legal, financial) or needs advanced compliance and security tools, Business Premium ($22/user/month) adds Microsoft Defender for Business, Azure AD Premium P1, Intune device management, and advanced compliance features. The extra $9.50/user/month for Business Premium is almost always worth it for businesses handling sensitive client data.

In priority order: (1) Multi-Factor Authentication enforced for all users using Microsoft Authenticator — this single setting blocks 99.9% of account compromises. (2) Block legacy authentication to prevent MFA bypass via IMAP/SMTP/POP3 basic auth. (3) Enable Unified Audit Logging before users start working — it doesn’t capture retroactively. (4) Set SharePoint external sharing to “Specific people” — the default “Anyone” setting is too permissive. (5) Configure anti-phishing impersonation protection with your executive names. (6) Enable Safe Attachments and Safe Links in Defender for Office 365. (7) Review Microsoft Secure Score and complete the top-10 recommended actions.

Yes — with proper planning, a Microsoft 365 email migration causes zero unplanned downtime. The key is pre-staging: run the migration sync in the background for 24–72 hours before the DNS cutover so that the final sync (and resulting transition) takes minutes rather than hours. Schedule the MX record change on a Friday evening or weekend with IT monitoring delivery for the first hour. Keep your old email system accessible in read-only mode for 2 weeks as a fallback. Navatek has migrated dozens of small businesses to Exchange Online with zero email loss and no unplanned downtime.

Yes — Microsoft 365 is designed entirely for remote administration. Every admin function — user management, security configuration, email settings, Teams policies, SharePoint permissions, compliance tools, and Secure Score — is managed through browser-based admin centers accessible from anywhere. Navatek Solutions manages Microsoft 365 for hundreds of small businesses entirely remotely: user provisioning and deprovisioning, license management, security policy updates, helpdesk support, and monthly Secure Score reviews — all without requiring a single on-site visit.

Microsoft Secure Score (at security.microsoft.com) is a free built-in tool that grades your Microsoft 365 security posture from 0–100 and gives you a prioritized list of improvement actions — each with an exact point impact and step-by-step implementation instructions. A default new tenant scores 20–28. A properly configured SMB environment following this checklist reaches 70–80+. Secure Score is the most actionable free security diagnostic available to Microsoft 365 customers — it tells you exactly what to fix, in what order, and shows you the specific risk each action mitigates. Review it monthly; Microsoft regularly adds new recommendations as the threat landscape evolves.

Navatek Solutions IT Team
Microsoft 365 & Managed IT Specialists
Navatek Solutions is a Microsoft Certified Partner specializing in Microsoft 365 deployment, migration, and ongoing management for small and medium businesses across the United States. We’ve helped hundreds of small businesses migrate to Microsoft 365 with zero email downtime and a fully hardened security configuration from day one.
Skip the Checklist — We’ll Handle It

Get Your Microsoft 365 Set Up the Right Way, Fully Remotely

Our Microsoft-certified remote IT team handles every phase of this checklist for you — licensing, domain setup, email migration, Teams, SharePoint, security hardening, and employee training. Zero downtime. Zero configuration gaps. Included in our managed IT plans.

✓ Microsoft Certified Partner  ·  ✓ Zero-downtime migration  ·  ✓ Security hardening included  ·  ✓ 100% remote