Home → Office 365 → Tenancy Setup - Administration Guide → Microsoft 365 Tenancy Setup – Best Practice Checklist

1.1. Microsoft 365 Tenancy Setup – Best Practice Checklist

Microsoft 365 Tenancy Setup – Best Practice Checklist

---

1. Initial Tenant Configuration

• Register the tenant via the Microsoft 365 Admin Center

• Verify your domain(s) in Settings > Domains

• Assign an M365 license (e.g., Business Standard, E3) to the global admin

• Rename the default onmicrosoft.com domain if appropriate

---

2. Admin & User Account Setup

• Set up a break-glass Global Admin account with a strong, non-expiring password and MFA disabled (for emergency use only)

• Enable Multi-Factor Authentication (MFA) for all other users and admins

• Use roles-based access control (RBAC) – avoid using Global Admin unnecessarily

• Create security groups and use group-based licensing where appropriate

---

3. Security & Compliance

• Configure Microsoft Defender for Office 365 (anti-phishing, anti-malware, Safe Links, Safe Attachments)

• Set up SPF, DKIM, and DMARC in DNS

• Review and configure Azure AD Identity Protection and Conditional Access policies

• Enable and configure Microsoft Purview (data loss prevention, retention policies, audit logs, eDiscovery)

• Enable mailbox auditing, sign-in logs, and admin alerts

---

4. Exchange Online Configuration

• Configure mail flow (transport) rules (e.g., disclaimers, anti-spoofing headers)

• Set up shared mailboxes, distribution lists, and resource mailboxes

• Review and adjust anti-spam and anti-malware policies

• Migrate legacy mail using cutover, staged, hybrid, or PST import methods

---

5. Endpoint & Device Management

• Configure Microsoft Intune (if applicable) for device enrolment and management

• Set compliance policies for supported platforms (Windows, macOS, iOS, Android)

• Set up AutoPilot for zero-touch Windows deployments (optional)

---

6. Applications & Collaboration

• Set up SharePoint Online and OneDrive access/sharing settings

• Configure Microsoft Teams (guest access, chat, file sharing, compliance settings)

• Enable or disable other M365 apps (e.g., Loop, Planner, Bookings, Viva) as needed

• Build or customise a SharePoint intranet or communication hub if required

---

7. Monitoring, Reporting & Automation

• Enable Unified Audit Log in Microsoft Purview

• Review and act on Microsoft Secure Score recommendations

• Configure Log Analytics, Microsoft Sentinel, or a third-party SIEM (if in use)

• Enable Self-Service Password Reset (SSPR) for all users

---

8. Documentation & Handover

• Document:

  • Admin accounts and permission levels

  • Domain and DNS settings

  • Licensing overview and assignments

  • Key security and compliance configurations

• Provide a handover guide or support SOP to the client or IT team

• Implement and document your email/SharePoint/OneDrive backup strategy (e.g., Veeam, Dropsuite, SkyKick)