Azure Active Directory — now officially rebranded by Microsoft as Microsoft Entra ID, though widely still referred to as Azure AD — is the identity and access management service that underpins virtually every Microsoft cloud product. If your business uses Microsoft 365, you already have an Azure AD tenant whether you realise it or not. But there is a significant difference between having Azure AD and having it properly configured for your business.
For UK SMEs, a well-configured Azure AD environment is the foundation of modern security, user management, and cloud application access. It controls who can sign in to your systems, what they can access, how they authenticate, and what happens when they leave the organisation. Getting this right from the outset saves enormous time and prevents security gaps that could expose your business to data breaches, unauthorised access, or compliance failures under UK GDPR.
This guide walks through the essential steps to set up and configure Azure Active Directory properly for a UK small or medium-sized business, covering everything from initial tenant configuration to advanced security features.
Understanding Your Azure AD Tenant
When your business first signs up for Microsoft 365, an Azure AD tenant is automatically created. This tenant is your organisation's dedicated instance of Azure AD — a private directory that contains all your user accounts, groups, application registrations, and security policies. Think of it as your digital identity headquarters.
Your tenant has a unique identifier and a default domain name (typically something like yourcompany.onmicrosoft.com). One of the first configuration steps is to add and verify your actual business domain (for example, yourcompany.co.uk) so that your users sign in with their real email addresses rather than the onmicrosoft.com default.
Adding a Custom Domain
To add a custom domain to your Azure AD tenant, navigate to the Microsoft Entra admin centre, open Domain names (labelled Custom domain names in the older Azure portal blade), and click Add custom domain. Enter your domain name and Microsoft will provide you with a DNS record (typically a TXT record, with an MX record offered as an alternative) that you must add to your domain's DNS configuration. This verification record proves that you own the domain. Once the DNS record propagates, which typically takes between a few minutes and 48 hours depending on your DNS provider, Microsoft will verify the domain and you can begin assigning it to user accounts. Verification fails if the record is not yet visible in public DNS, so check it has propagated before clicking Verify.
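The same procedure from the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article: it registers the domain, reads back the verification record Microsoft expects, checks public DNS for it before asking Entra ID to verify, and finally confirms the result. The domain name is the article's placeholder; the Graph cmdlets and scopes are real, and the `text` field being surfaced via `AdditionalProperties` is how the SDK exposes the TXT-specific record type.

```powershell
# Added example (not from the original article): add and verify a custom domain
# with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# "yourcompany.co.uk" is the article's placeholder; substitute your own domain.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domain = "yourcompany.co.uk"

# 1. Register the domain in the tenant. It stays unverified until confirmed.
New-MgDomain -Id $domain | Out-Null

# 2. Fetch the verification record Microsoft wants to see in public DNS.
#    For a TXT record the value looks like MS=msXXXXXXXX; Label is the name to
#    set it on (the apex, i.e. "@", for a root domain).
$record = Get-MgDomainVerificationDnsRecord -DomainId $domain |
    Where-Object { $_.RecordType -eq "Txt" }
$record | Select-Object Label, RecordType, Ttl
$expected = $record.AdditionalProperties["text"]   # TXT value lives on the subtype
Write-Host "Add this TXT record at your DNS provider: $expected"

# 3. After adding the record, confirm it has propagated before asking Microsoft
#    to verify. A premature Verify just fails and tells you to wait.
$live = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -contains $expected }
if (-not $live) {
    Write-Warning "TXT record '$expected' is not visible in DNS yet; wait and re-run."
    return
}

# 4. Ask Entra ID to verify ownership.
Confirm-MgDomain -DomainId $domain

# 5. Check the result. Once verified you can make it the default domain for
#    new accounts with: Update-MgDomain -DomainId $domain -IsDefault
Get-MgDomain -DomainId $domain | Select-Object Id, IsVerified, IsDefault
```

Leave the TXT record in place after verification: removing it does not un-verify the domain, but keeping it avoids confusion if you ever have to re-verify.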
In 2023, Microsoft rebranded Azure Active Directory to Microsoft Entra ID as part of a broader reorganisation of their identity and access products under the Microsoft Entra family. Functionally, the product remains the same: the features, licences and Microsoft Graph APIs are unchanged, and the familiar Azure portal blades still work alongside the newer Microsoft Entra admin centre at entra.microsoft.com. Throughout this guide, we use both terms interchangeably, as most UK IT professionals and documentation still commonly refer to it as Azure AD. When searching for help or documentation, searching for either term will return relevant results.
Essential Configuration Steps
Step 1: Configure User Accounts Properly
Every person in your organisation who needs access to Microsoft 365, Azure resources, or any cloud application integrated with your Azure AD should have a properly configured user account. At minimum, each account should have the correct display name, job title, department, phone number, and manager assignment. These fields are not just cosmetic: they drive dynamic group membership (and through those groups, which users your Conditional Access policies and licence assignments apply to), approval workflows that route to a user's manager, and directory searches throughout Microsoft 365. An account with a blank department silently falls out of every dynamic group that keys on it.
When creating user accounts, assign only the licences each user needs. Microsoft 365 licensing can become expensive quickly if every user is given the highest tier. Assess which users need full Microsoft 365 Business Premium and which can operate effectively with Business Basic or Business Standard.
Step 2: Enable Multi-Factor Authentication (MFA)
If you do nothing else from this guide, enable MFA. Microsoft's own data shows that 99.9% of compromised accounts did not have multi-factor authentication enabled. MFA is the single most effective security measure you can implement, and it is included in every Microsoft 365 subscription at no additional cost.
The recommended approach is to use Security Defaults or Conditional Access policies to enforce MFA for all users. Security Defaults is the simpler option: a single toggle that requires every user to register for MFA, enforces MFA for administrators and whenever a sign-in looks risky, and blocks legacy authentication protocols. For businesses that need more granular control, Conditional Access policies (Entra ID P1, included in Business Premium) let you specify exactly when and how MFA is required based on factors such as user or group, location, device state, and the application being accessed. The two are mutually exclusive: Security Defaults must be switched off before Conditional Access policies can be enabled, so only make that switch once your replacement policies are written and tested.
Step 3: Set Up Groups for Access Management
Groups in Azure AD allow you to manage access to resources efficiently. Rather than assigning permissions to individual users — which becomes unmanageable as your organisation grows — you create groups and assign permissions to the groups. When a new user joins the marketing department, you simply add them to the Marketing group and they automatically receive access to all the resources that group is entitled to.
Azure AD supports two main types of groups. Security groups are used for managing access to resources such as SharePoint sites, applications, and Azure resources. Microsoft 365 groups combine security group functionality with collaboration features: creating one provisions a shared mailbox and calendar, a SharePoint site and a Planner plan, and the group can be connected to a team in Microsoft Teams (creating a team in Teams creates the underlying Microsoft 365 group for you). Distribution lists and mail-enabled security groups also exist but are managed through Exchange.
With dynamic groups (an Entra ID P1 feature), Azure AD automatically adds and removes users based on their attributes. For example, you could create a dynamic group whose membership rule includes all users whose department attribute is set to "Sales." When a new salesperson joins and their account is configured with the correct department, they are automatically added to the group and gain access to all sales resources without any manual intervention; when the attribute changes or the account is disabled, they drop out again. This is why the attribute hygiene in Step 1 matters.
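Creating the Sales example as a dynamic security group with the Microsoft Graph PowerShell SDK, as an added example that is not from the original article. It shows the membership rule syntax the paragraph only describes, adds an `accountEnabled` condition so disabled leavers fall out of the group even while their account is retained, and checks the result. Group name and mail nickname are assumptions; dynamic groups need an Entra ID P1 licence in the tenant.

```powershell
# Added example (not from the original article): a dynamic security group
# driven by the department attribute set in Step 1. Requires Entra ID P1.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Membership rules use Entra's own expression syntax, not PowerShell.
# Requiring accountEnabled keeps disabled leavers out of the group while their
# account is kept for mailbox retention or legal-hold reasons.
$rule = '(user.department -eq "Sales") and (user.accountEnabled -eq true)'

$params = @{
    DisplayName                   = "Sales - Dynamic"          # assumed name
    Description                   = "All enabled users with department = Sales"
    MailEnabled                   = $false
    MailNickname                  = "sales-dynamic"            # assumed alias
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $rule
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @params

# Membership is evaluated asynchronously; allow a few minutes before checking.
Get-MgGroup -GroupId $group.Id -Property displayName,membershipRule,membershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Resolve the members to confirm the rule picked up who you expected.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property displayName,department,accountEnabled } |
    Select-Object DisplayName, Department, AccountEnabled
```

Assign the group, not individual users, to SharePoint sites, enterprise applications and Conditional Access policies; the group membership then becomes the single place where "who is in Sales" is decided.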
Step 4: Configure Conditional Access Policies
Conditional Access is one of the most powerful features in Azure AD and is available with Microsoft 365 Business Premium and Azure AD Premium P1 licences. Conditional Access policies allow you to enforce different security requirements based on the context of the sign-in attempt.
For a UK SME, a sensible baseline set of Conditional Access policies is: require MFA for all users on all applications (Microsoft's current policy templates no longer exempt the office network, because a stolen password used from inside the office should still meet an MFA prompt), block sign-ins from countries where your business has no employees or operations, require compliant or Entra-joined devices for access to sensitive applications, enforce app protection policies on mobile devices, and block legacy authentication protocols, which cannot perform MFA at all and would otherwise bypass every other policy. Exclude a small set of dedicated emergency-access ("break glass") accounts from every policy so that a mistake cannot lock every administrator out, and deploy each new policy in report-only mode first so the sign-in logs show you who it would have blocked before it is enforced.
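Two of those policies created through the Microsoft Graph PowerShell SDK, as an added example that is not from the original article: a block on legacy authentication and a tenant-wide MFA requirement, both created in report-only mode with a break-glass group excluded. The group name `CA-Exclude-BreakGlass` is an assumption (create it first and put only your emergency-access accounts in it); the policy object structure and cmdlet are real. Security Defaults must be off before these can be set to enabled.

```powershell
# Added example (not from the original article): baseline Conditional Access
# policies in report-only mode. Requires Entra ID P1 (Business Premium).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Emergency-access accounts live in a group excluded from every policy so a
# misconfigured policy cannot lock all admins out. Group name is an assumption.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass exclusion group before running this." }

# Policy 1: block legacy authentication. IMAP, POP, SMTP AUTH and similar
# protocols cannot perform MFA, so an MFA policy alone is bypassable while
# they remain open. "other" is the client-app type that covers them.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" once reviewed
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for every user, every application, every location.
$requireMfa = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Leave the policies in report-only mode for a week or two, review the "Report-only" result column in the sign-in logs, fix whatever service account or scanner still speaks IMAP, and only then flip `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.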
Essential Azure AD Security Settings
- Multi-factor authentication enforced for all users
- Legacy authentication protocols blocked
- Self-service password reset enabled with MFA verification
- Admin accounts protected with separate Conditional Access policies
- Sign-in risk policies detecting suspicious authentication attempts (Identity Protection, Entra ID P2)
- Regular access reviews for privileged accounts
Common Azure AD Security Mistakes
- Global Admin accounts used for daily work instead of dedicated admin accounts
- MFA not enforced or only enabled for some users
- No Conditional Access policies — relying solely on passwords
- Legacy protocols still enabled, bypassing MFA entirely
- Guest accounts left active long after the engagement ends
- No monitoring of sign-in logs for suspicious activity
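A quick hygiene check for two of the mistakes in that list, as an added example that is not from the original article: it lists every Global Administrator and flags the ones that look like everyday user accounts (licensed, or synced from on-premises AD), and it finds guest accounts that have never signed in or have been idle for 90 days. The 90-day threshold and the "fewer than five" ceiling are Microsoft's published guidance; reading `signInActivity` needs an Entra ID P1 licence in the tenant.

```powershell
# Added example (not from the original article): audit Global Admin usage and
# stale guest accounts with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

# --- Global Administrator membership ---------------------------------------
# Guidance: fewer than five Global Admins, cloud-only, unlicensed, and never the
# account someone reads their email with.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    # Members can include service principals, which Get-MgUser cannot resolve.
    Get-MgUser -UserId $_.Id -Property userPrincipalName,assignedLicenses,onPremisesSyncEnabled -ErrorAction SilentlyContinue
}

Write-Host "Global Administrators: $(@($admins).Count)"
foreach ($a in $admins) {
    $flags = @()
    if ($a.AssignedLicenses.Count -gt 0) { $flags += "licensed (probably a daily-use account)" }
    if ($a.OnPremisesSyncEnabled)        { $flags += "synced from on-prem AD" }
    "{0,-45} {1}" -f $a.UserPrincipalName, ($flags -join "; ")
}
if (@($admins).Count -gt 5) {
    Write-Warning "More than five Global Admins: move most to a lesser role or to PIM."
}

# --- Stale guest accounts --------------------------------------------------
# signInActivity requires Entra ID P1. Guests that never signed in, or have
# been idle for 90+ days, are candidates for removal.
$cutoff = (Get-Date).AddDays(-90)
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property id,displayName,mail,createdDateTime,signInActivity

$stale = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    $neverUsed = (-not $last) -and ($g.CreatedDateTime -lt $cutoff)
    $idle      = $last -and ($last -lt $cutoff)
    if ($neverUsed -or $idle) {
        [pscustomobject]@{ Guest = $g.Mail; Created = $g.CreatedDateTime; LastSignIn = $last }
    }
}
$stale | Sort-Object LastSignIn | Format-Table -AutoSize
# After review, remove each with: Remove-MgUser -UserId <id>
```

Run this monthly. The Global Admin section is also the list you should keep to one screen; anyone on it who also has a mailbox should be given a separate, unlicensed admin account and demoted on the account they actually use day to day.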
Managing Applications in Azure AD
Azure AD is not just for Microsoft products. It can serve as the central identity provider for virtually any cloud application your business uses. This is known as single sign-on (SSO), and it means your users can access Salesforce, Slack, Zoom, Dropbox, and thousands of other applications using the same credentials they use for Microsoft 365 — without needing separate usernames and passwords for each service.
The Azure AD application gallery contains pre-configured integrations for thousands of popular cloud applications. Adding an application to your Azure AD typically takes just a few minutes and provides immediate benefits: users get seamless access, you get centralised control over who can access the application, and when someone leaves your organisation, disabling their Azure AD account blocks any new single sign-on to every connected application. Two caveats for your leaver process: tokens the application has already issued keep working until they expire, so revoke the user's sessions as well as disabling the account, and the user's record inside the application is not removed unless you have also configured automated provisioning (SCIM) for that app.
Enterprise Application Security
When integrating third-party applications, pay attention to the permissions each application requests. Some applications ask for extensive permissions, such as reading and sending mail or accessing all files, that are not necessary for their function. Review permissions carefully and only grant what is required. You should also restrict user consent settings so that users cannot grant permissions to applications without administrator approval, ideally with the admin consent workflow enabled so requests reach you rather than simply failing. This closes the common "illicit consent grant" attack, in which a malicious application tricks a user into authorising it and then reads the user's mailbox or files using that permission, with no password or MFA bypass required.
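Locking down user consent and auditing what has already been granted, as an added example that is not from the original article. The first part sets the tenant's user consent policy so that only administrators can grant permissions; the second walks every delegated OAuth2 permission grant, resolves the application it belongs to, and reports any that hold the mail, file or directory scopes attackers typically ask for. The list of "risky" scopes is this example's own judgement, not a Microsoft list.

```powershell
# Added example (not from the original article): restrict user consent, then
# review delegated permissions already granted to enterprise applications.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "DelegatedPermissionGrant.Read.All", "Application.Read.All"

# 1. Consent setting. An empty permissionGrantPoliciesAssigned list means users
#    cannot consent to any application themselves (admin approval required).
#    Use @("ManagePermissionGrantsForSelf.microsoft-user-default-low") instead
#    to allow low-impact permissions from verified publishers only.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    permissionGrantPoliciesAssigned = @()
}

# 2. Audit existing delegated grants. Scope is a space-separated list of the
#    permissions the app holds. These are the classic illicit-consent targets
#    (this list is the example's own choice, extend it to suit your tenant).
$risky = "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
         "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
         "Directory.ReadWrite.All", "offline_access"

$grants  = Get-MgOauth2PermissionGrant -All
$spCache = @{}
$report = foreach ($g in $grants) {
    if (-not $spCache.ContainsKey($g.ClientId)) {
        $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    }
    $sp     = $spCache[$g.ClientId]
    $scopes = $g.Scope -split " " | Where-Object { $_ }
    $hit    = $scopes | Where-Object { $_ -in $risky }
    if ($hit) {
        [pscustomobject]@{
            App         = $sp.DisplayName
            Publisher   = $sp.PublisherName          # blank = unverified publisher
            ConsentType = $g.ConsentType             # AllPrincipals = granted tenant-wide
            RiskyScopes = ($hit -join " ")
            GrantId     = $g.Id
        }
    }
}
$report | Sort-Object App | Format-Table -AutoSize
# Revoke a grant you do not recognise:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

An app with a blank publisher, a `Principal` consent type (one user granted it) and `Mail.ReadWrite offline_access` is exactly what a successful consent-phishing campaign leaves behind; revoke the grant, then check that user's mailbox rules and sign-in history.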
Azure AD Licensing for UK SMEs
Azure AD comes in several tiers, and understanding which features are available at each level helps you make informed licensing decisions.
| Feature | Free (included with M365) | P1 (Business Premium) | P2 (Enterprise) |
|---|---|---|---|
| User and group management | Yes | Yes | Yes |
| Multi-factor authentication | Security Defaults only | Conditional Access | Conditional Access |
| Conditional Access policies | No | Yes | Yes |
| Dynamic groups | No | Yes | Yes |
| Self-service password reset | Cloud only | With on-prem writeback | With on-prem writeback |
| Identity Protection | No | No | Yes |
| Privileged Identity Management | No | No | Yes |
| Approximate per-user cost | Included | £5.20/month | £7.50/month |
For most UK SMEs, Microsoft 365 Business Premium provides the best balance of features and cost. It includes Azure AD P1, which unlocks Conditional Access, dynamic groups, and self-service password reset with on-premises writeback — features that make a genuine difference to both security and administrative efficiency.
Monitoring and Maintenance
A properly configured Azure AD environment requires ongoing monitoring and maintenance. Review sign-in logs regularly for suspicious activity: failed sign-in attempts from unusual locations, attempts to use legacy authentication, and successful sign-ins from unfamiliar devices or countries. Azure AD provides these logs through the Microsoft Entra admin centre, but retention is short (seven days on the free tier, thirty days with P1), so stream them to a Log Analytics workspace or your SIEM if you need to investigate anything older. Automated alerts on risky sign-ins require Identity Protection (P2); without it, the review has to be a scheduled human or scripted task.
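A scripted version of that review, as an added example that is not from the original article: it pulls the last seven days of sign-in logs through Microsoft Graph and summarises legacy-protocol usage (the people you must fix before a block policy is enforced), failed sign-ins grouped by country and source IP (a single IP failing against many users is password spraying), and successful sign-ins from outside the UK. The country code `GB` and the seven-day window are assumptions; reading sign-in logs through Graph needs an Entra ID P1 licence.

```powershell
# Added example (not from the original article): summarise the last 7 days of
# sign-in logs via the Microsoft Graph PowerShell SDK. Requires Entra ID P1.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Legacy clients surface under these clientAppUsed values. Anyone on this list
# will break when the "block legacy authentication" policy is enforced.
$legacy = "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
          "Exchange Web Services", "Other clients"
Write-Host "`n== Legacy authentication, last 7 days =="
$signIns | Where-Object { $_.ClientAppUsed -in $legacy } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User / Protocol'; e = { $_.Name } } |
    Format-Table -AutoSize

# Failed sign-ins by country and IP. errorCode 0 is success; anything else is a
# failure. One IP with many distinct users is the password-spray signature.
Write-Host "`n== Failed sign-ins by country / IP (top 15) =="
$signIns | Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object { "{0} {1}" -f $_.Location.CountryOrRegion, $_.IpAddress } |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name,
        @{ n = 'DistinctUsers'; e = { ($_.Group.UserPrincipalName | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize

# Successful sign-ins from outside the UK: for an SME with no overseas staff,
# each one deserves a second look. "GB" is an assumption for this example.
Write-Host "`n== Successful sign-ins from outside GB =="
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -ne "GB" } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, ClientAppUsed |
    Format-Table -AutoSize
```

Run this weekly as a scheduled task and keep the output; the legacy-auth section should trend to zero before the block policy is enforced, and the out-of-country section is your quickest check that a geo-blocking policy is actually doing its job.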
Conduct quarterly access reviews to ensure that users only have access to the resources they need. When staff change roles within the organisation, their access requirements change too — but access revocation is often forgotten, leading to privilege creep over time. Automated access reviews in Azure AD P2 can simplify this process significantly.
Conclusion
Azure Active Directory is far more than just a user directory — it is the security and identity backbone of your entire Microsoft cloud environment. For UK SMEs, taking the time to configure it properly delivers immediate benefits in security, user experience, and administrative efficiency. The steps outlined in this guide — from MFA enforcement and Conditional Access to application integration and ongoing monitoring — represent the essential foundation that every business using Microsoft 365 should have in place.
Need Help Configuring Azure AD for Your Business?
Cloudswitched provides expert Microsoft 365 and Azure AD configuration services for UK businesses. Whether you need a complete Azure AD setup, security hardening for an existing tenant, or ongoing management and monitoring, our team can help ensure your identity infrastructure is secure and properly configured. Get in touch for a free consultation.
