Microsoft 365 has become the default productivity platform for UK businesses. From email and calendars to file storage, video conferencing, and collaboration, it provides virtually everything a modern business needs to operate — all under a single subscription. For a new business, setting up Microsoft 365 correctly from the start saves enormous time and avoids the painful migration and reconfiguration work that businesses face when they outgrow a poorly planned initial setup.
Yet despite Microsoft's efforts to make the setup process accessible, getting it right involves far more than just signing up and creating user accounts. There are decisions about licensing, domain configuration, security settings, data organisation, and compliance controls that have long-term implications for how your business operates, communicates, and protects its data.
This guide walks you through the complete process of setting up Microsoft 365 for a new UK business, from choosing the right plan to configuring the security settings that will keep your data safe.
Step 1: Choose the Right Microsoft 365 Plan
Microsoft offers several Microsoft 365 plans for businesses, and choosing the right one at the outset avoids unnecessary costs or disruptive mid-term upgrades. The main options for UK SMEs are Microsoft 365 Business Basic, Business Standard, and Business Premium.
Microsoft 365 Business Basic (£4.60/user/month): Includes Exchange Online email with a 50GB mailbox, OneDrive with 1TB storage, Teams for chat and video conferencing, and web versions of Word, Excel, PowerPoint, and Outlook. It does not include desktop applications; users access Office apps through a web browser or the mobile apps.
Microsoft 365 Business Standard (£9.40/user/month): Everything in Business Basic plus full desktop and mobile versions of all Office applications. This is the most popular choice for UK SMEs because it provides the full Office experience that staff expect, along with all the cloud collaboration tools.
Microsoft 365 Business Premium (£16.60/user/month): Everything in Business Standard plus advanced security features including Microsoft Defender for Office 365, Intune device management, Azure Information Protection, and conditional access policies. This plan is strongly recommended for any business handling sensitive data or subject to regulatory requirements.
Assessing Your Licensing Requirements
Before committing to a plan, take stock of how your team actually works. If your staff primarily use laptops and desktops for document creation, spreadsheets, and presentations, the desktop applications in Business Standard or Premium are essential. However, if your team is largely mobile or works from tablets and smartphones, Business Basic may be sufficient since the web and mobile versions of Office apps are fully functional for most everyday tasks.
It is also worth considering that you can mix licences within your organisation. A common approach for UK SMEs is to assign Business Standard licences to most staff while giving Business Premium licences to directors, finance teams, and anyone handling particularly sensitive data. This allows you to control costs whilst still providing enhanced security where it matters most. Microsoft's admin centre makes it straightforward to assign different licence types to different users, and you can upgrade or downgrade individual licences at any time without disrupting the user's account or stored data.
For businesses expecting to grow beyond 300 users, note that all Business plans are capped at this limit. If you anticipate exceeding 300 users within the next few years, you may wish to start with an Enterprise plan instead, which offers the same core features plus additional capabilities such as unlimited archive mailboxes, advanced analytics with Power BI Pro, and more sophisticated compliance tools. Starting with the right plan family from day one avoids a complex and disruptive migration later when you hit the user ceiling.
| Feature | Business Basic | Business Standard | Business Premium |
|---|---|---|---|
| Monthly cost per user | £4.60 | £9.40 | £16.60 |
| Exchange Online email (50GB) | Yes | Yes | Yes |
| OneDrive (1TB) | Yes | Yes | Yes |
| Teams | Yes | Yes | Yes |
| Desktop Office apps | No | Yes | Yes |
| Intune device management | No | No | Yes |
| Defender for Office 365 | No | No | Yes |
| Conditional access | No | No | Yes |
| Max users | 300 | 300 | 300 |
While Business Standard is the most popular choice, we strongly recommend starting with Business Premium for any business that will handle personal data, financial information, or work with larger organisations that require you to demonstrate security compliance. The advanced security features — particularly Intune for device management and Defender for email security — are significantly cheaper to implement through Business Premium than to add retrospectively as standalone products.
Step 2: Register Your Domain
Your Microsoft 365 tenant will initially be set up with a default domain in the format yourcompany.onmicrosoft.com. While this works technically, it is not suitable for business use. You need to add and verify your own custom domain (for example, yourcompany.co.uk) so that your email addresses, SharePoint URLs, and Teams identifiers all use your professional business domain.
If you already own a domain, you will need to verify ownership by adding a TXT record to your domain's DNS settings. Microsoft provides the specific record to add, and most domain registrars — including GoDaddy, Namecheap, 123 Reg, and Fasthosts — support this process. Verification usually takes a few minutes to a few hours, depending on DNS propagation times.
Domain Strategy for Growing Businesses
For UK businesses with growth ambitions, your domain strategy deserves careful thought at the outset. Many established businesses regret not securing multiple domain variants early on. Consider registering both the .co.uk and .com versions of your company name, even if you only plan to use one initially. This prevents competitors or domain squatters from acquiring the alternative, and the cost is typically under twenty pounds per year per domain.
If your business trades under a name different from its registered company name, or if you plan to launch sub-brands in the future, consider how your domain structure will accommodate this. Microsoft 365 supports multiple domains within a single tenant, so you can add additional domains later without creating separate environments. This is particularly useful for businesses that operate distinct client-facing brands but want a unified back-office infrastructure for their staff.
It is also prudent to consider your email routing requirements carefully. If you are migrating from an existing email provider such as Gmail or a hosted Exchange service, you will need to plan the DNS cutover to minimise disruption. The transition period during which MX records propagate across the internet can result in emails being delivered to either the old or new system unpredictably. A well-planned migration typically involves lowering the DNS TTL values several days before the switch, configuring mail forwarding on the old system, and monitoring both platforms during the propagation window to ensure no messages are missed.
If you do not yet have a domain, you can purchase one through Microsoft directly during the setup process, or through any domain registrar. For UK businesses, a .co.uk domain is the standard choice for domestic-facing businesses, while .com is preferable if you operate internationally.
Step 3: Configure DNS Records for Email
Once your domain is verified, you need to configure DNS records to route email through Microsoft 365. This involves setting up MX records (which tell the internet where to deliver email for your domain), SPF records (which specify which servers are authorised to send email on your behalf), DKIM records (which add a digital signature to outgoing emails to prove they are genuine), and DMARC records (which tell receiving servers what to do with emails that fail SPF or DKIM checks).
Getting these records right is critical for email deliverability and security. Incorrectly configured DNS records can cause emails to be rejected by recipients, land in spam folders, or leave your domain vulnerable to spoofing attacks where criminals send emails that appear to come from your domain.
Understanding Each DNS Record in Detail
The MX record is the most critical, as it directs incoming email to Microsoft's Exchange Online servers. Without a correctly configured MX record, email sent to your domain simply will not arrive at your Microsoft 365 mailboxes. The record typically points to a Microsoft address in the format yourcompany-co-uk.mail.protection.outlook.com, and the priority should be set to zero to ensure Microsoft is treated as the primary mail handler for your domain.
SPF (Sender Policy Framework) is a TXT record that lists the servers authorised to send email on behalf of your domain. For Microsoft 365, your SPF record must include the value include:spf.protection.outlook.com. If you also use other services that send email on your behalf — such as a CRM system, marketing automation platform, or transactional email provider — their sending servers must be included in the same SPF record. Having multiple SPF records for a single domain is a common misconfiguration that causes authentication failures and deliverability problems.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email, allowing the recipient's mail server to verify that the message genuinely originated from your domain and was not altered in transit. Microsoft 365 supports DKIM signing, but it requires you to publish two CNAME records in your DNS that point to Microsoft's DKIM key infrastructure. Once configured, signing happens automatically for all outbound messages with no ongoing maintenance required.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy that instructs receiving servers on how to handle emails that fail authentication checks. A basic DMARC record should be set to monitor mode initially, collecting reports on authentication failures without rejecting any messages. Over time, as you gain confidence that all legitimate email sources are properly authenticated, you can tighten the policy to quarantine or reject unauthenticated messages, providing robust protection against domain spoofing and phishing attacks that impersonate your business.
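The four records described above can be sanity-checked before and after cutover. The script below is an added example, not part of the original guide: it runs the checks over record values you paste in from your registrar or a DNS lookup, and flags the duplicate-SPF and monitor-only-DMARC situations just discussed. The domain yourcompany.co.uk, the tenant name yourcompany.onmicrosoft.com and the sample records are constructed for illustration.

```python
# Added example: check the DNS records Microsoft 365 needs for email.
# Domain yourcompany.co.uk and tenant yourcompany.onmicrosoft.com are assumed.

# Constructed samples: MX and DKIM correct, SPF duplicated by a second record
# added for a CRM vendor, DMARC still in monitor mode.
SAMPLE_MX = [(0, "yourcompany-co-uk.mail.protection.outlook.com")]
SAMPLE_TXT = [
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=spf1 include:_spf.crm-vendor.example -all",  # second v=spf1: misconfiguration
]
SAMPLE_DKIM = {  # assumed tenant: yourcompany.onmicrosoft.com
    "selector1._domainkey": "selector1-yourcompany-co-uk._domainkey.yourcompany.onmicrosoft.com",
    "selector2._domainkey": "selector2-yourcompany-co-uk._domainkey.yourcompany.onmicrosoft.com",
}
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.co.uk"]

def check_mx(mx_records):
    """Lowest-priority MX must be Exchange Online at priority 0."""
    if not mx_records:
        return ["MX: no record, so inbound mail cannot reach Microsoft 365"]
    prio, host = min(mx_records, key=lambda r: r[0])
    findings = []
    if not host.lower().rstrip(".").endswith(".mail.protection.outlook.com"):
        findings.append(f"MX: lowest-priority host {host} is not Exchange Online")
    if prio != 0:
        findings.append(f"MX: Exchange Online priority is {prio}, expected 0")
    return findings

def check_spf(txt_records):
    """Exactly one v=spf1 record that includes Microsoft and ends in -all/~all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record, so recipients cannot verify your senders"]
    findings = []
    if len(spf) > 1:  # multiple SPF records make authentication fail outright
        findings.append(f"SPF: {len(spf)} v=spf1 records found; merge them into one")
    for rec in spf:
        if "include:spf.protection.outlook.com" not in rec.lower():
            findings.append(f"SPF: {rec!r} lacks include:spf.protection.outlook.com")
        if rec.split()[-1].lower() not in ("-all", "~all"):
            findings.append(f"SPF: {rec!r} should end with -all or ~all")
    return findings

def check_dkim(cname_records):
    """Both Microsoft DKIM selectors must be CNAMEs into *.onmicrosoft.com."""
    findings = []
    for sel in ("selector1._domainkey", "selector2._domainkey"):
        target = cname_records.get(sel, "").lower().rstrip(".")
        if "._domainkey." not in target or not target.endswith(".onmicrosoft.com"):
            findings.append(f"DKIM: {sel} CNAME missing or not pointing at Microsoft")
    return findings

def check_dmarc(dmarc_txt):
    """Flag a monitor-only policy and a missing aggregate-report address."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no _dmarc TXT record"]
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none (monitor mode); tighten once reports show only legitimate senders")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

def audit(mx, txt, dkim, dmarc):
    """Run every check and return the combined list of findings."""
    return check_mx(mx) + check_spf(txt) + check_dkim(dkim) + check_dmarc(dmarc)
```

Running `audit(SAMPLE_MX, SAMPLE_TXT, SAMPLE_DKIM, SAMPLE_DMARC)` on the samples reports the duplicate SPF record, the second record's missing Microsoft include, and the monitor-only DMARC policy.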
Step 4: Create User Accounts and Assign Licences
With your domain configured, you can create user accounts for your team. Each user needs an account in Microsoft Entra ID (the identity service behind Microsoft 365) and an assigned licence that determines which services they can access.
When creating accounts, use a consistent naming convention for email addresses. The most common format in the UK is firstname.lastname@company.co.uk, which is professional, easy to remember, and scales well as the business grows. Avoid using first names only, initials, or inconsistent formats that will cause confusion.
Consider creating shared mailboxes for generic addresses like info@, accounts@, and support@. Shared mailboxes do not require a licence, making them a cost-effective way to manage departmental email without paying for additional users.
Administrative Accounts and Role Management
One of the most commonly overlooked aspects of setting up Microsoft 365 is proper administrative account management. Your initial setup will create a Global Administrator account, which has unrestricted access to every setting and every piece of data in your tenant. This account should be treated with extreme care and should never be used for day-to-day work such as reading email or editing documents.
Best practice is to create a dedicated Global Administrator account with a strong, unique password and hardware-based multi-factor authentication, then assign your IT staff or director accounts to more limited administrative roles. Microsoft provides a range of built-in roles including Exchange Administrator, SharePoint Administrator, Teams Administrator, and User Administrator, each granting only the permissions necessary for that specific function. This principle of least privilege significantly reduces the risk of accidental misconfiguration or a compromised account leading to a wide-ranging data breach.
For UK businesses working with a managed IT support provider, you should also consider how to grant your provider appropriate administrative access without giving them unrestricted control over your environment. Microsoft's Granular Delegated Admin Privileges (GDAP) allow you to grant your IT partner specific administrative roles for defined time periods, providing them with the access they need to support your tenant whilst maintaining your oversight and a full audit trail of every administrative action they perform on your behalf.
Step 5: Configure Security Settings
This is the step that too many new businesses skip or defer — and it is arguably the most important. Microsoft 365 provides powerful security tools, but many of them are not enabled by default. You need to actively configure them.
Multi-Factor Authentication (MFA)
MFA should be enforced for every user from day one. Microsoft's Security Defaults feature provides a basic level of MFA enforcement at no additional cost. For Business Premium subscribers, conditional access policies offer more granular control, allowing you to require MFA based on factors like location, device compliance, and risk level.
Security Defaults
At a minimum, enable Security Defaults in your Microsoft Entra ID tenant. This enforces MFA for all users, blocks legacy authentication protocols (which are frequently exploited by attackers), and requires administrators to authenticate with MFA every time they sign in. Security Defaults are free and take less than a minute to enable. Note that Security Defaults and conditional access policies cannot be active at the same time: if you later move to conditional access on Business Premium, build policies that cover the same controls (MFA for everyone, legacy authentication blocked) before switching Security Defaults off.
Password Policies and Regulatory Compliance
Microsoft's current guidance, aligned with recommendations from the National Cyber Security Centre (NCSC), is to require long passwords of a minimum of twelve characters but to avoid mandatory periodic password changes. Research has consistently shown that forced password expiry leads users to choose weaker passwords overall, as they tend to make minimal, predictable modifications such as incrementing a number at the end. Instead, focus on password length, complexity requirements, and the use of MFA as the primary protection against credential compromise.
For businesses subject to regulatory requirements — such as financial services firms governed by FCA regulations, healthcare organisations bound by NHS data security standards, or legal practices following Solicitors Regulation Authority guidance — your Microsoft 365 security configuration may need to satisfy specific compliance frameworks. Business Premium includes compliance features such as sensitivity labels for document classification, data loss prevention policies that can prevent sensitive information from being shared outside your organisation, and retention policies that ensure business records are preserved for the legally required period. These features are managed through the Microsoft Purview compliance portal and should be configured in consultation with your compliance officer or legal adviser.
Audit logging is another critical security feature that should be enabled from day one. Microsoft 365 records a detailed audit trail of user and administrator activities, including email access, file downloads, permission changes, and login attempts from unusual locations. These logs are invaluable for investigating security incidents and demonstrating compliance to regulators and auditors. Ensure that your audit log retention period meets your industry's specific requirements, as the default retention period may need to be extended for businesses in regulated sectors.
Day-One Security Settings
- Enable Security Defaults or conditional access
- Enforce MFA for all users — no exceptions
- Disable legacy authentication protocols
- Configure anti-phishing policies in Defender
- Enable audit logging
- Set strong password policies (minimum 12 characters)
- Configure data loss prevention for sensitive content
Common Security Mistakes to Avoid
- Leaving MFA as optional — staff will not enable it voluntarily
- Using the global admin account for daily work
- Not configuring SPF, DKIM, and DMARC records
- Sharing a single admin account among multiple people
- Not reviewing sign-in logs for suspicious activity
- Leaving external sharing in SharePoint and OneDrive unrestricted
- Not training users on phishing recognition
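Two of the mistakes listed above, leaving legacy authentication enabled and not reviewing sign-in logs, can be caught with a short daily triage of exported sign-in events, covering the unusual-location and login-attempt checks mentioned under audit logging as well. The script below is an added example, not from the original guide: field names follow the Microsoft Graph signIn resource, while the events, the home-country assumption (GB) and the rule that anything other than "Browser" or "Mobile Apps and Desktop clients" is legacy authentication are assumptions made here.

```python
# Added example: triage exported Entra ID sign-in events for legacy
# authentication, successful sign-ins from unexpected countries and repeated
# failures. Field names follow the Graph signIn resource; data is constructed.
from collections import Counter

# Assumption: Entra reports modern authentication under these two
# clientAppUsed values; anything else (IMAP4, POP3, Exchange ActiveSync, ...)
# is a legacy protocol that Security Defaults should already block.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
HOME_COUNTRIES = {"GB"}  # assumption: the business operates only from the UK

def ev(ts, upn, client, ip, country, code):
    """Build one sign-in event in the Graph signIn shape (constructed data)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "clientAppUsed": client,
            "ipAddress": ip, "location": {"countryOrRegion": country}, "status": {"errorCode": code}}

SAMPLE_SIGNINS = [  # constructed export; errorCode 0 = success, 50126 = bad username/password
    ev("2024-05-01T08:02:11Z", "jane.smith@yourcompany.co.uk", "Browser", "203.0.113.10", "GB", 0),
    ev("2024-05-01T03:14:02Z", "jane.smith@yourcompany.co.uk", "IMAP4", "198.51.100.7", "NG", 50126),
    ev("2024-05-01T03:14:09Z", "jane.smith@yourcompany.co.uk", "IMAP4", "198.51.100.7", "NG", 50126),
    ev("2024-05-01T03:14:15Z", "jane.smith@yourcompany.co.uk", "IMAP4", "198.51.100.7", "NG", 50126),
    ev("2024-05-01T09:30:44Z", "bob.jones@yourcompany.co.uk", "Mobile Apps and Desktop clients", "203.0.113.11", "GB", 0),
    ev("2024-05-01T09:31:02Z", "bob.jones@yourcompany.co.uk", "Exchange ActiveSync", "203.0.113.11", "GB", 0),
    ev("2024-05-01T22:10:37Z", "admin@yourcompany.co.uk", "Browser", "192.0.2.44", "US", 0),
]

def legacy_auth_signins(events):
    """Events that used a legacy protocol, whether or not they succeeded."""
    return [e for e in events if e["clientAppUsed"] not in MODERN_CLIENTS]

def successful_signins_outside(events, home=HOME_COUNTRIES):
    """Successful sign-ins from outside the countries you normally operate in."""
    return [e for e in events
            if e["status"]["errorCode"] == 0 and e["location"]["countryOrRegion"] not in home]

def repeated_failures(events, threshold=3):
    """(user, source IP) pairs with at least `threshold` failed attempts."""
    counts = Counter((e["userPrincipalName"], e["ipAddress"])
                     for e in events if e["status"]["errorCode"] != 0)
    return {pair: n for pair, n in counts.items() if n >= threshold}

def review(events):
    """Summarise the checks as a dict of findings for the daily review."""
    legacy = legacy_auth_signins(events)
    return {
        "legacy_auth_users": sorted({e["userPrincipalName"] for e in legacy}),
        "legacy_clients": sorted(Counter(e["clientAppUsed"] for e in legacy).items()),
        "foreign_successes": [(e["userPrincipalName"], e["location"]["countryOrRegion"])
                              for e in successful_signins_outside(events)],
        "repeated_failures": repeated_failures(events),
    }

if __name__ == "__main__":
    for key, value in review(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

On the sample data the review shows jane.smith's mailbox being hit over IMAP4 from an unexpected country, bob.jones still syncing over Exchange ActiveSync, and a successful admin sign-in from outside the UK, each of which warrants a follow-up.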
Step 6: Set Up SharePoint and OneDrive
SharePoint and OneDrive are your file storage and collaboration platforms within Microsoft 365. OneDrive provides each user with 1TB of personal cloud storage, while SharePoint provides shared document libraries for teams, departments, and projects.
For a new business, establish a clear file structure from the outset. Create SharePoint sites for each department or team and set appropriate permissions. Enable versioning on document libraries so that previous versions of files can be recovered. Configure sharing settings to prevent users from inadvertently sharing sensitive documents externally.
Set up OneDrive Known Folder Move on all company laptops, which automatically redirects the Desktop, Documents, and Pictures folders to OneDrive. This ensures that locally created files are automatically backed up to the cloud without users having to remember to save files in the right place.
Step 7: Configure Teams
Microsoft Teams is the hub for communication and collaboration within Microsoft 365. For a new business, configure Teams thoughtfully rather than allowing a chaotic proliferation of channels and teams.
Create a Teams structure that mirrors your organisation — a team for each department, with channels for specific topics or projects. Set clear naming conventions and configure guest access policies if you need to collaborate with external partners. Consider configuring Teams calling if you want to use Teams as your phone system, which can save the cost of a separate telephony solution.
Teams Governance and Usage Policies
Without governance, Teams deployments can quickly become unwieldy. Staff create new teams and channels on an ad-hoc basis, information becomes fragmented across dozens of overlapping spaces, and finding documents or conversations becomes a daily frustration. Establishing governance policies from the outset prevents this sprawl and ensures Teams remains a genuinely productive tool rather than a source of confusion and duplicated effort.
Define who is permitted to create new teams — either restrict creation to designated administrators or require approval through a formal process. Establish naming conventions for teams and channels that make their purpose immediately clear to anyone in the organisation. Configure expiration policies for project-specific teams so they are automatically archived when no longer active, keeping the environment tidy and reducing the surface area for potential data exposure or accidental information leakage.
Consider your external collaboration requirements carefully. Teams supports guest access, allowing users outside your organisation to participate in specific teams and channels. This is invaluable for working with clients, suppliers, and project partners, but it must be configured with appropriate safeguards. Restrict which external domains can be invited as guests, limit what guest users can see and access within your environment, and conduct periodic reviews to remove former collaborators who no longer require access to your internal discussions and documents.
Step 8: Plan for Backup
A common misconception is that because Microsoft 365 is a cloud service, your data is automatically backed up. While Microsoft provides infrastructure redundancy and some data retention capabilities, it does not provide comprehensive backup in the traditional sense. Microsoft's shared responsibility model makes clear that protecting and backing up your data is your responsibility.
We recommend implementing a third-party backup solution for Microsoft 365 from day one. Solutions like Veeam Backup for Microsoft 365, Datto SaaS Protection, or Acronis Cyber Protect back up your Exchange mailboxes, OneDrive files, SharePoint sites, and Teams data to an independent location, giving you the ability to recover from accidental deletion, malicious destruction, or ransomware attacks. Typical costs range from £2 to £4 per user per month — a small price for the protection it provides.
Need Help Setting Up Microsoft 365?
Cloudswitched is a Microsoft Partner specialising in Microsoft 365 setup, migration, and management for UK businesses. We handle the technical configuration so you can focus on running your business from day one.