Microsoft 365 Setup Guide for UK SMEs (2026)
Executive Summary
- Microsoft 365 is the standard productivity platform for small and medium-sized enterprises in the UK; without appropriate configuration, however, it can create significant security and compliance risks for an organisation.
- Start with planning and prerequisites to avoid typical pitfalls such as mismatched licensing or forgotten data sources.
- Written for non-technical decision-makers, this guide also gives the administrators responsible for implementation practical steps they can follow.
- Put security first: enable MFA, Conditional Access and endpoint basics to prevent the phishing-led account compromises behind most breaches.
- GDPR and compliance are covered only at a high level, and the guide deliberately makes no legal claims.
- Migration checklists cover Google Workspace, on-premises Exchange and file sources, with advice on avoiding downtime.
- For quick wins, use the Fast Track (Day 1) checklist; for a full rollout, use the 30-day plan.
Who This Guide Is For
This guide was created specifically for UK small and medium-sized enterprises (SMEs) with between 5 and 200 employees, including:
- Business owners and directors
- Operations/office managers
- IT coordinators and junior administrators tasked with implementation
- Organisations moving from older platforms, such as Google Workspace, legacy email accounts and on-premises systems
No specialist IT experience is required in order to use this guide.
What You’ll Achieve
The key benefits of using this guide are as follows:
- Create a clean and well-designed Microsoft 365 tenant
- Lower exposure to security threats with sensible defaults
- Clear decision making with respect to licensing/configuration
- Roll out email, Teams, and file storage correctly
- Resilience through backups and audit logging
- Avoid common mistakes that cause long-term pain
Fast Track: Day 1 Checklist
Use this list if you need to establish a safe baseline quickly. The items are in the order you would actually carry them out.
- Create a new Microsoft 365 Tenant
- Verify your Business Domain and add it to the Tenant
- Choose licences (Basic / Standard / Premium)
- Create a separate Admin Account for each administrator, distinct from their daily-use account
- Enable MFA (Multi-Factor Authentication) on every Admin Account
- Document who has Admin Access to the Tenant
- Enable Audit Logging
- Disable Legacy Authentication
- Set up Basic Conditional Access for Administrators
- Create your first User Accounts
- Implement a Strong Password Policy (long passphrases; no forced periodic rotation)
- Set Default Exchange Spam and Phishing settings
- Create Shared Mailboxes
- Restrict External Sharing by Default (SharePoint and OneDrive)
- Confirm that OneDrive is Enabled
- Enable default Retention policies
- Create Teams Meeting Policies
- Enable Microsoft Defender Antivirus on all Windows devices
- Confirm Device Encryption Status
- Inform All Users about the Implementation of MFA
- Schedule a Migration Window
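The scriptable part of the Day 1 checklist (audit logging, legacy authentication, sharing defaults and shared mailboxes), as an added PowerShell 7 example written for this guide rather than code from the original page. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that you hold Global Administrator during setup, and that "companydomain.co.uk", the tenant name "contoso", the admin UPN and the security group names are placeholders to replace with your own.

```powershell
# Added example (not from the original guide): Day 1 tenant baseline in PowerShell 7.
# Placeholders: companydomain.co.uk, contoso (the <name> in <name>.onmicrosoft.com),
# the dedicated admin UPN and the SG-Mailbox-* security groups.
$Domain     = 'companydomain.co.uk'
$TenantName = 'contoso'
$AdminUpn   = "adm.jane.smith@$Domain"   # dedicated admin account, not a daily-use mailbox

Connect-ExchangeOnline -UserPrincipalName $AdminUpn
Connect-SPOService -Url "https://$($TenantName)-admin.sharepoint.com"

# 1. Audit logging: make sure the unified audit log is ingesting before go-live,
#    so the first weeks of activity are searchable later.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Legacy authentication: an Exchange authentication policy with none of the
#    Allow* switches set blocks Basic auth for every protocol; make it the tenant
#    default. Conditional Access should block it at the identity layer too; do both.
if (-not (Get-AuthenticationPolicy -Identity 'Block Legacy Auth' -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name 'Block Legacy Auth' | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Legacy Auth'
# SMTP AUTH is the one Basic-auth protocol Microsoft still leaves on. Turn it off
# tenant-wide; re-enable per mailbox only for a scanner or application that needs it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 3. Sharing defaults: no anonymous links, view-only links by default, and external
#    sharing limited to guests who already exist in the directory.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -OneDriveSharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# 4. Shared mailboxes for roles, not people. Access is granted to a security group,
#    so joiners and leavers are handled by group membership, not mailbox permissions.
$roleMailboxes = @{
    info     = 'SG-Mailbox-Info'       # assumed mail-enabled security group names
    support  = 'SG-Mailbox-Support'
    accounts = 'SG-Mailbox-Accounts'
}
foreach ($alias in $roleMailboxes.Keys) {
    $address = "$alias@$Domain"
    if (-not (Get-Mailbox -Identity $address -ErrorAction SilentlyContinue)) {
        New-Mailbox -Shared -Name $alias -DisplayName $alias -PrimarySmtpAddress $address | Out-Null
    }
    # Keep copies of mail sent as / on behalf of the mailbox in its Sent Items,
    # so the whole team can see what has gone out.
    Set-Mailbox -Identity $address -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true
    Add-MailboxPermission   -Identity $address -User    $roleMailboxes[$alias] -AccessRights FullAccess -AutoMapping $true | Out-Null
    Add-RecipientPermission -Identity $address -Trustee $roleMailboxes[$alias] -AccessRights SendAs -Confirm:$false | Out-Null
}

# 5. Record the resulting state so the baseline can be evidenced later.
[pscustomobject]@{
    AuditLogEnabled   = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    DefaultAuthPolicy = (Get-OrganizationConfig).DefaultAuthenticationPolicy
    SmtpAuthDisabled  = (Get-TransportConfig).SmtpClientAuthenticationDisabled
    SharingCapability = (Get-SPOTenant).SharingCapability
} | Format-List
```

Run this once from a management workstation, keep the final output with your setup documentation, and re-run the last block before each quarterly review to catch drift.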
Standard Setup Plan (30 Days)
Week 1: Foundations & planning
- Verify DNS and domain access
- Make a list of users and roles
- Examine the current file and email systems
- Make a licensing decision
- Establish baseline tenant settings
Week 2: Security, email, and identity
- Implement MFA for every user
- Keep user and admin accounts separate
- Set up email authentication
- Implement anti-phishing measures
- Test the mail flow
Week 3: Devices & collaboration
- Design Teams and channels
- Establish a SharePoint framework
- Set up OneDrive defaults
- Turn on device encryption
Week 4: Data, backups, and compliance
- Transfer files and emails
- Turn on backups
- Set up retention
- Examine the audit logs
1) Planning & Prerequisites
Gather the following before you begin setting up Microsoft 365:
Access and Information
- Domain Registrar Login
- DNS Access
- Users and Roles List
- Current Email Provider
- Where Files are Stored
- Devices (e.g. Windows PC, Mac, Mobile)
Naming Convention
- All usernames (e.g., firstname.lastname@companydomain.co.uk)
- Any shared mailboxes (e.g., info@, support@, accounts@)
- Any Teams (Departments – Functions)
- Any SharePoint Sites (Departments or Purposes)
Shared Mailboxes & Groups
- Use Shared Mailboxes for roles not people
- Use Distribution Groups for Announcements
- Use caution with Nested Groups early on
2) Microsoft 365 Licensing (UK SME Guide)
Business Basic. Choose if:
- Only email and web/mobile apps are required
- Minimal security is acceptable (security defaults only; no Conditional Access or Intune)
- No device management is required
Business Standard. Choose if:
- Desktop Office apps are required
- Teams and SharePoint are core applications
- A basic level of security is acceptable (the same security features as Basic)
Business Premium (recommended for most SMEs). Choose if:
- You want a higher level of security (Entra ID P1 for Conditional Access, Defender for Business, Defender for Office 365 Plan 1)
- You want to manage devices (Intune)
- You have remote or hybrid employees
- Compliance and control matter to you
General rule of thumb:
If security matters to you at all, Business Premium will usually pay for itself. All Business plans are capped at 300 users, which is well above the 200 employees this guide covers.
3) Setting Up a Tenant
Step-by-step instructions:
- Create the tenant by signing up for a Microsoft 365 Business subscription; the account you sign up with becomes the first Global Administrator
- Enter your organisation's name and location (the country you choose fixes the tenant's data residency and cannot be changed later)
- Add and verify your own domain (a TXT record at your DNS provider proves ownership)
- Set your organisation's default language and time zone
- Create a dedicated Microsoft 365 administrator account, separate from any daily-use account, and enable MFA on it
- Add the licences your organisation needs
- Confirm that the security settings match your organisation's requirements (on Business Premium, replace security defaults with Conditional Access policies)
4) Identity & Access
What is MFA?
MFA (multi-factor authentication) requires a second proof of identity in addition to the password, such as a prompt or code from the Microsoft Authenticator app. SMS codes are accepted but are the weakest option, because they can be intercepted or SIM-swapped.
Why is MFA Important?
Stolen or guessed passwords are behind most account compromises; MFA stops the overwhelming majority of them, including automated password-spray attacks.
Recommended Approach:
- Enforce MFA for all employees
- Use app-based authentication (Authenticator, or FIDO2 security keys for admins) rather than SMS
- Do not allow exceptions for admins
Admin Accounts:
- Each administrator has their own named admin account; admin accounts are never shared
- Admin accounts are not used for daily email or browsing
- Grant the least-privileged role that does the job (for example, Exchange Administrator rather than Global Administrator)
- Keep one emergency "break-glass" Global Administrator account, excluded from Conditional Access, with its credentials stored offline and an alert on any sign-in
Starter Conditional Access Policies:
- Require MFA for admin accounts
- Block all legacy authentication
- Require a compliant device for admin accounts
Conditional Access needs Entra ID P1, which Business Premium includes; Basic and Standard tenants should keep security defaults turned on instead.
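The three starter policies above (plus the Week 2 "MFA for everyone" policy), created in report-only mode with Microsoft Graph PowerShell 7. This is an added example written for this guide, not code from the original page or from Microsoft. It assumes Business Premium (Entra ID P1) licences, the Microsoft.Graph module, and an emergency break-glass account; "breakglass@companydomain.co.uk" and the CA00x display names are placeholders.

```powershell
# Added example (not from the original guide): starter Conditional Access policies.
# Placeholders: breakglass@companydomain.co.uk, the CA00x policy names.
Connect-MgGraph -Scopes @(
    'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All', 'User.Read.All'
)

# The break-glass account is excluded from every policy, so a mistake can be undone.
$breakGlass = Get-MgUser -UserId 'breakglass@companydomain.co.uk'

# Resolve admin role template IDs by display name rather than hard-coding GUIDs.
$adminRoleNames = @('Global Administrator', 'Privileged Role Administrator',
                    'Exchange Administrator', 'SharePoint Administrator',
                    'Security Administrator', 'User Administrator',
                    'Conditional Access Administrator', 'Intune Administrator')
$adminRoleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id)
if ($adminRoleIds.Count -ne $adminRoleNames.Count) {
    throw "Expected $($adminRoleNames.Count) role templates, found $($adminRoleIds.Count); check the names."
}

function New-StarterCaPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$Users,        # IncludeUsers / IncludeRoles
        [string[]]$ClientAppTypes = @('all'),
        [Parameter(Mandatory)][string[]]$GrantControls   # e.g. mfa, block, compliantDevice
    )
    $Users['ExcludeUsers'] = @($breakGlass.Id)
    $body = @{
        DisplayName   = $DisplayName
        # Report-only first: the sign-in logs show what WOULD be blocked. Switch to
        # 'enabled' only after reviewing a week of results.
        State         = 'enabledForReportingButNotEnforced'
        Conditions    = @{
            Users          = $Users
            Applications   = @{ IncludeApplications = @('All') }
            ClientAppTypes = $ClientAppTypes
        }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = $GrantControls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. MFA is required for admin accounts.
New-StarterCaPolicy -DisplayName 'CA001 - Require MFA for admin roles' `
    -Users @{ IncludeRoles = $adminRoleIds } -GrantControls @('mfa')

# 2. Block all legacy authentication. Clients that cannot do MFA (POP/IMAP/SMTP Basic
#    auth, older ActiveSync) show up under these two client app types.
New-StarterCaPolicy -DisplayName 'CA002 - Block legacy authentication' `
    -Users @{ IncludeUsers = @('All') } `
    -ClientAppTypes @('exchangeActiveSync', 'other') -GrantControls @('block')

# 3. A compliant (Intune-managed) device is required for admin accounts. Without
#    Intune enrolment this locks admins out, which is why it starts report-only.
New-StarterCaPolicy -DisplayName 'CA003 - Require compliant device for admin roles' `
    -Users @{ IncludeRoles = $adminRoleIds } -GrantControls @('compliantDevice')

# Week 2 of the plan: MFA for everyone, not just admins.
New-StarterCaPolicy -DisplayName 'CA004 - Require MFA for all users' `
    -Users @{ IncludeUsers = @('All') } -GrantControls @('mfa')

Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Review the report-only results in the Entra sign-in logs before enabling each policy, and enable CA003 last, once every administrator's device is enrolled and compliant.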
5) Email Setup
What Is Email Authentication? (You Must Do This)
- The MX record routes inbound mail for your domain to Exchange Online (yourdomain-co-uk.mail.protection.outlook.com).
- The SPF record lists the servers authorised to send mail from your domain; for Microsoft 365 it must include spf.protection.outlook.com, plus any third-party services (CRM, payroll, newsletters) that send as you.
- DKIM signs outgoing messages so receiving servers can verify they were not altered in transit and really came from your domain; Exchange Online uses two CNAME records (selector1 and selector2).
- The DMARC record tells receiving servers what to do with mail that fails SPF and DKIM alignment (p=none, quarantine or reject) and where to send reports; start with p=none, read the reports, then move to quarantine and reject.
- Email authentication is critical to protecting your brand reputation and reducing phishing attacks that spoof your domain.
Quick Wins to Prevent Phishing Attacks
- Enable impersonation protection for your own domains and for named senior staff (directors, finance), so look-alike senders are quarantined
- Protect your domain name: enable spoof intelligence, and consider registering obvious look-alike domains
- Enable Safe Links and Safe Attachments (Defender for Office 365 Plan 1, included in Business Premium)
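Checking the four DNS records described above, enabling DKIM, and switching on impersonation protection, as an added PowerShell 7 example written for this guide (not code from the original page or from Microsoft). It assumes Windows (Resolve-DnsName comes from the DnsClient module) and the ExchangeOnlineManagement module; "companydomain.co.uk" and the protected user "Jane Smith" are placeholders.

```powershell
# Added example (not from the original guide): audit SPF/DKIM/DMARC/MX for a domain,
# then enable DKIM signing and impersonation protection in Exchange Online.
function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    # Helper: all TXT strings at a name, each record joined into one string.
    $txt = { param($name)
        Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' } }

    # MX: inbound mail should land on Exchange Online Protection.
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
            Where-Object QueryType -eq 'MX' | Select-Object -ExpandProperty NameExchange)
    [pscustomobject]@{ Check = 'MX'; Ok = (@($mx) -match '\.mail\.protection\.outlook\.com\.?$').Count -gt 0; Value = ($mx -join ', ') }

    # SPF: exactly one v=spf1 record, authorising Exchange Online, ending in a hard fail.
    $spf = @(& $txt $Domain | Where-Object { $_ -like 'v=spf1*' })
    $spfOk = $spf.Count -eq 1 -and $spf[0] -like '*include:spf.protection.outlook.com*' -and $spf[0] -match '\s-all$'
    $spfNote = if ($spf.Count -gt 1) { 'multiple SPF records (invalid; receivers treat this as no SPF)' }
               elseif ($spf.Count -eq 1 -and $spf[0] -match '\s~all$') { 'soft fail (~all); move to -all once every sender is listed' }
               else { $spf -join ' | ' }
    [pscustomobject]@{ Check = 'SPF'; Ok = $spfOk; Value = $spfNote }

    # DKIM: Exchange Online uses two CNAME selectors pointing at the tenant's
    # onmicrosoft.com domain, so Microsoft can rotate keys without touching your DNS.
    foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object QueryType -eq 'CNAME' | Select-Object -ExpandProperty NameHost
        [pscustomobject]@{ Check = "DKIM $sel"; Ok = [bool]($cname -like "$sel-*._domainkey.*.onmicrosoft.com"); Value = "$cname" }
    }

    # DMARC: a policy exists and is not parked at p=none forever.
    $dmarc = @(& $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    $policy = if ($dmarc.Count -eq 1 -and $dmarc[0] -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    [pscustomobject]@{ Check = 'DMARC'; Ok = ($policy -in 'quarantine', 'reject'); Value = ($dmarc -join ' | ') }
}

$Domain = 'companydomain.co.uk'   # placeholder
Test-EmailAuthRecords -Domain $Domain | Format-Table -AutoSize

Connect-ExchangeOnline

# DKIM, step 1: create the signing config (still disabled) and read off the two CNAMEs
# that must be published at your DNS provider.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    New-DkimSigningConfig -DomainName $Domain -Enabled $false | Out-Null
    $dkim = Get-DkimSigningConfig -Identity $Domain
}
$dkim | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME

# DKIM, step 2: once both selectors resolve, turn signing on. Enabling before the
# CNAMEs exist makes every outbound message fail DKIM, so the check gates it.
$dkimChecks = Test-EmailAuthRecords -Domain $Domain | Where-Object Check -like 'DKIM*'
if (-not $dkim.Enabled -and ($dkimChecks.Ok -notcontains $false)) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
}

# Impersonation protection (Defender for Office 365 Plan 1, in Business Premium):
# quarantine mail from look-alikes of your own domains and of named senior staff.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect @("Jane Smith;jane.smith@$Domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine
```

Run the DNS check again after go-live from a machine outside your network, and re-run it whenever a new third-party sender is added, since every such service needs an entry in SPF (and ideally its own DKIM) or its mail will fail DMARC.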
6) Teams and Collaboration
Teams Structure
- Each department has its own Microsoft Team
- Within a Team, channels are based on topics or workstreams, not on departments
- Avoid creating a Team for every conversation; use a chat instead
External Access
- Default: disabled
- Allow only when there is a business need, and per partner domain where possible
- Review quarterly
7) SharePoint and OneDrive
Where to store what
| Use Case | Tool |
|---|---|
| Personal Work Files | OneDrive |
| Team Documents | SharePoint |
| Departmental Data | SharePoint |
| External Sharing | SharePoint (Controlled Access) |
Permissions
- Use Groups instead of Individuals
- Simplicity should rule the day
- Review permissions regularly
8) Device Security & Management
Basics
- BitLocker enabled on all Windows devices, with recovery keys escrowed to Entra ID/Intune
- FileVault enabled on all Macs
- OS updates installed automatically
- Microsoft Defender Antivirus on and up to date (Defender for Business, included with Premium, adds EDR)
Intune (Business Premium)
- Require device compliance, and tie it to Conditional Access so non-compliant devices cannot reach company data
- Enforce encryption on all devices through the compliance policy
- Apply app protection policies to Outlook, Teams and Office on mobile, so company data stays inside managed apps even on personal phones
9) Backup & Continuity
Why Backups Are Necessary
Microsoft 365 keeps the service running and offers recycle bins and retention, but it is not a complete backup: protecting the data inside it remains your responsibility.
What a backup protects against
- Accidental deletions discovered after the recycle bin has emptied
- Ransomware that encrypts or deletes synced files
- Gaps in retention coverage (for example, a leaver's mailbox or OneDrive removed with the account)
Types of backup
- Third-party Microsoft 365 backup tools (cloud-to-cloud, covering Exchange, OneDrive, SharePoint and Teams)
- Microsoft 365 Backup, Microsoft's own pay-as-you-go service
- Whichever you choose, back up daily and test a restore regularly
10) GDPR & Compliance (High Level)
- Customer data for UK tenants is stored at rest in Microsoft's UK data centres for the core services; confirm your tenant's data location in the admin centre.
- Retention policies keep records for as long as your obligations require, and no longer.
- eDiscovery (Purview) supports subject access requests and investigations.
- Audit logs record user and admin activity; the default retention is 180 days on Business plans, so export anything you need to keep longer.
This information is not legal advice; take advice on your own obligations.
Security Baseline (Recommended Defaults)
| Setting | Recommended Default | Why | Where |
|---|---|---|---|
| MFA | Enforced for all users via Conditional Access (security defaults on Basic/Standard) | Prevents account compromise from stolen passwords | Entra admin centre → Protection → Conditional Access |
| Conditional Access | Starter policies from section 4, report-only first, break-glass account excluded | Applies MFA, device and legacy-auth rules consistently | Entra admin centre → Protection → Conditional Access |
| Anti-phishing | Safe Links, Safe Attachments and impersonation protection enabled | Scans links and attachments; quarantines look-alike senders | Microsoft Defender portal → Email & collaboration → Policies & rules |
| Admin roles | Separate admin and user accounts; least-privileged roles | Limits the damage from a compromised daily account | Microsoft 365 admin centre → Roles |
| Legacy authentication | Blocked | Removes the sign-in paths that cannot do MFA | Entra admin centre (Conditional Access) and Exchange admin centre (authentication policy) |
| SPF / DKIM / DMARC | All three published; DKIM enabled for every sending domain | Stops spoofing of your domain; improves deliverability | DNS provider and Exchange admin centre |
| Audit logs | Enabled; reviewed at least monthly | Supports investigation and compliance | Microsoft Purview portal → Audit |
| Sharing | External sharing restricted; no anonymous links by default | Keeps company data under your control | SharePoint admin centre → Policies → Sharing |
Typical UK SME Scenarios
A) 10-user professional services firm
Business Premium throughout; Teams and email are the core workloads; migrating from Google Workspace.
B) 30-user retail / back office
Business Standard for most staff and Business Premium for the users whose devices must be managed (Intune and Conditional Access protect only licensed users); SharePoint built out for inventory; migrating files from Dropbox.
C) 100-user mixed remote / office
Business Premium for everyone; Intune compliance policies; Conditional Access with named-location conditions; hybrid rollout from on-premises Exchange Server to Exchange Online.
Go Live Checklist
- Final data sync
- DNS update (MX, SPF, DKIM CNAMEs, Autodiscover), having lowered TTLs beforehand
- Notify users of the outage window
- Test access and mail flow (inbound, outbound, internal) with test accounts
- Monitor mail queues and message trace for the first few hours
Post Go Live Checklist (First 30 Days)
- Gather user feedback
- Review Microsoft Secure Score and work through its improvement actions
- Test a backup restore
- Review the audit log (sign-ins, new admin role assignments, inbox rules)
- Train users on new features
- Tune policies based on what report-only Conditional Access and the quarantine show
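A first-30-days review covering three of the items above (who holds admin roles, an audit log review, and Secure Score), as an added PowerShell 7 example written for this guide rather than code from the original page. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules; the "adm." prefix for admin accounts is an assumed naming convention.

```powershell
# Added example (not from the original guide): post go-live review in PowerShell 7.
Connect-ExchangeOnline
Connect-MgGraph -Scopes @('RoleManagement.Read.Directory', 'Directory.Read.All', 'SecurityEvents.Read.All')

# 1. Document who has admin access, and flag role holders whose account looks like a
#    daily-use account (the 'adm.' prefix is an assumed naming convention).
function Get-AdminRoleReport {
    foreach ($role in Get-MgDirectoryRole) {            # returns activated roles only
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            $p = $m.AdditionalProperties                  # members come back as directoryObject
            [pscustomobject]@{
                Role       = $role.DisplayName
                Member     = if ($p.userPrincipalName) { $p.userPrincipalName } else { $p.displayName }
                Type       = ($p.'@odata.type' -replace '^#microsoft\.graph\.', '')
                DailyUseUpn = [bool]($p.userPrincipalName -and $p.userPrincipalName -notlike 'adm.*')
            }
        }
    }
}

# 2. Audit log: the noisiest failed sign-ins by user and source IP, and any inbox rules
#    created or changed (a mailbox intruder's first move is usually a rule that hides
#    or forwards mail).
function Get-AuditReview {
    param([int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    $ops   = 'UserLoggedIn', 'UserLoginFailed', 'New-InboxRule', 'Set-InboxRule'
    # -ResultSize caps at 5000 per call; use -SessionCommand ReturnLargeSet and page
    # through if a busy tenant hits the cap.
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -Operations $ops -ResultSize 5000
    $events = foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{ Time = $d.CreationTime; User = $d.UserId; Op = $d.Operation; IP = $d.ClientIP; Result = $d.ResultStatus }
    }
    Write-Host "Top failed sign-ins (user, IP) in the last $Days days:"
    $events | Where-Object Op -eq 'UserLoginFailed' | Group-Object User, IP |
        Sort-Object Count -Descending | Select-Object Count, Name -First 10 | Format-Table -AutoSize
    Write-Host 'Inbox rules created or changed:'
    $events | Where-Object Op -like '*-InboxRule' | Sort-Object Time | Format-Table Time, User, Op, IP -AutoSize
}

# 3. Secure Score: track the number, but act on the improvement actions behind it.
function Get-SecureScoreSummary {
    $s = Get-MgSecuritySecureScore -Top 1                 # newest score first
    [pscustomobject]@{
        Date    = $s.CreatedDateTime
        Score   = $s.CurrentScore
        Max     = $s.MaxScore
        Percent = [math]::Round(100 * $s.CurrentScore / $s.MaxScore, 1)
    }
}

Get-AdminRoleReport | Sort-Object Role, Member | Format-Table -AutoSize
Get-AuditReview -Days 7
Get-SecureScoreSummary
```

Any row with DailyUseUpn set to true, any inbox rule you do not recognise, and any single IP with hundreds of failed sign-ins is worth a closer look the same day; keep the output with your records so the next review can be compared against it.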
Common Mistakes
- Skipping MFA, or enforcing it only for some users
- Sharing a single admin account among several people
- Not backing up your data
- Having no naming convention for users, mailboxes, Teams and sites
- Never reviewing the audit log
- Not training users
- Weak email authentication (missing SPF, DKIM or DMARC)
- Not encrypting devices
- Using personal email accounts for work
- Having no documentation of user and admin accounts
- Adopting a "set it and forget it" mentality
FAQs
Which plan should I choose? Business Premium (£16.90 per user per month, excluding VAT) is the right choice where security matters; Business Standard (£9.60) is appropriate only if you need the Office apps and are content with basic protection. Prices change, so check Microsoft's current UK price list.
Does Microsoft 365 make us GDPR compliant? No. M365 provides tools such as Purview and UK data residency to help you comply, but you remain the data controller and are responsible for how your tenant is configured and used; Microsoft does not provide a legal guarantee of GDPR compliance.
How do I enable MFA? On Business Premium, create a Conditional Access policy in the Entra admin centre (Protection → Conditional Access) that requires MFA for all users, starting in report-only mode. On Basic or Standard, turn on security defaults (Entra admin centre → Identity → Overview → Properties → Manage security defaults), which require MFA for everyone. Avoid the legacy per-user MFA settings.
What is Conditional Access? A set of policies that define the conditions (who, from which device, which app, from which location, how risky the sign-in looks) under which a sign-in is allowed, blocked or challenged for MFA.
What is the difference between SharePoint and OneDrive? SharePoint is for team and departmental documents (collaboration); OneDrive holds an individual's own work files (personal storage).
Can I manage mobile devices? Yes. With Business Premium, users enrol their phones through the Intune Company Portal app, and the resulting compliance state feeds into Conditional Access so that only compliant devices reach company data.
About This Guide
The Computer Support Centre has produced this Microsoft 365 Setup Guide to assist UK small and medium-sized enterprises in implementing Microsoft 365 in a structured, secure, and implementable manner.
The guide is based on our professional experiences working with organisations using Microsoft 365 on a day-to-day basis, including the use of email, collaboration tools, identity and access management, device protection, and compliance.
Unlike many guides that focus on the technology alone, this planning guide focuses on the procedures, processes, secure defaults and long-term management of your Microsoft 365 implementation, so that your organisation can grow in confidence and keep control of its IT environment.
Conclusion
When it is set up improperly, Microsoft 365 can cause many problems for UK small and medium-sized enterprises. A systematic, security-first setup avoids common errors, lowers risk and establishes a stable base for everyday operations.
Following this setup guide will enable an organisation to implement Microsoft 365 efficiently, reliably, and effectively. Rather than relying on “quick-fix” philosophies, this guide places emphasis on the tools, processes, best security practices, and long-term management of the product.