Today kicks off a comprehensive blog series where I’ll delve into the security features of the Business Premium license SKU, offering detailed step-by-step guidance and best practices.
In this first installment, we’ll explore the capabilities included in Business Premium and walk through the foundational configurations throughout the Admin center, Microsoft Entra, Microsoft Defender and Microsoft 365 Apps Admin center. These are the key settings I recommend establishing right from the start to set your organization up for success.
Without further ado, let's dive in!
Glossary of Abbreviations
This glossary is your quick reference guide for the abbreviations used throughout this blog series. Each term will be explained in detail as it appears in context. Refer back to this section anytime for clarity.
A
AIP: Azure Information Protection – A cloud-based service that uses labels to classify and protect documents and emails.
APP: App Protection Policy – An Intune MAM solution for protecting organizational data and applications on smartphones and Windows laptops.
ASR: Attack Surface Reduction – Security controls that minimize exploitable entry points by limiting risky behaviors and blocking malicious activities.
ATP: Advanced Threat Protection – Security features for email, apps, and collaboration tools.
Azure: Microsoft Azure Portal – A central hub for managing cloud services, virtual machines, storage, and other Azure resources.
B
BP: Business Premium – The license SKU for SMBs that this series focuses on, supporting up to 300 licenses.
C
CA: Conditional Access – A policy-based approach to secure access to apps and data based on user identity, location, and device state.
CAP: Conditional Access Policy – A policy enforcing specific requirements for granting or blocking access.
CASB: Cloud Access Security Broker – A security solution offering visibility, data protection, and compliance monitoring for cloud apps (e.g., Microsoft Defender for Cloud Apps).
CNAPP: Cloud-Native Application Protection Platform – An all-in-one security solution for safeguarding cloud-native applications.
CSPM: Cloud Security Posture Management – Tools to assess and manage cloud environment security risks.
CWP: Cloud Workload Protection – A security approach that protects cloud workloads by reducing the cloud attack surface.
D
Defender: Microsoft Defender XDR Portal – Provides unified security management for the Microsoft Defender Suite, including MDE, MDC, MDCA and MDO.
DLP: Data Loss Prevention – A security feature preventing unauthorized sharing or leakage of sensitive information.
E
EDR: Endpoint Detection and Response – A security solution focused on detecting, investigating, and responding to threats on endpoint devices by monitoring activities and behaviors in real time.
EIDP1: Entra ID Premium Plan 1 – An advanced identity and access management solution managed in the Entra portal.
Entra: Microsoft Entra Portal – A central portal for identity and access management.
G
GA: General Availability – Terminology for the stage when a product or feature is fully developed, tested, and released for widespread use by all customers.
GPO: Group Policy Object – A Windows feature for managing operating systems, applications, and user settings.
Graph: Microsoft Graph – A unified API endpoint providing access to Microsoft cloud services.
GSA: Global Secure Access – Microsoft's first-party ZTNA solution for secure internet access and remote access to private resources without exposing those resources to the internet.
I
IAM: Identity and Access Management – The practice of managing user identities and their access.
Intune: Microsoft Intune Portal – A cloud-based MDM solution for managing devices, apps, and compliance.
M
MAM: Mobile Application Management – A solution for managing organizational data on both managed and unmanaged devices, including smartphones, tablets, and laptops.
MAU: Monthly Active Users – A licensing term often used for pricing services like Power Pages or Microsoft Entra, introducing a small fee for external users.
MDB: Microsoft Defender for Business – A simplified security solution designed specifically for small and medium-sized businesses.
MDC: Microsoft Defender for Cloud – A CNAPP combining CSPM and CWP capabilities for multi-cloud and hybrid environments, offering continuous assessment and threat protection.
MDCA: Microsoft Defender for Cloud Apps – A CASB solution providing visibility, control, and protection for cloud apps.
MDCG: Microsoft Defender Credential Guard – A Windows security feature isolating and protecting sensitive credentials to prevent identity theft.
MDE: Microsoft Defender for Endpoint – An endpoint security solution providing threat detection, investigation, and response capabilities.
MDEG: Microsoft Defender Exploit Guard – A security feature that reduces the attack surface by blocking potentially malicious behaviors on Windows devices.
MDO: Microsoft Defender for Office 365 – A solution protecting against phishing, malware, and other email-based threats.
MDM: Mobile Device Management – Technology for managing devices like smartphones, tablets, and laptops. Microsoft Intune is an MDM solution.
MFA: Multi-Factor Authentication – Adds a layer of security by requiring multiple identity verification steps.
O
OTP: One-Time Passcode – A passwordless authentication method using time-sensitive codes delivered via SMS, email, or tokens (either hardware or software based).
P
Purview: Microsoft Purview Portal – A centralized compliance and governance portal for managing solutions such as data loss prevention, eDiscovery, and compliance requirements.
S
SMB: Small-Medium Business – A business with 1–300 employees according to Microsoft. Other markets may define this range as 1–1,000 employees.
SPO: SharePoint Online – A web-based platform for collaboration and document management across teams and organizations.
SSGM: Self-Service Group Management – A feature that enables users to manage their group memberships without admin involvement.
SSO: Single Sign-On – Simplifies access to multiple apps with one set of credentials.
SSPR: Self-Service Password Reset – A feature allowing users to reset their own passwords securely without IT intervention, helping to decrease helpdesk requests.
SS: Microsoft Secure Score – A measurement of your organization’s security posture, providing recommendations for improving security.
T
TAP: Temporary Access Pass – A passwordless authentication method that can be configured for single or multiple uses, with a TTL ranging from 10 minutes to 30 days. Often used for first-time MFA setups or as a fallback authentication method.
TTL: Time To Live – A term describing the lifetime of a resource, usually expressed in seconds. For example, a TTL of 3600 equates to 1 hour.
W
WH4B: Windows Hello for Business – A phishing-resistant & passwordless authentication solution using device-bound cryptographic keys, allowing sign-in using biometrics or PINs.
WU4B: Windows Update for Business – Centralized management of Windows update deployments, managed through solutions like Microsoft Intune.
X
XDR: Extended Detection and Response – A unified security solution that integrates and correlates data across multiple sources to provide comprehensive threat detection, response, and remediation.
Z
ZTNA: Zero Trust Network Access – A software based, identity-centric security solution for securely connecting remote users to private resources.
Resource Links
Microsoft Admin Center: admin.microsoft.com
Microsoft Admin portals shortcut hub (cmd.ms): cmd.ms
Microsoft Azure: portal.azure.com
Microsoft Defender: security.microsoft.com
Microsoft Entra: entra.microsoft.com
Microsoft Exchange Admin Center: admin.exchange.microsoft.com
Microsoft Intune: intune.microsoft.com
Microsoft Purview: purview.microsoft.com
The SMB Landscape: Understanding the Cybersecurity Challenges
A 2022 Microsoft survey revealed that 99.9% of global businesses fall within the SMB segment, with half of these businesses anticipating a continued reliance on remote work and an increasing reliance on cloud technologies. (Source: Microsoft small and medium business (SMB) voice and attitudes to technology study)
Fast forward to Microsoft’s 2024 SMB report, and the cybersecurity challenges become even clearer: 1 in 3 SMBs experienced a cyberattack in the past year, with the average cost per incident reaching $254,445, and some topping out at a staggering $7 million. The rapidly evolving threat landscape poses significant risks, particularly for these smaller teams. (Source: Microsoft Security: SMB cybersecurity report)
Despite these alarming figures, many SMBs underestimate their vulnerability. Common misconceptions—such as believing they’re “too small” to be targeted or equating compliance with comprehensive security—can leave them exposed to greater risks.
Given these realities, it’s imperative for SMBs to prioritize robust cybersecurity measures to safeguard their operations, data, and overall business continuity.
Business Premium Capabilities: Your Swiss Army Knife for Security
The BP license is like a Swiss Army knife for your organization’s security needs—equipped with a range of tools to lock down your environment and protect your business from modern cyber threats.
If you’re looking for a detailed overview of what’s included in BP, here are two excellent resources to explore:
Aaron Dinnage's M365Maps – Visual maps outlining Microsoft 365 licensing and capabilities, across the full scope of Microsoft's license landscape.
Microsoft’s official comparison of SMB SKUs – Comprehensive details on Microsoft 365 subscription plans for small and medium businesses.
Here are a few of the standout security features included in the license:
Microsoft Entra ID P1
CA
Dynamic Groups
Password Protection
Helps protect identities by enforcing strong passwords using a point-scoring system.
GSA
Includes the Microsoft Traffic profile
MDCA
Includes Cloud App Discovery
Microsoft Intune
MAM
MDM
WU4B
WH4B
MDB
EDR Platform
Provides endpoint protection, reducing risks from malware and ransomware.
Mobile Threat Defense
ASR
Security Monitoring
SS
MDO P1
Protects email and collaboration tools against phishing, malware, and advanced threats.
AIP
Classifies and protects sensitive data with labels, ensuring security even outside your organization.
Windows Pro Upgrade to Windows Business
Enhances management and security features for a more secure environment, when compared to Windows Pro.
DLP
Information labeling
Enhanced audit logs
Content search
Throughout this series, I’ll revisit these features (and more), providing in-depth guidance and real-world scenarios to demonstrate how they can be effectively leveraged to bolster your security posture.
Zero Trust Architecture
As technology and the associated threats continue to evolve, it's no longer sufficient to secure just the perimeters of our organizations. As such, transitioning to a strategy built on Zero Trust is critical for addressing modern cybersecurity challenges.
A Zero Trust strategy can be visualized in this architecture diagram provided by Microsoft:
This diagram highlights the six pillars of Zero Trust, detailing their purpose and how they synergize to create a secure, interconnected framework.
The six pillars of Zero Trust:
Identities
Endpoints
Data
Apps
Network
Infrastructure
In this series, I’ll focus on four of these pillars and explore how to secure them using the BP license SKU.
Adhering to Zero Trust Principles
All recommendations, settings, and configurations in this series are designed to align with these three key principles of Zero Trust:
Zero Trust Principle | Description |
---|---|
Verify explicitly | Always authenticate and authorize based on all available data points, rather than assuming trust based on location or prior access. |
Use least privileged access | Minimize access for both users and systems to only what is necessary, reducing the risk of unauthorized access and potential breaches. |
Assume breach | Act as though the environment is already compromised by implementing segmentation, monitoring, and advanced threat detection. |
Assessing Your Current Zero Trust Standing
To evaluate your Zero Trust posture, Microsoft offers a Zero Trust Assessment Tool. This tool helps admins of established tenants generate a detailed report on their current implementation and identifies areas for improvement.
With actionable insights and tailored recommendations, the tool is invaluable for pinpointing weak points and enhancing your organization’s overall security posture.
Foundational Microsoft Business Premium Security Configurations
These configurations leverage the capabilities of a BP environment, although not all of them strictly require BP licensing.
All recommendations are based on my experience, extensive research, adherence to the Zero Trust strategy, and alignment with CIS, NIST, and ISO controls.
As always, test these configurations and tailor them to your specific business and environment.
Microsoft 365 Admin center
The admin center provides essential tools for organizational configurations, access to backup features, and management services such as Microsoft Edge Management.
Let’s go through the fundamental configurations that every organization should establish.
Setting Up Your Custom Domain
Although not BP-specific, the first step in any setup is configuring and validating your custom domain:
Access the Admin Portal
Navigate to the Microsoft 365 Admin portal and go to Domains in the Settings blade:
Add Your Domain
Select Add domain, which launches a wizard. Enter the domain name you want to add:
Verify Your Domain
Verification is handled through your domain registrar, not Microsoft. Choose one of the provided verification methods. Depending on your DNS registrar, the process may be automated; otherwise, complete it manually using any of the provided options:
Configure DNS Records
Once verified, you're presented with the required MX, TXT, and CNAME DNS records for Microsoft Exchange services. You'll also receive optional CNAME DNS records for Basic Mobility & Security, which should also be configured for device management:
Org settings
Managing Self-Service Configurations
By default, users can trial any available Microsoft licensed product, and trials automatically convert to a paid version when they end. This can incur unwanted costs and enable products that might undermine security or business decisions. To prevent unexpected experiences and costs:
Access Self-Service Configurations
Navigate to Org settings in the Settings blade and choose Self-service trials and purchases:
Disable Unwanted Trials
Review Microsoft's offerings and disable trials for products where costs could accumulate quickly, or which would go against business decisions. Recommended items to disable include:
Microsoft 365 Copilot
Teams Premium
Windows 365 Business
Windows 365 Enterprise
Windows 365 Business with Windows hybrid benefit
Power Apps per user
Restrict User-Owned Apps
Return to the Org settings blade and navigate to User-owned apps and services. Disable:
Office Store access
Starting trials on behalf of your organization
Configuring Admin Notifications
Keeping up with new features, alerts, and incidents across your tenant is essential to staying on top of potential issues across your environment. To streamline notifications:
Windows Release Health Alerts
Navigate to Windows release health in the Health blade.
Choose Preferences to enable emails, set recipients, and specify which versions you want service health alerts for:
Service Health Alerts
Navigate to Service health in the Health blade.
Select Customize to enable emails, configure recipients, and define which services and alert types to monitor:
Use Plus Addressing for Email Management
To efficiently manage admin notifications without adding licenses, set up Plus addressing. For guidance, refer to my quick guide: Mastering Plus Addressing in Microsoft: Simplify Email Management
Microsoft Entra ID User Specific Configurations
Effective identity and access management is arguably the most critical part of any environment, especially when building on Zero Trust principles, because access controls across apps and environments, both internal and external, are increasingly identity-centric.
To establish a strong foundation, it’s essential to limit default user permissions for non-admin users (both internal and external) and implement secure device and approval settings.
Restricting Default User Permissions
Start by accessing the Entra portal and navigating to User settings under Users in the Identity blade. Update the following permissions:
Users can register applications → Configured to No
Restrict non-admin users from creating tenants → Configured to Yes
Users can create security groups → Configured to No
Guest user access restriction → Configured to Guest user access is restricted to properties and memberships of their own directory objects (most restrictive). Note: This doesn’t apply to guest user admin accounts.
Show ‘keep user signed in’ → Configured to No
Optimizing Collaboration Settings
Navigate to Manage external collaboration settings at the bottom of the User settings menu. Configure the following:
Guest invite restrictions → Configured to Member users and users assigned to specific admin roles can invite guest users, including guests with member permissions.
Enable guest self-service signup via user flows → Configured to No
Securing Device Settings
To minimize security risks, it is critical to ensure that users do not have local administrator privileges on their devices by default. Local administrator access allows users to install software, modify critical settings, and inadvertently execute malicious files. This increases the risk of malware infections, data breaches, and unauthorized changes. Restricting local administrator access reduces the attack surface and enforces a more secure, controlled environment.
Rationale for Removing Local Administrator Privileges
Removing default local administrator privileges:
Prevents Unnecessary Risks: Users are less likely to install unauthorized software or fall victim to malicious downloads.
Limits Impact of Malware: Malware requiring administrative rights is far less effective when users operate without elevated permissions.
Improves Policy Enforcement: IT administrators retain full control over device configurations and software installations, ensuring compliance with organizational security policies.
Supports Zero Trust Principles: This action aligns with the Use Least Privileged Access principle, reducing the potential scope and impact of breaches.
To ensure no user has local administrator access to their device by default:
Navigate to All devices via the Devices menu in the Identity blade and access the Device settings menu.
Update these policies:
Global administrator role as local administrator on the device during Microsoft Entra join → Configured to No
Registering user is added as local administrator on the device during Microsoft Entra join → Configured to None
To leverage the cloud-based LAPS functionality, you need to enable it:
Microsoft Entra Local Administrator Password Solution (LAPS) → Configured to Yes
Managing Consent and Permissions
Limiting users' ability to consent to applications reduces the risk of data leakage from over-provisioned apps, while adhering to the Zero Trust principle Use Least Privileged Access.
Follow these steps to manage the application consent flow:
Access Consent and Permissions
Go to the Enterprise applications blade under Applications in the Identity blade. Select Consent and permissions from the Security menu.
Classify Permissions
In Permission classifications, add the following permissions to the Low classification:
User.Read
offline_access
openid
profile
email
Admin Consent Settings
Enable the option for users to request admin consent for apps.
By default, only Global Administrator, Cloud Application Administrator, Application Administrator, and Privileged Role Administrator roles can grant consent.
Add additional reviewers, configure consent notifications, and set the expiration for no more than 30 days.
User Consent Settings
Navigate to User consent settings and set User consent for applications to:
Allow user consent for apps from verified publishers, for selected permissions
While it’s more secure to enforce admin-only consent for all applications, allowing user consent for basic information minimizes administrative overhead and improves the end-user experience without exposing sensitive data.
Microsoft Entra ID Tenant-Wide Configurations
These tenant-wide configurations help manage external user licensing, authentication methods, and tenant personalization. They enhance security, user experience, and B2B collaborations.
Authentication Methods
Transitioning to Modern Management
With Microsoft planning to deprecate legacy authentication settings like SSPR and Per-User MFA by September 30th, 2025, it’s critical to transition to the modern unified management interface. (Source: Microsoft Learn: Manage authentication methods for Microsoft Entra ID)
To migrate the Authentication Methods to the modern unified management follow these steps:
Access the Entra Portal
Navigate to Authentication methods in the Protection blade
For Newer Tenants: If your tenant uses the new authentication method management, skip to the Authentication Registration step.
For Older Tenants: You’ll see the migration option.
Choose a Migration Approach:
You can either migrate manually by choosing Change or, better yet, use the automated migration tool by choosing the Begin automated guide option.
Manual Migration
Open the Migration fly-out. Select Migration In Progress and save. This allows a phased migration without user disruption.
Navigate to Per-user MFA and Service settings. Record configurations for manual replication under the modern interface.
Repeat for SSPR configurations under Password reset in the Protection menu.
NOTE: Ensure SSPR is enabled for all users in Properties, which allows all your users to reset their password without IT personnel intervening. This in turn helps to minimize helpdesk tickets.
Return to Authentication methods and configure the noted settings. Mark the migration status as Migration Complete.
Automated Migration
Select Begin automated guide and follow the wizard, which provides direct links to SSPR and Per-user MFA settings.
Review configurations on the Review + Migrate page, modify as needed, and complete the migration.
Enforcing Authentication Registration
To enforce strong second-factor authentication, enable the Registration Campaign, which Microsoft has been gradually enforcing since October 15th, 2024:
Navigate to Authentication methods → Registration campaign and change the state to Enabled.
Exclude break-glass accounts (use dedicated hardware passkey tokens for these).
Enhancing Authentication Settings
With unified management of authentication methods now in place, it's time to fine-tune your configurations to further strengthen security and reduce the risk of compromise. Two critical settings should be enabled to enhance your organization's authentication experience and resilience:
Report suspicious activity: This feature empowers users to report unusual or unauthorized authentication attempts, such as unexpected MFA prompts via the Authenticator app or OTP emails. By enabling this setting, you create an additional layer of defense, as users can directly flag potential threats or phishing attempts.
Why Enable This?
Increases end-user awareness and involvement in security.
Provides IT admins with valuable insights into potentially malicious activities.
Helps identify and mitigate phishing campaigns targeting users.
System-preferred multifactor authentication: This setting ensures that the most secure authentication method available to a user is always prioritized during login. Without it, the system defaults to the method used in the last successful authentication attempt, which may not be the most secure option. Enforcing system-preferred MFA strengthens the organization’s overall security posture.
Why Enable This?
Prioritizes stronger authentication methods (e.g., biometrics or hardware tokens) over less secure options (e.g., SMS OTPs).
Reduces reliance on potentially vulnerable authentication methods.
Aligns with the Zero Trust principle of “Verify explicitly.”
I strongly recommend enabling both settings for all users to maximize security and improve the overall authentication experience. While these features can significantly reduce the risk of compromise, remember to educate your users about reporting suspicious activity to ensure they utilize the feature effectively.
Configuration Steps
Navigate to the Authentication methods menu in the Protection blade.
Go to Settings and enable the following options:
Report suspicious activity
System-preferred multifactor authentication
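The Entra settings in this post are set by clicking through the portal, but they are also readable and writable through Microsoft Graph, which makes it possible to audit a tenant for drift. The following Python script is an added example (not from the original post and not a Microsoft tool) that compares exported policy documents against the values recommended above: the default user permissions and guest invite restriction (the authorizationPolicy resource), the admin consent request settings (adminConsentRequestPolicy), and the registration campaign, report suspicious activity and system-preferred MFA settings (authenticationMethodsPolicy). The property names follow those Graph resources and the restricted guest role id is Microsoft's documented value; the sample tenant documents, their values and the helper names (find_drift, build_patches, remediate) are constructed for the example. A real run would fetch the three documents with an access token and pass them in.

```python
"""Drift check for the Entra ID settings recommended in this post.

The sample documents mirror the shape of the Microsoft Graph resources
authorizationPolicy, authenticationMethodsPolicy and adminConsentRequestPolicy;
their values are constructed to show a tenant still on defaults. A real run
would fetch the three documents with an access token and pass them in.
"""
import copy

# Microsoft's documented id for the "restricted" (most restrictive) guest role.
RESTRICTED_GUEST_ROLE_ID = "2af84b1e-32c8-42b7-82bc-daa82404023b"
MAX_CONSENT_REQUEST_DAYS = 30  # expiry for pending admin consent requests

# Recommended value per dotted JSON path, grouped by Graph policy resource.
BASELINE = {
    "authorizationPolicy": {
        "defaultUserRolePermissions.allowedToCreateApps": False,
        "defaultUserRolePermissions.allowedToCreateSecurityGroups": False,
        "defaultUserRolePermissions.allowedToCreateTenants": False,
        "guestUserRoleId": RESTRICTED_GUEST_ROLE_ID,
        "allowInvitesFrom": "adminsGuestInvitersAndAllMembers",
    },
    "authenticationMethodsPolicy": {
        "registrationEnforcement.authenticationMethodsRegistrationCampaign.state": "enabled",
        "reportSuspiciousActivitySettings.state": "enabled",
        "systemCredentialPreferences.state": "enabled",
    },
    "adminConsentRequestPolicy": {"isEnabled": True},
}

# Constructed sample: a new tenant that nobody has hardened yet.
SAMPLE_TENANT = {
    "authorizationPolicy": {
        "defaultUserRolePermissions": {"allowedToCreateApps": True,
                                       "allowedToCreateSecurityGroups": True,
                                       "allowedToCreateTenants": True},
        "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",  # default "limited" guest role
        "allowInvitesFrom": "everyone",
    },
    "authenticationMethodsPolicy": {
        "registrationEnforcement": {"authenticationMethodsRegistrationCampaign": {"state": "default"}},
        "reportSuspiciousActivitySettings": {"state": "default"},
        "systemCredentialPreferences": {"state": "default"},
    },
    "adminConsentRequestPolicy": {"isEnabled": False, "requestDurationInDays": 60},
}


def get_path(doc, path):
    """Walk a dotted path; None when any segment is missing."""
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(doc, path, value):
    """Set a leaf on a dotted path, creating intermediate objects as needed."""
    keys = path.split(".")
    cur = doc
    for key in keys[:-1]:
        cur = cur.setdefault(key, {})
    cur[keys[-1]] = value


def find_drift(tenant):
    """Return (resource, path, expected, actual) for every setting off baseline."""
    drift = []
    for resource, wanted in BASELINE.items():
        doc = tenant.get(resource, {})
        for path, expected in wanted.items():
            actual = get_path(doc, path)
            if actual != expected:
                drift.append((resource, path, expected, actual))
    # The consent-request expiry is an upper bound rather than a fixed value.
    days = get_path(tenant.get("adminConsentRequestPolicy", {}), "requestDurationInDays")
    if days is None or days > MAX_CONSENT_REQUEST_DAYS:
        drift.append(("adminConsentRequestPolicy", "requestDurationInDays",
                      MAX_CONSENT_REQUEST_DAYS, days))
    return drift


def build_patches(drift):
    """Group drifted settings into one PATCH body per Graph resource."""
    patches = {}
    for resource, path, expected, _actual in drift:
        set_path(patches.setdefault(resource, {}), path, expected)
    return patches


def remediate(tenant, drift):
    """Return a copy of the tenant documents with every drifted setting corrected."""
    fixed = copy.deepcopy(tenant)
    for resource, path, expected, _actual in drift:
        set_path(fixed.setdefault(resource, {}), path, expected)
    return fixed


if __name__ == "__main__":
    for resource, path, expected, actual in find_drift(SAMPLE_TENANT):
        print(f"{resource}.{path}: expected {expected!r}, found {actual!r}")
```

Running the script against the constructed tenant lists every default that still needs changing; build_patches turns that list into the nested bodies you would send as PATCH requests to the three policy resources, and remediate shows that a tenant with those bodies applied reports no drift. Settings that are not exposed on these resources (such as the "keep user signed in" prompt) still have to be checked in the portal.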
Managing Your Company Branding
While not strictly a security feature, company branding can have an indirect impact on security. A branded authentication experience reassures end-users that they are on the legitimate organizational login page, which can help deter phishing attempts that rely on unbranded or generic login interfaces.
Why Branding Matters
Phishing Deterrence: Users are more likely to recognize a legitimate login page that reflects your organization’s branding.
Professional Experience: A branded authentication page provides a cohesive and professional experience for both employees and external collaborators.
User Trust: Familiar branding reassures users, reducing hesitation during the authentication process.
While company branding is optional, it enhances the user experience and supports your organization’s overall professional image. I strongly recommend implementing this configuration as a foundational step.
Configuring Company Branding in Entra
Navigate to the User Experience blade under the Identity menu in the Entra portal.
Customize the following to align with your business needs:
Logo and header images.
Background colors and patterns.
Example text for the sign-in email.
Managing External User Licenses
External collaboration is critical for many organizations, and Monthly Active User (MAU) licensing simplifies external user management. Microsoft’s legacy 1:5 internal-to-guest user ratio has been quietly retired, making MAU licensing essential for cost-effective external user management.
Key Features of MAU Licensing
Free MFA Prompts: Provides 50,000 free MFA prompts per month, with additional prompts costing $0.0163 per prompt. This is usually sufficient for most SMB organizations.
Identity Governance Features: Enables advanced identity governance options for external users if your organization chooses to adopt them in the future.
Guest User Support: MAU licensing applies to external and internal guest users with the user type set to “guest.”
Benefits of MAU Licensing
Cost Efficiency: Avoid unexpected costs from misaligned licensing by enabling MAU licensing.
Scalability: Easily scale external user collaboration without impacting internal license counts.
Security and Governance: Utilize premium Entra features for external users without extra internal licensing overhead.
Enable MAU licensing to streamline external collaboration and control costs. Monitor Azure consumption and set a spending limit to avoid surprises.
Configuring MAU Licensing in Entra
Navigate to External Identities, choose Overview, and then access Linked subscriptions.
Select Link subscription.
In the fly-out menu, assign the Subscription and Resource Group for billing.
Defender
Let’s talk about a few foundational policies for Defender. Before diving in, make sure you have access to your domain’s DNS registrar—this is a crucial step.
Getting Started
To begin, you need to get data flowing into Microsoft Defender to unlock its full potential.
When you access Defender for the first time, you’ll see a welcome wizard guiding you through the initial setup. At this stage, I recommend setting up email notifications—either to a dedicated email address or using plus addressing, as covered earlier.
Once the wizard is complete, the Defender portal begins initializing. Keep in mind that this process can take a while—up to 30 hours in rare cases—but don’t worry, the wait is worth it!
While the portal initializes, there are two critical policies you should implement immediately for any email-sending domain:
DKIM - DomainKeys Identified Mail
DMARC - Domain-based Message Authentication, Reporting, and Conformance
Understanding DKIM and DMARC
Email authentication is a cornerstone of securing your domain and ensuring recipients can trust your communications, while mitigating phishing risks. That’s where DKIM and DMARC come in.
DKIM: Validates that the content of an email hasn’t been altered by using cryptographic signatures.
DMARC: Instructs recipients on how to handle emails that fail SPF or DKIM checks. Think of it as a policy that says: “If this domain has SPF and DKIM configured, and an email fails either, quarantine or reject it.”
Together, SPF, DKIM, and DMARC enhance email security, reduce phishing risks, and ensure that recipients can trust the integrity of your emails.
Setting Up DKIM
DKIM should be configured for every email-sending domain to ensure email integrity and prevent spoofing.
To configure DKIM for your domain:
Enable the Policy:
Navigate to Email & Collaboration > Policies & Rules in Defender.
Go to Threat Policies and select Email Authentication Settings under the Rules menu.
Change the view from ARC to DKIM.
Choose Your Domain:
Select the domain you want to configure.
Click either Generate DKIM keys or Enable signing with DKIM.
Note the CNAME DNS records that need to be added in your DNS registrar for the DKIM configuration.
Once the DNS records are updated and propagated, your DKIM setup will help validate email integrity for your domain.
Implementing DMARC
For DMARC, tools like dmarcian’s DMARC Record Wizard or services such as Valimail and Barracuda make configuration easier. Here’s how to proceed:
Create Your DMARC Policy
Start with the policy set to None for about 30 days to collect telemetry.
Use your DMARC service to analyze the data.
Gradually move the policy to Quarantine, and finally to Reject.
Note the DMARC TXT record for the next step.
Configuring DNS Records
Now that both DKIM and DMARC are ready, deploy the records to your DNS registrar:
Navigate to Your DNS Registrar
Access the DNS administration panel (e.g., Simply.com, godaddy.com, one.com):
Add DKIM Records
Create two new CNAME records using the keys provided earlier:
Add the DMARC Record
Create a TXT record with as low a TTL as possible:
Optional - Add SPF for Subdomains
If you don't plan to send emails from subdomains, create an SPF record for subdomains to redirect to your main SPF record:
Once all records are published, use validation tools like the Centera Security Domain Checker or MXToolBox to confirm the policies are live:
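The online checkers confirm that the records resolve; the checks below do the same work offline against answers you paste in, which is useful for scripting the staged DMARC rollout. This Python script is an added example (not from the original post and not one of the tools it names) that verifies both Microsoft-issued DKIM selectors point into the tenant's onmicrosoft.com DKIM zone, parses the DMARC TXT record to report its current policy stage and common mistakes, checks the optional subdomain SPF redirect, and emits the record for the next step of the none, quarantine, reject progression. The domain example.com, the tenant name contoso, the record values and the helper names (audit_domain, check_dmarc, next_dmarc_record) are constructed assumptions; the CNAME target shape is the one Microsoft 365's DKIM wizard issues, and a real run would obtain the answers from DNS.

```python
"""Offline checks for the DKIM, DMARC and subdomain SPF records described above.

SAMPLE_RECORDS is a constructed set of DNS answers for example.com on the
tenant "contoso", in the shape Microsoft 365's DKIM wizard and a DMARC record
wizard issue them. A real run would resolve the names and pass the answers in.
"""

DKIM_SELECTORS = ("selector1", "selector2")      # the two CNAMEs Microsoft 365 issues
DMARC_STAGES = ("none", "quarantine", "reject")  # rollout order for the p= tag

# Constructed sample answers: record name -> (record type, value).
SAMPLE_RECORDS = {
    "selector1._domainkey.example.com": ("CNAME", "selector1-example-com._domainkey.contoso.onmicrosoft.com"),
    "selector2._domainkey.example.com": ("CNAME", "selector2-example-com._domainkey.contoso.onmicrosoft.com"),
    "_dmarc.example.com": ("TXT", "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"),
    "*.example.com": ("TXT", "v=spf1 redirect=example.com"),  # subdomain SPF, as recommended above
}


def check_dkim(records, domain, tenant):
    """Both selectors must be CNAMEs into the tenant's onmicrosoft.com DKIM zone."""
    problems = []
    suffix = f"._domainkey.{tenant}.onmicrosoft.com"
    for selector in DKIM_SELECTORS:
        name = f"{selector}._domainkey.{domain}"
        rtype, value = records.get(name, (None, ""))
        if rtype != "CNAME":
            problems.append(f"{name}: CNAME record missing")
        elif not (value.rstrip(".").endswith(suffix) and value.startswith(f"{selector}-")):
            problems.append(f"{name}: points at {value!r}, expected {selector}-* under {suffix[1:]}")
    return problems


def parse_dmarc(txt):
    """Split 'k=v; k=v' into an ordered list of (tag, value); raise on malformed tags."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag {part!r}")
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    return tags


def check_dmarc(txt):
    """Return (index into DMARC_STAGES or -1, list of problems)."""
    problems = []
    tags = parse_dmarc(txt)
    values = dict(tags)
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = values.get("p")
    if policy not in DMARC_STAGES:
        problems.append("p= must be none, quarantine or reject")
    if not values.get("rua", "").startswith("mailto:"):
        problems.append("rua= mailto: address missing, so no aggregate reports will arrive")
    pct = values.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        problems.append("pct= must be 0-100")
    if "sp" in values and values["sp"] not in DMARC_STAGES:
        problems.append("sp= must be none, quarantine or reject")
    stage = DMARC_STAGES.index(policy) if policy in DMARC_STAGES else -1
    return stage, problems


def next_dmarc_record(txt):
    """Return the record with p= moved one step along none -> quarantine -> reject."""
    out = []
    for key, value in parse_dmarc(txt):
        if key == "p" and value in DMARC_STAGES[:-1]:
            value = DMARC_STAGES[DMARC_STAGES.index(value) + 1]
        out.append(f"{key}={value}")
    return "; ".join(out)


def check_subdomain_spf(records, domain):
    """The wildcard SPF record should redirect to the apex domain's SPF record."""
    rtype, value = records.get(f"*.{domain}", (None, ""))
    if rtype != "TXT":
        return [f"*.{domain}: subdomain SPF record missing (optional)"]
    if " ".join(value.split()).lower() != f"v=spf1 redirect={domain}".lower():
        return [f"*.{domain}: expected 'v=spf1 redirect={domain}', found {value!r}"]
    return []


def audit_domain(records, domain, tenant):
    """Run every check and summarise the domain's current DMARC policy."""
    problems = check_dkim(records, domain, tenant)
    rtype, txt = records.get(f"_dmarc.{domain}", (None, ""))
    stage = -1
    if rtype != "TXT":
        problems.append(f"_dmarc.{domain}: TXT record missing")
    else:
        stage, dmarc_problems = check_dmarc(txt)
        problems.extend(f"_dmarc.{domain}: {p}" for p in dmarc_problems)
    problems.extend(check_subdomain_spf(records, domain))
    return {"dmarc_policy": DMARC_STAGES[stage] if stage >= 0 else None, "problems": problems}
```

For the constructed records audit_domain reports no problems and a DMARC policy of none, which is where the post says to start; after the 30-day telemetry window, next_dmarc_record gives the quarantine record to publish, and running it once more yields the reject record. A missing rua= tag is flagged because without it the monitoring period produces no reports to analyze.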
Microsoft 365 Apps Admin Center
The final foundational step is initializing the Microsoft 365 Apps Admin Center (Cloud Config). Simply log in, click on any menu, and you’ll see a message indicating that initialization is underway. Be patient—this can take up to 24 hours.
Once initialization is complete, there are additional steps to configure. We’ll cover those in the next part of this series.
Conclusion: Building a Strong Security Foundation
Starting with a strong foundation is key to most things in life, including securing any organization, and especially for smaller organizations with limited resources.
This post has outlined the initial, foundational steps in leveraging the full package of Microsoft Business Premium's security capabilities.
We've gone through the basic configurations, from configuring and validating a custom domain to implementing the identity and security settings that harden Entra ID, while getting the different parts of the environment ready for more advanced configurations in the future.
These configurations aren’t just about checking boxes—they’re about creating a security-first culture that aligns with Zero Trust principles.
And now, to take a break from all the tech talk, here's another bad joke:
Why does the open-source program get dumped by all its dates?
Because it's too eager for any commits! 😎
In the next installment, I’ll dive deeper into securing identity and access. Stay tuned, and until then, keep your data safe and your configurations solid!