Microsoft 365 Administration: Complete Guide to Tenant Setup, Exchange, SharePoint, Teams, and Security
Microsoft 365 is the backbone of productivity for over 400 million commercial users worldwide. For IT administrators, managing an M365 tenant means orchestrating identity, email, collaboration, file storage, security, and compliance across a platform that Microsoft updates weekly. The difference between a well-managed tenant and a neglected one is the difference between an organization that works efficiently and one that leaks data, accumulates technical debt, and generates constant helpdesk tickets.
This guide covers the six pillars of Microsoft 365 administration that every IT team must master: initial tenant configuration, Exchange Online management, SharePoint Online architecture, Teams governance, security hardening, and compliance configuration. Each section provides specific, actionable steps rather than generic advice.
Tenant Setup and Initial Configuration
A new Microsoft 365 tenant requires deliberate configuration before any user signs in. The default settings prioritize ease of use over security, which means that an unconfigured tenant exposes your organization to avoidable risks from day one.
Domain Verification and DNS Configuration
The first step is verifying your custom domain. In the Microsoft 365 admin center, navigate to Settings, then Domains, and add your domain. Microsoft will ask you to create a TXT record in your DNS provider to prove ownership. Once verified, configure the required DNS records for mail flow, autodiscover, and federation.
The essential DNS records for a fully functional M365 domain include:
- MX record pointing to your-domain.mail.protection.outlook.com for mail routing
- CNAME record for autodiscover pointing to autodiscover.outlook.com
- TXT record for SPF: v=spf1 include:spf.protection.outlook.com -all
- CNAME records for DKIM selectors selector1 and selector2
- TXT record for DMARC: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
SPF, DKIM, and DMARC are not optional. Without all three configured correctly, your outbound email will be flagged as suspicious by recipient mail servers, your domain is vulnerable to spoofing, and you have no visibility into who is sending email on your behalf. Configure DMARC in monitoring mode initially with p=none, then tighten to p=quarantine after reviewing reports for 30 days, and finally move to p=reject once you have confirmed all legitimate email sources are authenticated.
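The following script is an added example, not code from the original article: it checks the five DNS records listed above for one domain, reports which DMARC stage (p=none, quarantine or reject) the domain is currently in, and enables DKIM signing only once both selector CNAMEs resolve. It assumes the ExchangeOnlineManagement module and the Windows DnsClient module (Resolve-DnsName); contoso.example is a placeholder domain.

```powershell
# Added example (not from the original article): verify the MX, autodiscover,
# SPF, DKIM and DMARC records for a domain and enable DKIM when ready.
# Assumes ExchangeOnlineManagement and the Windows DnsClient module.
$Domain = 'contoso.example'   # placeholder, replace with the verified domain
Connect-ExchangeOnline -ShowBanner:$false

# The DKIM config is created disabled; Exchange Online reports the CNAME targets.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $Domain -Enabled $false }

function Get-TxtRecords([string]$Name) {
    # A TXT record may be split into chunks; join each record into one string.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }
}
function Get-CnameTarget([string]$Name) {
    $r = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($r) { $r.NameHost }
}

$checks = [ordered]@{}
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue
$checks['MX -> EOP'] = [bool](@($mx.NameExchange) -like '*.mail.protection.outlook.com')
$checks['Autodiscover CNAME'] = (Get-CnameTarget "autodiscover.$Domain") -eq 'autodiscover.outlook.com'

# SPF: exactly one v=spf1 record (two is a permanent error), EOP include, hard fail.
$spf = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
$checks['SPF'] = $spf.Count -eq 1 -and
    $spf[0] -match 'include:spf\.protection\.outlook\.com' -and $spf[0] -match '\s-all$'

$checks['DKIM selector1'] = (Get-CnameTarget "selector1._domainkey.$Domain") -eq $dkim.Selector1CNAME
$checks['DKIM selector2'] = (Get-CnameTarget "selector2._domainkey.$Domain") -eq $dkim.Selector2CNAME

# DMARC: record present with an aggregate report address; show the policy stage.
$dmarc = Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
$stage = if ($dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
$checks["DMARC (p=$stage)"] = [bool]($dmarc -match 'rua=mailto:')

$checks.GetEnumerator() |
    ForEach-Object { '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' }) }

# Enable signing only when both CNAMEs resolve; signing earlier produces
# signatures recipients cannot verify, which breaks DKIM alignment for DMARC.
if ($checks['DKIM selector1'] -and $checks['DKIM selector2'] -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
}
```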
Admin Account Security
Create dedicated admin accounts separate from daily-use accounts. An administrator should sign into their regular account for email and Teams, and use a separate admin account only when performing administrative tasks. This limits the exposure of privileged credentials during daily work.
Every admin account must have multi-factor authentication enabled. Use the Microsoft Authenticator app or FIDO2 security keys rather than SMS-based MFA, which is vulnerable to SIM swapping. Configure at least two Global Administrators for redundancy, but no more than four. Each Global Administrator should have a break-glass emergency access account stored securely offline.
Organization Profile and Settings
Configure your organization profile with the correct company name, address, and technical contact. Set the default data location for your tenant - this cannot be changed after provisioning and affects where your data is stored geographically. For organizations with data residency requirements, verify that the tenant's data location complies with your regulations before creating any user accounts.
Configure the release track for your tenant. Standard Release receives updates after they have been validated across First Release organizations. Targeted Release (First Release) gets updates early, which is useful for IT teams that want to test new features before they reach end users. Set specific users to Targeted Release rather than the entire organization.
Exchange Online Administration
Exchange Online handles email, calendar, and contact management for your organization. Proper configuration prevents mail delivery issues, reduces spam exposure, and ensures compliance with retention requirements.
Mail Flow Configuration
Configure accepted domains to control which email domains your tenant processes. Your verified domain is automatically an authoritative domain, meaning Exchange Online accepts and delivers mail for it. If you are migrating from an on-premises Exchange server, configure the domain as Internal Relay until migration is complete, then switch to Authoritative.
Transport rules, now called mail flow rules, are the primary tool for enforcing email policy. Common rules that every organization should implement include:
- External email warning: prepend a banner to emails from outside the organization so users can identify potential phishing
- Block auto-forwarding to external domains: prevent compromised accounts from silently forwarding email to attacker-controlled addresses
- Encrypt emails containing sensitive data: apply Microsoft Purview Message Encryption to messages matching keyword or sensitive information type patterns
- Disclaimer for outbound email: append legal disclaimers and confidentiality notices to external messages
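As an added example (not the article's own code), the four rules above expressed in Exchange Online PowerShell, together with the tenant settings that close the remaining auto-forwarding paths and an inventory of forwarding that already exists. It assumes the ExchangeOnlineManagement module; the banner, disclaimer and rule names are placeholders.

```powershell
# Added example, not from the original article. Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false

# 1. External email warning: subject tag plus an HTML banner on inbound external mail.
New-TransportRule -Name 'External sender warning' `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="background:#fff3cd;padding:6px">CAUTION: this email came from outside the organization. Verify the sender before clicking links or opening attachments.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Block auto-forwarding to external recipients. The rule rejects forwarded
#    messages; the two settings after it disable the forwarding mechanisms themselves.
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.'
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Encrypt outbound messages that match a sensitive information type.
New-TransportRule -Name 'Encrypt credit card data' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -ApplyRightsProtectionTemplate 'Encrypt'

# 4. Legal disclaimer appended to external mail.
New-TransportRule -Name 'Outbound disclaimer' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText '<p>This message is confidential and intended only for the named recipient.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Inventory: forwarding that already exists at the mailbox and inbox-rule level.
# A compromised account typically sets one of these silently, which is what rule 2 stops.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled, ForwardTo, RedirectTo
}
```

Review the inventory output before enabling rule 2 in production, because legitimate forwards (for example to a ticketing system) will also be rejected by it.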
Anti-Spam and Anti-Phishing Configuration
The default anti-spam and anti-phishing policies provide baseline protection, but they are tuned for broad compatibility rather than strict security. Create custom policies that tighten the defaults. In the Microsoft Defender portal, configure connection filter policies to block known malicious IP ranges. Configure anti-phishing policies with impersonation protection enabled for your executives and key partners - this detects emails that spoof the display name of protected users.
Safe Attachments detonates file attachments in a sandbox before delivering them to users. Enable Dynamic Delivery mode, which delivers the email body immediately and replaces the attachment with a placeholder while scanning. This prevents delivery delays while maintaining security. Safe Links rewrites URLs in emails and Office documents to route through Microsoft's real-time URL scanning service, which catches phishing links that were clean at delivery time but became malicious afterward.
Mailbox Management and Retention
Configure retention policies to meet your organization's compliance requirements. The default retention policy keeps deleted items for 14 days in the Deleted Items folder and 14 days in the Recoverable Items folder. For most organizations, extend the Recoverable Items retention to 30 days and configure archive mailboxes for users who regularly exceed the 50 GB primary mailbox limit.
Shared mailboxes, room mailboxes, and equipment mailboxes do not require licenses as long as they stay under 50 GB. Use shared mailboxes for team email addresses like support@company.com and sales@company.com. Convert inactive user mailboxes to shared mailboxes before deleting the user account to preserve email history without consuming a license.
SharePoint Online Administration
SharePoint Online is the file storage and intranet platform underlying OneDrive, Teams file tabs, and your organization's internal websites. Effective SharePoint administration prevents data sprawl, enforces access controls, and builds a usable information architecture.
Site Architecture Design
Modern SharePoint uses a hub site architecture that replaces the old site collection hierarchy. Hub sites provide shared navigation, theme, and search scope across associated sites without creating parent-child relationships that restrict site moves.
Design your hub architecture with these principles:
- Create one intranet hub as the organization's home site with company news, policies, and global navigation
- Create department hubs (HR, IT, Marketing, Sales) as hub sites that aggregate department-specific content
- Associate team sites with their department hub for shared navigation and news rollup
- Use communication sites for one-to-many broadcasting - company announcements, project showcases, policy documentation
- Use team sites connected to Microsoft 365 Groups for collaboration - these automatically provision a Teams channel, shared mailbox, Planner, and OneNote notebook
Sharing and Access Control
The default sharing settings in SharePoint Online are too permissive for most organizations. In the SharePoint admin center, configure the organization-level sharing settings before users start creating content.
Set the default sharing link type to "People in your organization" rather than "Anyone with the link." The "Anyone" option creates anonymous links that cannot be audited or revoked and represent the most common vector for unintentional data exposure in Microsoft 365. Configure external sharing at the organization level to "New and existing guests" which requires authentication, then restrict individual sites to more restrictive settings as needed.
Enable access requests so that when a user is denied access to a site, they can request permission from the site owner rather than asking IT. This reduces helpdesk tickets while maintaining access control. Configure site storage limits to prevent individual sites from consuming disproportionate amounts of your tenant's storage quota.
OneDrive for Business Governance
OneDrive for Business is a personal SharePoint site collection under the hood. Configure the default storage limit per user in the SharePoint admin center. The default is 1 TB per user on most plans. Set file sync restrictions to block syncing of specific file types that cause issues with cloud storage, such as Outlook PST files or database files that corrupt when synced.
Configure the OneDrive retention policy for departed employees. When a user account is deleted, their OneDrive content is preserved for 30 days by default. Extend this to 365 days in the SharePoint admin center to give managers time to review and migrate critical files. Assign a manager as the secondary owner of each user's OneDrive so that content is accessible immediately when someone leaves the organization.
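The script below is an added example, not code from the original article, covering both the sharing settings and the OneDrive governance described above with the SharePoint Online Management Shell. It records the current tenant defaults, applies the tighter settings, blocks problem file types from sync, grants a manager access to a departed user's OneDrive, and lists sites that still allow anonymous links. The tenant name contoso, the Finance site URL and the user addresses are placeholders.

```powershell
# Added example, not from the original article. Assumes the SharePoint Online
# Management Shell; 'contoso', the site URL and the addresses are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Record the current defaults first so the change can be reviewed or reverted.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    OrphanedPersonalSitesRetentionPeriod, OneDriveStorageQuota | Format-List

# ExternalUserSharingOnly: guests must authenticate, no "Anyone" links.
# Internal + View: the default link is "People in your organization", read-only.
# 365 days: keep a deleted user's OneDrive for a year instead of the default 30.
# OneDriveStorageQuota is expressed in MB; 1048576 MB is 1 TB.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal -DefaultLinkPermission View `
    -RequireAcceptingAccountMatchInvitedAccount $true `
    -OrphanedPersonalSitesRetentionPeriod 365 `
    -OneDriveStorageQuota 1048576

# Block sync of file types that corrupt or bloat when synced (Outlook data files, databases).
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions 'pst;ost;mdb;accdb;sqlite'

# A site holding regulated content gets a stricter setting than the tenant default.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Finance' -SharingCapability Disabled

# Leaver handling: make the manager a site collection admin of the user's OneDrive
# so the content is reachable immediately rather than after the retention clock runs.
$leaver  = 'jane.doe@contoso.example'
$manager = 'manager@contoso.example'
$oneDrive = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object { $_.Owner -eq $leaver }
if ($oneDrive) {
    Set-SPOUser -Site $oneDrive.Url -LoginName $manager -IsSiteCollectionAdmin $true
}

# Verification: sites that still permit anonymous "Anyone" links after the change.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```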
Microsoft Teams Administration
Teams is the collaboration hub that brings together chat, meetings, calling, and file sharing. Without governance, Teams deployments quickly become a maze of abandoned teams, inconsistent naming, and uncontrolled guest access. Proactive administration prevents these problems.
Teams Governance Policies
Configure a Teams naming policy in the Microsoft 365 admin center under Groups settings. Enforce prefixes or suffixes that identify teams by department or type: PROJ-ProjectAlpha, DEPT-Marketing, CLIENT-AcmeCorp. This makes teams discoverable and sortable in the Teams list. Block specific words from team names to prevent inappropriate or confusing names.
Set a group expiration policy to clean up abandoned teams automatically. A 180-day expiration period works for most organizations. When a team approaches expiration, the owners receive email notifications. If no owner renews the team, it is soft-deleted and recoverable for 30 days. This prevents the accumulation of abandoned teams that contain stale data and confuse users searching for active content.
Control who can create teams. By default, every user can create a Microsoft 365 Group, which creates a team. For organizations larger than 50 users, restrict team creation to a security group of approved users. This prevents the proliferation of duplicate and low-value teams while still allowing departments to request new teams through a managed process.
Meeting and Calling Policies
Configure meeting policies to balance usability with security. Key settings include:
- Meeting recording: enable for internal meetings, configure automatic recording storage in OneDrive or SharePoint rather than Stream Classic
- Transcription: enable live transcription and post-meeting transcripts, which dramatically improve meeting searchability and accessibility
- Lobby settings: require guests and external users to wait in the lobby until admitted by a meeting organizer
- Meeting chat: enable persistent chat that continues after the meeting ends so that action items and follow-ups are captured
- Content sharing: allow screen sharing and PowerPoint Live but consider blocking desktop sharing for guest users to prevent accidental exposure of sensitive content
For organizations using Teams Phone, configure calling policies, dial plans, and emergency calling. Auto attendants and call queues handle inbound call routing. Configure holidays, business hours, and overflow handling for each auto attendant. Test emergency calling from physical locations to verify that the correct emergency address is transmitted.
App Management
Teams supports three categories of apps: Microsoft apps, third-party apps from the Teams app store, and custom line-of-business apps. Configure app permission policies to control which categories of apps users can install. For regulated industries, block third-party apps by default and allow specific approved apps. For most organizations, allow third-party apps but block specific apps that overlap with existing tools or present data security concerns.
Deploy organization-wide apps using app setup policies. Pin essential apps like Planner, Approvals, and your intranet SharePoint site to the Teams sidebar so that all users see them without manual installation. This increases adoption of approved tools and reduces the tendency for teams to adopt unsanctioned alternatives.
Security Hardening
Microsoft 365 security requires configuration across identity, email, endpoint, and data protection layers. The built-in security score provides a prioritized list of recommendations, but understanding the reasoning behind each setting is essential for making informed decisions.
Identity Protection with Conditional Access
Conditional access policies are the foundation of Microsoft 365 security. They evaluate conditions like user identity, device compliance, location, and application before granting, blocking, or requiring additional verification for access. Every tenant should implement at minimum these policies:
- Require MFA for all users accessing any cloud application
- Require MFA for all administrative actions in the Azure portal and Microsoft 365 admin centers
- Block legacy authentication protocols that cannot enforce MFA, including POP3, IMAP, SMTP AUTH, and Exchange Web Services with basic authentication
- Require compliant or hybrid Azure AD joined devices for access to corporate data from desktop applications
- Block access from countries where your organization has no employees or business operations
- Require password change immediately for users flagged as high risk by Azure AD Identity Protection
Named locations allow you to define trusted IP ranges for your office networks. Access from trusted locations can receive a reduced MFA prompt frequency while access from unknown locations triggers full MFA every time. This balances security with user experience.
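Three of the baseline policies above, created with Microsoft Graph PowerShell, as an added example that is not code from the original article. Each policy is created in report-only state so the sign-in logs can be reviewed before it is switched to enforced, and the break-glass account from the tenant setup section is excluded from every policy. It assumes the Microsoft.Graph.Identity.SignIns module; $breakGlassId is a placeholder object ID, and the helper function New-BaselineCaPolicy is defined here for illustration.

```powershell
# Added example, not from the original article. Assumes Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: break-glass object ID

function New-BaselineCaPolicy {
    # Hypothetical helper: builds the policy body shared by all three policies.
    param([string]$Name, [hashtable]$Users, [hashtable]$Extra = @{}, [string[]]$Controls)
    $conditions = @{
        users          = $Users
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    foreach ($k in $Extra.Keys) { $conditions[$k] = $Extra[$k] }
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # set to 'enabled' after review
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Require MFA for all users on every cloud application.
New-BaselineCaPolicy -Name 'CA001 Require MFA for all users' `
    -Users @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) } `
    -Controls @('mfa')

# 2. Block legacy authentication. Clients that cannot perform MFA (POP3, IMAP,
#    SMTP AUTH, basic-auth EWS) appear as exchangeActiveSync or "other".
New-BaselineCaPolicy -Name 'CA002 Block legacy authentication' `
    -Users @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) } `
    -Extra @{ clientAppTypes = @('exchangeActiveSync', 'other') } `
    -Controls @('block')

# 3. Require MFA for Global Administrators everywhere.
#    62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role template ID.
New-BaselineCaPolicy -Name 'CA003 Require MFA for Global Administrators' `
    -Users @{ includeRoles = @('62e90394-69f5-4237-9190-012177145e10'); excludeUsers = @($breakGlassId) } `
    -Controls @('mfa')

# Verify: list policies and their state so nothing is enforced before its review.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Before switching CA002 to enabled, confirm in the sign-in logs that no service account or scanner still authenticates with a legacy protocol, or it will be locked out.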
Data Loss Prevention
Microsoft Purview Data Loss Prevention policies detect and protect sensitive information across Exchange, SharePoint, OneDrive, Teams, and endpoint devices. Configure DLP policies for the sensitive information types relevant to your organization:
- Financial: credit card numbers, bank account numbers, SWIFT codes
- Personal: Social Security numbers, passport numbers, driver's license numbers
- Health: HIPAA identifiers, medical record numbers
- Custom: internal project codes, employee IDs, proprietary data patterns
Start DLP policies in test mode with notifications enabled. Review the matches for 30 days to identify false positives before switching to enforcement mode. A DLP policy that blocks too aggressively causes users to find workarounds that are less secure than no DLP at all.
Microsoft Defender for Office 365
Configure preset security policies in Defender for Office 365 as a baseline. The Standard preset provides balanced protection suitable for most organizations. The Strict preset provides aggressive filtering appropriate for high-security environments but may increase false positives. Apply the Strict preset to executive accounts and the Standard preset to all other users as a balanced approach.
Enable Attack Simulation Training to send simulated phishing emails to your users. Track click rates and completion of training modules. Organizations that run monthly simulations see a 50 to 70 percent reduction in real phishing click rates over 12 months. Customize simulation templates to match the types of phishing attacks targeting your industry.
Compliance Configuration
Microsoft Purview provides the compliance tools integrated into Microsoft 365 for data governance, eDiscovery, audit, and regulatory compliance. Configuration depends on your industry and regulatory requirements, but certain baseline settings apply to every organization.
Audit Logging and Monitoring
Enable unified audit logging in the Microsoft Purview compliance portal. This is not enabled by default in all tenants. The unified audit log captures user and admin activity across Exchange, SharePoint, OneDrive, Teams, Azure AD, and other Microsoft 365 services. The default retention period is 90 days on E3 licenses and 365 days on E5 licenses.
Configure alert policies for critical security events: user account compromised, malware detected in SharePoint, unusual volume of file deletion, mail forwarding rule created to external domain, and admin role assignment. Each alert should notify both the IT security team and the affected user's manager. Set up a weekly review of the alert dashboard to identify patterns that individual alerts miss.
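As an added example (not the article's own code), a weekly review script that enables unified audit logging if it is off and then searches the log for two of the alert conditions above: inbox rules that forward or redirect mail to an external domain, and directory role assignments. It assumes the ExchangeOnlineManagement module; the list of internal domains is read from the tenant's accepted domains, and Search-Audit is a helper defined here for illustration.

```powershell
# Added example, not from the original article. Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$internalDomains = (Get-AcceptedDomain).DomainName
$end   = Get-Date
$start = $end.AddDays(-7)

function Search-Audit([string[]]$Operations) {
    # Hypothetical helper. One call returns at most 5000 records; page with
    # -SessionId/-SessionCommand for larger tenants.
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operations -ResultSize 5000 |
        ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

# 1. Inbox rules created or changed with a forward/redirect target outside the tenant.
$forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'
Search-Audit -Operations 'New-InboxRule', 'Set-InboxRule' | ForEach-Object {
    $event = $_
    foreach ($p in ($event.Parameters | Where-Object { $forwardParams -contains $_.Name })) {
        # Values look like "Display Name [SMTP:user@domain]"; extract every domain.
        $domains  = [regex]::Matches($p.Value, '@([A-Za-z0-9.-]+)') | ForEach-Object { $_.Groups[1].Value }
        $external = $domains | Where-Object { $internalDomains -notcontains $_ }
        if ($external) {
            [pscustomobject]@{
                Time      = $event.CreationTime
                User      = $event.UserId
                Operation = $event.Operation
                ClientIP  = $event.ClientIP
                External  = ($external -join ',')
            }
        }
    }
}

# 2. Directory role assignments. Azure AD audit events land in the same log,
#    so a new Global Administrator shows up here within the review window.
Search-Audit -Operations 'Add member to role.' | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.CreationTime
        Actor   = $_.UserId
        Targets = ($_.Target.ID -join '; ')
    }
}
```

Run the first search against a test mailbox where you created a rule forwarding to a known external address before relying on it, so the parameter names and value format are confirmed for your tenant.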
Retention Policies and Labels
Retention policies define how long content is preserved and when it is eligible for deletion. Create retention policies aligned with your organization's record retention schedule:
- Email: retain for 7 years, then delete (common regulatory requirement)
- Teams chat: retain for 3 years, then delete
- SharePoint documents: retain for 5 years after last modification, then review
- OneDrive files: retain for 1 year after account deletion
Retention labels provide more granular control than policies. Apply labels manually or automatically based on content conditions. Auto-apply labels for documents containing sensitive information types, specific keywords, or metadata values. Use disposition reviews for records that require human approval before permanent deletion.
Information Barriers and Sensitivity Labels
Sensitivity labels classify and protect content based on confidentiality level. Create a label taxonomy that matches your organization's data classification scheme: Public, Internal, Confidential, and Highly Confidential. Each label can enforce encryption, access restrictions, visual markings, and auto-labeling rules. When a document is labeled Highly Confidential, it can be automatically encrypted so that only specified users or groups can open it, even if the file is shared externally or copied to a USB drive.
Information barriers prevent communication between specific groups of users in Teams and SharePoint. Financial services organizations use information barriers to enforce regulatory walls between investment banking and equity research departments. Configure information barriers based on Azure AD attributes such as department or custom attributes that identify regulatory segments.