- Buying Business Premium turns almost none of its security on by itself.
- Work in order: identity, then devices, then email, then data.
- Create a break-glass account before any policy can lock you out.
- Each phase points to a deeper per-topic guide to follow next.
Microsoft 365 Business Premium is a genuinely strong security bundle for a small business, but buying the licenses turns almost none of it on. Out of the box you get email and Office apps working, and most of the protection (multi-factor authentication, device management, email filtering, data controls) sitting dormant until someone configures it. This guide is the master runbook for that someone. It's for the owner, office manager, or IT lead who just bought Business Premium and wants a sane order of operations instead of forty browser tabs. By the end, you'll have a phased checklist, you'll know what to do first versus later, and you'll know which deeper guides to follow for each piece.
Before you start
Get these in hand before you begin:
- Global Administrator credentials for the tenant, protected with MFA.
- A second admin account to act as emergency access (a "break-glass" account), so a bad policy can't lock everyone out.
- A current list of your people, the devices they use, and roughly who needs access to what.
- A maintenance window or a quiet afternoon. Some changes prompt users to re-register or sign in again.
- A note of your domain name and where its DNS is hosted, since email security touches DNS records.
The golden rule: go in order. Identity first, then devices, then email security, then data protection. Each layer assumes the one before it is in place. Turning on device compliance before identity is sorted, for example, just creates confusion.
Phase 1: Identity (do this first)
Identity is the foundation. If accounts aren't secured, nothing else matters.
Do first:
- Sign in to the Microsoft 365 admin center (admin.microsoft.com) and confirm your domain is verified.
- Create your break-glass emergency access account and exclude it from the policies you'll build later.
- Turn on multi-factor authentication for everyone. On smaller or simpler tenants, security defaults in Microsoft Entra ID do this in one switch. If you have Business Premium and want more control, use Conditional Access instead.
- Enable self-service password reset (SSPR) so people can recover their own accounts.
- Stop forcing periodic password changes, which modern guidance considers counterproductive.
Do later:
- Build out a small set of Conditional Access policies (require MFA, block legacy authentication, require compliant devices for sensitive apps).
- Set up named locations and review admin role assignments.
Create the break-glass account before you create any Conditional Access policy, and exclude it from every one of them. If a policy ever misfires and locks out your admins, this is the account that gets you back in. Give it a long passphrase, store that somewhere safe and offline, and watch its sign-ins.
Deeper guides to follow next: our guides on enforcing MFA and retiring password expiration, and on Conditional Access starter policies, pick up exactly where this phase leaves off.
Phase 2: Devices (do this second)
With identity sorted, you can manage the laptops and phones that touch company data, using Microsoft Intune (the device management service inside Business Premium).
Do first:
- In the Microsoft Intune admin center (intune.microsoft.com), confirm the mobile device management (MDM) authority is set to Intune.
- Turn on automatic enrollment for Windows so company laptops register themselves when a user signs in.
- Create a basic compliance policy: require BitLocker disk encryption, a screen lock, a minimum operating system version, and Microsoft Defender turned on.
- Create a couple of configuration profiles to push those baseline settings (BitLocker, screen lock).
Do later:
- Set up Windows Autopilot (or Autopilot device preparation) so new laptops provision themselves on first boot.
- Add app protection policies for phones so company data in Outlook and Teams stays inside managed apps.
Don't tie Conditional Access to device compliance until you've actually enrolled and confirmed a few devices report as compliant. If you require a compliant device too early, people get locked out of email before their laptops have finished checking in. Enroll first, confirm green, then enforce.
Deeper guide to follow next: our guide on enrolling your first Windows laptops in Intune and setting up Autopilot walks this phase click by click.
Phase 3: Email security (do this third)
Email is how most attacks arrive, so harden it once identity and devices are underway. Business Premium includes Microsoft Defender for Office 365.
Do first:
- In the Microsoft Defender portal (security.microsoft.com), review the preset security policies and turn on at least the Standard preset for all users. This applies sensible anti-phishing, Safe Links, and Safe Attachments settings without hand-tuning.
- Confirm your domain's email authentication records are in place: SPF, DKIM, and DMARC. These help stop others from spoofing your domain.
- Enable Safe Links and Safe Attachments so risky URLs and files are checked before they reach people.
Do later:
- Tune anti-phishing impersonation protection for your executives and your domain.
- Set up a process to review quarantined messages.
Phase 4: Data protection (do this fourth)
Last, protect the data itself, in SharePoint, OneDrive, and Teams. This comes last because it's easier to set up sensibly once you know who your people are and which devices are trusted.
Do first:
- Decide a simple SharePoint structure: a small number of sites that match how the business actually works (by team or by function), not a sprawl of one site per project.
- Set external sharing defaults that match your risk tolerance (for many SMBs, "existing guests" or "new and existing guests" with expiration, rather than "anyone with the link").
- Turn on the OneDrive Known Folder Move so Desktop, Documents, and Pictures back up to the cloud automatically.
Do later:
- Add data loss prevention (DLP) policies to catch obvious sensitive data (for example, credit card or Social Security numbers) leaving the org.
- Apply retention policies so things are kept, or deleted, on a schedule.
- Consider sensitivity labels for your most confidential content.
Sort the SharePoint structure before you migrate files into it. Moving content twice because the first structure didn't fit is the most common avoidable rework in a Business Premium rollout. A few hours of planning the site layout up front saves days later.
Verify the whole thing
Before you call it done, confirm each layer is actually live:
- Identity: sign in as a normal test user and confirm you're prompted for MFA. Confirm SSPR works by resetting that user's password from the sign-in page.
- Devices: check that at least one enrolled laptop shows as Compliant in the Intune admin center.
- Email: send a test message with a known-safe but unusual link and confirm Safe Links rewrites it. Check the Defender portal shows your presets applied.
- Data: confirm external sharing behaves the way you set it, and that a test user's Desktop and Documents are syncing to OneDrive.
Keep a short record of what you turned on and when. When something changes later, that record is the difference between a five-minute fix and an afternoon of guessing.
What to do next
You now have the four layers of Business Premium doing real work instead of sitting idle. From here, follow the per-topic guides for the pieces you marked as "do later," especially Conditional Access and Autopilot, which deliver the most security and time savings for the least ongoing effort. If you'd rather have this set up correctly the first time, with the break-glass account, the policies, and the device baseline all done in the right order, that's exactly the kind of rollout we run for clients, so reach out and we'll plan it with you.