The Complete Microsoft 365 Administration Guide for IT Teams

Microsoft 365 as a single platform

Microsoft 365 is the productivity stack underneath most knowledge-work organizations in the world. For IT teams it is also one of the largest single sources of identity, data, and risk in the environment. Administering it well is one of the highest-leverage activities an IT team can do.

This guide is the structured reference we wish we had had when first taking ownership of an M365 tenant. It assumes you understand basic Windows administration and Active Directory; it does not assume prior Microsoft 365 experience.

Tenant design and licensing

Most organizations should run a single Microsoft 365 tenant. Multiple tenants are operationally painful — cross-tenant collaboration, identity, and compliance become significant ongoing work. Use organizational units, security groups, and administrative units to delegate within a single tenant.

Licensing is genuinely complex. The major SKUs are Business Basic / Standard / Premium for organizations under 300 seats, and E3 / E5 for everyone else. E5 includes Defender for Office, Defender for Endpoint, Defender for Identity, Power BI Pro, and a number of compliance features that, purchased separately, cost more than the E5 upgrade. Model the total cost before standardizing on E3 by default.

Identity: Entra ID, conditional access, and PIM

Microsoft Entra ID (formerly Azure AD) is the identity foundation of the entire stack. The minimum security baseline is: phishing-resistant MFA enforced through conditional access, a conditional access policy that blocks legacy authentication, Privileged Identity Management for any administrative role, and break-glass accounts that are excluded from conditional access policies and stored offline.

Audit your administrative roles. Most tenants have far more Global Administrators than they need. The principle of least privilege applies to administrative tiers — use scoped roles wherever possible.

Exchange Online: mail flow, anti-phishing, retention

Configure SPF, DKIM, and DMARC for every sending domain. DMARC in p=reject mode dramatically reduces brand-impersonation phishing and is now considered a minimum baseline by most security frameworks.

Enable Defender for Office 365 Safe Attachments and Safe Links policies. Configure mailbox audit logging. Set sensible retention and litigation hold policies aligned to your records management requirements.

SharePoint, OneDrive, and information governance

External sharing defaults matter. Decide deliberately whether the default for new SharePoint sites is internal-only, existing-guests-only, or anyone-with-link, and document the decision. Use sensitivity labels to classify content and apply protection (encryption, access restrictions) at the document level.

OneDrive Known Folder Move is one of the highest-ROI configurations in the product — it transparently backs up user desktops, documents, and pictures to OneDrive, eliminating a category of incident.

Teams, governance, and lifecycle

Microsoft Teams creates a SharePoint site, a Microsoft 365 group, and a series of policies every time a team is created. Without governance, this sprawls. Use Teams creation policies, expiration policies, and naming conventions to keep the directory clean.

Intune, endpoints, and the M365 device story

Microsoft Intune is the modern device management platform for Windows, macOS, iOS, and Android. Combined with Entra ID join, conditional access, and Defender for Endpoint, it is a complete management and security stack for endpoints.

Migrate from Group Policy to Intune configuration profiles deliberately. The two coexist during transition but the long-term destination is cloud-native management.