UPDATE: You my download the latest version of this guide here.
This guide summarizes Microsoft’s recommendations for enabling employees at small and medium-sized businesses to securely work from home, using the features included in Microsoft 365 Business Premium.
Microsoft 365 Business Premium is a comprehensive suite of collaboration products and enterprise-grade security tools curated specifically for businesses with 1 to 300 employees. It includes Office productivity apps and services plus advanced security capabilities to help defend businesses against cyberthreats, protect data, and secure devices. Although other licensing plans include some of these advanced security and management capabilities, for organizations with less than 300 employees, Microsoft 365 Business Premium is generally the most cost-effective package.
An overview of the key steps in enabling secure remote work is shown in the following illustration:
For each of these phases, we will review the key steps and any security-related issues to consider. Because SMBs have different security needs and attitudes, the checklist includes suggested recommendations for two common scenarios.
- The normal scenario is designed for a typical business that wants to enable secure remote work and balance ease of use with security.
- The high risk scenario is more appropriate for a business that wants to maximize security protections and has higher concern for risk (for example, to adhere to regulatory requirements such as HIPAA or GLBA). This business is also willing to put more effort into maintaining security and control of the work from home environment.
Both sets of defaults are intended to provide a starting point for a serious discussion around the security and compliance options available, rather than prescriptive guidance. One of the first and most important things that IT leaders and business leaders can do is talk through the possibilities.
You can download the summary checklist here. If you’d like to learn more about the checklist items, we’ve broken it down section by section below.
Enable Microsoft 365 security
We begin by setting up a Microsoft 365 tenant and making sure services and policies are configured for secure remote work. We’ll break this first phase down into five steps:
Set up tenant:
We start with the tasks typically done to set up a new tenant, such as enabling cloud identity and setting up email. The Microsoft 365 setup wizard walks you through these basic steps. The setup wizard also includes data loss prevention and mobile app policies; those checklist items are covered under the Configure information governance and Manage devices sections of this guide.
Set up tenant: |
Recommend settings – normal scenario |
Recommended settings – high risk scenario |
Decide between hybrid & cloud-only identity |
Hybrid, Azure AD Connect |
Hybrid, Azure AD Connect |
Azure AD Connect - sign-in method |
Password Hash Sync |
Password Hash Sync |
Azure AD Connect - single sign-on |
Enabled |
Enabled |
Azure AD Connect - On-premises attribute for Azure AD username |
userPrincipalName |
userPrincipalName |
Azure AD Connect - Password writeback |
Enabled |
Enabled |
Decide on email migration strategy |
Hybrid Agent |
Hybrid Agent |
Configure DNS domains |
Situational |
Situational |
Here is a brief explanation of each of these steps.
- Decide between hybrid and cloud-only identity: The users in the Microsoft 365 tenant can have their identities (usernames, passwords, etc.) managed completely in the cloud, or in concert with the on-premises Active Directory. If you do not have an existing Active Directory on-premises, you can set up cloud-only identity by adding users manually in the admin portal or bulk loading users using a CSV file. If you have Active Directory, then we recommend a hybrid approach—using Azure AD Connect to synchronize the domain to Microsoft 365. You can set up AD synchronization using the identity wizard in the onboarding hub. Click Setup in the left navigation of the admin portal and choose “Sync users from your org's directory” to begin. This will guide you through the process of checking Active Directory accounts for potential problems and installing Azure AD Connect. In the table above we’ve listed the appropriate choices for setting up Azure AD Connect for Microsoft 365 Business Premium customers, with single sign-on and password writeback enabled. Azure AD Connect has an Express Settings option which will configure password hash sync and set the on-premises attribute userprincipalname as the Azure AD sign-on name; however, it will not enable password writeback and single sign-on.
- Decide on a strategy for migrating email: You don’t have to migrate email to enable remote work; but doing so gives you the latest email and calendar capabilities, large mailbox sizes, and integration between email and Teams. When migrating email, you want to make sure you have a plan for handling email so there are no disruptions during tenant setup. Make sure you fully assess and understand the readiness for email migration. For businesses with Exchange Server on-premises, we recommend using the Microsoft Hybrid Agent for a simple email migration with the best user experience. For businesses migrating email from a POP or IMAP server use the built-in migration tool. For more information see What you need to know about migrating your IMAP mailboxes to Office 365. You can configure Microsoft 365 to accept email for business’ domains and route SMTP traffic to the existing server while you plan for email migration. For more information refer to Mail flow best practices for Exchange Online and Office 365 (overview)
- Configure DNS domains: When you complete the DNS domain portion of the setup wizard, it will prompt you to change DNS records, including the MX records for inbound email. If you are setting up a new DNS domain, there are no concerns for existing email routing. If you add an existing DNS domain that is already configured for email, make sure you are ready for this task because email will start flowing into Microsoft 365 shortly after you change the MX record. Make sure you configure DNS to match the strategy you chose for migrating email. For example, if you chose to wait on email migration then the simplest option is to leave existing DNS MX and email related TXT records in place for now and not add new ones.
Azure AD Connect single sign on and password writeback capabilities are included in the Microsoft 365 Business Premium subscription, and some enterprise subscription plans.
Configure identity protection:
The next step is to configure identity protection, which includes turning on multi-factor authentication (MFA).
Configure identity protection: |
Recommend settings – normal scenario |
Recommended settings – high risk scenario |
Plan for administrative access |
Required |
Required |
Configure dedicated admin accounts |
Recommended |
Recommended |
Multi-factor authentication (MFA) for admins |
Security defaults |
Required, Conditional Access |
Multi-factor authentication (MFA) for users |
Security defaults |
Required, Conditional Access |
Self-service password reset (SSPR) |
Enabled-All |
Enabled-All |
Combined security information registration |
Enabled-All |
Enabled-All |
- Plan for administrative access: When you create a new tenant, the first user is assigned as a Global Administrator and has unlimited control. Before proceeding further, you should decide who will have administrative control over the tenant, and which types of administrative roles to grant. We recommend configuring at least two, but no more than five, global admin accounts. Having at least two global admin accounts will help resolve issues if the first is locked out; however, we also recommend limiting the number of global admin accounts. If you require more than two global administrators, consider granting only the administrative permissions required. For more information refer to Assign admin controls.
- Configure dedicated admin accounts: We recommend using admin accounts exclusively for administration; not for email and collaboration. For example, if Megan Bowen and Alan DeYoung are the administrators, each should have a regular Microsoft 365 user account with a subscription assigned and each should have a separate account for administration with no subscription assigned. This is because if Megan falls victim to a phishing attack, or Alan’s computer had remote control malware, the attackers would only have access to Megan’s and Alan’s email and files; and would not have keys to the entire tenant. For more information refer to Securing privileged access for hybrid and cloud deployments in Azure AD
- Configure multi-factor authentication: Admin accounts in Microsoft 365 require multifactor authentication (MFA) by default. We highly recommend that you require MFA for the rest of the users in the business as well. Accounts with MFA enabled are up to 99.9% less likely to be compromised. This is because passwords are easily compromised by phishing, social engineering, poor user habits, and persistent attacks. MFA immediately increases account security by requiring multiple forms of verification when signing into an application For many businesses, the simplest and most appropriate way to accomplish this is to turn on security defaults. If the business needs more granular control, such as enabling an unprivileged account for IMAP-based helpdesk automation or email from a multifunction printer, then enable MFA via Conditional Access instead. If you choose conditional access, be sure to enable common conditional access policies right away. We do not recommend enabling MFA on a per user basis in the admin portal. Either use security defaults or conditional access because this will ensure MFA is turned on by policy as users or admins are added in the future.
- Self-service password reset (SSPR) allows a user who has forgotten their password to reset it without contacting the IT department. If you have chosen hybrid identity, you should also configure password changes to write back to the on-premises Active Directory, a feature of Microsoft 365 Business Premium. If you enabled the Password Writeback option when installing Azure AD Connect, you also need to enable Write back passwords to your on-premises directory under On-premises integration in the Azure AD admin portal.
- Combined security information registration will improve the MFA setup experience for the users by only asking for additional phone & email verification options once, providing help obtaining and setting up Microsoft Authenticator, and giving users an option to postpone registration for up to 14 days. It’s simple to enable combined security information registration at the same time you enable self service password reset. For more information refer to Enable combined security information registration in Azure Active Directory.
Self-service password reset and Combined security information registration capabilities are included in the Microsoft 365 Business Premium subscription, and some enterprise subscription plans.
Configure email protection:
All Microsoft 365 subscriptions come with Exchange Online Protection, which includes defenses against spam, viruses, and phishing that are enabled by default. For additional protection, you can configure optional policies available in all subscription types, and you can enable Office 365 Advanced Threat Protection, a feature included in Microsoft 365 Business Premium.
Configure email protection: |
Recommend settings – normal scenario |
Recommended settings – high risk scenario |
Enable Common Attachment Types filter |
Recommended |
Required |
Enable transport rule for attachments with Office macro extension |
Warn |
Block |
Enable transport rule to block auto-forwarded email |
Recommended |
Required |
Enable Sender Policy Framework (SPF) to help prevent spoofing |
Required |
Required |
Enable DomainKeys Identified Mail (DKIM) to help prevent spoofing |
Optional |
Signed, all domains |
Enable DMARC policy to validate email |
Enabled, p=quarantine |
Enabled, p=reject |
Enable Office 365 ATP Policies |
Recommended policies |
Required, with spear phish |
- Enable Common Attachment Types filter: To block email attachments that contain file types that are commonly used for malware, you can activate this filter. For more details, see Raise the level of protection against malware in mail
- Enable transport rule for attachments with Office macro extension: By opening files that contain malicious macros, users can introduce ransomware to the business. To help prevent this, you can insert a warning to the user whenever a file type that may contain macros flows through the email system. The steps are detailed in Protect against ransomware
- Enable transport rule to block auto-forwarded email: If a cybercriminal gains access to an employee’s account, they may auto-forward that person’s email to an outside account. This allows the attacker to watch the flow of email over extended periods of time, looking for opportunities to steal other people’s credentials and impersonate others—for example, to divert payments to a fake supplier. To prevent this, stop auto-forwarding for email.
- Email authentication will help prevent spoofing of the domain and reduce phishing and other unauthentic emails from other domains. There are three separate but related technologies work together to accomplish this: the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Setting up email authentication is relatively simple if all outbound email originates through Outlook and Microsoft 365, and requires just a few DNS records and policy settings. For more information refer to Email authentication in Microsoft 365.
- Enable Office 365 ATP Policies: ATP protects businesses from unknown email threats in real-time by using intelligent systems that inspect attachments and links for malicious content. You can enable the default recommended ATP policies using the onboarding hub. For step by step guidance using the wizard in the onboarding hub click here. You may also want to configure policies to help prevent impersonation of key individuals – also known as spear-phishing. For more information see Exclusive settings in ATP anti-phishing policies.
Office 365 Advanced Threat Protection is included in the Microsoft 365 Business Premium subscription, and some enterprise subscription plans.
Configure information governance:
Businesses that work with sensitive data will often require protection against accidental leakage of data, as well as policies for retention of data, and classification of data through sensitivity labels.
Configure information governance: |
Recommend settings – normal scenario |
Recommended settings – high risk scenario |
Set up Data Loss Prevention (DLP) |
Recommended, using default policy |
Enabled for sensitive data types (GLBA, HIPAA, etc.) |
Enable email encryption |
Office 365 Message Encryption |
Sensitivity Labels |
Enable retention policies |
None |
Enabled |
Enable sensitivity labels |
Optional |
Enabled, Default or custom labels |
- Set up Data Loss Prevention (DLP): If the business deals with sensitive information such as credit card information, government-assigned identification numbers, health information, or similar data types, DLP policies can help protect this information from inadvertent disclosure. You can enable a default DLP policy using the setup wizard, using pre-defined templates. Or you can configure a custom DLP policy using the built-in sensitive information types or ones that you create.
- Enable email encryption: Email messages exchanged between most mail services are protected in transit, but the email messages themselves are not encrypted when at rest. For businesses that require message-level email encryption and rights protection, we recommend Office 365 Message Encryption for typical scenarios. It is enabled by default and makes it easy to share protected emails with anybody—inside or outside the business. For higher risk scenarios, consider using sensitivity labels for email encryption because this approach provides more multiple classifications, protection options, and controls. For more information refer to Office 365 Message Encryption.
- Enable retention policies: Setting retention policies helps ensure files and emails are kept as long as legally required. Equally important, they can help reduce legal risk by deleting files and emails after these are no longer required to be retained. For more information refer to Overview of retention policies.
- Enable sensitivity labels: These labels work in combination with the Microsoft Information Protection framework to apply encryption and rights management to files and emails. This allows businesses to retain security and control of information no matter where the information goes. Sensitivity labels let you classify and protect the business' data, while making sure that user productivity and their ability to collaborate isn't hindered. For more information on how to configure refer to Learn about sensitivity labels.
Data Loss Prevention (DLP), Office 365 Message Encryption, Retention policies, and Sensitivity labels are included in the Microsoft 365 Business Premium subscription, and some enterprise subscription plans.
Configure Teams security:
For many businesses, deploying Microsoft Teams is as straightforward as just turning it on. For businesses concerned about the governance and oversight, there are additional configuration options to consider.
Configure Teams security: |
Recommend settings – normal scenario |
Recommended settings – high risk scenario |
Teams governance (to allow users to create Teams on their own) |
Defaults |
Restrict groups settings |
Guest access (to allow external users to fully participate in teams & channels) |
Enabled |
Enabled |
External chat (to allow external users to initiate chat) |
Allowed, default policy |
Restricted |
3rd party cloud storage |
Defaults |
Off |
Meeting policy and settings |
Defaults |
Block anonymous |
Messaging policy |
Defaults |
Defaults |
OneDrive for Business sharing |
Anyone |
Require login |
Migrate files to Teams & OneDrive for Business (to enable recovery) |
Required |
Required |
- Teams governance: Businesses just starting out with Teams are sometimes concerned that users can create teams and channels on their own by default. Teams is actually designed for this capability and we recommend leaving the defaults, and using group expiration policies instead of restricting users’ ability to create teams. For more information on creating expiration polices refer to Microsoft 365 group expiration policy and Team expiration and renewal in Microsoft Teams. If you still want to implement Teams governance by limiting who can create teams, you can do this by managing which users can create Office 365 groups, as described in Manage who can create Groups.
- Guest access: Many businesses want to use Teams to collaborate with outside clients, suppliers, and partners beyond participating in meetings. To allow external users to fully participate in teams, enable guest access in the Teams admin center. We recommend enabling guest access even for security-conscious businesses because only specific users are allowed access and they must be explicitly added to individual teams.
- External chat is different from guest access in that it only allows users outside of the business to initiate a Teams chat. This is useful when it is desirable for employees at the businesses to initiate a chat just by knowing someone’s email address; however, it may turn tricky in situations where uninvited chats are undesirable. By default, external chat is allowed from any domain even if guest access is disabled; however, you can turn it off or restrict external chat to a list of domains. For more information see Manage external access in Microsoft Teams.
- 3rd party cloud storage: Teams includes the ability for users to upload and share files from cloud storage services such as Dropbox, Box, and Google Drive. Some businesses may want to limit cloud storage to only those services they control directly in their Microsoft 365 tenant (SharePoint and OneDrive). For more information refer to Manage Microsoft Teams settings for your organization.
- Teams supports meeting policy and settings customizations that control audio/video settings, content sharing, and behavior for dial-in users. The defaults are appropriate for many organizations; however, we recommend reviewing the individual settings. For more information refer Meetings and conferencing in Microsoft Teams.
- Teams also supports messaging policy customizations such as read receipts and URL previews. The defaults are appropriate for most organizations; however, we recommend reviewing the options available prior to deployment. For more information refer to Chat, teams, channels, & apps in Microsoft Teams.
- OneDrive for Business sharing: Another point to consider is how external users access files that are shared via OneDrive. Sharing files can be very useful for collaboration and by default anyone with a link to a shared file can access it; however, for businesses in the high risk scenario, we recommend setting OneDrive and SharePoint sharing policy to “New and existing guests” which will require all users to log in to access a shared file. For more information see Collaborate with guests on a document.
- Migrating files to Teams and OneDrive not only helps enable remote work, it also offers additional backup and recovery options. For example, OneDrive will help block bulk ransomware encryption of files and enable file recovery if an endpoint device is compromised with ransomware. Keeping files in the cloud rather than on someone’s local computer provides a way to recover from hard drive failure and other accidents. Because Teams and OneDrive use SharePoint for file storage, it’s possible to review changes and/or revert to a prior version if a mistake is made. For many businesses, migrating important files is as simple as having content owners move files into Teams channels. If you would like to use a tool to migrate file shares to Teams see Download and install the SharePoint Migration Tool. For more information on the built-in ransomware protection see Ransomware detection and recovering your files.
Secure devices and remote access
With Microsoft 365 policies and services configured for increased security, we turn our attention to devices and access to systems.
Manage devices:
One of the most important tasks involved in securing remote work is onboarding devices into Azure AD and Intune. It’s vital to have visibility into the devices owned by the business, because you can’t secure what you can’t see.
Manage devices: |
Recommend settings – normal scenario |
Recommended settings – high risk scenario |
Onboard existing Active Directory joined PCs |
Hybrid Azure AD Join |
Hybrid Azure AD Join |
Provision new/refreshed company PCs |
Azure AD join |
Azure AD join Autopilot recommended |
Configure app protection policies for company owned PCs |
Enabled, encrypt data only |
Encrypt + block relocation |
Block/Allow access from employee owned mobile devices |
Allowed, default app protection policy |
Block client app access, block web downloads |
Block/Allow access from employee owned PCs |
Block client app access, block web downloads |
Block client app access, block web downloads |
Enable device configuration profiles |
Basic config profile |
Endpoint security profiles |
Enable device compliance policies |
Optional |
Enforced, Conditional Access |
- To onboard existing Active Directory joined PCs we recommend configuring Hybrid Azure AD join, which allows Windows 10 PCs currently managed in on-premises Active Directory to also be managed through Azure AD. This approach allows users to retain their existing Windows user profiles. If you join computers directly to Azure AD without configuring a hybrid setup, new user profiles will be created on the devices, which will not allow them to access their local files, favorites, and other customizations. For more information see Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business.
- Provision new/refreshed company PCs: To set up a PC that is newly purchased or repurposed for a new employee, we recommend Windows Autopilot. Autopilot eliminates the need for traditional imaging and helps set up devices ready for productive use upon receipt by the user. Autopilot can also join the device to Azure AD and enroll in Intune. In this situation, we’re starting with a fresh profile, so hybrid Azure AD joining the device isn’t necessary. The user can still access resources secured by the on-premises Active Directory such as apps, file shares, and printers from a computer that is Azure AD joined. This approach also has an advantage over hybrid device join for new/refreshed company PCs, because hybrid device join requires a network connection to an Active Directory server which is usually not optimal for remote work scenarios.
- Configure App protection policies for company owned PCs: For computers that the business owns, we recommend enabling app protection policies to keep corporate data protected and separate from personal locations. This involves two key capabilities. The first is encryption, which requires proper credentials and/or a managed device to open the file and allows you to wipe data if a device is lost or stolen. The second is the ability to block relocation, restricting files to locations on devices that the business approves, manages, and controls. For example, you can make sure all corporate data is encrypted and stored in protected locations such as the user’s OneDrive folder. At the same time, you can permit the employees to use Microsoft Word to create and store personal files such as recipes to local storage on the PC or a flash drive. For more information see Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune.
- Access from employee owned phones & tablets: Another important item to consider is whether to allow employees to access email and corporate data from their personal devices. Mobile app protection policies provide the ability to ring fence apps on personal devices so that the business can retain control of corporate email and files. For example, if an employee leaves the business, then business data can be removed from the protected app without impacting the user’s personal data and apps. App protection policies work best with Office mobile apps on Android and iOS. You can get started with an app protection policy for employee iOS and Android devices using the Protect mobile app data wizard under the Setup menu in the admin portal. For more information see App protection policies overview.
- Access from employee-owned PCs: We recommend blocking access from personal computers to corporate data, except when the business has low security requirements. If the business decides to allow access to business data from personal PCs, we recommend using Conditional Access policies limit access to potentially sensitive or confidential information. When using Conditional Access, we recommend creating policies in pairs, one policy to allow an action under certain desired conditions, and another to block the same action under other conditions. For more information refer to Learn about Conditional Access and Intune.
- Enabling device configuration profiles helps you manage settings such as device features, security controls, PKCS certificates, VPN, and Wi-Fi profiles on many different types of devices including Windows 10, macOS, iOS, and Android. We recommend getting started with a basic config profile and apply endpoint security profiles in higher risk scenarios. For more information refer to Apply features and settings on your devices using device profiles in Microsoft Intune.
- Enabling device compliance policies defines the rules and settings that devices must meet to be compliant. When combined with Conditional Access, you can grant, deny or limit access to cloud resources based on the device’s compliance with the rules. For example, you can create a policy that requires a minimum OS level and Bitlocker encryption turned on before allowing access to Microsoft 365. For more information refer to Set rules on devices to allow access to resources in your organization using Intune.
Device management capabilities mentioned here are included in the Microsoft 365 Business Premium subscription, and some enterprise subscription plans.
Secure access to other apps:
Users will often need access to existing business resources such as file servers and line of business apps when working from home.
Secure access to other apps: |
Recommend settings – normal scenario |
Recommended settings – high risk scenario |
Access to on-premises data & apps (existing VPN) |
Split-tunnel VPN |
Split-tunnel-VPN |
Access to 3rd party cloud apps |
Azure AD Single sign-on (SSO) |
Azure AD Single sign-on (SSO) |
Access to on-premise webapps |
Azure AD App proxy |
Azure AD App proxy |
Access to desktop apps |
Windows Virtual Desktop (WVD) |
Windows Virtual Desktop (WVD) |
- Access to on-premises data & apps via VPN: The simplest way to provide access is to use existing VPN technology; however, legacy VPNs are often inadequate for many simultaneous users. One way to increase capacity is to configure split-tunnel VPN so that network traffic not specifically required to traverse the VPN can make direct connections. All network traffic related to Microsoft 365 is natively encrypted during transport so there is no need route Microsoft 365 traffic through a VPN.
- Secure access to 3rd party cloud apps: If users need to access third-party cloud apps such as Adobe or Salesforce then we recommend securing the user identity with Azure AD, MFA, and Single-Sign On. Enabling single sign on means less passwords for users to manage and remember, and when an employee leaves the business deactivating access is simpler. For more information refer to Tutorials for integrating SaaS applications with Azure Active Directory.
- Secure access to on-premises web apps: If users need to access to on-premises webapps, Azure AD app proxy provides secure remote access. For example, Application Proxy can provide remote access and single sign-on to Remote Desktop, Tableau, Qlik, and other line of business (LOB) applications that users access via a web browser. For more information refer to Azure Active Directory's Application Proxy provides secure remote access to on-premises web applications.
- Secure access to desktop apps: For the highest levels of data security for users working from home, we recommend Windows Virtual Desktop (WVD) to deliver a virtual desktop experience and remote apps to any device. One major security benefit is that all data is kept within the virtual session, so when you close the session nothing is left on the user’s device enabling them to use home or personal machines securely. To learn more about WVD have a look at the Windows Virtual Desktop documentation.
Azure AD Single Sign On, Azure App Proxy, and Windows Virtual Desktop (WVD) capabilities are included in the Microsoft 365 Business Premium subscription, and in some enterprise subscription plans. The WVD host pool also requires an Azure subscription for compute and storage resources consumed.
We hope this guide has helped shed light on the practical aspects of securing work-from-home setups with Microsoft 365 Business Premium. If you have questions about the content of this guide, or feedback, please start a conversation with us in the SMB Tech Community.