Microsoft 365 Business Premium: Fix Setup & Config Errors
Why This Is Happening
I've seen this exact scenario play out dozens of times. A small business owner, maybe 20, 50, or 80 employees, decides to upgrade to Microsoft 365 Business Premium. The purchase goes through fine. The license seats are assigned. And then... nothing works the way it's supposed to. Security features aren't active. Devices aren't enrolled. Microsoft Defender for Business is sitting there doing absolutely nothing because nobody ran the post-setup configuration. The admin portal shows green checkmarks, but the organization is still wide open.
Here's the thing Microsoft doesn't make obvious enough: buying Microsoft 365 Business Premium is step one. Actually configuring it is a completely separate process, and skipping it is the single most common reason businesses end up in trouble. The subscription covers up to 300 users and bundles together cloud productivity, device management, and enterprise-grade security, but that security doesn't switch on automatically just because you've paid for it.
The second major failure point I see is around the Zero Trust security model that underpins all of M365 Business Premium's protection. Zero Trust means no device, no user, and no app gets trusted by default; everything has to be verified. But when admins haven't walked through the security configuration wizard, they're essentially running a paid subscription on a free-tier security posture. Phishing attacks, ransomware, and unauthorized access to business data become far more likely as a result.
A third scenario: people come to me after the March 2025 update that introduced the Microsoft Defender Suite add-on (previously known as Microsoft 365 E5 Security). They bought the add-on expecting everything to just work, and instead got a confusing overlap between their existing Defender for Business baseline and the new extended capabilities. The September 2025 rebrand to "Microsoft Defender Suite for Business Premium" made things even murkier for admins who hadn't been tracking the changelog closely.
If you're reading this because Teams isn't connecting properly, devices won't enroll in mobile device management, security alerts are firing without explanation, or your initial setup stalled midway, you're in the right place. All of these problems have a common root: incomplete post-purchase configuration. Let me walk you through exactly how to fix it.
The Quick Fix: Try This First
If you've recently set up Microsoft 365 Business Premium and things feel broken, the fastest diagnostic step is checking whether your security configuration is actually complete. Microsoft's admin center has a setup wizard that many people abandon halfway through, and that half-finished state is responsible for a huge proportion of the support questions I see.
Here's what you do. Sign in at admin.microsoft.com with your global admin account. In the left-hand navigation, click Setup. Look for the section called Protect your organization. If you see pending items with a warning icon rather than a checkmark, that's your culprit right there. Work through each item in order; don't skip ahead, and don't mark anything complete without actually doing it.
The three items that are most often left incomplete are: enabling multi-factor authentication (MFA) for all users, configuring Microsoft Defender for Business policies, and setting up device compliance rules. Each of these individually is a meaningful security gap. All three together means your Microsoft 365 Business Premium subscription is delivering maybe 30% of the protection you're paying for.
For MFA specifically: go to admin.microsoft.com → Users → Active users → Multi-factor authentication. Select all users and click Enable. Then go to Azure Active Directory → Security → Conditional Access and verify that MFA is actually enforced via a policy; enabling it in the legacy portal alone isn't enough in modern tenant configurations.
Once MFA is enforced and Defender policies are active, about 70% of the "nothing is working" reports I see resolve themselves within 24 hours as policies propagate. If you're still having issues after that, keep reading; the step-by-step section covers every layer in detail.
Before touching any security settings, confirm that every user who needs Microsoft 365 Business Premium features actually has the license assigned. This sounds obvious, but I've seen situations where a tenant was purchased for 25 seats, 30 users were created, and five of them quietly ended up without a license, unable to access Defender policies, Teams calling features, or OneDrive for Business sync.
Go to admin.microsoft.com → Billing → Licenses. Find your Microsoft 365 Business Premium subscription and check the "Assigned" vs. "Available" counts. Then go to Users → Active users, click the column selector, and add the "Licenses" column to your view. Sort by license to spot anyone who slipped through without one.
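The same license gap check, scripted against the Microsoft Graph PowerShell SDK so it can run on a schedule instead of by eye. This is an added example, not from the article; it assumes the SDK is installed, a Global Reader or Global Administrator signs in, and that "SPB" is the SKU part number your tenant reports for Business Premium (verify it in the Get-MgSubscribedSku output).

```powershell
# Added example: report Business Premium seat usage and find enabled users with no license.
# Assumes: Install-Module Microsoft.Graph; the caller can read users and subscriptions.
Connect-MgGraph -Scopes "User.Read.All", "Organization.Read.All" -NoWelcome

$skuPart = "SPB"   # Assumed part number for Microsoft 365 Business Premium; confirm in your tenant
$sku = Get-MgSubscribedSku -All | Where-Object { $_.SkuPartNumber -eq $skuPart }
if (-not $sku) { throw "No subscribed SKU with part number '$skuPart' found in this tenant." }

$enabled  = $sku.PrepaidUnits.Enabled
$consumed = $sku.ConsumedUnits
"{0}: {1} of {2} seats assigned ({3} available)" -f $sku.SkuPartNumber, $consumed, $enabled, ($enabled - $consumed)

# Enabled member accounts only: blocked accounts and guests are not expected to hold a seat.
$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property Id, DisplayName, UserPrincipalName, AssignedLicenses

# Two views: no license whatsoever, and missing this specific SKU (they may hold a cheaper plan).
$unlicensed = $users | Where-Object { -not $_.AssignedLicenses -or $_.AssignedLicenses.Count -eq 0 }
$missingSpb = $users | Where-Object { $_.AssignedLicenses.SkuId -notcontains $sku.SkuId }

"`nEnabled members with no license at all: $(@($unlicensed).Count)"
$unlicensed | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize

"Enabled members without the $skuPart SKU specifically: $(@($missingSpb).Count)"
$missingSpb | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize
```

Anyone listed in the second table is exactly the "quietly ended up without a license" case: they can sign in, but Defender policies and Business Premium features will not apply to them.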
While you're in the admin center, check your tenant's service health. Go to Health → Service health and look at the Microsoft 365 suite status. If Microsoft is having an active incident affecting authentication (Event IDs typically show up as EX or MO prefix codes like EX789012 for Exchange Online or MO567890 for Microsoft 365 general), that could explain why things that should work simply aren't right now, and no amount of local troubleshooting will fix a Microsoft-side outage.
Also confirm your domain is properly verified. Under Settings → Domains, every domain you use should show a green "Healthy" status. A domain stuck in "Setup incomplete" means the MX, SPF, and DKIM records haven't been correctly added at your DNS registrar, and that directly breaks mail flow and Teams federation.
If you see all licenses assigned, no active incidents, and domains healthy, you're ready to move on to security configuration. If anything looks off here, fix it first; everything downstream depends on a clean tenant foundation.
Microsoft 365 Business Premium is built around a post-purchase security setup that has to be completed deliberately. The official guidance from Microsoft is explicit on this: after basic setup, your next step is to configure security protection. A lot of admins skip this step entirely because the subscription feels "active" the moment licenses are assigned, but the security layer is dormant until you configure it.
In admin.microsoft.com, go to Setup → Microsoft 365 Business Premium setup. You'll see a checklist. The items that matter most are:
- Protect against malicious content: this activates Safe Links and Safe Attachments via Microsoft Defender for Office 365
- Protect against ransomware: this sets up mail flow rules that block Office macro-based attack vectors
- Stop email auto-forwarding: critical for preventing data exfiltration via compromised accounts
- Protect your email from phishing: enables anti-phishing policies with impersonation protection
Work through each item by clicking it and following the sub-wizard. Don't just mark them done; actually expand each one and verify the toggle is set to On (not just "default"). The defaults in a brand-new tenant are frequently not the recommended settings.
Once you're through the wizard, validate that the Defender for Office 365 policies are active by navigating to security.microsoft.com → Email & Collaboration → Policies & Rules → Threat policies. You should see active policies for Anti-phishing, Anti-spam, Safe Links, and Safe Attachments. If any show as "Default policy only," you'll want to create a custom policy scoped to your domain; default policies have weaker thresholds than recommended custom ones.
After completing this step, your organization is protected against the email-based threats (phishing, ransomware delivery, and business email compromise) that account for the vast majority of successful SMB cyberattacks.
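The "Stop email auto-forwarding" item is the one I most want proof of, because forwarding configured before the wizard ran survives it. This added example (not from the article) uses Exchange Online PowerShell to confirm the outbound spam policy blocks automatic forwarding and then lists every mailbox-level forward and every forwarding or redirecting inbox rule; it assumes the ExchangeOnlineManagement module and an Exchange Administrator role.

```powershell
# Added example: verify auto-forwarding is blocked and find forwarding that predates the change.
# Assumes: Install-Module ExchangeOnlineManagement; caller holds Exchange Administrator.
Connect-ExchangeOnline -ShowBanner:$false

# 1. The outbound spam filter policy is where automatic external forwarding is controlled.
#    Off = blocked. Automatic = Microsoft-managed default (currently behaves as Off). On = allowed.
#    Pin it to Off explicitly so the intent is recorded rather than inherited.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode | Format-Table -AutoSize

# 2. Mailbox-level forwarding, whether set by an admin or during a compromised session.
$mailboxes  = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
$forwarding = $mailboxes | Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress }
"Mailboxes with forwarding configured: $(@($forwarding).Count)"
$forwarding | Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Inbox rules that forward or redirect mail: the classic persistence left behind after BEC.
$ruleHits = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled, ForwardTo, RedirectTo
}
"Inbox rules that forward or redirect: $(@($ruleHits).Count)"
$ruleHits | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Anything in sections 2 or 3 that points outside your domains needs a conversation with the mailbox owner before you remove it, because a legitimate forward and an attacker's forward look identical in this output.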
Microsoft Defender for Business is included with Microsoft 365 Business Premium, and it's genuinely powerful endpoint protection. The catch: it has its own activation process separate from the main admin center setup, and many admins simply never find it.
Go to security.microsoft.com; this is the Microsoft Defender portal, separate from admin.microsoft.com. Sign in with your global admin credentials. If this is your first time here, you'll be prompted to run the setup wizard for Defender for Business. Do it. Don't close this window and come back later; the wizard walks you through onboarding your first devices and setting up baseline policies.
During setup, you'll configure the following:
- Next-generation protection: cloud-delivered protection, real-time scanning, potentially unwanted application (PUA) blocking
- Attack surface reduction rules: policies that block specific high-risk behaviors like Office apps spawning child processes, a tactic ransomware frequently exploits
- Web content filtering: blocks access to malicious or inappropriate categories at the network level
To onboard Windows devices, go to Settings → Endpoints → Device management → Onboarding. Download the onboarding package and deploy it via your preferred method: Group Policy, Microsoft Intune (recommended), or a local script for small deployments. Once devices check in, they appear under Assets → Devices with a status of "Onboarded."
If you're on the Microsoft Defender Suite for Business Premium add-on (the September 2025 update), you'll also see extended identity protection features under Settings → Microsoft Defender XDR. These extend protection to your Azure AD identities, flagging risky sign-ins, lateral movement attempts, and compromised credentials automatically.
Within 48 hours of onboarding devices, the Defender portal's vulnerability management section will show you a device exposure score. Anything above 40 needs immediate attention.
One of the core value propositions of Microsoft 365 Business Premium is device management: Windows, Mac, iOS, and Android. This is handled through Microsoft Intune (now called Microsoft Intune admin center), and it won't do anything until you actively enroll devices and assign compliance policies.
Access Intune at intune.microsoft.com. For Windows devices in a corporate environment, the cleanest enrollment method is Azure AD Join combined with automatic MDM enrollment. Users go to Settings → Accounts → Access work or school → Connect, enter their work email, and the device joins Azure AD and auto-enrolls in Intune simultaneously.
Once devices are enrolled, you need compliance policies. Go to Devices → Compliance policies → Create policy, select the platform (Windows 10/11), and configure:
- Require BitLocker: Yes
- Require Secure Boot: Yes
- Minimum OS version: 10.0.19041 (Windows 10 20H1 minimum)
- Require device health attestation: Yes
- Microsoft Defender Antimalware: Required
Assign the policy to All Users or a specific group. Devices that don't meet these requirements will be marked "Not compliant", and if you have a Conditional Access policy blocking non-compliant devices from accessing company resources (which you should), those devices simply won't be able to connect to Teams, SharePoint, or Exchange until they're brought into compliance.
For personal devices (BYOD), use App Protection Policies instead of full MDM enrollment. These policies protect company data inside apps like Outlook Mobile and Teams without touching personal photos, messages, or apps. Find them under Apps → App protection policies.
Once this step is complete, check Devices → Monitor → Noncompliant devices. Work through any flagged devices with the device owners to bring them into compliance.
Microsoft Teams is the productivity hub of Microsoft 365 Business Premium, and it's also a surface that attackers actively target through external guest access, malicious file sharing, and meeting-based social engineering. Getting Teams settings right protects both your users' productivity and your data.
In admin.microsoft.com → Admin centers → Teams, you'll land in the Teams admin center. Start under Users → External access. Here you control whether your users can communicate with people at other Microsoft 365 tenants and Skype users. For most SMBs, I recommend keeping Teams and Skype federation enabled but turning off access from unmanaged external accounts; that blocks the "hey, join this Teams call" phishing vectors that have become increasingly common.
Under Users → Guest access, review whether guests can use Teams features in your tenant. Guests are people outside your organization invited to Teams channels. They should not, by default, have the ability to share files publicly or create channels. Set Create channels and Delete channels to Off for guests.
For meeting security, go to Meetings → Meeting policies. In the Global (org-wide) policy, set:
- Allow cloud recording: On (but review recordings stored in OneDrive)
- Who can bypass the lobby: People in my organization and guests
- Allow meeting chat: On
- Automatically admit people: Invited users only
These settings mean external participants can't silently join meetings, and your internal meetings aren't accidentally exposed to uninvited participants.
Finally, check your SharePoint and OneDrive sharing settings. Go to admin.microsoft.com → SharePoint → Policies → Sharing. The "Anyone" sharing level (which allows link sharing with no sign-in required) should be turned off for most business environments. Set it to New and existing guests at minimum, ideally Only people in your organization for sensitive content.
After these changes, run the Microsoft Secure Score assessment at security.microsoft.com → Secure score. A well-configured Microsoft 365 Business Premium tenant typically scores between 65–80%. Anything below 50% means there are significant gaps to close.
Advanced Troubleshooting
When the standard setup wizard and policy configuration aren't enough, you need to dig into the lower layers. Here's where I go when basic fixes haven't resolved things.
Conditional Access Policy Conflicts
Conditional Access is the enforcement engine behind Zero Trust in Microsoft 365 Business Premium. But conflicting policies, especially after importing third-party templates or running the "Security Defaults" migration, can cause sign-in failures that look like account lockouts. Go to Azure Active Directory → Security → Conditional Access → Insights and reporting and check the sign-in logs for any policy that shows as "Failure" against real user sign-ins. The column "Conditional Access" will show which policy blocked a sign-in, giving you a specific policy name to investigate.
Important: if you have Security Defaults enabled (the older baseline) AND custom Conditional Access policies, you'll get unpredictable behavior. Security Defaults and custom Conditional Access are mutually exclusive. Disable Security Defaults at Azure Active Directory → Properties → Manage Security Defaults before relying on custom policies.
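Both conflicts described here can be surfaced in one pass rather than by clicking through each policy. This added example (not from the article) uses the Microsoft Graph PowerShell SDK to report whether Security Defaults is on while custom policies are enabled, and to flag any enabled policy that targets All users with no excluded user, group, or role (that is, no break-glass account). It assumes the SDK is installed and the caller holds Global Reader or Security Reader.

```powershell
# Added example: detect Security Defaults vs. Conditional Access conflicts and lock-out-prone policies.
# Assumes: Install-Module Microsoft.Graph; Policy.Read.All is sufficient for a read-only audit.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$policies    = Get-MgIdentityConditionalAccessPolicy -All
$enabledPols = @($policies | Where-Object { $_.State -eq "enabled" })

"Security Defaults enabled  : $($secDefaults.IsEnabled)"
"Conditional Access policies: $(@($policies).Count) total, $($enabledPols.Count) enabled"

if ($secDefaults.IsEnabled -and $enabledPols.Count -gt 0) {
    Write-Warning "Security Defaults is ON while custom Conditional Access policies are enabled. These are mutually exclusive; disable Security Defaults before relying on the custom policies."
}

# An enabled policy that includes All users and excludes nobody will also apply to the admin who
# created it. If its grant control cannot be satisfied, nobody can sign in to fix it.
foreach ($p in $enabledPols) {
    $u = $p.Conditions.Users
    $targetsAll  = $u.IncludeUsers -contains "All"
    $noExclusion = (-not $u.ExcludeUsers) -and (-not $u.ExcludeGroups) -and (-not $u.ExcludeRoles)
    if ($targetsAll -and $noExclusion) {
        Write-Warning ("Policy '{0}' targets All users with no exclusions (grant: {1}). Exclude a break-glass group." -f `
            $p.DisplayName, ($p.GrantControls.BuiltInControls -join ','))
    }
}

# Summary table for the review: what each enabled policy targets, excludes, and requires.
$enabledPols | Select-Object DisplayName, State,
    @{ n = 'IncludeUsers';  e = { $_.Conditions.Users.IncludeUsers -join ',' } },
    @{ n = 'ExcludeUsers';  e = { @($_.Conditions.Users.ExcludeUsers).Count } },
    @{ n = 'ExcludeGroups'; e = { @($_.Conditions.Users.ExcludeGroups).Count } },
    @{ n = 'Grant';         e = { $_.GrantControls.BuiltInControls -join ',' } } |
    Format-Table -AutoSize
```

Cross-check any policy the script flags against the sign-in log's "Conditional Access" column mentioned above; a warning here plus failures there is the lock-out pattern in progress.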
Event Viewer for Defender for Business Issues
On Windows endpoints, Microsoft Defender logs to Event Viewer under Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational. Key event IDs to look for:
- Event ID 1006: Malware detected
- Event ID 1007: Action taken on malware
- Event ID 1116: Platform update failed
- Event ID 2001: Signature update failed
- Event ID 3002: Real-time protection failure
Event ID 3002 in particular is a signal that real-time protection isn't running, often caused by a third-party antivirus conflicting with Defender. Microsoft 365 Business Premium's Defender for Business expects to be the sole endpoint protection agent. Uninstall any competing AV product and verify Defender shows "Active" under Windows Security → Virus & threat protection.
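On the endpoint itself, the event IDs listed above and the real-time protection state can be pulled in one script instead of scrolling Event Viewer. This is an added example, not from the article; it assumes an elevated PowerShell session on a Windows client (the SecurityCenter2 WMI namespace that lists registered antivirus products exists on client editions, not on Windows Server).

```powershell
# Added example: triage Defender Operational events from the last 7 days and check whether
# real-time protection is actually running or another AV has pushed Defender into passive mode.
$ids = @{
    1006 = 'Malware detected'
    1007 = 'Action taken on malware'
    1116 = 'Platform update failed'
    2001 = 'Signature update failed'
    3002 = 'Real-time protection failure'
}
$since  = (Get-Date).AddDays(-7)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$ids.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue)

"Defender events since $($since.ToString('u')): $($events.Count)"
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Id      = [int]$_.Name
        Meaning = $ids[[int]$_.Name]
        Count   = $_.Count
        Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
} | Sort-Object Id | Format-Table -AutoSize

# Live protection state from the Defender cmdlets. AMRunningMode 'Normal' is what you want;
# 'Passive Mode' or 'EDR Block Mode' means another antivirus product owns real-time scanning.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AMServiceEnabled          = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AMRunningMode             = $status.AMRunningMode
    AntivirusSignatureAge     = $status.AntivirusSignatureAge   # days since last signature update
} | Format-List

# Antivirus products registered with Windows Security Center: a second entry here is the usual
# explanation for a 3002 event or for Defender sitting in passive mode.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState, timestamp | Format-Table -AutoSize

if ($events | Where-Object Id -eq 3002) {
    Write-Warning "Event 3002 present: real-time protection failed. Check AMRunningMode above and remove any competing AV product."
}
```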
Intune Enrollment Failures
If device enrollment fails with error code 0x80180026, this usually means the MDM authority hasn't been set correctly. Go to intune.microsoft.com → Tenant administration → Tenant status and verify "MDM authority" shows as "Microsoft Intune." If it shows "None" or "Configuration Manager," that's your problem. The fix requires setting the authority, but be aware this is a one-time, irreversible action in the tenant.
For enrollment error 80070774 on Windows devices, the issue is almost always a stale computer object in Azure AD. Delete the existing Azure AD device record for that machine, disjoin and rejoin it, then re-enroll.
Microsoft Defender Suite Add-On Configuration
Since September 2025, the Microsoft Defender Suite for Business Premium add-on (which replaced the former Microsoft 365 E5 Security add-on) requires a separate license assignment on top of Business Premium. If users aren't getting the extended identity and endpoint capabilities, check admin.microsoft.com → Billing → Licenses and confirm the Defender Suite for Business Premium licenses are assigned to the right users, not just present in the tenant.
Prevention & Best Practices
I know this is frustrating, especially when it blocks your work or leaves your business exposed while you scramble to figure out what went wrong. So let me give you the proactive checklist that prevents all of this from happening in the first place.
The biggest preventable issue is running Microsoft 365 Business Premium without a documented security baseline. Microsoft publishes a Cybersecurity Playbook grounded in the Zero Trust security model; download it and work through it methodically during your initial deployment, not after something goes wrong. It covers identity, devices, data, and apps in a logical sequence that mirrors how policies actually depend on each other in the platform.
The second most preventable issue is ungoverned guest and external access. Every month, do a quick audit: Azure Active Directory → Users → All users → filter by "User type: Guest". Remove anyone who no longer has a business reason to be in your tenant. Former contractors, vendors from completed projects, and ex-partner contacts accumulate quietly and represent real access risks.
For ongoing device health, set up a monthly review of your Intune compliance dashboard and your Defender for Business vulnerability management report. These two dashboards together tell you which devices are out of compliance, which have unpatched vulnerabilities, and what your exposure score looks like, before an attacker finds out for you.
Finally, keep current with the "What's New" changelog for your Microsoft 365 Business Premium subscription. The security landscape moves fast. The March 2025 Defender Suite add-on and the September 2025 rebrand both introduced meaningful capability changes that affected how existing tenants should be configured. Spending 10 minutes per month reading the official release notes prevents the kind of "my security add-on isn't working" confusion that's entirely avoidable.
- Enable MFA for every admin account first; admin account compromise is the number one path to full tenant takeover.
- Set up a monthly Microsoft Secure Score review cadence and assign an owner to any score items below 60% completion.
- Download the Microsoft Digital Threats Guide (available as PDF or PowerPoint from Microsoft's security docs) and share it with your team, user awareness is still the best defense against phishing.
- Configure automatic Windows Update deployment via Intune to keep devices patched: go to Intune → Devices → Update rings for Windows 10 and later and set a deployment ring with a 7-day deferral for quality updates and 30 days for feature updates.
Frequently Asked Questions
Why should I choose Microsoft 365 Business Premium over cheaper Microsoft 365 plans?
Microsoft 365 Business Premium is the only SMB plan that bundles full productivity with enterprise-grade security in a single subscription, and that bundling matters. Business Basic and Business Standard give you Office apps and Teams, but they don't include Microsoft Defender for Business, Intune device management, or the advanced threat protection features for email. If your business handles sensitive client data, operates in a regulated industry, or has any employees working remotely, the security gap between Basic/Standard and Premium is significant enough that the extra cost is worth it. For businesses up to 300 users, it's genuinely one of the most complete security-plus-productivity packages available at that price point.
How do I know if my Microsoft 365 Business Premium security is actually working?
Check your Microsoft Secure Score at security.microsoft.com; it's the clearest single number that reflects how well you've configured your security posture. A fully configured Microsoft 365 Business Premium tenant should score between 65% and 80%. Below 50% is a red flag. Beyond Secure Score, look at the Defender for Business dashboard to confirm devices are onboarded and policies are applied, and check that your Conditional Access policies have at least one sign-in blocked or granted in the last 7 days; that confirms the policies are actively evaluating traffic. If Conditional Access shows zero evaluations, something is wrong with policy scope or assignment.
What's the difference between the Microsoft Defender Suite add-on and the base Defender for Business that comes with Business Premium?
Microsoft Defender for Business (included with Business Premium) covers endpoint protection, antivirus, EDR, vulnerability management, and attack surface reduction for your Windows, Mac, iOS, and Android devices. The Microsoft Defender Suite for Business Premium add-on (available since September 2025, previously called Microsoft 365 E5 Security) goes further, adding advanced identity protection, extended email and collaboration threat intelligence, and more sophisticated hunting and investigation capabilities. Think of the base Defender for Business as strong SMB-grade endpoint security, and the add-on as getting closer to what enterprise security teams use. Most SMBs with under 100 users will be well-served by the base level; larger teams or those in high-risk industries should evaluate the add-on.
My users can't sign in to Microsoft 365 after I set up Conditional Access, what did I break?
This is almost always a Conditional Access policy that's too broadly scoped, or a conflict between Security Defaults and your custom policies. First, check if Security Defaults is still enabled; it must be disabled if you're using custom Conditional Access policies. Go to Azure Active Directory → Properties → Manage Security Defaults and set it to Disabled. Second, in the Conditional Access blade, look at your policies and check if any are set to "All users" with no exclusion group; you should always have a "break glass" emergency admin account excluded from every Conditional Access policy so you don't accidentally lock yourself out. Add your global admin account to an exclusion group on any policy that's causing sign-in failures.
Does Microsoft 365 Business Premium work for Mac and iPhone users, not just Windows?
Yes, fully. Microsoft 365 Business Premium explicitly supports device management for Windows, Mac, iOS, and Android. For Macs, you can enroll them in Intune through the Company Portal app and apply compliance and configuration policies the same way you would for Windows. Microsoft Defender for Business also has a Mac agent available through Intune. iOS and Android devices can be enrolled for full MDM management or, for personal devices, through App Protection Policies that only govern corporate data inside Microsoft apps. The Teams app, Outlook Mobile, and the full Office suite are all available on iOS and Android with full Microsoft 365 Business Premium feature support.
What's new in Microsoft 365 Business Premium security that I should know about?
The two biggest recent changes are both from 2025. In March 2025, Microsoft made the Defender Suite (formerly Microsoft 365 E5 Security) available as an add-on to Business Premium subscriptions, a meaningful upgrade path that was previously only available to enterprise customers. Then in September 2025, that add-on was rebranded to "Microsoft Defender Suite for Business Premium" with expanded capabilities. If you're an existing Business Premium admin who hasn't looked at the security changelog since 2024, those two updates represent the most significant capability expansions in recent memory. It's also worth noting that Microsoft moved all Defender XDR learning resources to learn.microsoft.com in July 2024, so if you're looking for training on the security portal, that's where to find it now.