Microsoft 365 Business Premium: Fix Setup & Config Issues
Why This Is Happening
I've seen this play out dozens of times. A small business owner or IT admin buys Microsoft 365 Business Premium, gets their licenses assigned, and then… nothing works the way it should. Sign-ins fail silently. Devices aren't enrolling in Intune. Multi-factor authentication prompts keep looping. Security policies aren't applying. The frustrating part? Microsoft's error messages, when you even get one, are almost never actionable. You get something like AADSTS50020 or a generic "Something went wrong" screen, and you're left Googling at midnight.
Here's the reality. Microsoft 365 Business Premium is a genuinely powerful product. It bundles productivity tools, cloud identity management via Azure Active Directory (now called Microsoft Entra ID), device management through Microsoft Intune, and advanced threat protection via Microsoft Defender for Business, all in one subscription designed for up to 300 users. That breadth is exactly what makes it tricky. When something breaks, the fault could be sitting in any one of five or six different admin portals.
The most common pain points I see fall into a few categories. First, initial setup sequencing errors: people try to configure conditional access before MFA is fully rolled out, or they enroll devices before policies are published. Second, license assignment gaps: a user has a seat, but specific service plans (like Defender for Business or Intune) haven't been toggled on. Third, domain verification failures: DNS TXT and MX records that weren't propagated before the admin tried to move on to the next step. Fourth, security baseline mismatches: the built-in security defaults conflict with manually created conditional access policies, causing a deadlock where neither set of rules applies cleanly.
I know this is frustrating, especially when your whole team is waiting on you to get email or Teams working. The good news: every one of these problems has a clear fix. None of them requires a support ticket if you follow the right sequence. Let's work through it systematically.
The Quick Fix: Try This First
Before you go deep on any individual problem, run through this 90-second triage. It resolves a surprising number of Microsoft 365 Business Premium issues in one shot.
Open a browser you don't normally use, Edge InPrivate or Chrome Incognito, and go to admin.microsoft.com. Sign in with your global admin account. Look at the top of the page for any service health alerts. Go to Health > Service health in the left nav. If Microsoft is having an outage or degraded performance on any service your users depend on (Exchange Online, Azure AD, Intune), that's your answer right there. Stop troubleshooting and wait.
If service health is green across the board, go to Users > Active users and click on the affected user. Under the Licenses and apps tab, confirm that:
- The Microsoft 365 Business Premium license is checked and saved
- Within that license, individual apps like Microsoft Intune, Microsoft Defender for Business, and Azure Active Directory Premium P1 are all toggled On, not just the top-level license
This alone fixes roughly 30% of the "it's not working" tickets I've seen. The license is assigned but one or more service plans are disabled, usually because someone bulk-assigned licenses from a template that had certain plans turned off.
If both checks pass, the next fastest thing is to go to Settings > Org settings > Security & privacy and verify that Security defaults is either clearly enabled or clearly disabled. A half-configured state, where someone started setting up conditional access but didn't finish, creates authentication loops that look completely unrelated to policy.
I can't tell you how many Microsoft 365 Business Premium problems trace back to a domain that isn't fully verified. When your domain isn't confirmed, Microsoft falls back to the *.onmicrosoft.com address for everything: email routing breaks, Teams federation fails, and Intune device naming gets messy. Fix this first, even if you think it's already done.
In the Microsoft 365 admin center, go to Settings > Domains. Your custom domain should show as Healthy with a green checkmark. If it shows Incomplete setup or a yellow warning icon, click it and follow the steps Microsoft provides.
The two records that trip people up most are:
- MX record: Must point to [yourdomain]-com.mail.protection.outlook.com (note the dash, not dot, between domain and TLD)
- TXT record for SPF: Must be v=spf1 include:spf.protection.outlook.com -all; if you have other email senders like Mailchimp or Salesforce, their include values go before the -all
After updating DNS at your registrar, propagation can take up to 72 hours, but usually resolves in 15–30 minutes for most providers. Use nslookup from a Windows command prompt to check yourself:
nslookup -type=MX yourdomain.com
nslookup -type=TXT yourdomain.com
When both records return the expected values, go back to Settings > Domains and click Check health. A green Healthy status means you're clear to move on. Don't skip this; every step after it depends on domain verification being solid.
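As an added example (not code from the article), here is a PowerShell function that performs the same MX and SPF checks with Resolve-DnsName (Windows DnsClient module) and reports exactly which expectation failed, including the common "two SPF records" mistake. The only input is the domain you pass in.

```powershell
function Test-M365DomainRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # Expected MX host: dots in the domain become dashes (contoso.com -> contoso-com.mail.protection.outlook.com)
    $expectedMx = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
    $result = [ordered]@{ Domain = $Domain; MxOk = $false; SpfOk = $false; Notes = @() }

    # MX: Resolve-DnsName also returns additional A records, so keep only the MX answers
    try {
        $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop | Where-Object QueryType -eq 'MX')
    } catch { $result.Notes += "MX lookup failed: $($_.Exception.Message)"; $mx = @() }
    $mxHosts = @($mx | ForEach-Object { $_.NameExchange.TrimEnd('.').ToLower() })
    if ($mxHosts -contains $expectedMx) {
        $result.MxOk = $true
        if ($mxHosts.Count -gt 1) { $result.Notes += "Extra MX hosts present ($($mxHosts -join ', ')); mail may bypass Exchange Online Protection" }
    } else {
        $result.Notes += "MX should point to $expectedMx; found: $(if ($mxHosts) { $mxHosts -join ', ' } else { 'none' })"
    }

    # SPF: a TXT record may be split into several strings; join them before inspecting
    try {
        $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop | Where-Object QueryType -eq 'TXT')
    } catch { $result.Notes += "TXT lookup failed: $($_.Exception.Message)"; $txt = @() }
    $spf = @($txt | ForEach-Object { ($_.Strings -join '').Trim() } | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -ne 1) {
        # Two SPF records is a permanent error for receivers; zero means nothing is published yet
        $result.Notes += "Expected exactly one SPF record, found $($spf.Count)"
    } else {
        $terms = $spf[0] -split '\s+'
        $hasInclude = $terms -contains 'include:spf.protection.outlook.com'
        $endsWithAll = $terms[-1] -eq '-all'
        if (-not $hasInclude) { $result.Notes += 'SPF is missing include:spf.protection.outlook.com' }
        if (-not $endsWithAll) { $result.Notes += "SPF must end with -all (last term is '$($terms[-1])')" }
        # Third-party senders go before -all; RFC 7208 allows at most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect)
        $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)' }).Count
        if ($lookups -gt 10) { $result.Notes += "SPF has $lookups lookup terms; more than 10 is a permanent error" }
        $result.SpfOk = $hasInclude -and $endsWithAll -and ($lookups -le 10)
    }
    [pscustomobject]$result
}

# Usage: Test-M365DomainRecords -Domain 'yourdomain.com' | Format-List
```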
Microsoft 365 Business Premium includes Azure AD Premium P1, which gives you conditional access, but before you touch conditional access policies, you need MFA working correctly for every account in your tenant. I've seen environments where conditional access was turned on before MFA enrollment was complete, locking everyone out simultaneously. Don't do that.
First, decide your approach. If you're starting fresh and don't have custom access policies yet, go to Azure Active Directory (Entra ID) > Properties > Manage Security defaults and set it to Enabled. Security defaults force MFA registration for all users and block legacy authentication protocols. This is Microsoft's recommended starting point for small business deployments and it maps directly to the Zero Trust baseline the official docs reference.
If you have or plan to have conditional access policies, you must set Security defaults to Disabled; the two cannot coexist. Then go to Azure Active Directory > Security > Conditional Access and create a new policy manually requiring MFA for all users on all apps. The setting path is: New policy > Users: All users > Cloud apps: All cloud apps > Grant: Require multi-factor authentication. Set the policy to Report-only first, monitor for 48 hours in the sign-in logs, then switch to On.
After enabling either option, send users to https://aka.ms/mfasetup to register their authenticator method. Watch for Event ID 6273 in Azure AD sign-in logs if users report MFA failures; this event specifically flags NPS extension issues that surface when on-premises VPN is involved. If you see it, the NPS extension on your RADIUS server needs updating.
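The conditional access sequence above (check that Security defaults are off, create the all-users MFA policy in report-only mode, then measure what it would have blocked before switching it on), as an added example using the Microsoft Graph PowerShell SDK rather than the portal; this is not the article's own code. The break-glass account UPN is an assumed placeholder: excluding one emergency-access account is the standard guard against locking every admin out with an all-users policy.

```powershell
# Added example: scopes cover policy creation, reading security defaults, user lookup and sign-in logs
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# 1. Security defaults and Conditional Access cannot coexist: stop if defaults are still on
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw 'Security defaults are still Enabled. Disable them (Entra ID > Properties > Manage Security defaults) first.'
}

# 2. Resolve the emergency-access account to its object id (policies reference users by id, not UPN)
$breakGlassUpn = 'breakglass@yourdomain.onmicrosoft.com'   # assumed placeholder; use your own account
$breakGlass = Get-MgUser -UserId $breakGlassUpn -Property Id

# 3. Report-only policy: all users, all cloud apps, grant control = require MFA
$policy = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # Report-only; nothing is blocked yet
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($new.Id) in state $($new.State)"

# 4. Monitoring: after the 48-hour window, count sign-ins the policy would have blocked.
#    Report-only evaluation results appear per policy as reportOnlySuccess / reportOnlyFailure.
$since = (Get-Date).AddHours(-48).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$wouldBlock = @($signIns | Where-Object {
    $_.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $new.Id -and $_.Result -eq 'reportOnlyFailure' }
})
"$($wouldBlock.Count) sign-ins in the last 48h would have been blocked (users: $(($wouldBlock.UserPrincipalName | Sort-Object -Unique) -join ', '))"

# 5. Only once that list is understood, enforce the policy
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $new.Id -BodyParameter @{ state = 'enabled' }
```

Users listed in step 4 are the ones who have not completed registration at https://aka.ms/mfasetup; chase them before step 5.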
One of the biggest selling points of Microsoft 365 Business Premium is managing devices (Windows, Mac, iOS, and Android) from a single Intune console. But device enrollment is where things get complicated fast, especially in environments that have a mix of personal and company-owned devices.
For Windows 10/11 company-owned devices, the cleanest path is Windows Autopilot. In the Microsoft Intune admin center (endpoint.microsoft.com), go to Devices > Enrollment > Windows > Windows Autopilot and import your device hardware hashes. You get these from the OEM or by running this PowerShell on the device:
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo -OutputFile AutopilotHWID.csv
Upload that CSV, assign the devices to a deployment profile, and users get a guided out-of-box experience that auto-enrolls them into Intune and applies your policies before they even hit the desktop.
For existing devices already in use, have users go to Settings > Accounts > Access work or school > Connect and sign in with their Microsoft 365 credentials. This triggers Azure AD join and automatic MDM enrollment. If enrollment fails with error 0x80180026, it almost always means the user's UPN in Azure AD doesn't match what they're typing at enrollment. Check their User Principal Name under Azure Active Directory > Users > [username] > Profile and make sure it matches the custom domain, not the *.onmicrosoft.com fallback.
After enrollment succeeds, confirm device compliance by going to Devices > All devices in the Intune admin center. A device showing Compliant means your policies are applying. Not compliant with a reason listed means a specific policy setting isn't met; click the device name and look under Device compliance to see exactly which check failed.
Microsoft Defender for Business ships inside Microsoft 365 Business Premium and it's genuinely excellent, but it doesn't configure itself. If you've assigned licenses and never touched the Defender settings, your endpoints are running with default protection only. That's not the same as the advanced anti-phishing, anti-ransomware, and attack surface reduction rules that make Defender for Business worth using.
Go to the Microsoft Defender portal at security.microsoft.com. Sign in as a global admin or security admin. In the left nav, go to Settings > Endpoints > Onboarding. Select Windows 10 and 11, choose your deployment method (Group Policy, Intune, or Local Script for small teams), and download the onboarding package. For Intune-managed devices, you can skip this manual step: go to Settings > Endpoints > Advanced features and toggle on Microsoft Intune connection. This pushes Defender onboarding to all enrolled devices automatically.
After onboarding, set up your security policies. In the Defender portal, navigate to Endpoints > Configuration management > Endpoint security policies. The most important ones to configure immediately:
- Antivirus: Enable cloud-delivered protection and automatic sample submission
- Attack Surface Reduction rules: Start with "Audit" mode to understand impact, then switch rules to "Block" one at a time, especially Block Office applications from creating child processes and Block executable content from email client and webmail
- Web protection: Enable network protection and web content filtering under Settings > Endpoints > Web content filtering
If a device isn't showing up in the Defender portal 24 hours after Intune enrollment, check Event Viewer on that machine under Applications and Services Logs > Microsoft > Windows > SENSE. Event ID 5 means the onboarding service started successfully. If you see Event ID 15 instead, the machine's clock is out of sync; more than a 5-minute difference from UTC breaks the SENSE service authentication entirely. Fix with w32tm /resync from an elevated command prompt.
Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which means you have access to Safe Links, Safe Attachments, and anti-phishing policies that go well beyond what the default Exchange Online Protection provides. Most small businesses never turn these on, and then wonder why someone clicked a phishing link and got their account compromised.
Go to the Microsoft Defender portal at security.microsoft.com. Navigate to Email & Collaboration > Policies & Rules > Threat policies. You'll see three sections you need to configure:
Anti-phishing: Click Anti-phishing and edit the default policy (or create a new one targeting all recipients). Under Phishing threshold & protection, set the threshold to 2 - Aggressive for most small business environments. Enable Mailbox intelligence and Impersonation protection, and add your CEO, CFO, and any high-value contacts to the protected users list. These are the exact accounts attackers spoof in business email compromise attacks.
Safe Links: Under the default policy, ensure On: Safe Links checks a list of known, malicious links when users click links in email is enabled. Also enable Track user clicks, and disable Let users click through to the original URL for the highest protection. The option Apply real-time URL scanning for suspicious links and links that point to files adds a small delay to link clicks but catches zero-day phishing URLs that aren't yet on blocklists.
Safe Attachments: Set the action to Dynamic Delivery; this lets the email body through immediately while detonating the attachment in a sandbox, so users aren't waiting on every PDF. If an attachment is found malicious, it's quarantined and the user gets a replacement notification. Check Quarantine > Email weekly to review anything that got caught.
After saving these policies, send a test phishing email to yourself using Microsoft Attack Simulator: Email & Collaboration > Attack simulation training. Run a Credential Harvest simulation to see how many users click through before training versus after. This isn't just good practice; it's documentation you'll want if you ever need to demonstrate security posture to a client or auditor.
Advanced Troubleshooting
When the standard steps don't resolve things, you need to go deeper. Here's where I go when a Microsoft 365 Business Premium environment is genuinely misbehaving.
Sign-in diagnostic in Azure AD: Go to Azure Active Directory > Sign-in logs and filter by the affected user and the time window of the failure. Look at the Failure reason column. Common codes and what they actually mean:
- AADSTS50020: User account from an identity provider doesn't exist in the tenant. The user's UPN doesn't match any account. Check for typos in the email address they're signing in with.
- AADSTS50034: The user account doesn't exist. Usually means the account was deleted or never created in your tenant.
- AADSTS65001: The user or admin hasn't consented to use the application. An admin needs to grant tenant-wide consent at Azure AD > Enterprise Applications > [App] > Permissions > Grant admin consent.
- AADSTS700016: Application not found in the directory. The app registration is missing or the client ID is wrong in whichever integration is calling the API.
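The same triage done from PowerShell instead of the portal filter, as an added example (not the article's code): it pulls a user's failed sign-ins from the Graph sign-in logs, groups them by error code, and annotates the four codes explained above; anything else falls back to the failure reason Microsoft returns. It assumes the Microsoft.Graph SDK and a Reports Reader or Security Reader role.

```powershell
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

function Get-SignInFailureSummary {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Hours = 24
    )
    # Meanings from the article above; sign-in logs store the numeric part of AADSTSnnnnn
    $known = @{
        50020  = "Account from an identity provider doesn't exist in the tenant: check the UPN for typos"
        50034  = "Account doesn't exist: deleted or never created in this tenant"
        65001  = "Consent missing: grant admin consent under Enterprise Applications > [App] > Permissions"
        700016 = "Application not found in the directory: missing app registration or wrong client ID"
    }

    $since  = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    # ErrorCode 0 is a successful sign-in; everything else is a failure worth explaining
    $failures = Get-MgAuditLogSignIn -Filter $filter -All | Where-Object { $_.Status.ErrorCode -ne 0 }

    $failures | Group-Object { $_.Status.ErrorCode } | ForEach-Object {
        $code = [int]$_.Name
        $last = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        $meaning = if ($known.ContainsKey($code)) { $known[$code] } else { $last.Status.FailureReason }
        [pscustomobject]@{
            Code        = "AADSTS$code"
            Count       = $_.Count
            LastSeenUtc = $last.CreatedDateTime
            App         = $last.AppDisplayName
            # 'Browser' / 'Mobile Apps and Desktop clients' are modern auth; 'IMAP4', 'SMTP', 'POP3' mean legacy auth
            Client      = $last.ClientAppUsed
            Meaning     = $meaning
        }
    } | Sort-Object Count -Descending
}

# Usage (placeholder UPN): Get-SignInFailureSummary -UserPrincipalName 'user@yourdomain.com' -Hours 48 | Format-Table -Wrap
```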
Group Policy conflicts in hybrid environments: If you have an on-premises Active Directory domain joined to Microsoft 365 via Azure AD Connect, GPOs can conflict with Intune MDM policies. The golden rule: MDM wins over GPO for co-managed devices when the Intune workload is set to Intune pilot or Intune. Check this in the Microsoft Intune admin center > Devices > Co-management. If workloads are still set to Configuration Manager, your Intune policies are publishing but doing nothing.
Event Viewer for Office activation failures: If users get "Product activation required" errors after you've assigned licenses, open Event Viewer on their machine and go to Windows Logs > Application. Filter for Source = Microsoft Office. Event ID 1006 means Office can't reach the activation server, usually a proxy or firewall blocking *.officeapps.live.com. Event ID 2011 means the license token stored locally has expired. Fix with:
cscript "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" /rearm
Then have the user open any Office app and sign in when prompted. If OSPP.VBS reports no rearms remaining, the license key needs to be reset via the admin center: Users > [user] > Licenses and apps > Remove license > Save > Re-assign license > Save.
Intune sync issues: If a device's Intune policies aren't updating, trigger a manual sync from the device itself: Settings > Accounts > Access work or school > [account] > Info > Sync. Or from PowerShell on the device:
Start-Process "intunemanagementextension://syncapp"
Check the IntuneManagementExtension.log at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ for detailed sync errors.
You've followed every step here and something is still broken. Specific scenarios that genuinely require Microsoft's backend access: tenant provisioning errors where your admin center shows blank or throws 500 errors, license assignment failures that persist after 24 hours (Microsoft's provisioning pipeline may have a stuck job), or Azure AD Connect sync errors with code 0x8023134A that don't clear after a full sync cycle. Before you call, pull your tenant ID from Azure Active Directory > Overview and note the exact error codes and timestamps from sign-in logs; this cuts resolution time in half. Contact Microsoft Support through the admin center under Support > New service request so the ticket is automatically linked to your tenant.
Prevention & Best Practices
Once your Microsoft 365 Business Premium tenant is running cleanly, keeping it that way doesn't take much, but it does take consistency. The environments I've seen stay healthy over time all share a few habits.
First, don't use your global admin account for daily work. Create a separate admin account with a non-company email address (like a *.onmicrosoft.com address) specifically for tenant administration. Your regular account should only have user-level permissions. If that regular account gets phished, the attacker gets your email, not your entire tenant.
Second, review the Secure Score monthly. In the Microsoft Defender portal at security.microsoft.com, go to Secure Score. This gives you a ranked list of actions that would improve your security posture, with effort estimates for each. Don't try to fix everything at once. Pick two or three actions per month with a "Low" effort rating and work through them. Small, consistent improvements add up faster than periodic big projects.
Third, monitor admin role assignments. Go to Azure Active Directory > Roles and administrators and audit who has Global Administrator, Security Administrator, and Exchange Administrator roles. These should be limited to two or three people maximum. Every extra global admin is an attack surface. If someone left the company six months ago and still has a global admin role, that's not a theoretical risk.
Fourth, keep the Defender for Business security baselines up to date. Microsoft pushes new threat intelligence into their recommended policy configurations regularly. In the Defender portal, go to Endpoints > Configuration management and check if any of your security baselines show an Update available indicator. Applying the latest baseline takes about 60 seconds and keeps your protection current without manual research on your end.
- Enable Self-service password reset (SSPR) in Azure AD so users stop calling you for password resets; the setting is under Azure AD > Password reset > Properties > Self service password reset enabled: All
- Turn on Unified audit logging in the Microsoft Purview compliance portal under Audit > Start recording user and admin activity; you need this for any incident investigation, and it's off by default in some tenants
- Block legacy authentication protocols (SMTP AUTH, IMAP, POP3) from the Exchange admin center under Settings > Org settings > Modern authentication; these protocols can't support MFA and are the most common vector for credential stuffing attacks
- Schedule a quarterly access review in Azure AD Identity Governance to automatically flag guest accounts, unused licenses, and stale group memberships before they become security or compliance problems
Frequently Asked Questions
Why should I choose Microsoft 365 Business Premium over the cheaper Microsoft 365 plans?
The honest answer: if you have even one person handling sensitive client data or financials, Business Premium pays for itself in what it prevents. The cheaper plans, Business Basic and Business Standard, give you the productivity apps, but they don't include Microsoft Defender for Business, Intune device management, or Azure AD Premium P1 for conditional access. Business Premium bundles all of that into one subscription for up to 300 users. You're not just buying better email; you're buying the ability to remotely wipe a stolen laptop, block sign-ins from unmanaged devices, and get automated threat detection that rivals what enterprise companies pay significantly more for. If the upgrade cost is the concern, price out buying Intune and Defender for Business as standalone add-ons; you'll find Business Premium is usually cheaper than assembling the pieces separately.
What's the difference between Security defaults and Conditional Access in Microsoft 365 Business Premium?
Security defaults are a pre-built set of baseline security policies Microsoft manages for you: they enforce MFA registration for everyone, block legacy auth, and require MFA for admin actions. They're a one-click "make this tenant more secure" option that's great for organizations that don't have dedicated IT. Conditional access is a fully configurable policy engine where you write your own rules: require MFA only when users sign in from outside your office network, block access from specific countries, require a compliant device before allowing access to SharePoint. The critical thing to know is that these two systems cannot run simultaneously: if you enable conditional access policies, you must disable Security defaults first, or they will conflict in unpredictable ways. If you're not sure which you're using, go to Azure AD > Properties > Manage Security defaults to check.
My users are getting MFA prompts every single time they sign in, how do I make it remember their devices?
This is the most common MFA complaint I hear, and it has a straightforward fix. In the Microsoft Entra admin center (entra.microsoft.com), go to Identity > Protection > Conditional Access > Named locations and add your office IP ranges as trusted locations. Then in your MFA policy (or under Security > Multifactor authentication > Additional cloud-based MFA settings), enable Remember multi-factor authentication on trusted devices and set the days to 90. Users signing in from a recognized, compliant device at a trusted location won't be re-challenged for MFA on every session. If you want even more control, look into Persistent Browser Session policies under Conditional Access session controls; these let authenticated users stay signed in without daily re-authentication on managed devices.
What's new in Microsoft 365 Business Premium security for 2025?
Two significant updates landed in 2025. In March 2025, Microsoft made the Microsoft Defender Suite (previously called Microsoft 365 E5 Security) available as an add-on to Business Premium; this brings enterprise-grade identity protection, Defender for Identity, and Defender for Cloud Apps to businesses that were previously locked out of those capabilities by the enterprise-only pricing. Then in September 2025, that add-on was rebranded as the Microsoft Defender Suite for Business Premium, replacing the former E5 Security naming. If you were using the E5 Security add-on through a partner, check your subscription in the admin center under Billing > Your products to confirm the updated SKU is applied correctly.
How do I fix Microsoft 365 Business Premium not deploying apps to enrolled Windows devices?
When an app assigned in Intune isn't installing on enrolled Windows devices, the first place to look is the Intune Management Extension log at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log. Open it with a text editor and search for the app name or the error string Win32App. The most common failure reasons are: the device is in a user group but the app is assigned to a device group (or vice versa), the app detection rule isn't matching the actual installed path, or the device has a pending restart that's blocking the install agent. Force a manual Intune sync via Settings > Accounts > Access work or school > Sync, then wait 15 minutes and re-check the log. If you see a 0x87D13B6B error code, the app content in the Intune service is corrupted; re-upload the installer package and re-assign it.
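Reading IntuneManagementExtension.log by hand gets old quickly, so here is an added example (not from the article) that serves both the Intune sync troubleshooting section and this answer: a PowerShell parser for the extension's CMTrace-style entries that keeps only warning and error lines tagged [Win32App], optionally narrowed to one app, and annotates the 0x87D13B6B code discussed above. The three sample entries at the bottom are constructed for an offline dry run and are not real log output; the path default is the one given in the text.

```powershell
function Get-ImeLogIssues {
    param(
        [string]$Path = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log',
        [string]$AppName = '',       # optional substring filter on the app name
        [string]$LogText = ''        # optional: pass log content directly instead of reading $Path
    )
    if (-not $LogText) { $LogText = Get-Content -Path $Path -Raw }

    # CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
    # type 1 = info, 2 = warning, 3 = error. (?s) lets a message span lines; lazy .*? stops at the entry's own closer.
    $pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)".*?type="(?<type>\d)"'
    $levels  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    # Error codes called out in the article; anything else is reported verbatim
    $hints   = @{ '0x87D13B6B' = 'App content corrupted in the Intune service: re-upload the installer package and re-assign' }

    $entries = foreach ($m in [regex]::Matches($LogText, $pattern)) {
        [pscustomobject]@{
            Timestamp = "$($m.Groups['date'].Value) $($m.Groups['time'].Value)"
            Level     = $levels[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }

    $entries |
        Where-Object { $_.Level -ne 'Info' -and $_.Message -match '\[Win32App\]' } |
        Where-Object { -not $AppName -or $_.Message -match [regex]::Escape($AppName) } |
        ForEach-Object {
            $code = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0].ToUpper() -replace '^0X', '0x' } else { '' }
            [pscustomobject]@{
                Timestamp = $_.Timestamp
                Level     = $_.Level
                Code      = $code
                Hint      = if ($code -and $hints.ContainsKey($code)) { $hints[$code] } else { '' }
                Message   = $_.Message
            }
        }
}

# Constructed sample in the IME's entry format (not real log output) so the parser can be tried without a device
$sample = @'
<![LOG[[Win32App] Requesting content for app Contoso Agent]LOG]!><time="09:14:02.1010000" date="3-5-2025" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Content download for Contoso Agent failed, error code 0x87D13B6B]LOG]!><time="09:14:09.2020000" date="3-5-2025" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
<![LOG[[Win32App] Detection rule did not match after install for Contoso Agent]LOG]!><time="09:16:31.3030000" date="3-5-2025" component="IntuneManagementExtension" context="" type="2" thread="12" file="">
'@
Get-ImeLogIssues -LogText $sample -AppName 'Contoso Agent' | Format-Table -AutoSize -Wrap

# On an enrolled device, drop -LogText to read the real log: Get-ImeLogIssues -AppName 'Contoso Agent'
```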
Can I manage Mac and iPhone devices with Microsoft 365 Business Premium, or is it Windows-only?
You can manage all of them (Windows, macOS, iOS, and Android) from the same Intune console that's included with Business Premium. For Mac, download and deploy the Microsoft Intune Company Portal app (available from the Mac App Store or as a PKG from the Intune admin center), and users complete enrollment by opening the app and signing in with their Microsoft 365 credentials. For iOS and Android, users install the Company Portal app from the App Store or Google Play. Each platform has its own enrollment profile type in Intune; for corporate-owned iPhones, use Automated Device Enrollment (ADE) via Apple Business Manager, which gives you zero-touch deployment similar to Windows Autopilot. The key limitation to know: macOS devices enrolled through Intune can receive configuration profiles, app assignments, and compliance policies, but they cannot be Azure AD joined the same way Windows devices can; they use a separate Workplace Join mechanism instead.