Microsoft 365 Business Premium: Fix Setup & Security Issues
Why This Is Happening
I've worked through a lot of Microsoft 365 Business Premium deployments, and one thing I keep seeing is the same cluster of problems hitting small and mid-sized businesses right after they buy the subscription. The purchase goes smoothly. The email confirmation lands. Then someone logs in and immediately runs into a wall: licenses not applying correctly, Security Defaults behaving unexpectedly, Defender for Business showing devices as "unmanaged," or the Microsoft 365 admin center throwing cryptic errors about tenant configuration.
Here's the honest truth: Microsoft 365 Business Premium is not a simple "buy and done" product. It's a layered platform that bundles cloud productivity (Teams, Exchange Online, SharePoint, OneDrive) with enterprise-grade security tools (Microsoft Defender for Business, Microsoft Entra ID P1 (formerly Azure AD Premium P1), Intune device management), all in a single subscription designed for businesses with up to 300 users. That depth is exactly what makes it powerful. It's also exactly what trips people up when they don't know what to configure first.
The most common root causes I see break down into three buckets:
1. License assignment gaps. When you buy Microsoft 365 Business Premium seats, licenses don't automatically assign themselves to every user. If someone in your tenant is left on a lower plan such as Microsoft 365 Business Basic, they won't have Defender for Business or Intune. Their device won't be managed, and your security posture has a hole you probably don't know about yet.
2. Security Defaults vs. Conditional Access confusion. Tenants created on or after 22 October 2019 have Security Defaults enabled automatically; older tenants don't. The problem: many admins assume MFA is on when it isn't, or they try to create Conditional Access policies and discover that Entra won't let both be active at once (Security Defaults has to be turned off before a Conditional Access policy can be enabled). Meanwhile end users see sign-in errors like AADSTS50076 (MFA required but not satisfied on this sign-in) or AADSTS53004 (the user must complete MFA registration before continuing).
3. Defender for Business not actually activated. Just having a Business Premium subscription doesn't mean Defender for Business is running. You have to go through an initial provisioning step in the Microsoft Defender portal (security.microsoft.com). I've seen tenants running for months under the impression they had endpoint protection, and they had nothing.
I know this is frustrating, especially when your work is blocked and Microsoft's error messages read like they were written for no one in particular. This guide walks you through every common issue, in plain language, with exact steps.
The Quick Fix, Try This First
Before you go deep into troubleshooting, run this 5-minute audit. It catches 70% of Microsoft 365 Business Premium problems before you ever have to touch a registry key or Group Policy.
Open the Microsoft 365 admin center at admin.microsoft.com and sign in with an account that actually holds the Global Administrator role, not a delegated or partner account. Go to Billing > Licenses. Look at your Microsoft 365 Business Premium line and check two things: the total number of purchased licenses, and how many are assigned. If those numbers don't match the number of users you want covered, that's your first problem. Unassigned licenses mean uncovered users.
Next, go to Users > Active Users. Click any user who's reporting problems. In their profile panel, scroll to Licenses and apps. Make sure "Microsoft 365 Business Premium" is checked, not just a sub-app like Exchange Online Plan 1. If they're only showing a component license, the full suite isn't active for them.
Then check whether Security Defaults is on: go to entra.microsoft.com > Identity > Overview > Properties and click Manage security defaults at the bottom of the page. If it is enabled and someone is still getting MFA prompt errors, the issue is almost always that the user hasn't completed their MFA registration. Send them to aka.ms/mfasetup and have them register the Microsoft Authenticator app. That alone resolves roughly half of all sign-in complaints I hear from end users on new Business Premium tenants.
Finally, go to security.microsoft.com and check whether Microsoft Defender for Business shows onboarded devices. If the portal shows zero devices and your users have Windows 10/11 machines, Defender hasn't been provisioned correctly. Note that number, you'll fix it in Step 3 below.
Step 1: Confirm Every User Is Licensed
License assignment sounds basic, but it's where most Business Premium deployments go sideways. Here's exactly how to confirm every user is properly licensed.
In the Microsoft 365 admin center (admin.microsoft.com), navigate to Users > Active Users. At the top of the user list, click Filters and choose "Unlicensed users." Anyone who should be covered and shows up here is your first fix. Don't stop at that filter, though: a user holding only a component license, or a Business Premium license with some service plans switched off, still counts as "licensed," so audit every user's Licenses and apps panel rather than trusting the filter alone.
For bulk license assignment via PowerShell (faster for tenants with 50+ users), open PowerShell (no elevation needed) and run:
# Install once if missing: Install-Module Microsoft.Graph -Scope CurrentUser
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"
# Get the Business Premium SKU ID. Its SkuPartNumber is "SPB". Do NOT match on "*BUSINESS_PREMIUM*":
# that matches O365_BUSINESS_PREMIUM, which is the SKU for Microsoft 365 Business Standard.
Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq "SPB" } | Select-Object SkuId, SkuPartNumber, ConsumedUnits, @{n="Purchased";e={$_.PrepaidUnits.Enabled}}
# Assign the license to a specific user. The user must have a UsageLocation or the assignment fails.
$userId = "user@yourdomain.com"
$skuId = "YOUR_SKU_ID_FROM_ABOVE"
Update-MgUser -UserId $userId -UsageLocation "US"   # skip if already set; use your own country code
Set-MgUserLicense -UserId $userId -AddLicenses @(@{ SkuId = $skuId }) -RemoveLicenses @()
After running the assignment, wait 2–5 minutes for the license to propagate. Then have the user sign out completely from all Microsoft apps (including mobile), clear their browser cache or use a fresh InPrivate window, and sign back in at microsoft365.com. If it worked, they'll see the full suite in the app launcher, including Teams and Outlook. If they still see a limited set, check for a conflicting license from a legacy subscription: holding both Business Basic (SkuPartNumber O365_BUSINESS_ESSENTIALS) and Business Premium (SPB) on the same user causes unexpected behavior, and you should remove the lower-tier license.
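The one-user commands above don't tell you who is still on Business Basic, who has both SKUs, or whose Business Premium license has Defender or Intune switched off. The script below is an added example (not code from the original guide) that audits every enabled member user for those three conditions and, when run with -Fix, sets a UsageLocation, assigns SPB with all service plans enabled, and strips the leftover Business Basic license. It assumes the Microsoft.Graph module is installed and that the signed-in admin holds User.ReadWrite.All; the SKU and service-plan names (SPB, O365_BUSINESS_ESSENTIALS, MDE_SMB, INTUNE_A, AAD_PREMIUM, EXCHANGE_S_STANDARD) are taken from Microsoft's licensing reference and should be confirmed against Get-MgSubscribedSku output in your own tenant.

```powershell
# Added example, not part of the original guide: tenant-wide Business Premium license audit.
# Usage:  .\Audit-BusinessPremium.ps1            (report only)
#         .\Audit-BusinessPremium.ps1 -Fix       (also remediate)
param([switch]$Fix, [string]$DefaultUsageLocation = "US")

Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All" -NoWelcome

$skus    = Get-MgSubscribedSku
$premium = $skus | Where-Object SkuPartNumber -eq "SPB"                        # Business Premium
$basic   = $skus | Where-Object SkuPartNumber -eq "O365_BUSINESS_ESSENTIALS"   # Business Basic
if (-not $premium) { throw "No Business Premium (SPB) subscription in this tenant." }
$free = $premium.PrepaidUnits.Enabled - $premium.ConsumedUnits

# Service plans inside SPB that must not be disabled or the security stack silently stops working
# (names assumed from Microsoft's licensing reference; verify in your tenant).
$requiredPlans = @("MDE_SMB", "INTUNE_A", "AAD_PREMIUM", "EXCHANGE_S_STANDARD")

$users = Get-MgUser -All -Property Id, UserPrincipalName, UserType, AccountEnabled, UsageLocation |
         Where-Object { $_.UserType -eq "Member" -and $_.AccountEnabled }

$report = foreach ($u in $users) {
  $details = Get-MgUserLicenseDetail -UserId $u.Id
  $spb     = $details | Where-Object SkuPartNumber -eq "SPB"
  $missing = @()
  if ($spb) {
    foreach ($p in $requiredPlans) {
      $plan = $spb.ServicePlans | Where-Object ServicePlanName -eq $p
      if (-not $plan -or $plan.ProvisioningStatus -eq "Disabled") { $missing += $p }
    }
  }
  $row = [pscustomobject]@{
    User          = $u.UserPrincipalName
    HasPremium    = [bool]$spb
    HasBasicToo   = ($details.SkuPartNumber -contains "O365_BUSINESS_ESSENTIALS")
    MissingPlans  = ($missing -join ",")
    UsageLocation = $u.UsageLocation
  }
  if ($Fix -and (-not $row.HasPremium -or $row.HasBasicToo -or $missing)) {
    if (-not $row.HasPremium -and $free -le 0) {
      Write-Warning "$($u.UserPrincipalName): no free SPB seats left; buy more under Billing > Licenses"
    } else {
      # Assignment fails without a UsageLocation, so set one first if it is empty.
      if (-not $u.UsageLocation) { Update-MgUser -UserId $u.Id -UsageLocation $DefaultUsageLocation }
      $remove = @(); if ($row.HasBasicToo -and $basic) { $remove += $basic.SkuId }
      # Re-adding SPB with an empty DisabledPlans list re-enables any service plans someone switched off.
      Set-MgUserLicense -UserId $u.Id -AddLicenses @(@{ SkuId = $premium.SkuId; DisabledPlans = @() }) `
                        -RemoveLicenses $remove | Out-Null
      if (-not $row.HasPremium) { $free-- }
      $row.HasPremium = $true; $row.HasBasicToo = $false; $row.MissingPlans = ""
    }
  }
  $row
}

$report | Sort-Object HasPremium, User | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.HasPremium -or $_.HasBasicToo -or $_.MissingPlans })
Write-Host ("{0} of {1} users need attention; {2} SPB seats still free" -f $bad.Count, @($report).Count, $free)
```

Run it without -Fix first and read the table: HasPremium false is an unlicensed user, HasBasicToo true is the dual-license conflict described above, and a non-empty MissingPlans column is the "licensed but unprotected" case the Unlicensed users filter never shows you.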
Step 2: Sort Out MFA and Security Defaults
MFA is one of the most important security controls in Microsoft 365 Business Premium, and it's also the source of the most end-user complaints. The error codes AADSTS50076 (MFA required but not satisfied on this sign-in, typically after a policy change or a new location) and AADSTS53004 (the user must complete MFA registration before continuing) are the ones I see most often.
First, determine which MFA enforcement method your tenant is using. Go to entra.microsoft.com, navigate to Identity > Overview > Properties, then scroll to the bottom and click Manage security defaults. If Security Defaults is On, every user must register for MFA within 14 days of their first sign-in, admin accounts must use MFA on every sign-in immediately, and legacy authentication protocols are blocked. This is the right setting for most small businesses on Business Premium.
If you've turned Security Defaults off and instead created Conditional Access policies, make sure you haven't left a gap. Check Protection > Conditional Access > Policies and confirm that at least one enabled policy (not report-only) targets All users with Grant > Require multifactor authentication. A common mistake is excluding the break-glass admin account and, in the same policy, narrowing the scope to a group, which leaves everyone outside that group unprotected.
For users who are locked out because they lost their MFA device or authenticator app, don't turn MFA off for them. In the Microsoft Entra admin center, go to Users > [the affected user] > Authentication methods and click Require re-register multifactor authentication. Their existing registrations are cleared and they are prompted to register again on their next sign-in, so have them go to aka.ms/mfasetup straight away. Until they do, that account is effectively password-only, so treat the window as hours, not days. If you want something tighter, issue a single-use Temporary Access Pass instead (covered in the FAQ); it satisfies MFA exactly once and then expires on its own.
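The portal clicks above work for one user at a time. The script below is an added example (not the guide's own code) for the lost-phone scenario described here and again in the FAQ: it shows what the user has registered, optionally removes the stale Microsoft Authenticator registration so the old phone can't still approve prompts, and issues a one-time Temporary Access Pass that satisfies MFA once and then dies. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the Authentication Administrator role, and that Temporary Access Pass is enabled in the tenant's authentication methods policy (the script checks and stops if it isn't); $Upn is a placeholder for the affected user.

```powershell
# Added example, not part of the original guide: MFA recovery without disabling MFA.
# Usage:  .\Recover-UserMfa.ps1 -Upn jane@yourdomain.com -RemoveOldAuthenticator
param(
  [Parameter(Mandatory)][string]$Upn,
  [int]$LifetimeMinutes = 60,
  [switch]$RemoveOldAuthenticator
)

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "Policy.Read.All" -NoWelcome

# A TAP can only be created if the method is enabled tenant-wide
# (Protection > Authentication methods > Policies > Temporary Access Pass).
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
               -AuthenticationMethodConfigurationId "TemporaryAccessPass"
if ($tapPolicy.State -ne "enabled") {
  throw "Temporary Access Pass is disabled in the authentication methods policy; enable it first."
}

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# Show every registered method; the concrete type lives in the @odata.type annotation.
Write-Host "Registered methods for $($user.UserPrincipalName):"
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
  "{0,-60} {1}" -f $_.AdditionalProperties["@odata.type"], $_.Id
}

if ($RemoveOldAuthenticator) {
  # Removing the old app registration means the lost phone can no longer approve prompts,
  # and forces a clean registration on the replacement device.
  Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id | ForEach-Object {
    Write-Host "Removing Authenticator registration '$($_.DisplayName)' created $($_.CreatedDateTime)"
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id `
      -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
  }
}

# Single-use, short-lived pass: it counts as strong authentication exactly once, which is
# enough for the user to reach aka.ms/mfasetup and register the new phone.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter @{
  lifetimeInMinutes = $LifetimeMinutes
  isUsableOnce      = $true
}
Write-Host "TAP for $Upn (valid $LifetimeMinutes min, single use): $($tap.TemporaryAccessPass)"
Write-Host "Read it to the user over the phone or in person; never send it by email or chat."
```

The pass is the only secret in this flow, so the out-of-band handover matters: an attacker who can read the user's mailbox is exactly the person you don't want receiving it.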
Step 3: Provision and Onboard Defender for Business
Microsoft Defender for Business is included in every Microsoft 365 Business Premium subscription, but it doesn't activate itself. I've audited businesses that had been on Business Premium for six months with zero endpoint protection because no one had gone through the onboarding steps. Here's how to fix that.
Navigate to security.microsoft.com and sign in as a Global Administrator or Security Administrator. The first time you visit, you may see an onboarding wizard, follow it. If you don't see a wizard, go to Settings > Endpoints > Onboarding.
For Windows 10/11 devices, the fastest onboarding method for a small business is the local script. In the Defender portal, go to Settings > Endpoints > Onboarding, select Windows 10 and 11 as the OS, and choose Local Script as the deployment method. Download the script. Then on each device that needs onboarding, open PowerShell as Administrator and run:
# Run from an elevated PowerShell in the folder you downloaded the script to.
# It asks you to confirm with Y, then writes the onboarding configuration and starts the Sense service.
.\WindowsDefenderATPLocalOnboardingScript.cmd
After about 5 minutes, the device should appear in Assets > Devices in the Defender portal with a status of Active. If a device shows as Can be onboarded but never moves to Active, check in services.msc that both the Microsoft Defender Antivirus Service (WinDefend) and the Windows Defender Advanced Threat Protection Service (Sense) are running, and that the device can reach the Defender for Endpoint service URLs on port 443. The *.ods.opinsights.azure.com and *.oms.opinsights.azure.com endpoints only matter for the legacy Log Analytics agent on older Windows versions; Windows 10/11 uses the built-in sensor and needs the URL list Microsoft publishes in the Defender for Endpoint connectivity documentation.
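When a device sits at "Can be onboarded," the portal tells you nothing about why. The script below is an added example (not from the original guide) to run in an elevated PowerShell on the device itself: it checks the two services, the onboarding flag the onboarding script writes to the registry, whether a third-party antivirus has pushed Defender into passive mode, and whether the device can open a TLS connection to the service. The registry path and service names are the ones the onboarding script configures; the two test hostnames are assumed examples from the US-region Defender for Endpoint URL list and should be replaced with hosts for your region. The optional -RunDetectionTest switch runs Microsoft's documented detection test, which only touches 127.0.0.1 and a local folder but should raise a test alert in the portal within a few minutes.

```powershell
# Added example, not part of the original guide: device-side Defender for Business onboarding check.
# Usage (elevated):  .\Test-MdbOnboarding.ps1            or   .\Test-MdbOnboarding.ps1 -RunDetectionTest
param(
  [string[]]$TestHosts = @("winatp-gw-cus.microsoft.com", "winatp-gw-eus.microsoft.com"),  # assumed examples
  [switch]$RunDetectionTest
)

$result = [ordered]@{}

# 1. Services: Sense is the EDR sensor, WinDefend is Defender Antivirus.
foreach ($svc in "Sense", "WinDefend") {
  $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
  $result[$svc] = if ($s) { $s.Status.ToString() } else { "NotInstalled" }
}

# 2. Flag written by the onboarding script (1 = onboarded).
$statusKey = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
$state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
$result["OnboardingState"] = if ($null -eq $state) { "NotSet" } else { $state }

# 3. Antivirus mode: a third-party AV forces Defender into passive mode. EDR still works there,
#    but "Can be onboarded" devices very often turn out to have the AV engine disabled outright.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
  $result["AMRunningMode"]      = $mp.AMRunningMode
  $result["RealTimeProtection"] = $mp.RealTimeProtectionEnabled
  $result["SignatureAgeDays"]   = $mp.AntivirusSignatureAge
}

# 4. Outbound TLS reachability on 443; proxies and egress firewalls are the usual blocker.
foreach ($h in $TestHosts) {
  $result["TCP443 $h"] = (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
}

[pscustomobject]$result | Format-List

# Verdict
$problems = @()
if ($result["Sense"] -ne "Running")   { $problems += "Sense service is not running" }
if ($result["OnboardingState"] -ne 1) { $problems += "OnboardingState is not 1: rerun the onboarding script elevated" }
foreach ($k in @($result.Keys)) { if ($k -like "TCP443*" -and -not $result[$k]) { $problems += "$k unreachable" } }
if ($problems) { Write-Warning ($problems -join "; ") }
else { Write-Host "Device looks onboarded; allow a few minutes for it to show as Active in the portal." }

# 5. Optional: Microsoft's documented detection test (harmless; the download from 127.0.0.1 fails by design).
if ($RunDetectionTest) {
  $dir = "C:\test-WDATP-test"
  New-Item -ItemType Directory -Path $dir -Force | Out-Null
  try { (New-Object System.Net.WebClient).DownloadFile("http://127.0.0.1/1.exe", "$dir\invoice.exe") } catch {}
  Start-Process "$dir\invoice.exe" -ErrorAction SilentlyContinue
}
```

If OnboardingState is 1 and Sense is running but the portal still shows nothing after 30 minutes, the problem is almost always in the TCP443 rows: a proxy that requires authentication, or a firewall that only allows the opinsights hosts from the older instructions.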
For Mac, iOS, and Android devices, Microsoft 365 Business Premium covers those too. Mac onboarding uses a similar script from the Defender portal. Mobile devices (iOS/Android) are managed through Intune, which is covered in Step 4.
Step 4: Fix Intune Enrollment
Microsoft Intune is included with Microsoft 365 Business Premium, and it's how you enforce security policies on Windows, Mac, iOS, and Android devices. If devices aren't enrolling properly, or if you're getting the error 0x80180026 (enrollment blocked) or 0x8018002a (device limit reached), here's what to check.
First, confirm Intune is licensed and the MDM authority is set. In the Microsoft Intune admin center (intune.microsoft.com; the old endpoint.microsoft.com address redirects there), go to Tenant administration > Tenant status and check that MDM authority reads Microsoft Intune. If it isn't set, Devices > Overview prompts you to choose it; pick Microsoft Intune. This is a one-time setting and it's critical: without it, no device enrollment works.
For the enrollment limit error (0x8018002a), check how many devices each user is allowed to enroll. By default, each user can enroll up to 15 devices, but your tenant may have this set lower. Go to Devices > Enrollment > Device limit restrictions and verify the limit policy assigned to your users. For most small businesses, the default 15-device limit is fine. If you need to change it, click on the restriction, select Properties, and edit the limit. Also check the separate Microsoft Entra limit: entra.microsoft.com > Devices > Device settings > Maximum number of devices per user (default 50) applies to Entra join and registration, and a user who hits it fails enrollment no matter what the Intune restriction says.
For Windows Autopilot enrollment issues (relevant if you're deploying new PCs), run this on the device to collect its hardware hash and register it in Autopilot (from OOBE, press Shift+F10 for a command prompt and start powershell):
# Get-WindowsAutoPilotInfo is published on the PowerShell Gallery as a script, not a module, so use Install-Script
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Install-Script -Name Get-WindowsAutoPilotInfo -Force
# Collect the hardware hash and upload it; -Online prompts you to sign in with an Intune administrator
Get-WindowsAutoPilotInfo -Online
If enrollment succeeds but compliance policies aren't applying, go to Devices > All devices > [the device] and click Sync in the toolbar. Then check the last check-in time: devices check in roughly every 8 hours, so anything older than that points to a connectivity problem reaching Intune endpoints. The required network endpoints for Intune are documented at aka.ms/intuneendpoints. Ensure your firewall isn't blocking *.manage.microsoft.com on port 443.
Step 5: App-Specific Fixes
Once licensing, MFA, Defender, and Intune are sorted, the remaining issues are almost always app-specific. Teams not loading, Exchange Online mailboxes not appearing, SharePoint saying "Access Denied": these all have specific fixes.
For Teams sign-in failures (error code CAA20004 or a blank screen after sign-in), the most common cause is a corrupted credentials cache. On Windows, close Teams completely (right-click the system tray icon and select Quit). Then run:
# Clear the Teams cache. Run in PowerShell as the affected user (not elevated) with Teams fully closed.
Get-Process -Name Teams, ms-teams -ErrorAction SilentlyContinue | Stop-Process -Force
# Classic Teams keeps its cache and credential store here
Remove-Item -Path "$env:APPDATA\Microsoft\Teams" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Teams" -Recurse -Force -ErrorAction SilentlyContinue
# New Teams (the store app) keeps its cache under its package folder instead
Remove-Item -Path "$env:LOCALAPPDATA\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams" -Recurse -Force -ErrorAction SilentlyContinue
Then relaunch Teams. It'll re-download its local app data and prompt for a fresh sign-in. This resolves the blank screen issue in about 80% of cases.
For Exchange Online mailbox provisioning delays, new users sometimes wait up to 24 hours for their mailbox to appear. But if it's been longer than that, check in the Exchange admin center (admin.exchange.microsoft.com) under Recipients > Mailboxes. If the mailbox isn't listed, the license may not have applied properly. Go back to the admin center, remove the Business Premium license from the user, wait 60 seconds, and re-add it. This kicks off the mailbox provisioning pipeline again. Re-add it promptly: a mailbox whose license stays removed is soft-deleted after 30 days.
For SharePoint "Access Denied" (error SPO-0 or -2130575342), check whether the user's account has been added to the SharePoint site's permissions explicitly, or whether they're relying on group-based access. Go to the SharePoint admin center (admin.microsoft.com/sharepoint), find the site, and verify under Site permissions that the user or their group has at least Visitor access. Also check whether the tenant-level external sharing settings are inadvertently blocking internal users, this can happen if a guest policy is misconfigured.
Advanced Troubleshooting
If the steps above didn't fully resolve your issue, you're likely dealing with one of the more complex scenarios that affects Microsoft 365 Business Premium in domain-joined or hybrid environments. These require a bit more digging.
Hybrid Azure AD Join Issues
If your business has on-premises Active Directory and you've connected it to Entra ID with Microsoft Entra Connect (formerly Azure AD Connect), devices are expected to be in a "Hybrid Azure AD Joined" state. This sounds fine, until Conditional Access policies start blocking those devices with device-state errors such as AADSTS53001 (DeviceNotDomainJoined) or AADSTS53000 (DeviceNotCompliant) because the join never actually completed. Run this on the affected Windows device to check its join state:
dsregcmd /status
Look for the AzureAdJoined and DomainJoined values. If AzureAdJoined : NO but DomainJoined : YES, the hybrid join isn't working. The most common cause is that Azure AD Connect isn't syncing device objects, or the Service Connection Point (SCP) in on-premises AD isn't configured. To check the SCP, open PowerShell with Domain Admin rights and run:
# Needs the ActiveDirectory RSAT module; the GUID is the fixed name of the device registration SCP object
Import-Module ActiveDirectory
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
# A configured SCP returns two keywords: azureADName:<your tenant domain> and azureADId:<tenant GUID>
$scp.Keywords
If that returns nothing, your SCP isn't set up. Run the Entra Connect configuration wizard again and make sure Device options > Configure hybrid Microsoft Entra join (labelled "Configure Hybrid Azure AD join" in older versions) is enabled.
Event Viewer for Sign-In and Policy Errors
For persistent sign-in and join failures, Event Viewer is your best diagnostic tool. On the affected machine, open Event Viewer (run eventvwr.msc) and look in two places under Applications and Services Logs > Microsoft > Windows. Device registration itself logs to User Device Registration > Admin: Event ID 306 is a successful automatic registration and 304 is a failed one, with the reason in the message. Token and authentication failures log to AAD > Operational, where Event IDs 1081, 1097 and 1098 are error events that carry a 0xCAA... or AADSTS sub-error code. Cross-reference those sub-error codes at aka.ms/aadautherrors for exact remediation steps.
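Reading dsregcmd output by eye and then clicking through three event logs gets old fast. The script below is an added example (not from the original guide) that covers both the Intune enrollment checks in Step 4 and the hybrid join and Event Viewer checks here: it parses dsregcmd /status into a lookup table, names the join scenario the device is actually in, reports whether it is MDM-enrolled, and then pulls the last day of errors from the three Windows channels involved. The field names are the ones dsregcmd prints (AzureAdJoined, DomainJoined, MdmUrl, TenantId, KeyProvider, Error Phase) and the log names are the standard Windows channels; nothing here needs tenant credentials, so it can run on any affected device.

```powershell
# Added example, not part of the original guide: device join and enrollment state in one view.
function Get-DeviceRegistrationState {
  # dsregcmd prints "Key : Value" lines grouped into sections; keep the last value seen per key.
  # The non-greedy key capture stops at the first " :" so URL values keep their own colons.
  $state = @{}
  foreach ($line in (& dsregcmd.exe /status)) {
    if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
  }
  $joined = $state["AzureAdJoined"] -eq "YES"
  $domain = $state["DomainJoined"]  -eq "YES"
  if     ($joined -and $domain) { $scenario = "Hybrid Entra joined" }
  elseif ($joined)              { $scenario = "Entra joined" }
  elseif ($domain)              { $scenario = "Domain joined only: hybrid join has NOT completed" }
  else                          { $scenario = "Not joined (workgroup or registered device)" }

  [pscustomobject]@{
    Scenario     = $scenario
    TenantId     = $state["TenantId"]
    TenantName   = $state["TenantName"]
    DeviceId     = $state["DeviceId"]
    MdmEnrolled  = -not [string]::IsNullOrEmpty($state["MdmUrl"])   # present only after Intune enrollment
    MdmUrl       = $state["MdmUrl"]
    KeyProvider  = $state["KeyProvider"]     # "Microsoft Platform Crypto Provider" means a TPM-backed device key
    TpmProtected = $state["TpmProtected"]
    LastError    = $state["Error Phase"]     # populated only when a join attempt failed
  }
}

function Get-RegistrationErrors {
  param([int]$Hours = 24)
  # User Device Registration/Admin: 306 = automatic registration succeeded, 304 = failed.
  # AAD/Operational: 1081/1097/1098 are error events carrying the 0xCAA... / AADSTS code.
  # DeviceManagement channel: MDM enrollment and sync failures (0x8018xxxx codes).
  $since = (Get-Date).AddHours(-$Hours)
  $logs = @(
    "Microsoft-Windows-User Device Registration/Admin",
    "Microsoft-Windows-AAD/Operational",
    "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
  )
  foreach ($log in $logs) {
    # Level 1-3 = critical, error, warning
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, LogName, Id, @{ n = "Message"; e = { ($_.Message -split "`n")[0] } }
  }
}

Get-DeviceRegistrationState | Format-List
Get-RegistrationErrors -Hours 24 | Sort-Object TimeCreated -Descending | Select-Object -First 20 |
  Format-Table -AutoSize -Wrap
```

The Scenario line is the one to read first: "Domain joined only" with a 304 in the error list is the missing-SCP case from the hybrid join section, while "Entra joined" with MdmEnrolled false is a device that authenticates fine but will never receive a compliance policy until it enrolls.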
Microsoft 365 Defender Suite Add-On (September 2025)
As of September 2025, Microsoft replaced the former Microsoft 365 E5 Security add-on with the new Microsoft Defender Suite for Business Premium. If you were using the old E5 Security add-on and your advanced features stopped working after the September 2025 update, you need to purchase the new Defender Suite for Business Premium add-on through your Microsoft 365 admin center under Billing > Purchase Services. Search for "Defender Suite for Business Premium." The old E5 Security licenses don't automatically convert.
PowerShell Diagnostic Script
This script checks your tenant's most common misconfiguration points and prints a quick-reference report:
# Policy.Read.All covers Security Defaults and Conditional Access; the registration report also needs AuditLog.Read.All and UserAuthenticationMethod.Read.All
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"
# Check Security Defaults
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults Enabled: $($policy.IsEnabled)"
# If Security Defaults is off, show which enabled Conditional Access policies actually require MFA, and for whom
if (-not $policy.IsEnabled) {
  Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabled" -and $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, @{n="IncludeUsers";e={$_.Conditions.Users.IncludeUsers -join ","}}, @{n="ExcludedUsers";e={@($_.Conditions.Users.ExcludeUsers).Count}} |
    Format-Table -AutoSize
}
# Check MFA registration for all users (-All pages past the first 100); IsMfaCapable = False means the user cannot pass an MFA prompt today
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable |
Sort-Object IsMfaCapable |
Format-Table -AutoSize
If you've completed all the steps above and are still seeing errors, especially around tenant provisioning failures, license assignment errors that persist after re-assignment, or Defender for Business devices that won't onboard despite correct configuration, it's time to escalate. Don't spend more than 2 hours banging against a tenant-level provisioning issue; some of these require Microsoft backend tools to fix. Contact Microsoft Support and open a ticket specifically under "Microsoft 365 Business Premium, License / Provisioning." Have your tenant ID ready (it's shown on the Overview page at entra.microsoft.com, or in the output of Get-MgContext after Connect-MgGraph). Also be prepared to share your Entra Connect version if you're in a hybrid setup.
Prevention & Best Practices
I've seen businesses go from constant Microsoft 365 Business Premium fire-fighting to near-zero issues by building a few habits into their admin routine. None of these are complicated, they just require consistency.
The biggest preventable problem is reactive license management. When someone joins the company, their license assignment should happen on day one, not day three or day ten. Build a simple onboarding checklist that includes: assign Business Premium license, add user to the Intune enrollment group, verify MFA registration within 48 hours, and confirm the device appears in the Defender portal. That four-step checklist eliminates the most common support tickets I see from new Business Premium customers.
On the security side, Microsoft publishes a set of baseline security recommendations specifically for Business Premium called the "Microsoft 365 for business security best practices." You don't have to invent your own security posture, Microsoft has done the work for you. The guidance follows the Zero Trust model, which means treating every sign-in and every device as potentially untrusted until verified. In practical terms, that means: MFA on every account, device compliance policies enforced before granting access to company data, and email protection rules for phishing and ransomware in the Microsoft Defender portal under Email & Collaboration > Policies & Rules.
One area that gets consistently overlooked: email protection. Business Premium includes Microsoft Defender for Office 365 Plan 1, which gives you Safe Links, Safe Attachments, and anti-phishing impersonation policies; configure and review them at security.microsoft.com > Email & Collaboration > Policies & Rules > Threat policies. Note that Attack simulation training, the built-in phishing simulator, is a Defender for Office 365 Plan 2 feature and is not part of the base Business Premium subscription; if you want to run quarterly simulated phishing campaigns (one of the highest-ROI security activities a small business can do), you'll need the Plan 2 add-on or a third-party simulation tool.
Also make sure you understand what the Microsoft Defender Suite for Business Premium add-on (available since September 2025) covers if your security needs are growing. The base Business Premium plan is excellent for most businesses under 300 users, but if you're in healthcare, legal, or financial services and handle regulated data, the add-on gives you significantly more capability, including advanced identity protection, Microsoft Defender for Cloud Apps, and enhanced SIEM integration.
- Enable Security Defaults on day one if you're not using custom Conditional Access policies; it's the fastest way to get MFA protection across your entire tenant.
- Review Microsoft Secure Score weekly (security.microsoft.com > Secure Score) and work through the recommended actions in order of impact.
- Set up a break-glass admin account before you configure Conditional Access, so a bad policy can't lock every admin out: a second Global Administrator with a long random password stored securely offline, excluded from every Conditional Access policy, and protected with a FIDO2 security key rather than left with no MFA at all (Microsoft's current emergency-access guidance). Security Defaults has no exclusions, so this account matters most once you switch to Conditional Access.
- Review device compliance status in Intune monthly (intune.microsoft.com > Devices > Compliance) and remediate any devices showing as "Not Compliant" before Conditional Access blocks them from accessing company resources.
Frequently Asked Questions
Why should I choose Microsoft 365 Business Premium over Business Standard or Business Basic?
The short answer: Business Premium is the only business-tier plan that includes Microsoft Defender for Business, Intune device management, Microsoft Entra ID P1 (formerly Azure AD Premium P1), and Azure Information Protection. Business Standard gives you the Office apps and Teams, but no Defender for Business endpoint protection and no Intune device management. If you're handling any kind of sensitive business data, customer records, financial documents, anything confidential, Business Premium is the tier where the security tools actually exist. I've had clients on Business Standard who thought they were protected because they had Microsoft 365; they weren't. Business Premium, by contrast, gives you a genuine layered security stack: identity protection, endpoint detection and response, email filtering for phishing and malware, and device compliance enforcement, all managed from a single admin portal. For up to 300 users, it's the most complete security-plus-productivity bundle Microsoft offers without jumping to enterprise licensing.
How do I check what's new in Microsoft 365 Business Premium security, what changed recently?
Microsoft publishes a "What's new in security" page for Microsoft 365 for business that covers all recent additions to Business Basic, Standard, and Premium. The biggest recent change is from September 2025: the old Microsoft 365 E5 Security add-on (introduced in March 2025) has been replaced by the new Microsoft Defender Suite for Business Premium add-on. If you were relying on the E5 Security add-on for advanced capabilities, check your license status under Billing > Licenses and look into transitioning to the new Defender Suite for Business Premium. The March 2025 release also brought expanded identity protections, Defender for Cloud Apps access, and better SIEM integration. Microsoft also moved all learning hub resources (Ninja training, learning paths) from the Defender portal to learn.microsoft.com in July 2024, so update any bookmarks your team uses for training.
My Microsoft 365 Business Premium license is assigned but Defender for Business isn't showing my devices, what's wrong?
This is almost always one of two issues. First: Defender for Business hasn't been provisioned for your tenant. Go to security.microsoft.com and look for an onboarding prompt. If you see it, complete it. Second: devices have been enrolled in Intune but haven't been onboarded to Defender separately via the local script or Intune policy. Being in Intune and being onboarded to Defender are two different things. In the Defender portal under Settings > Endpoints > Onboarding, download the appropriate onboarding package for your OS and run it on each unprotected device. After about 5 minutes the device should appear as Active in Assets > Devices. If a device is showing as "Can be onboarded" but never transitions to Active, check that Windows Defender Antivirus isn't disabled by a third-party antivirus product, Defender for Business requires it to be active.
Can Microsoft 365 Business Premium manage Mac, iPhone, and Android devices, not just Windows?
Yes, this is one of the clearest advantages of Business Premium over lower tiers. Through Microsoft Intune (included in the subscription), you can enforce compliance policies, push configuration profiles, remotely wipe devices, and require encryption on Windows, macOS, iOS, and Android. For Mac, you deploy the Intune Company Portal app and run the Defender for Business onboarding script for macOS from security.microsoft.com > Settings > Endpoints > Onboarding. For iOS and Android, users install the Intune Company Portal from the App Store or Google Play and enroll from there. Mobile device management through Intune does require that Microsoft Intune is set as your MDM authority in the Intune admin center (intune.microsoft.com); confirm this under Tenant administration > Tenant status before you start enrolling non-Windows devices.
How many users can I have on Microsoft 365 Business Premium?
Microsoft 365 Business Premium is licensed for businesses with up to 300 users. Each user needs an individual seat license. The 300-seat ceiling is a licensing limit on the plan: Microsoft won't sell you a 301st Business Premium seat. If your headcount is approaching or exceeds 300, you don't have to migrate everyone; you can keep up to 300 users on Business Premium and license the remainder on Microsoft 365 E3 or E5 enterprise plans, which have no user cap, or move the whole tenant to enterprise licensing. That said, 300 seats covers the vast majority of small and medium-sized businesses, and the Business Premium plan gives you security features that rival (and in some areas exceed) what larger companies get on older enterprise plans. For most SMBs, hitting the 300-seat ceiling is a good problem to have.
I set up MFA but users keep getting locked out after switching phones, how do I fix this without disabling MFA?
Don't disable MFA, that's not the answer. Instead, use the MFA re-registration workflow built into Microsoft Entra. In the Entra admin center (entra.microsoft.com), go to Users > [affected user] > Authentication methods and click Require re-register multifactor authentication. This clears the old registrations so the user can sign in with their password once and immediately set up MFA on the new device via aka.ms/mfasetup. To prevent this from happening repeatedly, make sure users have registered at least two authentication methods, the Microsoft Authenticator app plus a backup phone number or FIDO2 key. There is no policy switch that forces a second method, so put it in your onboarding checklist and use Protection > Authentication methods > Registration campaign to nudge anyone still without the Authenticator app. Also consider enabling the Temporary Access Pass method for device transitions: an admin issues a short-lived, single-use passcode that satisfies MFA once, giving the user a clean way to re-register on the new phone without anyone weakening the account's MFA state in the meantime.