Fix Microsoft 365 Business Premium Setup & Security Issues
Why This Is Happening
You picked up Microsoft 365 Business Premium for your team. The promise was simple: one subscription, everything handled , productivity apps, Teams, advanced security, device management, the works. Then reality hit. Licenses aren't applying correctly. The Defender for Business console shows no enrolled devices. Conditional Access policies you configured yesterday aren't blocking anything. Or maybe you're staring at a PowerShell output that keeps referencing a service plan called O365_BUSINESS_PREMIUM or the internal plan identifier o365 worldwide (6) and you have no idea why it's flagged as disabled on half your users.
I've seen this exact tangle on dozens of tenant setups. The frustrating part isn't that the problems are hard, it's that Microsoft 365 Business Premium error messages are almost deliberately unhelpful. "License conflict." "Service plan disabled." "Policy not applied." Great. Thanks for nothing.
Here's what's actually going on. Microsoft 365 Business Premium is a bundled subscription designed for small and medium-sized businesses with up to 300 users. Under the hood, that single license activates a stack of individual service plans, Exchange Online, Teams, SharePoint, Microsoft Defender for Business, Intune device management, Azure AD Premium P1, and several more. When you see o365 worldwide (6) in a license report or PowerShell output, that string is one of the internal service plan display names tied to the worldwide tenant provisioning tier for this SKU.
The most common reason things break: conflicting legacy licenses. If someone on your team previously had an Office 365 E1, E3, or even a standalone Exchange Online plan, those overlapping service plans clash with the new Business Premium assignment. Azure AD's licensing engine doesn't always surface a clean error, it just quietly disables the conflicting service plan on the new license, leaving users without features they should have.
The second most common cause: initial security configuration was skipped or only partially completed. Microsoft's setup wizard lets you click through without actually enabling the security defaults, Defender policies, or Intune enrollment profiles. You get a fully licensed tenant with essentially no security controls active, which is worse than it sounds because the license dashboard shows green checkmarks regardless.
Third cause, especially in hybrid or domain-joined environments: Azure AD Connect sync conflicts. If you're syncing from on-premises Active Directory, user attributes and group memberships can arrive in a state that blocks proper license assignment or Conditional Access policy evaluation.
None of this means your deployment is broken beyond repair. Every one of these issues has a clear fix. Let's go through them. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before going deep on anything, run a license health check from the Microsoft 365 Admin Center. This surfaces 80% of the problems I see in a single screen.
Go to admin.microsoft.com → Billing → Licenses. Click on your Microsoft 365 Business Premium subscription. Look at the assigned count vs. available count. If those numbers don't match what you expect, you likely have ghost assignments, licenses tied to deleted users or shared mailboxes that were never properly reclaimed.
Next, go to Users → Active Users, click any affected user, then select the Licenses and apps tab. Expand the Microsoft 365 Business Premium entry and look at the individual service plan toggles. If you see any service plans switched off, especially Microsoft Defender for Business, Microsoft Intune Plan 1, or Azure Active Directory Premium P1, that's your smoking gun. Toggle them on, save, and give it 15–30 minutes to propagate.
For users where that toggle fix doesn't stick, the conflict is usually a legacy license. Remove the old license entirely first, wait 5 minutes, then re-assign Business Premium clean. That sequence matters, removing and immediately reassigning in one action sometimes doesn't clear the conflict in time.
If you want to do this for multiple users at once, PowerShell is the faster path. Open PowerShell as Administrator and run:
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"
Get-MgUserLicenseDetail -UserId "user@yourdomain.com" | Select-Object SkuPartNumber, ServicePlansThis outputs every service plan and its provisioning status. Look for any plan showing Disabled or PendingInput under ProvisioningStatus. That's exactly what needs fixing.
Start with a full picture. You can't fix what you can't see, and the Admin Center UI doesn't show you cross-user conflicts at scale. Connect to Microsoft Graph and pull a full license report:
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.Read.All"
$users = Get-MgUser -All -Property DisplayName, UserPrincipalName, AssignedLicenses
foreach ($user in $users) {
$details = Get-MgUserLicenseDetail -UserId $user.Id
foreach ($sku in $details) {
$disabledPlans = $sku.ServicePlans | Where-Object { $_.ProvisioningStatus -eq "Disabled" }
if ($disabledPlans) {
Write-Output "$($user.UserPrincipalName) | SKU: $($sku.SkuPartNumber) | Disabled: $($disabledPlans.ServicePlanName -join ', ')"
}
}
}Save that output. Any user with a disabled service plan inside the SPB (Microsoft 365 Business Premium) SKU needs remediation. The plan names you're most likely to see disabled are MDATP_SERVERONBOARDING, INTUNE_A, or AAD_PREMIUM.
To remove a conflicting legacy SKU from a single user without touching their Business Premium assignment, identify the conflicting SKU's GUID first:
Get-MgSubscribedSku | Select-Object SkuPartNumber, SkuIdThen remove just that SKU:
Set-MgUserLicense -UserId "user@yourdomain.com" -RemoveLicenses @("LEGACY-SKU-GUID-HERE") -AddLicenses @()If the fix worked, re-running the audit script should show no disabled service plans for that user within 30 minutes.
Licensing is only half the problem. A fully licensed tenant with unconfigured security is a security liability, and this is where I see most small business admins stop short. Microsoft 365 Business Premium includes Defender for Business, Conditional Access via Azure AD Premium P1, and Microsoft Intune. None of these do anything useful out of the box without initial configuration.
Start in the Microsoft 365 Admin Center: go to Setup → Microsoft 365 Business Premium setup. If you see a banner saying "Complete your security setup," that means this was skipped during initial onboarding. Click through and don't skip the security sections this time.
For Defender for Business specifically, navigate to security.microsoft.com → Settings → Endpoints → Onboarding. If your device count reads zero here, no machines are actually being protected regardless of what the license dashboard says.
For Windows devices managed by Intune, the onboarding script path is:
Settings > Endpoints > Onboarding > Deployment Method: "Mobile Device Management / Microsoft Intune"Download the onboarding package, deploy it through Intune as a Win32 app or a PowerShell script policy, and target it at your device group. After deployment, give it up to 24 hours, devices check in on their own schedule. You can verify status at security.microsoft.com → Assets → Devices.
If everything worked correctly, you'll see enrolled devices listed there with a Sensor health state of Active.
I know this sounds like basic advice. But I've seen Business Premium tenants running for six months where MFA was never turned on, and the admin genuinely thought it was enabled because the license included it. The license includes the capability. You still have to turn it on.
The two ways to enforce MFA in Microsoft 365 Business Premium: Security Defaults (simpler, less control) or Conditional Access policies (recommended, requires Azure AD Premium P1 which is included in your license).
To check if Security Defaults are on: go to portal.azure.com → Azure Active Directory → Properties → Manage Security Defaults. If the toggle reads "Disabled," you are running without baseline MFA enforcement.
For most small businesses, a Conditional Access policy is the better path because it lets you exclude break-glass admin accounts and set location-based exceptions. Create one at portal.azure.com → Azure Active Directory → Security → Conditional Access → + New policy:
Name: Require MFA for All Users
Users: All users (exclude your break-glass account)
Cloud apps: All cloud apps
Grant: Require multi-factor authentication
Enable policy: OnAfter saving, test immediately with a non-admin account in a private browser window. You should see an MFA prompt. If you don't, check that Security Defaults are off, you can't run both simultaneously or they conflict and neither enforces correctly.
One of the most underused features in Microsoft 365 Business Premium is Intune device management. It's already in your license. It covers Windows, Mac, iOS, and Android. Most businesses set it up once and forget it, until a laptop gets stolen and they realize there's no remote wipe capability configured.
Start at intune.microsoft.com → Devices → Enrollment. For Windows, the fastest path is enabling Windows Automatic Enrollment via Azure AD join. Go to portal.azure.com → Azure Active Directory → Mobility (MDM and MAM) → Microsoft Intune → set MDM User scope to All.
Once that's done, any Windows 10/11 device that signs in with an Azure AD work account during setup (or through Settings → Accounts → Access work or school → Connect) will automatically enroll in Intune within minutes.
For existing devices already joined to on-premises Active Directory (hybrid joined), you need to verify that Azure AD Connect is configured for hybrid Azure AD join. Run this in PowerShell on your Azure AD Connect server:
Get-ADSyncSchedulerIf SyncCycleEnabled reads True and sync is running, hybrid-joined devices should appear in Intune within one to two sync cycles. If they don't after 48 hours, check Event Viewer → Applications and Services Logs → Microsoft → Windows → User Device Registration → Admin for Event ID 304 or 306, which indicate registration failures and their specific causes.
Microsoft 365 Business Premium defends against phishing and ransomware, but again, only if you've activated the right policies. The default Exchange Online Protection (EOP) policies are on by default. The enhanced Defender for Business policies are not.
Go to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies. Check each of the following:
- Anti-phishing: Click into the default policy. Ensure "Enable users to protect" lists your key executive accounts (CEO, CFO, finance team) for impersonation protection. Raise the phishing email threshold to 3, More aggressive if you've been seeing phishing slip through.
- Safe Attachments: Should be set to Block, not Monitor. Monitor mode logs threats but doesn't stop them.
- Safe Links: Confirm "Scan URLs in email messages" and "Scan URLs in Microsoft Teams messages" are both toggled on.
For ransomware protection specifically, Microsoft recommends a mail flow rule that blocks file extensions commonly used in ransomware delivery. Create it at admin.exchange.microsoft.com → Mail flow → Rules → + Add a rule:
Condition: Any attachment has these words in the file name
Extensions: .exe, .vbs, .js, .bat, .cmd, .ps1, .jar, .scr
Action: Block the message, Reject and include explanation
Explanation: "This attachment type is not permitted for security reasons."That rule alone blocks a significant portion of commodity ransomware delivery vectors that get past automated scanning. Once configured, test it by sending yourself an email with a renamed .txt file changed to .bat, it should be rejected within seconds.
Advanced Troubleshooting
If the steps above didn't fully resolve your situation, you're likely dealing with one of the more complex scenarios. Here's what to check.
Group Policy Conflicts with Intune MDM Enrollment
In domain-joined environments, on-premises Group Policy Objects (GPOs) frequently conflict with Intune MDM policies, and GPO wins by default unless you've configured the MDM enrollment precedence correctly. The symptom: devices enroll in Intune fine, but compliance policies report as "Not applicable" and configuration profiles never apply.
Open Group Policy Management on your domain controller and search for any GPOs that touch Computer Configuration → Administrative Templates → Windows Components → MDM. If a GPO is set to "Disable MDM enrollment," that's your culprit, it overrides the Azure AD automatic enrollment setting entirely.
The correct fix is not to delete that GPO blindly. Instead, scope it away from your Business Premium users by editing Security Filtering on the GPO to exclude the relevant security group, then target your Intune enrollment policy to the same group in Intune. That way domain-joined PCs that should remain GPO-managed stay that way, while your Business Premium users get Intune management.
Conditional Access Policy Evaluation Failures
If a Conditional Access policy isn't blocking what it should, the fastest diagnostic tool is Sign-in logs. Go to portal.azure.com → Azure Active Directory → Monitoring → Sign-in logs. Find the sign-in event that should have been blocked. Click into it and select the Conditional Access tab, this shows you exactly which policies evaluated, which matched, which didn't, and why.
Common finding: the policy is in Report-only mode instead of On. Report-only is a testing mode that logs what would happen but doesn't enforce anything. Switch to On after validating in report-only for a day or two.
Microsoft Defender for Business Sensor Showing Inactive
If a device enrolled correctly but shows Sensor health: Inactive in the Defender portal, check two things. First, verify the Defender service is running on the machine:
Get-Service -Name "Sense" | Select-Object Name, Status, StartTypeIt should show Running and Automatic. If it's stopped, start it with Start-Service Sense. Second, check the Windows Security Center for any third-party antivirus that's registered as the primary AV, Defender passive mode means the sensor reports but doesn't actively scan. For full protection, either remove the third-party AV or configure Defender to run in active mode via Intune policy.
License Provisioning Errors in Event Viewer
For license assignment failures that don't surface in the Admin Center UI, check Event Viewer on the user's machine under Applications and Services Logs → Microsoft → Windows → AAD → Operational. Event ID 1098 indicates an error during device registration. Event ID 1002 means the Primary Refresh Token (PRT) failed to issue, which breaks Single Sign-On for all Microsoft 365 apps even if the license looks fine in the portal.
Fixing PRT issues usually requires re-running dsregcmd /join from an elevated command prompt and then restarting the device. Run dsregcmd /status first to confirm the current Azure AD join state before touching anything.
If your tenant is under a license provisioning hold (you'll see a banner in the Admin Center saying "Action required, your subscription is at risk"), contact Microsoft Support directly and immediately. These holds can be triggered by billing issues, suspicious activity flags, or compliance reviews, and some require Microsoft-side intervention that no admin action can resolve. Similarly, if Defender for Business shows devices as onboarded but threat signals are missing for more than 72 hours after confirmed onboarding, that's a backend telemetry pipeline issue that Microsoft's support team needs to investigate on the tenant side.
Prevention & Best Practices
Most Microsoft 365 Business Premium headaches I see are preventable. Not by doing anything exotic, just by doing the basic hygiene steps that the setup wizard rushes you past.
The single most important habit: run a monthly license audit. People leave. Roles change. Licenses pile up on inactive accounts. Every disabled service plan in that monthly audit report is a potential security gap or a feature that a user thinks they have but doesn't. Set a calendar reminder and make it a 30-minute task, the PowerShell script from Step 1 runs in under two minutes on a 100-user tenant.
Second: use the Microsoft Secure Score dashboard as your ongoing security checklist. It lives at security.microsoft.com → Exposure management → Secure score. Every recommended action is specific, ranked by impact, and directly tied to features in your Business Premium license. A fresh Business Premium tenant typically scores around 30–40%. Getting to 60%+ for a small business is achievable in a weekend and makes an enormous difference in actual threat resistance.
Third: never assign licenses individually if you have more than 10 users. Group-based licensing via Azure AD groups is far more reliable and auditable. Create a group called "M365 Business Premium Users," assign the license to the group, and manage membership rather than per-user assignments. When someone gets a conflicting legacy license, it's immediately visible in the group's license health report instead of buried in individual user settings.
Fourth: test your Conditional Access policies in Report-only mode for 48 hours before enabling them. This is not just caution, it's essential. A policy that accidentally blocks your own admin account will lock you out of the tenant. Always have a break-glass account that's excluded from all CA policies, stored securely offline, and tested monthly to confirm it still works.
- Enable the Microsoft Defender for Business default policies under security.microsoft.com → Configuration management → Endpoint security policies, they're pre-built for SMB environments and activate in under five minutes
- Turn on Self-Service Password Reset (SSPR) in Azure AD to cut helpdesk tickets for password resets, it's included in your AAD Premium P1 license and takes about 10 minutes to configure
- Download and distribute Microsoft's Digital Threats Guide (available as PDF or PowerPoint from the Microsoft 365 security admin docs) to your team, user awareness is still the most cost-effective security control
- Subscribe to the Microsoft 365 Message Center digest email (Admin Center → Health → Message Center → Preferences) so you hear about feature changes before they affect your users, not after
Frequently Asked Questions
Why should I choose Microsoft 365 Business Premium over cheaper Microsoft 365 plans?
The core reason is that Business Premium bundles advanced security on top of the productivity apps, specifically Microsoft Defender for Business, Azure AD Premium P1 for Conditional Access, and Microsoft Intune for device management. The cheaper Business Basic and Business Standard plans give you Teams, email, and Office apps, but none of the security layer. For any business handling client data, financial records, or anything sensitive, running without Defender and Intune is a real risk. The price difference is roughly $12–15 per user per month, and the security features alone would cost significantly more purchased separately. For businesses up to 300 users, it's genuinely the most cost-effective complete security stack Microsoft offers.
What does "o365 worldwide (6)" mean in my license report or PowerShell output?
That string is an internal service plan display name that shows up in license detail reports, particularly when you query via Microsoft Graph API or the older MSOnline PowerShell module. It's tied to the core Office 365 productivity service plan within the Microsoft 365 Business Premium SKU, specifically the worldwide provisioning tier. You'll see it listed as Enabled when everything is working correctly. If it shows Disabled or PendingInput, it usually means there's a conflicting legacy license on the account that's blocking the service plan from activating, removing the conflicting license and re-assigning Business Premium clean resolves it in the majority of cases.
Microsoft Defender for Business is included in my subscription but the portal shows no protected devices, what's wrong?
Licensing a feature and activating it are two separate things in Microsoft 365. Defender for Business requires explicit device onboarding, the license doesn't automatically protect devices the moment it's assigned. Go to security.microsoft.com → Settings → Endpoints → Onboarding, choose your deployment method (Intune is the most common for Business Premium customers), download the onboarding package, and deploy it to your devices. After deployment, check security.microsoft.com → Assets → Devices and look for a Sensor health state of "Active", that's how you know onboarding actually worked. Give it up to 24 hours after deployment before troubleshooting further.
Can I add the Microsoft Defender Suite add-on to Microsoft 365 Business Premium, and what does it actually add?
Yes, as of March 2025, Microsoft made the Microsoft Defender Suite (formerly Microsoft 365 E5 Security) available as a paid add-on to Business Premium subscriptions. It was renamed to "Microsoft Defender Suite for Business Premium" in September 2025. The add-on gives you capabilities that are normally only available in enterprise E5 licenses: Microsoft Defender for Identity (protection against on-premises Active Directory attacks), Microsoft Defender for Cloud Apps (shadow IT discovery and app governance), and Defender for Office 365 Plan 2 (automated investigation and response). For most small businesses, the base Business Premium security is sufficient. The add-on makes sense if you've had an incident, you're in a regulated industry, or you have a dedicated security team that will actually use the advanced capabilities.
My Conditional Access policy says it's enabled but users aren't being prompted for MFA, why?
Three likely culprits. First, check if Security Defaults are also enabled, you cannot run Security Defaults and Conditional Access policies simultaneously. If Security Defaults are on, CA policies are effectively ignored for MFA enforcement. Turn Security Defaults off if you're using CA policies. Second, check if the policy is set to "Report-only" instead of "On", report-only mode logs what would happen but doesn't enforce anything. Third, open Azure AD Sign-in logs and find a recent sign-in from the affected user. Click the Conditional Access tab on that event, it shows you exactly which policies evaluated and why each one matched or didn't. That view has saved me hours of guessing on CA policy debugging.
What's the right way to manage Microsoft 365 Business Premium licenses for a growing team?
Switch to group-based licensing as soon as possible, it's much cleaner than per-user assignment at any scale above about 10 people. Create a security group in Azure AD called something like "M365 Business Premium Users," assign the Business Premium license to that group, and manage who gets the license by managing group membership. When someone joins, add them to the group. When someone leaves, remove them and disable their account, the license releases automatically. This approach also makes your monthly license audit dead simple: you can see the entire licensed population in one group view, and any service plan conflicts surface at the group level rather than buried in individual user records.