Microsoft 365 Management: The Complete Guide
Microsoft 365 is the operating system for most Canadian businesses, and most of them are using maybe half of what they pay for while leaving critical security features turned off. This guide is the practical reference for running M365 well: how to size licensing, what to harden first, why you still need backup, how to migrate cleanly, and where the most common gaps hide.
Microsoft 365 is the productivity backbone for roughly seventy percent of Canadian businesses with fewer than two hundred employees. It is also the most consistently under-utilized and under-secured platform we encounter. The pattern is the same in almost every environment: the business is paying for capabilities that nobody has turned on, security defaults that should be enforced are not, and the backup story is held together by the assumption that Microsoft is taking care of things they are not.
This guide is the practical reference for running M365 properly. It is not a feature catalog. It is the configuration, security, backup, migration, and cost-optimization playbook for a typical Canadian SMB in 2026.
What Microsoft 365 Is
Microsoft 365 is the umbrella product that replaced Office 365 in 2020. It bundles productivity apps (Word, Excel, PowerPoint, Outlook), cloud services (Exchange Online, SharePoint, OneDrive, Teams), identity and device management (Azure AD, Intune), and security tooling (Defender for Office 365, Defender for Business). Depending on the subscription tier, it also includes Windows licensing.
The shift from Office 365 was not just a rename. Microsoft expanded the platform to cover the full operational stack a business needs: identity, device management, security, and compliance, in addition to the productivity apps. For most SMBs, the practical consequence is that Microsoft 365 Business Premium replaces a stack of point solutions that previously had to be bought and integrated separately. Our piece on Microsoft 365 vs Google Workspace covers how it stacks up against the main alternative for SMBs.
Licensing Tiers and What Each Includes
For Canadian SMBs, the relevant Microsoft 365 plans split into Business and Enterprise. Business plans cap at three hundred users; Enterprise plans have no user cap and unlock advanced security and compliance features.
Microsoft 365 Business Basic (CAD $8.10/user/month as of 2026) includes web and mobile Office apps, Exchange Online, SharePoint, OneDrive, and Teams. No desktop Office apps, no advanced security, no device management. Suitable only for light-touch users who live in web apps.
Microsoft 365 Business Standard (CAD $16.50/user/month) adds the desktop Office suite. Still no advanced security or device management. Reasonable for businesses with strong existing security elsewhere.
Microsoft 365 Business Premium (CAD $30.80/user/month) is the right choice for most SMBs. Adds Defender for Office 365 (advanced email security), Defender for Business (EDR), Intune device management, Azure AD Premium P1 (conditional access, MFA enforcement), and Windows 11 Enterprise. This single SKU replaces a separate antivirus product, a separate device management product, a separate email security product, and a separate identity provider.
Enterprise plans (E3, E5) add Office on five devices per user (versus the Business plan limits), unlimited mailboxes, advanced compliance tools, and at the E5 tier, Defender for Endpoint Plan 2 and broader Microsoft 365 E5 Compliance capabilities. Most businesses do not need Enterprise until they hit three hundred users or specific compliance requirements force it.
The Big Four: Exchange, SharePoint, Teams, Intune
Of the dozens of services in Microsoft 365, four account for most of the practical value and most of the configuration work.
Exchange Online is the email engine. The configuration choices that matter are anti-spam and anti-phishing policies (Defender for Office 365 if licensed), mailbox audit logging (off in some legacy tenants), mailbox sharing and delegation policies, and retention policies that align with your records management approach.
SharePoint and OneDrive are the file storage engines. SharePoint hosts team and project sites; OneDrive holds user-specific files. Both ship with extremely permissive default sharing settings that need to be tightened in most environments. External sharing should be limited to specific external partners or specific approved domains, not anyone with the link. Storage growth needs active management; we cover this in our SharePoint archiving guide.
Teams is the collaboration and communications hub: chat, meetings, voice calling, and the file-sharing surface tied to SharePoint sites. Teams governance is consistently the weakest part of M365 deployments. Most businesses end up with hundreds of orphaned teams, unclear ownership, and content sprawl. Establish a team creation policy, define naming conventions, and set automatic archival of stale teams.
Intune manages devices: Windows, Mac, iOS, Android. Configuration profiles enforce security baselines, compliance policies gate access to apps, and Autopilot turns new devices into provisioned, secured assets without IT having to touch them. Intune is the part of M365 most under-deployed in SMBs and one of the highest-value once it is in place.
Security Baseline: What to Harden First
Microsoft 365 defaults are conservative for good reasons: aggressive defaults break legitimate workflows. The downside is that businesses leave critical security off because nobody turned it on after onboarding. The order to fix this is well-established:
- Enable MFA for every user via Security Defaults (free, one-click) or Conditional Access (more granular control, requires Business Premium or higher)
- Block legacy authentication protocols that bypass MFA
- Configure anti-phishing policies including impersonation protection
- Enable mailbox audit logging on every mailbox
- Tighten external sharing on SharePoint and OneDrive
- Configure DKIM signing for all sending domains
- Configure DMARC at quarantine or reject (not just monitor)
These steps take a few hours and shift your Microsoft Secure Score by twenty to thirty points in most environments. Our piece on 7 Microsoft 365 security settings every business should enable walks through each in detail.
For the broader cybersecurity picture, including how M365 security fits into a complete defensive posture, see our cybersecurity guide for Canadian SMBs.
Why You Still Need to Back Up Microsoft 365
The single most common Microsoft 365 misconception is that Microsoft backs up your data. They do not, at least not the way you think they do. Microsoft maintains infrastructure redundancy. They do not protect you against your own users deleting things, a malicious insider purging mailboxes, ransomware encrypting OneDrive files, or a misconfigured retention policy aging content out before you wanted.
The default retention windows are short: deleted items in Exchange are retained for 14 days and then become recoverable by an administrator for 14 more before permanent deletion. OneDrive and SharePoint files are retained in a recycle bin for 93 days. A malicious actor with admin credentials can shrink those windows in seconds.
Third-party Microsoft 365 backup is now standard practice for businesses that take their data seriously. We cover what to look for in a backup solution and how restoration works in our piece on how to back up Microsoft 365.
Migration Patterns (Google Workspace, On-Prem Exchange)
Most Microsoft 365 migrations fall into one of three patterns.
Google Workspace to Microsoft 365 is the most common migration we run. Tools like BitTitan MigrationWiz and SkyKick handle mail, calendars, contacts, and Drive files cleanly for most SMB sizes. The non-obvious work is in identity (provisioning the new tenant, mapping accounts, enforcing MFA from day one), retention (do you migrate archived data or leave it in Google), and external dependencies (any apps that integrate with Google identity need to be re-integrated). Most migrations of fewer than fifty users complete in two to three weeks of part-time work, with a single weekend cutover.
On-prem Exchange to Exchange Online is a different shape. Hybrid Exchange configurations let you co-exist for an extended period during migration. The complications are usually historical: very large mailboxes, public folders, mail flow rules nobody documented, and connector configurations that have drifted over years.
Tenant-to-tenant migrations (acquisitions, divestitures, brand consolidations) are the trickiest. They require coordination of identity, mail flow, SharePoint content, and Teams data, often under tight cutover windows because both tenants are operating businesses simultaneously. Plan for a phased approach and budget more time than you think.
Identity and Azure AD Integration
Azure Active Directory (recently renamed Microsoft Entra ID) is the identity layer underneath Microsoft 365. For most SMBs, Azure AD is also the practical identity provider for third-party apps via SAML or OIDC. Configuring Azure AD as your primary identity provider, with conditional access policies and MFA enforcement, gives you consistent identity controls across both Microsoft and non-Microsoft apps.
Conditional access deserves specific attention. The policies most SMBs should enforce are: require MFA for all users, require compliant or hybrid-joined devices for sensitive apps, block sign-ins from countries you do not do business in, and require additional verification for high-risk sign-ins. Each of these is a few clicks in the Azure portal, but together they shut down ninety-nine percent of credential-based attacks.
License Cost Optimization
Microsoft 365 license costs creep up. The usual sources are over-licensing (users assigned higher tiers than they need), unused licenses sitting on terminated employees, duplicate licensing where M365 features overlap third-party tools that are still being paid for, and shared device users (frontline staff, kiosks) on full-price licenses when F1 or F3 Frontline plans would do.
A quarterly license audit catches most of this. Identify users who have not signed in for more than thirty days and confirm whether they are active. Identify users on Business Premium who do not use the desktop apps. Identify shared workstations that could move to a Frontline plan. The savings are often substantial.
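The three audit checks described above, run over a license export, as an added example that is not part of the original guide. The column names, the `contoso.example` accounts and the rows are constructed; map them to the fields of whatever usage report you export.

```python
# Added example: the three quarterly audit checks run over a license export.
# Column names and rows are constructed; map them to your own report fields.
import csv
import io
from datetime import date

EXPORT = """user,license,last_sign_in,desktop_apps_used,shared_device
alice@contoso.example,Business Premium,2026-03-28,yes,no
bob@contoso.example,Business Premium,2026-01-05,yes,no
carol@contoso.example,Business Premium,2026-03-30,no,no
frontdesk@contoso.example,Business Standard,2026-03-31,yes,yes
dave@contoso.example,Business Basic,,no,no
"""

FRONTLINE = {"F1", "F3"}


def audit(export_text, today, stale_days=30):
    """Return findings keyed by check name, each a list of user names."""
    findings = {"stale": [], "premium_without_desktop": [], "frontline_candidate": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        last = row["last_sign_in"]
        # A licensed account that never signed in is treated as stale too.
        if not last or (today - date.fromisoformat(last)).days > stale_days:
            findings["stale"].append(row["user"])
            continue  # confirm the account is active before tuning its tier
        if row["license"] == "Business Premium" and row["desktop_apps_used"] == "no":
            findings["premium_without_desktop"].append(row["user"])
        if row["shared_device"] == "yes" and row["license"] not in FRONTLINE:
            findings["frontline_candidate"].append(row["user"])
    return findings


if __name__ == "__main__":
    for check, users in audit(EXPORT, date(2026, 4, 1)).items():
        print(check, users)
```

Stale accounts are listed first and skipped by the other checks because a licensed account nobody signs in to is also a live credential, so it should be confirmed or disabled before its tier is discussed.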
Common Pitfalls
The default tenant configuration. Microsoft 365 tenants set up without a planned configuration accumulate technical debt fast. Default SharePoint sharing, default Teams creation policies, default mailbox retention, default audit settings. Each is a future incident waiting to happen.
Microsoft Defender misconfigured. Defender for Office 365 ships with baseline policies but most environments need custom anti-phishing rules to catch CEO and finance impersonation. The default is permissive on purpose; the safe configuration requires deliberate work.
Storage explosion. SharePoint storage is generous but not unlimited. Microsoft charges premium rates once you exceed your tenant allocation. Most businesses hit this wall around year three without realizing storage is growing exponentially. The fix is content lifecycle policies and active archival.
Orphaned Teams and SharePoint sites. Without governance, both accumulate at the rate users create them. Establish a Team creation policy (admin approval, or guardrails like required ownership and naming conventions), and run a quarterly review of orphaned and inactive sites.
Email signatures. Centralized signature management is one of the easiest wins for brand consistency and one of the most overlooked security controls. See why email signature management matters.
Microsoft 365 and Canadian Compliance
Microsoft 365 has Canadian data residency. Customer content for Canadian tenants is stored in Canadian data centers (Toronto and Quebec City), which simplifies PIPEDA, PHIPA, and similar compliance positions significantly. The metadata story is more complex; some service metadata may transit other regions, which matters for the most sensitive workloads.
For specifics on how Microsoft 365 supports Canadian compliance regimes, see our compliance guide for Ontario businesses.
Getting Expert Help
Most Canadian SMBs end up running Microsoft 365 well below its capability because the platform is genuinely complex and the cost of trial-and-error is high. ClayGen's Microsoft 365 management service handles configuration, security hardening, backup, license optimization, migrations, and ongoing support. We start with an assessment of where your tenant stands today and a prioritized plan for what to fix first.
The supporting articles after this section go deeper on the specific topics covered above. If you want a walkthrough of your specific tenant, book a discovery call.
Supporting Articles
Go deeper on the topics covered in this guide. Each of these articles expands on a specific section above.
Conditional Access for Canadian SMBs: The Control Insurers Expect
Conditional Access decides when MFA is required, which devices can connect, and what happens when something looks wrong. The baseline policies every SMB should configure.
What a Microsoft 365 Assessment Reveals
License waste, sharing exposure, and security defaults that should have been on at day one. The findings repeat across most Canadian SMBs.
Microsoft 365 License Waste: What Usage Analytics Reveal in Practice
Most SMBs overpay for M365 by 10 to 25 percent. Usage analytics surface the seats nobody touches and the tier mismatches.
7 Microsoft 365 Security Settings Every Business Should Enable Today
The settings most businesses leave off and the seven you should turn on first.
How to Back Up Microsoft 365 (And Why You Need To)
Microsoft does not back up your data the way you think they do. Here is what is at risk and how to protect it.
Microsoft 365 vs Google Workspace: Which Is Right for Your Business?
A practical comparison focused on Canadian SMBs: security, compliance, cost, and operational fit.
SharePoint Archiving: What Ontario Businesses Need to Know
SharePoint storage grows fast and Microsoft charges premium rates for overages. Here is how archiving controls cost.
Why Email Signature Management Matters More Than You Think
Centralized signatures pair with M365 security policies to reduce impersonation risk and brand drift.