Microsoft 365 governance for SMBs — pragmatic, not perfectionist

M365 is the largest piece of SaaS in most SMBs. This guide walks through the governance layers — identity, licensing, MFA, Conditional Access, data, retention — covering what's truly essential and what can wait.

Microsoft 365 touches everything in a typical SMB — email, files, calendar, Teams, SharePoint. Good governance isn't optional; it's a prerequisite. The good news: there's a manageable subset that works for SMBs.

What do you absolutely need?

1. MFA on all accounts. See rolling out MFA.
2. Company ownership of devices. Basic Intune unlocks access control options. See Intune basics.
3. Licences matched to roles. No E3 for interns, no E1 for sales. See licence management.
4. Global Admin discipline. 2–3 people, dedicated admin accounts. See PAM article.
5. Conditional Access for critical apps. See Conditional Access explained.

What's nice to have?

• PIM (just-in-time admin) — consider this at > 30 employees.
• DLP (Data Loss Prevention) — once you have a clear picture of your data-leak risks.
• Retention policies — when someone says "this must never be deleted" or "this must be deleted" at tenant level.
• Sensitivity labels — when clients require documents to be classified.

Identity as the single source of truth

Entra ID is the one place you want to get right. Users created here flow everywhere, security groups tie roles to licences and apps, and Conditional Access builds on top of that. Integrate security groups with your access management tool.

SharePoint and Teams: separate stories

SharePoint permissions affect the content of files, not just "who can log in". See SharePoint permissions. Teams guest access has its own rules — see Teams external guests.

Further reading: guest access, mailbox delegation, OneDrive sharing policy, retention policies, M365 admin roles explained.