Microsoft 365 Setup Guide for Philippine Businesses: From Day One to Security Baseline
Most Philippine businesses set up Microsoft 365 by creating accounts and calling it done. This guide covers what a proper M365 setup actually looks like — the security configurations, compliance settings, and operational standards that protect your business.
Renz Gutierrez Belda
IT Support Specialist / Co-Founder
The 10 Settings Most Philippine Businesses Miss
In every Microsoft 365 audit we conduct, the same ten settings are consistently unconfigured. This is not because business owners are careless, but because Microsoft does not configure them by default, and no one explains why they matter.

1. Audit Log: off by default. Without it, you cannot reconstruct what happened in a security incident.
2. Multi-Factor Authentication: not enforced by default on user accounts. The single most effective protection against compromised accounts.
3. Legacy Authentication blocked: older mail clients bypass MFA entirely. Most businesses have this open.
4. External email forwarding disabled: default settings allow any user to auto-forward all company email to a personal account, a significant data exfiltration risk.
5. Admin accounts separated from user accounts: most businesses use the Global Administrator account for daily email and Teams.
6. Shared mailboxes created as shared (not licensed user accounts): licensing money wasted and MFA gaps created.
7. Data Loss Prevention policies: no DLP rules means sensitive data can leave the organization via email with no alert or block.
8. Retention policies: Microsoft 365 is not a backup. Default settings delete email from Deleted Items in 30 days.
9. Conditional Access policies: the tool that makes every other security setting enforceable. Most businesses with Business Premium licenses never configure it.
10. Break-glass admin account: a recovery account separate from any individual's identity, stored securely, accessible when all other admin accounts are locked out.
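A read-only way to check settings 1, 3 and 4 from the list above in a tenant. This is an added example, not a script from the author; it assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session is already open, and the check names are illustrative.

```powershell
# Added example: read-only checks for settings 1, 3 and 4 above.
# Assumes the ExchangeOnlineManagement module and an existing
# Connect-ExchangeOnline session. Nothing here changes tenant settings.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Setting 1: unified audit log. Read this from Exchange Online PowerShell;
# a Security & Compliance session does not report the value reliably.
$audit = Get-AdminAuditLogConfig
Add-Finding 'Unified audit log enabled' ([bool]$audit.UnifiedAuditLogIngestionEnabled) `
    "UnifiedAuditLogIngestionEnabled = $($audit.UnifiedAuditLogIngestionEnabled)"

# Setting 3: mailboxes that still accept POP3 or IMAP connections.
# This is the per-mailbox protocol switch, separate from Conditional Access.
$legacy = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled })
Add-Finding 'POP3/IMAP disabled on all mailboxes' ($legacy.Count -eq 0) `
    "$($legacy.Count) mailbox(es) with POP3 or IMAP enabled"

# Setting 4a: outbound spam policies that explicitly allow external auto-forwarding.
$open = @(Get-HostedOutboundSpamFilterPolicy |
    Where-Object { "$($_.AutoForwardingMode)" -eq 'On' })
Add-Finding 'No outbound policy allows auto-forwarding' ($open.Count -eq 0) `
    "$($open.Count) policy(ies) with AutoForwardingMode = On"

# Setting 4b: mailboxes that already forward to an SMTP address.
$fwd = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress })
$fwdDetail = ($fwd | ForEach-Object {
    "$($_.UserPrincipalName) -> $($_.ForwardingSmtpAddress)" }) -join '; '
Add-Finding 'No mailbox-level SMTP forwarding' ($fwd.Count -eq 0) $fwdDetail

$findings | Format-Table -AutoSize -Wrap
```

Any row with Pass = False is a finding to review; existing forwarding addresses in particular should be confirmed with the mailbox owner before they are removed.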
The Security Baseline Every Philippine Business Needs
A Microsoft 365 security baseline is the minimum set of configurations that protect the tenant against the most common attack vectors. For Philippine businesses, the baseline consists of five configurations.

MFA for all users: configured via Conditional Access (not Security Defaults, which has limitations), using Microsoft Authenticator as the primary method and disabling SMS OTP, which is vulnerable to SIM swap attacks, a documented threat in the Philippines.

Legacy Authentication blocked: a Conditional Access policy that blocks any authentication attempt using IMAP, POP3, or Basic Auth.

Block External Email Forwarding: a mail flow rule that prevents any user from creating an auto-forward rule to an external address.

Device Compliance Requirement: a Conditional Access policy requiring that devices accessing Exchange and SharePoint are enrolled in Microsoft Intune and meet compliance policies (screen lock, disk encryption, OS update status).

Privileged Identity Management: admin roles assigned only when needed and reviewed quarterly.
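Two of the baseline items above, the legacy authentication block and the external forwarding rule, expressed as configuration. This is an added example, not the author's script; the policy and rule names and the break-glass object ID are placeholders, and it assumes the Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement modules with both sessions already connected.

```powershell
# Added example. Assumed to be run after:
#   Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All'
#   Connect-ExchangeOnline
# PLACEHOLDER: object ID of the break-glass admin account, excluded so that a
# policy mistake cannot lock out every administrator.
$BreakGlassObjectId = '00000000-0000-0000-0000-000000000000'

# --- Conditional Access: block legacy authentication ---
$caName = 'Baseline - Block legacy authentication'   # hypothetical name
$policy = @{
    displayName = $caName
    # Report-only first: sign-ins are evaluated and logged, not blocked.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassObjectId)
        }
        applications   = @{ includeApplications = @('All') }
        # These two client app types cover clients that cannot perform MFA
        # (Exchange ActiveSync with basic auth, IMAP, POP3, SMTP AUTH, ...).
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
# Create the policy only if one with this name does not already exist.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $caName }
if (-not $existing) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# --- Mail flow rule: reject auto-forwarded mail leaving the organization ---
$ruleName = 'Baseline - Block external auto-forward'  # hypothetical name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'External auto-forwarding is not permitted.' `
        -RejectMessageEnhancedStatusCode '5.7.1'
}
```

Leave the Conditional Access policy in report-only until the sign-in logs show which accounts and devices it would block, then change its state to enabled.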
Licensing: What You Actually Need vs. What You Are Paying For
Microsoft 365 licensing in the Philippines is frequently misconfigured: either over-licensed (paying for Business Premium features that are not being used) or under-licensed (on Business Basic but using security features that require Business Premium). The decision tree:

Business Basic (PHP 400/user/month approximately): appropriate for businesses that only need email, Teams, and web versions of Office apps. No desktop Office apps, no Intune, no Azure AD P1.

Business Standard (PHP 850/user/month approximately): adds desktop Office apps and additional collaboration features. Still no Intune, no Conditional Access policies, no Azure AD P1.

Business Premium (PHP 1,700/user/month approximately): adds Microsoft Intune, Defender for Business, Azure AD P1 (Conditional Access), and Azure Information Protection.

If you have compliance requirements, operate in a regulated industry, or have a distributed team accessing company systems from personal devices, Business Premium is the correct license. The additional cost pays for itself in the security capability it enables.
About the Author
Renz Gutierrez Belda
IT Support Specialist / Co-Founder · GemuCube Solutions
IT Support professional with enterprise ITSM experience at NXTGEN Industries, TaskUs, and Intelegencia. PMP certified. Specialist in Microsoft 365, Azure AD, and AI data operations.