What We'll Do
Create the Microsoft 365 Business Premium tenant (without Teams, saving ~$2/user/month), verify the boardwalkrealestate.com domain, and create user accounts for every employee. From day one, the new environment will have multi-factor authentication, identity-based Conditional Access policies, and modern threat protection in place.
This is the foundation everything else builds on. Entra ID (Microsoft's cloud identity service) replaces your on-premises Active Directory. Instead of logging in to a local domain server, users will authenticate directly with Microsoft's cloud, which is protected by the same infrastructure that secures millions of enterprise accounts worldwide.
In the v1.0 proposal, security policies were enforced both at the identity layer (MFA, Conditional Access) and the device layer (Intune compliance, Autopilot). In v2.0, we do not manage devices. All security enforcement happens at the identity and application layer — who can sign in, from where, and under what conditions. This is simpler to deploy and does not require new PCs.
Licensing
| Service | Per User | Users | Monthly Cost |
|---|---|---|---|
| Microsoft 365 Business Premium (no Teams) | ~$20 | 20 | ~$400 |
| Defender for Office 365 P1 (mandatory) | $2 | 20 | $40 |
| Total Monthly | | | ~$440 |
Microsoft offers Business Premium without Teams at ~$20/user instead of $22. For a 20-person office that already communicates by phone and email, Teams is not a day-one requirement. This saves ~$40/month ($480/year). If Boardwalk decides to adopt Teams later, it can be added as a standalone license.
What's Included with Business Premium
Exchange Online
50 GB email per user, shared calendars, contacts, and company address book. This replaces Exchange 2013 entirely.
SharePoint & OneDrive
Cloud file storage with 1 TB per user. Company files live in SharePoint; personal files sync through OneDrive. Replaces the on-premises file server.
Entra ID & Conditional Access
Cloud identity with MFA, Conditional Access policies, and self-service password reset. Replaces Active Directory with zero on-premises infrastructure.
Defender for Business
Enterprise-grade endpoint protection available for users who install desktop Office. Replaces Vipre antivirus with significantly stronger coverage.
Password Policy
Password policy follows NIST SP 800-63B best practices: longer passwords, no arbitrary expiration, and a custom banned word list relevant to the business.
| Setting | Value | Rationale |
|---|---|---|
| Password expiration | OFF | Per NIST SP 800-63B — forced rotation leads to weaker passwords |
| Minimum length | 12 characters | SOP-004 requirement |
| Custom banned passwords | boardwalk, realestate, closing, listing, broker | Block predictable business-related passwords |
| Account lockout | 5 attempts / 30 minutes | SOP-004 requirement |
| Self-service password reset | Enabled (MFA verification required) | Reduces help desk calls |
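As an added illustration of what the custom banned list in the table actually blocks (not the proposal's or Microsoft's code), the script below approximates Microsoft's documented Entra password protection scoring: normalize the candidate, match banned terms, count one point per matched term and one per remaining character, and reject anything below five points. It omits the fuzzy (edit-distance-1) matching step, so it is slightly more permissive than the real service, and the global banned list is a constructed stand-in, since Microsoft's is not published.

```python
# Phase 1 custom banned list from the proposal.
CUSTOM_BANNED = ["boardwalk", "realestate", "closing", "listing", "broker"]
# Constructed stand-in for Microsoft's global banned list, which is not public.
GLOBAL_BANNED = ["password", "welcome", "summer", "spring"]
# Substitutions the service normalizes away before matching.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def normalize(password: str) -> str:
    """Lowercase the candidate and undo common leetspeak substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned: list) -> tuple:
    """Return (points, matched_terms) using the documented scoring rule."""
    norm = normalize(password)
    matched = []
    remaining = norm
    # Longest terms first so a long term is consumed before any shorter one inside it.
    for term in sorted(banned, key=len, reverse=True):
        if term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "", 1)
    # Each matched term scores 1 point, every leftover character 1 point.
    points = len(matched) + len(remaining)
    return points, matched


def is_allowed(password: str, min_length: int = 12) -> bool:
    """Apply the Phase 1 rules: 12-character minimum plus banned-password scoring."""
    if len(password) < min_length:
        return False
    points, _ = score(password, CUSTOM_BANNED + GLOBAL_BANNED)
    return points >= 5
```

The scoring shows that the list stops short, predictable variants such as Br0kerListing! but not a long password that merely contains a banned word, which is why the 12-character minimum and MFA carry most of the weight.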
Multi-Factor Authentication (MFA)
Every account requires MFA from day one. SMS-based MFA is explicitly disabled per security best practices.
| Method | Status | Notes |
|---|---|---|
| Microsoft Authenticator (push + number matching) | Enabled | Primary method for all users |
| FIDO2 security keys | Enabled | For admin accounts (phishing-resistant) |
| SMS | Disabled | SOP-004 prohibits SMS-based MFA (SIM swap risk) |
| Voice call | Disabled | Same risk profile as SMS |
Conditional Access Policies
Conditional Access policies control who can sign in, from where, and under what conditions. In the v2.0 model, all policies are identity-based — no device compliance checks, because we do not manage devices.
| Policy | Target | Condition | Action |
|---|---|---|---|
| Require MFA — All Users | All users, all apps | Any sign-in | Require MFA |
| Block Legacy Auth | All users, all apps | Legacy authentication clients | Block |
| Block Risky Sign-ins | All users, all apps | Medium+ sign-in risk | Block |
| Block Risky Users | All users, all apps | High user risk | Require password change |
| Admin MFA — Strict | Admins group | Any sign-in | Require phishing-resistant MFA (FIDO2) |
| Session Timeout — Standard | All users | Any | Sign-in frequency: 12 hours, no persistent browser |
| Session Timeout — Admin | Admins group | Any | Sign-in frequency: 1 hour |
| Block Foreign Countries | All users | Non-US locations | Block |
An employee signs in from home in New Hampshire → prompted for MFA → approved. That same credential is attempted from Russia at 2am → blocked automatically. A former employee's compromised credentials are tried from a known botnet → blocked by risky sign-in detection. Legacy email clients that cannot do MFA (like Outlook 2010) → blocked entirely. This is enterprise-grade identity security without touching a single device.
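The eight policies from the table, expressed as Microsoft Graph conditionalAccessPolicy payloads with a small pre-deployment lint, as an added example that is not the proposal's or Microsoft's code. Assumptions: the Admins group object id and the United States named-location id are placeholders to be replaced with the tenant's real ids; the phishing-resistant authentication strength id is Entra's built-in one and should be verified in the tenant; every policy is emitted in report-only state so sign-in logs can be reviewed before any block policy is enforced.

```python
# Placeholders: substitute the real object ids from the tenant before use.
ADMINS_GROUP_ID = "<admins-group-object-id>"
US_LOCATION_ID = "<united-states-named-location-id>"
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in strength id, verify in tenant
REPORT_ONLY = "enabledForReportingButNotEnforced"  # review sign-in logs before enforcing
ADMINS = {"includeGroups": [ADMINS_GROUP_ID]}
BLOCK = {"builtInControls": ["block"]}

def policy(name, conditions=None, grant=None, session=None, users=None):
    """Assemble one conditionalAccessPolicy body covering all cloud apps."""
    body = {"displayName": name, "state": REPORT_ONLY, "conditions": {
        "users": users or {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"], **(conditions or {})}}
    if grant:
        body["grantControls"] = {"operator": "OR", **grant}
    if session:
        body["sessionControls"] = session
    return body

def phase1_policies():
    """The eight policies from the Phase 1 table, as Graph payloads."""
    return [
        policy("Require MFA - All Users", grant={"builtInControls": ["mfa"]}),
        policy("Block Legacy Auth", {"clientAppTypes": ["exchangeActiveSync", "other"]}, grant=BLOCK),
        policy("Block Risky Sign-ins", {"signInRiskLevels": ["medium", "high"]}, grant=BLOCK),
        # Graph requires passwordChange to be paired with mfa under the AND operator.
        policy("Block Risky Users", {"userRiskLevels": ["high"]},
               grant={"operator": "AND", "builtInControls": ["passwordChange", "mfa"]}),
        policy("Admin MFA - Strict", users=ADMINS,
               grant={"authenticationStrength": {"id": PHISHING_RESISTANT}}),
        policy("Session Timeout - Standard", session={
            "signInFrequency": {"value": 12, "type": "hours", "isEnabled": True},
            "persistentBrowser": {"mode": "never", "isEnabled": True}}),
        policy("Session Timeout - Admin", users=ADMINS,
               session={"signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}}),
        policy("Block Foreign Countries", grant=BLOCK, conditions={
            "locations": {"includeLocations": ["All"], "excludeLocations": [US_LOCATION_ID]}}),
    ]

def lint(policies):
    """Problems to clear before switching any policy from report-only to enabled."""
    problems = []
    for p in policies:
        name, users = p["displayName"], p["conditions"]["users"]
        if not (users.get("includeUsers") or users.get("includeGroups")):
            problems.append(f"{name}: targets no users")
        if p.get("grantControls") == {"operator": "OR", **BLOCK} and p["state"] != REPORT_ONLY:
            problems.append(f"{name}: block policy enabled without a report-only run")
    return problems
```

Each payload can be posted as-is to the Graph conditionalAccess/policies endpoint once the placeholders are filled in and the report-only results have been reviewed.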
Setup Checklist
- Purchase Microsoft 365 Business Premium licenses (20 users, no-Teams SKU)
- Add Defender for Office 365 Plan 1 add-on (mandatory — primary email defense layer)
- Create M365 tenant at boardwalkrealestate.com domain
- Verify domain ownership via DNS TXT record at Network Solutions
- Create all user accounts in Entra ID (UPN: user@boardwalkrealestate.com)
- Configure password policy (12-char minimum, no expiration, custom banned words)
- Enable MFA for all users (Microsoft Authenticator, disable SMS/voice)
- Register FIDO2 security keys for admin accounts
- Create security groups mirroring current Active Directory structure
- Configure all 8 Conditional Access policies (see table above)
- Enable self-service password reset with MFA verification
- Configure Defender P1: Safe Links, Safe Attachments, anti-phishing impersonation protection
DNS Changes Required
During Phase 1, only one DNS change is needed at Network Solutions: a TXT record to verify domain ownership with Microsoft. Email (MX records) will not change until Phase 2. There will be no disruption to current email during this phase.
What Users Will Notice
Nothing yet. Phase 1 is entirely back-end setup. Users will continue using their existing computers and email without any changes during this phase. They will receive their new M365 credentials and a self-service setup guide when Phase 5 begins.