As part of my Microsoft 365 learning journey, I wanted to go beyond individual labs and design a mini end-to-end project that combines multiple services together. The idea was to simulate how a real organization sets up users, groups, Teams, and guest access securely. Let's break it down!
🎯 Project Scenario
Imagine a small company setting up Microsoft 365 for the first time. The company needs:
- An HR staff member (Bob) who can help manage users.
- A normal employee (Charlie) with standard access.
- An external contractor (Eve) who collaborates as a guest without needing a license.
- A Global Admin (me) to configure and secure everything.
Step 1: User Setup
Kicked off by creating users in the Admin Center (admin.microsoft.com). This lays the foundation for everything else.
- Bob – HR Staff
- Created user: Users > Active users > Add a user.
- Details: First name "Bob", Last name "M", Username Bob.m@domain, manual password, no force change.
- Assigned Microsoft 365 license.
- Role: Assigned User Administrator via Manage roles – so Bob can handle password resets and user management without full admin power.
- My thoughts: Starting with roles early ensures delegation – HR doesn't need global access.
- Charlie – Normal Employee
- Similar creation: Standard user with license.
- No admin roles – just basic access.
- My thoughts: Keeps it simple; most users shouldn't have extras.
- Eve – Guest Contractor
- To create a guest user, go to the Entra ID portal and, under "New user", choose "Invite external user".
- Enter the guest's email address (e.g., guestuser@gmail.com) and add a display name (e.g., Guest Collaborator). Optionally, add a personal message to explain the invitation.
Knowledge drop: User setup in M365 uses Entra ID (formerly Azure AD) for identity management. Licenses control feature access (e.g., E5 for advanced security), and roles follow least privilege – give only what's needed to avoid risks like accidental deletes.
Step 2: Teams Setup
Jumped to teams.microsoft.com to set up a single Team for collaboration.
- External Collaboration Team: Created a new Team named "External Collaboration," added Bob (HR), Charlie (Employee), and Eve (Guest) as members.
- To maintain control and reduce risk, I adjusted permissions according to the principle of least privilege:
  - Employees have only the rights needed to collaborate (post messages, edit files, create channels).
  - Owners (HR/Admin) retain moderation rights and structural control.
  - Guests are restricted to participation only (chatting, viewing, and editing shared files) without the ability to create or delete channels or apps.
- My thoughts: One Team simplifies things – Eve’s restricted scope keeps it secure and focused.
- Knowledge drop: Teams leverages Microsoft 365 groups for chat, meetings, and channels. Guest access lets externals like Eve join without licenses, restricting them to invited Teams for secure collaboration, such as sharing docs in channels without full tenant access.
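A drift check for the Step 2 layout, added here as an example and not part of the original lab: it compares a Team's guest settings and member roles, in the JSON shape Microsoft Graph returns for a team and its members, with the intended owners and guests. The tenant domain, the second contractor and the function name are constructed for illustration.

```python
"""Compare a Team's guest settings and membership with the Step 2 layout."""

def audit_team(team, members, expected_owners, expected_guests):
    findings = []
    # Guests participate only: both channel permissions must stay off.
    guest_settings = team.get("guestSettings") or {}
    for flag in ("allowCreateUpdateChannels", "allowDeleteChannels"):
        if guest_settings.get(flag):
            findings.append(f"guestSettings.{flag} is enabled")
    # Membership drift: owners and guests must match the intended names.
    for m in members:
        who, roles = m["email"].lower(), set(m.get("roles", []))
        if "owner" in roles and who not in expected_owners:
            findings.append(f"unexpected owner: {who}")
        if "guest" in roles and who not in expected_guests:
            findings.append(f"unexpected guest: {who}")
    return findings

# Constructed sample: one guest flag left on and one guest nobody planned for.
TEAM = {
    "displayName": "External Collaboration",
    "memberSettings": {"allowCreateUpdateChannels": True},
    "guestSettings": {"allowCreateUpdateChannels": False, "allowDeleteChannels": True},
}
MEMBERS = [
    {"email": "admin@contoso.example", "roles": ["owner"]},
    {"email": "bob.m@contoso.example", "roles": ["owner"]},
    {"email": "charlie@contoso.example", "roles": []},          # regular member
    {"email": "guestuser@gmail.com", "roles": ["guest"]},       # Eve
    {"email": "second.contractor@example.org", "roles": ["guest"]},
]
OWNERS = {"admin@contoso.example", "bob.m@contoso.example"}
GUESTS = {"guestuser@gmail.com"}

if __name__ == "__main__":
    for finding in audit_team(TEAM, MEMBERS, OWNERS, GUESTS):
        print(finding)
```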
Step 4: Threat Protection with Microsoft Defender
To beef up security, I configured Defender features in the Microsoft 365 Defender portal (security.microsoft.com).
- Configured Anti-phishing policies: Under Email & Collaboration click Policies & rules > Threat policies > Anti-phishing > + Create policy.
- Enabled the anti-phishing policy for Admin and HR. When a phishing email is detected, it is automatically sent to the user's junk mail. There were many settings to explore, such as AI impersonation detection and adding internal custom domains for protection.
- Enabled an anti-malware policy: in Threat policies > Anti-Malware Policy > Create, and enabled the common attachment filters.
- Simulated phishing attacks: In Attack simulation training > Simulations > + Create simulation, ran a test campaign on users, monitored responses.
- My thoughts: Simulations were eye-opening – shows how users react; easy to set up but powerful for training.
Knowledge drop: Microsoft Defender for Office 365 protects against threats like phishing (anti-phishing blocks spoofed emails) and malware (Safe Attachments scans files, Safe Links rewrites URLs to check in real-time). Simulations train users without real risk, and alerts help quick response – essential for preventing data breaches in email-heavy collab.
Step 5: Security with Microsoft Entra (Azure AD)
Wrapped up with security configs in entra.microsoft.com.
- Enabled MFA for all users via Security > Authentication methods.
- Created Conditional Access policies: Basics > Conditional Access > New policy.
- For guests (Eve): require trusted locations.
  - Give the policy a valid name and, under Users, select the users it applies to.
  - Under Network, in the Exclude tab, choose all trusted networks and locations.
  - Excluded the Global Admin (me) as best practice.
- Enabled "Block legacy authentication" and "Require multifactor authentication for all users" from the Conditional Access policy templates.
- My thoughts: Policies add smarts – block risky logins automatically.
Knowledge drop: MFA blocks 99% of account compromises by requiring a second factor. Conditional Access evaluates sign-ins (e.g., location, device) and enforces rules like block or require MFA. Excluding admins prevents lockouts during setup.
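A check for the Step 5 policies, added here as an example and not part of the original lab: it audits a Conditional Access export (the JSON shape Microsoft Graph returns for policies) for the three intents above, and flags policies that exist but are not enforced or that exclude accounts other than the admin. The sample policies, object IDs and function names are constructed for illustration.

```python
"""Audit exported Conditional Access policies against the three Step 5 intents."""
ADMIN = "00000000-0000-0000-0000-0000000000a1"   # placeholder: excluded admin's object ID
OTHER = "00000000-0000-0000-0000-0000000000c3"   # placeholder: an unplanned exclusion

def _targets(policy, value):
    users = policy["conditions"]["users"]
    if value == "GuestsOrExternalUsers" and users.get("includeGuestsOrExternalUsers"):
        return True                               # newer, structured form of guest targeting
    return value in users.get("includeUsers", [])

def _grants(policy, control):
    return control in (policy.get("grantControls") or {}).get("builtInControls", [])

CHECKS = {
    "block legacy authentication": lambda p: _targets(p, "All") and _grants(p, "block")
        and {"exchangeActiveSync", "other"} <= set(p["conditions"].get("clientAppTypes", [])),
    "require MFA for all users": lambda p: _targets(p, "All") and _grants(p, "mfa"),
    "guests only from trusted locations": lambda p: _targets(p, "GuestsOrExternalUsers")
        and _grants(p, "block")
        and (p["conditions"].get("locations") or {}).get("excludeLocations") == ["AllTrusted"],
}

def audit(policies, allowed_exclusions=(ADMIN,)):
    findings = []
    for intent, matches in CHECKS.items():
        hits = [p for p in policies if matches(p)]
        if not hits:
            findings.append(f"MISSING: {intent}")
        elif not any(p["state"] == "enabled" for p in hits):
            findings.append(f"NOT ENFORCED: {intent} ({hits[0]['state']})")
    for p in policies:
        extra = set(p["conditions"]["users"].get("excludeUsers", [])) - set(allowed_exclusions)
        if extra:
            findings.append(f"UNEXPECTED EXCLUSION: {p['displayName']} excludes {sorted(extra)}")
    return findings

def _policy(name, state, users, grant, **conditions):   # builds one constructed sample policy
    return {"displayName": name, "state": state, "conditions": {"users": users, **conditions},
            "grantControls": {"operator": "OR", "builtInControls": [grant]}}

SAMPLE = [
    _policy("Block legacy authentication", "enabled",
            {"includeUsers": ["All"], "excludeUsers": [ADMIN]}, "block",
            clientAppTypes=["exchangeActiveSync", "other"]),
    _policy("Require multifactor authentication for all users", "enabledForReportingButNotEnforced",
            {"includeUsers": ["All"], "excludeUsers": [ADMIN]}, "mfa", clientAppTypes=["all"]),
    _policy("Guests: trusted locations only", "enabled",
            {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": [ADMIN, OTHER]}, "block",
            locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
]
```

Policies created from the templates start in report-only state, which is why the audit separates a policy that is present from one that is enforced.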
Post-Lab Wrap-Up: Reflections and Wins
This project demonstrates how external collaboration can be set up in Microsoft Teams securely and with control. Instead of enabling guest access across the board, I scoped permissions to a dedicated team, managed through a security group, and applied least privilege at every step. The result is a setup where external users can work efficiently with internal members while minimizing risks. This project not only shows practical skills in Microsoft 365 and Teams administration but also reinforces a key security principle: grant only what’s needed—nothing more.