Establish and Configure Your M365 Tenant
Create a Microsoft 365 tenant, add custom domains, and configure organisation settings — the foundational decisions that shape everything else.
What does “establishing a tenant” actually mean?
A tenant is your organisation’s private corner of the Microsoft cloud.
Think of it like signing the lease on a new office building. The building (Azure infrastructure) already exists — you’re claiming a floor, putting your name on the door, adding your logo, setting the door codes, and deciding which rooms people can access. That lease agreement is your tenant — a dedicated, isolated instance of Microsoft 365 tied to your organisation’s identity.
The first three decisions — region, domain, and org settings — are permanent or expensive to change later. Get them right now.
Creating the tenant
When Marcus takes on the M365 Platform Lead role at Oakwood Financial, the tenant already exists — but it was set up hastily during a trial. Here’s what he needs to verify:
| Decision | What to Check | Why It Matters |
|---|---|---|
| Tenant region | Settings > Organization profile > Data location | Determines data residency. Cannot be changed post-creation. |
| Default domain | oakwoodfinancial.onmicrosoft.com | Permanent. Used for admin accounts, fallback routing. |
| Tenant name | Organisation name in profile | Appears in emails, sharing invitations, and admin portals. |
| Release preferences | Settings > Org settings > Release preferences | Standard vs Targeted release. Targeted gives early access to features. |
Exam tip: Tenant region is permanent
The exam loves testing whether you know which decisions are reversible vs permanent. Tenant region (data residency) is set at creation and cannot be changed. The only way to move data to a different region is Multi-Geo (additional licensing) or tenant-to-tenant migration (painful and expensive). Domain names and org settings, by contrast, can be changed later.
Implementing and managing domains
Every M365 tenant gets a default *.onmicrosoft.com domain. For production use, you need custom domains.
The domain verification process
- Add the domain in the Microsoft 365 admin center (Settings > Domains)
- Verify ownership by adding a DNS record (TXT or MX) to your public DNS
- Configure DNS records for M365 services:
| DNS Record | Type | Purpose |
|---|---|---|
| MX | Mail exchange | Routes email to Exchange Online |
| CNAME (autodiscover) | Alias | Outlook client auto-configuration |
| TXT (SPF) | Sender verification | Prevents email spoofing |
| CNAME (DKIM) | Signature | Cryptographic email signing |
| TXT (DMARC) | Policy | Tells receivers how to handle failed SPF/DKIM |
| SRV | Service locator | Skype for Business/Teams federation (legacy) |
Marcus’s domain challenge
Oakwood Financial has three domains: oakwoodfinancial.com (primary), oakwood.com.au (legacy), and oakwoodwealth.com (subsidiary). Marcus needs to:
- Verify all three — each needs its own TXT record
- Set one as default — oakwoodfinancial.com becomes the primary SMTP domain
- Keep legacy domains — users with @oakwood.com.au addresses can still receive email
- Plan for DKIM/DMARC on all domains — not just the primary
Deep dive: Why DMARC matters for the exam
DMARC (Domain-based Message Authentication, Reporting & Conformance) is increasingly tested on MS-102. Key points:
- DMARC builds on SPF and DKIM — it tells receiving mail servers what to do when both fail
- p=none — monitor only (start here)
- p=quarantine — send to junk
- p=reject — block the message entirely
- Microsoft recommends starting with p=none and moving to p=reject after monitoring
- DMARC reports are sent to the email address in the rua= tag
The exam may ask: “Marcus configures SPF and DKIM but email still gets spoofed. What should he add?” Answer: DMARC with at least p=quarantine.
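To make the DMARC stages and the "all domains, not just the primary" point concrete, here is an added example (not part of the original study guide) that parses each domain's _dmarc TXT record and reports where it sits on the p=none to p=reject path. The record values, the dmarc@ report mailbox, and the function names are constructed for illustration.

```python
# Constructed sample TXT records for Oakwood's three domains (not real DNS data).
SAMPLE_TXT = {
    "_dmarc.oakwoodfinancial.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@oakwoodfinancial.com"],
    "_dmarc.oakwood.com.au": ["v=DMARC1; p=none"],
    "_dmarc.oakwoodwealth.com": [],
}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a TXT value into a tag dict; return None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def audit_domain(domain, txt_lookup):
    """Return (policy, findings) for the TXT records at _dmarc.<domain>."""
    found = [parse_dmarc(r) for r in txt_lookup.get(f"_dmarc.{domain}", [])]
    records = [t for t in found if t]
    if not records:
        return None, ["no DMARC record published"]
    if len(records) > 1:
        return None, ["multiple DMARC records: receivers apply none of them"]
    tags = records[0]
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in POLICIES:
        findings.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none is monitor only; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not collected")
    return policy or None, findings


def audit_all(domains, txt_lookup=SAMPLE_TXT):
    """Audit every domain, so legacy and subsidiary domains are not skipped."""
    return {d: audit_domain(d, txt_lookup) for d in domains}


if __name__ == "__main__":
    domains = ["oakwoodfinancial.com", "oakwood.com.au", "oakwoodwealth.com"]
    for domain, (policy, findings) in audit_all(domains).items():
        print(domain, policy, findings or "ok")
```

To audit live domains, pass a dict built from real TXT lookups of each _dmarc.<domain> name in place of SAMPLE_TXT.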
Configuring organisation settings
The Microsoft 365 admin center (admin.microsoft.com) has two critical settings areas:
Organisation profile
| Setting | Where | What It Controls |
|---|---|---|
| Organisation information | Settings > Org settings > Organization profile | Name, address, phone, technical contact |
| Release preferences | Same section | Standard or Targeted release track |
| Custom themes | Same section | Branding for the admin portal (logo, colours) |
| Help desk information | Same section | Custom support contact shown to users |
Security and privacy settings
| Setting | Where | What It Controls |
|---|---|---|
| Password expiration policy | Settings > Org settings > Security & privacy | Whether passwords expire (Microsoft now recommends no expiry with MFA) |
| Self-service password reset | Configured in Entra (covered in Module 12) | Whether users can reset their own passwords |
| Idle session timeout | Settings > Org settings > Security & privacy | Auto sign-out after inactivity |
| Customer Lockbox | Security & privacy | Requires approval before Microsoft support accesses your data |
| Privileged access | Security & privacy | Approval workflow for high-impact admin tasks |
| Feature | Standard Release | Targeted Release |
|---|---|---|
| Who gets features | All users, after validation | Selected users or entire org, before general availability |
| When features arrive | After targeted release validation | Days to weeks before standard |
| Best for | Production stability | Testing new features, preparing change management |
| Risk level | Low — features are validated | Medium — occasional bugs in early access |
| Exam relevance | Know it exists | Know how to configure and who to include |
Priya’s global configuration challenge
At GlobalReach Corp, Priya configures release preferences differently:
- Targeted Release for select users — her team of 5 admins get features early
- Standard Release for everyone else — 20,000 users stay on stable builds
- This lets her team document changes and prepare training before features reach all users
Exam tip: Customer Lockbox
Customer Lockbox is a frequently tested concept. It requires your explicit approval before Microsoft support engineers can access your tenant data. Without it, Microsoft can access data during support cases with internal approval only. The exam may ask: “What must Elena enable to ensure MedGuard Health controls when Microsoft accesses patient data?” Answer: Customer Lockbox.
Knowledge check
Marcus is setting up Oakwood Financial's M365 tenant. The company has offices in Sydney and Melbourne. He needs email to flow through Exchange Online and wants to prevent domain spoofing. Which combination of DNS records must he configure for the custom domain oakwoodfinancial.com?
Priya wants to test new M365 features with her admin team before rolling them out to GlobalReach's 20,000 users. What should she configure?
Elena needs to ensure that Microsoft support engineers cannot access MedGuard Health's tenant data without explicit approval from her team. Which feature should she enable?