
Microsoft 365 for Nonprofits: A Setup Checklist That Pays Off
Microsoft offers UK charities ten free Business Premium licences plus 75 percent off everything else. Most charities accept the grant, install Outlook and stop. Here are the configuration steps that turn the grant into genuine productivity, security and savings.
A small UK charity gets approved for Microsoft's nonprofit programme, installs Outlook and Teams, and considers the work done. Two years later their staff are sharing files through personal OneDrives, their domain is unprotected from spoofing, their licences are over-assigned, and they have never touched the security baseline. The grant is good. The configuration is the work.
This is the setup checklist most charities never get given. Run through it in a focused two-day sprint and you will land with a tenant that is secure, organised, properly licensed and ready to grow.
Phase 1: Tenant essentials (half a day)
Verify and harden the domain
- Add and verify your primary domain (yourcharity.org.uk) in Microsoft 365 admin centre.
- Publish SPF, DKIM and DMARC records using Microsoft's exact instructions. Do not skip DMARC; start with p=none and tighten in a few weeks.
- Enable Modern Authentication tenant-wide (it should be on by default on any tenant created after 2022, but verify).
- Disable legacy authentication protocols (POP, IMAP, SMTP AUTH for users) in the Authentication policies. This single step blocks most credential-stuffing attacks against Office 365 accounts.
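As an added example (not from Microsoft or the original article), the Python sketch below lints SPF and DMARC TXT values offline for the problems this step is meant to catch: a missing Microsoft 365 include, a permissive `all`, and a DMARC policy still sitting at p=none. The function names are hypothetical and the sample records are constructed around the yourcharity.org.uk placeholder.

```python
# Added example: offline lint for SPF and DMARC TXT values (names are hypothetical).
# Microsoft's documented SPF include for Exchange Online.
M365_SPF_INCLUDE = "include:spf.protection.outlook.com"

# Constructed sample records for the article's placeholder domain.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC_START = "v=DMARC1; p=none; rua=mailto:dmarc@yourcharity.org.uk"


def parse_dmarc(txt):
    """Split a DMARC TXT value into a dict of its ';'-separated tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt):
    """Return findings for one DMARC record; empty means enforcing and reporting."""
    if not txt.strip().upper().startswith("V=DMARC1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to tighten against")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return findings


def check_spf(txt):
    """Return findings for one SPF record on a domain that sends via Microsoft 365."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    if M365_SPF_INCLUDE not in terms:
        findings.append("Microsoft 365 include is missing")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders are not addressed")
    elif all_terms[-1][0] in "+?a":  # bare 'all' means '+all'
        findings.append("'all' qualifier does not fail unlisted senders")
    return findings
```

Paste in the TXT values your DNS host actually serves; a DMARC record that still returns the p=none finding after a few weeks of clean reports is the cue to tighten.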
Set up the security baseline
- Enable security defaults if you have fewer than 20 staff, or build a Conditional Access policy set if you need more nuance.
- Require MFA for every account, including the admin account. Where possible, use the Microsoft Authenticator app rather than SMS.
- Create a break-glass administrator account with a long random password, store the password in a sealed envelope in your office safe, and exclude it from MFA so you can recover access if everything else fails.
- Enable mailbox audit logging for every mailbox (often off by default for older tenants).
Phase 2: Licensing and accounts (half a day)
Most charities over-license. A clean licence model saves money and reduces breach surface.
- Assign Business Premium to staff who need full Outlook, Teams, SharePoint and security features (usually all paid staff).
- Assign Microsoft 365 Apps for Nonprofits (free) to regular volunteers who need Word/Excel/Outlook in a browser. They do not need a Business Premium seat.
- Assign Exchange Online Plan 1 or Microsoft 365 Business Basic to staff who only need email (rare, but exists).
- For shared mailboxes (info@, fundraising@, donations@), use the free shared mailbox feature, not a paid licence with a shared password.
Audit licences quarterly. The two most common waste patterns: leavers still licensed (should be removed within 30 days) and volunteers given a paid licence when the free one would do.
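The quarterly audit described above, sketched in Python as an added example (not part of the original article or any Microsoft tooling). The CSV columns, the sample rows and the function name are assumptions; map your own user export to them.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not a Microsoft format.
SAMPLE_CSV = """upn,role,left_on,licence
amira@yourcharity.org.uk,staff,,Business Premium
ben@yourcharity.org.uk,staff,2026-01-10,Business Premium
cara@yourcharity.org.uk,volunteer,,Business Premium
dev@yourcharity.org.uk,volunteer,,Apps for Nonprofits
ed@yourcharity.org.uk,staff,2026-03-01,Business Basic
fay@yourcharity.org.uk,staff,2026-02-20,
"""

# Plans the article treats as paid seats.
PAID = {"Business Premium", "Business Basic", "Exchange Online Plan 1"}
LEAVER_GRACE_DAYS = 30  # the article's removal deadline for leavers


def audit_licences(csv_text, today):
    """Return (upn, finding) pairs for the two waste patterns named in the article."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        licence = row["licence"].strip()
        if not licence:
            continue  # nothing assigned, nothing to reclaim
        if row["left_on"]:
            # Any licence on a leaver is waste and an unused sign-in path.
            days = (today - date.fromisoformat(row["left_on"])).days
            state = "overdue" if days > LEAVER_GRACE_DAYS else "within grace"
            findings.append((row["upn"], f"leaver still licensed ({days} days, {state})"))
        elif row["role"] == "volunteer" and licence in PAID:
            findings.append((row["upn"], "volunteer on paid licence"))
    return findings


if __name__ == "__main__":
    for upn, finding in audit_licences(SAMPLE_CSV, date(2026, 3, 15)):
        print(f"{upn}: {finding}")
```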
Phase 3: Files and collaboration (one day)
SharePoint structure
Create a SharePoint site for each persistent team or function. A small charity rarely needs more than:
- Fundraising
- Operations and finance
- Communications
- Services or programmes
- Trustees (with restricted access)
Each site gets a Document Library, a few Lists for tasks and trackers, and a Microsoft Teams channel connected to it. Avoid creating one Team per project; you will end up with hundreds. Use channels inside the main team sites instead.
OneDrive and migration
OneDrive holds individual working files. The two anti-patterns to fix at the start: team files stored in a single person's OneDrive, and personal copies of shared files saved locally that drift from the master version.
Migrate any existing shared file store (Dropbox, Google Drive, on-prem file server) using the free Microsoft Migration Manager. Plan for one weekend per 100 GB and verify access rights at the end.
Phase 4: Teams and meetings
- Set guest-access policy: allow external guests to join meetings, but require approval for membership of teams.
- Enable cloud recording for meetings, with automatic transcription where useful.
- Configure a default Teams meeting policy with lobby on for external participants.
- Add your branded background image and lobby music if you want a polished feel for supporter-facing meetings.
Phase 5: Maintenance rhythm
A 90-minute admin sit-down once a month covers the recurring tasks that keep the tenant healthy. Designate one staff member as the M365 lead, even if they are not technical, and give them this list:
- Leavers: deactivate accounts, transfer OneDrive contents to manager, remove licence.
- Joiners: create account, assign licence, add to teams, enrol device in Intune or run the manual security baseline.
- Licence audit: confirm assigned licences match active users.
- Security report: review the Microsoft Defender for Office 365 weekly summary and the Secure Score change for the month.
- Backup verification: confirm your third-party backup tool (Microsoft 365 native retention is not a backup) completed clean runs.
On backups, briefly
Microsoft 365 retains deleted items and supports restoration for a limited period, but the platform terms specifically state that Microsoft is not responsible for the long-term backup of your data. For trustee-level peace of mind, run a third-party backup (Datto, Barracuda, Veeam for M365, AvePoint or similar) on a daily schedule with 12-month retention. Charity pricing usually puts this under 200 pounds a year for a small team.
Microsoft 365 done well is one of the best deals in UK charity infrastructure. Done partially, it is a vector for breaches and frustration in roughly equal measure.
The next 90 days
- Days 1 to 14: Phase 1 (tenant essentials) and Phase 2 (licensing).
- Days 15 to 45: Phase 3 (files and collaboration), in parallel with team training sessions.
- Days 46 to 75: Phase 4 (Teams policy and meetings). Decommission any duplicated tools (separate Zoom accounts, separate file-sharing tools).
- Days 76 to 90: Phase 5 (maintenance rhythm) embedded as a recurring monthly diary entry for the named M365 lead.
Ninety days, a tenant that works, costs that match what you actually use, and a security posture that survives a regulator inspection. The Microsoft grant rewards the charities that finish the setup, not just the ones that accept it.
Frequently asked questions
How many free Microsoft 365 licences can UK charities claim?
Qualifying registered charities receive up to ten free Microsoft 365 Business Premium licences. Additional licences are available at 75 percent off list price. Charities with more than 300 total staff qualify for Enterprise plans instead, with similar discounts.
Should we use SharePoint or OneDrive for file storage?
Both, for different things. OneDrive is for an individual staff member's working files. SharePoint is for files the team shares. The most common mistake is storing team files in one person's OneDrive and losing access when they leave. Move shared files to SharePoint as the first organising step.
How much should a charity pay for additional Microsoft licences?
After the ten free Business Premium seats, charity-priced Business Premium is approximately 4.20 pounds per user per month (2026 list at 75 percent discount). Volunteer accounts can use the free Microsoft 365 Apps for Nonprofits plan, which gives Word, Excel, PowerPoint and Outlook web at no cost.
Do we need a third-party email security tool on top of Microsoft 365?
Business Premium includes Microsoft Defender for Office 365 Plan 1, which covers anti-phishing, safe attachments and safe links. For most small and medium UK charities that is enough. Layer on a dedicated tool only if you have specific compliance requirements or have suffered a recent incident.