Establish and Configure Your M365 Tenant

What does “establishing a tenant” actually mean?

Creating the tenant

When Marcus takes on the M365 Platform Lead role at Oakwood Financial, the tenant already exists — but it was set up hastily during a trial. Here’s what he needs to verify:

Decision	What to Check	Why It Matters
Tenant region	Settings > Organization profile > Data location	Determines data residency. Cannot be changed post-creation.
Default domain	oakwoodfinancial.onmicrosoft.com	Permanent. Used for admin accounts, fallback routing.
Tenant name	Organisation name in profile	Appears in emails, sharing invitations, and admin portals.
Release preferences	Settings > Org settings > Release preferences	Standard vs Targeted release. Targeted gives early access to features.

💡 Exam tip: Tenant region is permanent

The exam loves testing whether you know which decisions are reversible vs permanent. Tenant region (data residency) is set at creation and cannot be changed. The only way to move data to a different region is Multi-Geo (additional licensing) or tenant-to-tenant migration (painful and expensive). Domain names and org settings, by contrast, can be changed later.

Implementing and managing domains

Every M365 tenant gets a default *.onmicrosoft.com domain. For production use, you need custom domains.

The domain verification process

1. Add the domain in the Microsoft 365 admin center (Settings > Domains)
2. Verify ownership by adding a DNS record (TXT or MX) to your public DNS
3. Configure DNS records for M365 services:

DNS Record	Type	Purpose
MX	Mail exchange	Routes email to Exchange Online
CNAME (autodiscover)	Alias	Outlook client auto-configuration
TXT (SPF)	Sender verification	Prevents email spoofing
CNAME (DKIM)	Signature	Cryptographic email signing
TXT (DMARC)	Policy	Tells receivers how to handle failed SPF/DKIM
SRV	Service locator	Skype for Business/Teams federation (legacy)

Marcus’s domain challenge

Oakwood Financial has three domains: oakwoodfinancial.com (primary), oakwood.com.au (legacy), and oakwoodwealth.com (subsidiary). Marcus needs to:

• Verify all three — each needs its own TXT record
• Set one as default — oakwoodfinancial.com becomes the primary SMTP domain
• Keep legacy domains — users with @oakwood.com.au addresses can still receive email
• Plan for DKIM/DMARC on all domains — not just the primary

ℹ️ Deep dive: Why DMARC matters for the exam

DMARC (Domain-based Message Authentication, Reporting & Conformance) is increasingly tested on MS-102. Key points:

• DMARC builds on SPF and DKIM — it tells receiving mail servers what to do when both fail
• p=none — monitor only (start here)
• p=quarantine — send to junk
• p=reject — block the message entirely
• Microsoft recommends starting with p=none and moving to p=reject after monitoring
• DMARC reports are sent to the email address in the rua= tag

The exam may ask: “Marcus configures SPF and DKIM but email still gets spoofed. What should he add?” Answer: DMARC with at least p=quarantine.

Configuring organisation settings

The Microsoft 365 admin center (admin.microsoft.com) has two critical settings areas:

Organisation profile

Setting	Where	What It Controls
Organisation information	Settings > Org settings > Organization profile	Name, address, phone, technical contact
Release preferences	Same section	Standard or Targeted release track
Custom themes	Same section	Branding for the admin portal (logo, colours)
Help desk information	Same section	Custom support contact shown to users

Security and privacy settings

Setting	Where	What It Controls
Password expiration policy	Settings > Org settings > Security & privacy	Whether passwords expire (Microsoft now recommends no expiry with MFA)
Self-service password reset	Configured in Entra (covered in Module 12)	Whether users can reset their own passwords
Idle session timeout	Settings > Org settings > Security & privacy	Auto sign-out after inactivity
Customer Lockbox	Security & privacy	Requires approval before Microsoft support accesses your data
Privileged access	Security & privacy	Approval workflow for high-impact admin tasks

Standard Release vs Targeted Release

Feature	Standard Release	Targeted Release
Who gets features	All users, after validation	Selected users or entire org, before general availability
When features arrive	After targeted release validation	Days to weeks before standard
Best for	Production stability	Testing new features, preparing change management
Risk level	Low — features are validated	Medium — occasional bugs in early access
Exam relevance	Know it exists	Know how to configure and who to include

Priya’s global configuration challenge

At GlobalReach Corp, Priya configures release preferences differently:

• Targeted Release for select users — her team of 5 admins get features early
• Standard Release for everyone else — 20,000 users stay on stable builds
• This lets her team document changes and prepare training before features reach all users

💡 Exam tip: Customer Lockbox

Customer Lockbox is a frequently tested concept. It requires your explicit approval before Microsoft support engineers can access your tenant data. Without it, Microsoft can access data during support cases with internal approval only. The exam may ask: “What must Elena enable to ensure MedGuard Health controls when Microsoft accesses patient data?” Answer: Customer Lockbox.

Key concepts to remember

Question

What happens if you don't add a DMARC record for your custom domain?

Click or press Enter to reveal answer

Answer

Receiving mail servers have no policy for handling emails that fail SPF and DKIM checks. Spoofed emails using your domain may still be delivered. Microsoft recommends DMARC with at least p=quarantine.

Click to flip back

Question

Can you change a tenant's data residency region after creation?

Click or press Enter to reveal answer

Answer

No. The home data residency region is permanent. To store data in additional regions, you need Microsoft 365 Multi-Geo licensing. Full tenant migration to a different region requires tenant-to-tenant migration.

Click to flip back

Question

What is Customer Lockbox?

Click or press Enter to reveal answer

Answer

A feature that requires your organisation's approval before Microsoft support engineers can access your tenant data. Without it, Microsoft uses internal approval. Available in E5 or as an add-on.

Click to flip back

Question

What DNS record type is used to verify domain ownership in Microsoft 365?

Click or press Enter to reveal answer

Answer

A TXT record (preferred) or MX record. The TXT record contains a unique verification string provided by the M365 admin center. It proves you control the domain's DNS.

Click to flip back

Knowledge check

Knowledge Check

Marcus is setting up Oakwood Financial's M365 tenant. The company has offices in Sydney and Melbourne. He needs email to flow through Exchange Online and wants to prevent domain spoofing. Which combination of DNS records must he configure for the custom domain oakwoodfinancial.com?

AMX, SPF (TXT), DKIM (CNAME), and DMARC (TXT)BMX and A records onlyCCNAME (autodiscover) and SRV records onlyDSPF (TXT) and PTR records only

Check Answer

Knowledge Check

Priya wants to test new M365 features with her admin team before rolling them out to GlobalReach's 20,000 users. What should she configure?

AStandard Release for the entire organisationBTargeted Release for select users, adding only her admin teamCTargeted Release for the entire organisationDCreate a separate test tenant for feature evaluation

Check Answer

Knowledge Check

Elena needs to ensure that Microsoft support engineers cannot access MedGuard Health's tenant data without explicit approval from her team. Which feature should she enable?

AMicrosoft Entra Privileged Identity ManagementBConditional Access policiesCCustomer LockboxDAdministrative units

Check Answer

---

Next up: Monitoring Tenant Health and Network Readiness — keeping 20,000 users online means knowing about problems before they call you.