How to Set Up a Microsoft 365 SharePoint Site for a Small Business

Using Global Admin To Set Up Shared Microsoft 365 Services

If you are running a small business on Microsoft 365 with around four employees, you might be tempted to let everyone share files through OneDrive for Business. It is simple, familiar, and feels like using a personal folder. When it comes to managing shared resources, though, SharePoint is the better choice.

SharePoint sites should be set up by a global administrator. Why? Because shared services like SharePoint are central to your business: they hold the files, folders, and data that several people need to access. If individual users create these services, content becomes fragmented, hard to manage, and potentially insecure. When the person who set up a SharePoint site leaves your business, ownership of and access to that site must be carefully reassigned, or the site and its contents are at risk.

A global admin ensures:

  • Consistency in naming, structure, and permissions.
  • Security by controlling who can access what.
  • Scalability for future growth or integration with tools like Microsoft Teams.

Even if you are not IT-literate, Microsoft 365 makes it surprisingly easy to set up a SharePoint site. You do not need to write code or understand complex systems; just follow a few guided steps that reflect Microsoft’s conventional advice.

Why Not Just Use OneDrive for Business?

OneDrive for Business is great for personal work files. But it’s not designed for team collaboration. Here’s why SharePoint is better for shared work:

  • Centralized Access: Everyone knows where to find files.
  • Permission Control: You decide who sees what.
  • Integration: SharePoint works seamlessly with Microsoft Teams, Outlook, and other 365 apps.

Using OneDrive for shared files can lead to confusion, version conflicts, and accidental data loss. SharePoint avoids these problems by offering a structured, secure environment.

How to Set Up a SharePoint Site in Microsoft 365

If you have not worked with SharePoint or shared resources before, we recommend that you first establish a “sandbox” site to experiment with. This lets you and other capable users in your workgroup test features and behaviours before building a “production” SharePoint site. We can also help where services need to be deployed rapidly, or when non-standard features are needed.

Follow the steps below for a global admin to create a SharePoint site:

  1. Log in to Microsoft 365 Admin Center
    1. Go to https://admin.microsoft.com and sign in with your global admin account.
  2. Open SharePoint Admin Center
    1. From the left-hand menu, choose “Admin centers” > “SharePoint.”
  3. Create a New Site
    1. Click “Create” > “Team site.” Give it a name like “Sales Team” or “Operations.”
  4. Assign Owners and Members
    1. Add yourself as the owner and include relevant employees as members.
  5. Set Permissions
    1. Decide who can edit, view, or manage files. You can always adjust these later.
  6. Start Uploading and Organizing Files
    1. Use folders to keep things tidy. You can also add document libraries, calendars, and lists.
  7. Connect to Microsoft Teams (Optional)
    1. If your team uses Teams, you can link the SharePoint site directly for easy access.

Why You Should Fragment Sites by Department or Role

Even in a small business, not everyone needs access to everything. Creating separate SharePoint sites for different teams or roles helps to:

  • Protect Confidential Information
    • For instance, HR files should not be visible to sales staff. Finance documents should be restricted.
  • Improve Security
    • Fewer people with access means fewer chances of accidental changes or leaks.
    • If an account or site is compromised, segmentation limits how far an intruder can reach.
  • Simplify Collaboration
    • Each team gets a space tailored to their needs, without clutter from other departments.

Example structure

Organizations have differing needs so there is no uniform site structure that is “right”. However, most businesses have common “departments” that classify files and data, like:

  • Sales Site: For client proposals, CRM exports, and pitch decks.
  • Finance Site: For invoices, budgets, and payroll.
  • HR Site: For contracts, onboarding documents, and policies.
  • IT Site: For managing IT assets and connecting to external support.

A structured approach like this makes it easier to manage permissions, scale resources, and audit access later on.
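
The guided steps above and the department structure just described can also be carried out from the SharePoint Online Management Shell, which makes site naming, ownership and sharing settings repeatable and easy to audit. The script below is an added example, not part of the original article; the tenant name “contoso”, the user principal names and the 1 GB storage quota are assumptions to replace with your own.

```powershell
# Added example (not from the original article): create one team site per
# department with the SharePoint Online Management Shell
# (module Microsoft.Online.SharePoint.PowerShell), run as a Global Administrator.
# Assumptions: tenant prefix "contoso", the user principal names below, 1 GB quota.

$tenant = "contoso"                             # assumption: your tenant prefix
$admin  = "admin@contoso.onmicrosoft.com"       # assumption: the global admin UPN

Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# One entry per department, mirroring the example structure in the article.
# Only the listed members (plus the admin owner) get access to each site.
$sites = @(
    @{ Name = "Sales";   Title = "Sales Site";   Members = @("alice@contoso.com", "bob@contoso.com") },
    @{ Name = "Finance"; Title = "Finance Site"; Members = @("carol@contoso.com") },
    @{ Name = "HR";      Title = "HR Site";      Members = @("dave@contoso.com") },
    @{ Name = "IT";      Title = "IT Site";      Members = @("admin@contoso.onmicrosoft.com") }
)

foreach ($s in $sites) {
    $url = "https://$tenant.sharepoint.com/sites/$($s.Name)"

    # STS#3 is the "Team site (no Microsoft 365 group)" template, so membership is
    # controlled purely through the site's own Owners / Members / Visitors groups.
    if (-not (Get-SPOSite -Identity $url -ErrorAction SilentlyContinue)) {
        New-SPOSite -Url $url -Title $s.Title -Owner $admin -StorageQuota 1024 -Template "STS#3"
    }

    # Block sharing with anyone outside the tenancy. Internal access still has to
    # be granted explicitly by a site owner, which is the point of segmenting sites.
    Set-SPOSite -Identity $url -SharingCapability Disabled

    # Department staff go into the default Members group (edit rights).
    # Nobody is added to Visitors, so nothing is readable tenancy-wide by default.
    foreach ($upn in $s.Members) {
        Add-SPOUser -Site $url -LoginName $upn -Group "$($s.Title) Members"
    }
}

# Audit pass: list the groups and their users for each site so permissions can be
# reviewed (and re-reviewed when someone leaves the business).
foreach ($s in $sites) {
    $url = "https://$tenant.sharepoint.com/sites/$($s.Name)"
    Write-Host "== $($s.Title) ($url) =="
    Get-SPOSiteGroup -Site $url | Select-Object Title, Users | Format-Table -AutoSize
}
```

Re-running the script is safe: existing sites are skipped at creation and only their sharing setting and membership are reapplied.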

Summary

Setting up a SharePoint site in Microsoft 365 does not require deep technical knowledge. Global admins are in the best position to create a secure, organized, and scalable environment for your team. Avoid the pitfalls of using OneDrive for shared work, and use SharePoint for what it is built to do: collaborate securely and efficiently. It is no secret: OneDrive for one, SharePoint for sharing.

If you are unsure where to start, do not be afraid to get in touch. We have a wealth of experience, and even if we do not have an immediate solution, our job is to know where to find the right answer fast.

About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including web design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.

How to Set Up Microsoft Authenticator MFA for 365

Introduction: Why MFA Setup in Entra Matters

Multi-Factor Authentication (MFA) is the principal sign-in method for Microsoft 365 accounts. Setting up Microsoft Authenticator MFA for 365 establishes a vital layer of protection by requiring you to verify your identity with more than just a password. Your Microsoft 365 tenancy manages MFA from its Entra portal, not from the Microsoft 365 admin dashboard.

This guide helps you understand how Microsoft Authenticator MFA for 365 setup works, including:

  • Logging into Microsoft Entra with your 365 credentials to configure Microsoft Authenticator.
  • Enabling SMS authentication (if your tenancy is configured to allow this).
  • Adding a second device for secondary/failover access.

Our associated article discusses how to back up your MFA credentials. For support notes about restoring access to Microsoft 365 when your MFA credentials are lost, read this article.

Please read through this entire article before starting the procedure. Contact us for general advice if you are in doubt; support options are available for professional assistance.

What Is Microsoft Entra and Why Use It for MFA?

MFA procedures are consistent with an industry move towards passwordless sign-ins. Consumer-level password protection in Gmail, Yahoo, and other platforms is convenient, but password protection alone is inadequate for meeting GDPR Compliance standards in commerce. Even consumer platforms like Gmail now encourage passwordless sign-in. MFA helps to:

  • Keep your 365 account accessible to you
  • Build GDPR-compliant practices
  • Reduce the risk of malicious infiltration and identity theft

Microsoft Entra centralizes your security settings, including MFA, passwordless login, and device authentication. If you are a Microsoft 365 user, you or your organization are already using Entra within your tenancy. So, you are not required to subscribe to Entra as an additional service for Microsoft Authenticator MFA for 365 setup.

Benefits of Using Entra for MFA

  • Centralized control over authentication methods
  • Enhanced security with multiple verification options
  • Flexibility to add or remove devices securely
  • Compatibility with SMS, app-based, and hardware token methods

Moving towards passwordless sign-in

The IT industry as a whole recognizes that password protection alone is flawed, so MFA is increasingly adopted as vendors introduce secure passwordless sign-in. This means that MFA, and similar technologies like 2FA, are here to stay. One could argue that you should adopt MFA to comply with GDPR, but the bigger issue is the risk of catastrophic damage to your online identity and data. Seen this way, the fact that MFA is “compliant” is incidental.

This is why MFA is the default sign-in method for Microsoft 365: you and every other user in your 365 tenancy must configure at least one secure MFA method. This is most conveniently done with the Microsoft Authenticator app. SMS authentication is optional, and we recommend that you use it as a secondary sign-in option if your tenancy supports it. Where we have configured 365 MFA for you, or you retain us to support your Microsoft 365 tenancy, we usually enable SMS support by default.

Step-by-Step: How to Set Up Microsoft Authenticator in Entra

Preparation: what you need

MFA pairs your phone with your 365 account, so you will need your mobile phone. Before you begin, also check that your Microsoft 365 tenancy allows SMS authentication for end users and that you have access to your usual laptop or desktop computer. If you are not a Global Administrator, check with your IT manager.

Allow for some flexibility in this workflow. Before you start, it is worth checking that your phone can download the Microsoft Authenticator app from the Apple App Store (iOS) or Google Play Store (Android), and downloading it in advance. If your mobile phone is outdated or unsupported, the Microsoft Authenticator app will not be available to you in your store; if so, consider upgrading your device or using SMS authentication.

Workflow to Set Up MFA with Microsoft Authenticator for 365

  1. Log into Entra Security Info Portal with your laptop/desktop computer:
    1. Visit https://mysignins.microsoft.com/security-info
    2. Sign in using your Microsoft 365 credentials.
  2. Add Microsoft Authenticator:
    1. Click + Add sign-in method
    2. Choose Authenticator App
    3. Follow the prompts to install the app on your mobile device
    4. When you reach a screen showing a QR code, set your computer aside with the QR code displayed on screen
  3. Configure your mobile phone:
    1. On your mobile device, go to the App Store (iOS) or Google Play (Android).
    2. Search for Microsoft Authenticator and install it.
    3. With Microsoft Authenticator App open:
      1. Click + (i.e. add account) at the top right or left of your screen
      2. Open the option to scan a QR code
      3. Allow the app permission to use your camera
      4. Scan the QR code showing on your computer screen with your phone
      5. Go back to your computer and click Next

Remember to click Next (below the QR code) on your computer after you have scanned the QR code with your phone.

Once you have successfully scanned the QR code with your phone and clicked <Next> on your computer’s security center page (below the QR code), the process is complete. There are two more steps for you to take:

  1. Test your configuration:
    1. Entra will send you an MFA code to test the setup as soon as the server detects the successful QR scan. The procedure works in the same way as SMS verification, but using the Microsoft Authenticator app. The graphic at the top of this article demonstrates what you can expect to see. Having gone to so much trouble to get this far, allow yourself the thrill of seeing this work – it is actually pretty cool!
  2. Review Microsoft Authenticator App settings, and also your mobile phone settings if necessary to choose personal preferences. For instance:
    1. You may want verification to include the added security of validating your fingerprint or retina.
    2. In some instances, your phone might ask you to sign in to your phone before you can access Authenticator. Some people prefer this. Others prefer to bypass their phone sign-in screen so that they can respond to their MFA prompts faster. This is a matter of personal preference.
    3. Lastly, you should enable backups and accept periodic updates.

Additional authentication methods using Microsoft Authenticator MFA for 365

The steps above are the minimum needed to configure Microsoft Authenticator MFA. Read the next section to learn how to add optional SMS authentication for redundancy.

You can also configure Microsoft Authenticator MFA for 365 on a second mobile phone. This is useful where an email account is shared between two geographically separate offices, or where the first phone is at risk of loss or damage.

Create another Global Administrator account

Another way to protect access to your tenancy is to create another Global Administrator. A Global Administrator does not need a Microsoft 365 license, and in large organizations the principal Global Administrator does not even use an email account; that way, sensitive server-side functions can be handled without the usual risks associated with an email-enabled user. Some considerations need addressing to elevate privileges for security functions that are normally reserved for the tenancy owner. We can help configure a secondary Global Administrator.
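
As an added example (not from the original article), the following Microsoft Graph PowerShell script creates the kind of cloud-only second Global Administrator described above: no licence, no mailbox, and a one-time initial password to be stored offline. The tenant domain, account name and the Microsoft.Graph module are assumptions; the role template id is the well-known id of the Global Administrator role.

```powershell
# Added example (not from the original article): create a cloud-only secondary
# Global Administrator with Microsoft Graph PowerShell (Microsoft.Graph module).
# Assumptions: tenant domain "contoso.onmicrosoft.com", account name below,
# and that you sign in as an existing Global Administrator.

Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$upn = "secondary-admin@contoso.onmicrosoft.com"   # assumption: use your own tenant domain

# Generate a long random initial password. It is shown once at the end so it can be
# recorded offline (password safe or sealed envelope), never sent by email.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

# No licence is assigned, so the account has no mailbox and no OneDrive:
# nothing to phish and nothing to lose if a mail-enabled user is compromised.
$user = New-MgUser -DisplayName "Secondary Global Administrator" `
    -UserPrincipalName $upn `
    -MailNickname "secondary-admin" `
    -AccountEnabled `
    -PasswordProfile @{
        Password                      = $initialPassword
        ForceChangePasswordNextSignIn = $true
    }

# 62e90394-69f5-4237-9190-012177145e10 is the template id of the built-in
# Global Administrator role; DirectoryScopeId "/" applies it tenancy-wide.
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $user.Id `
    -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `
    -DirectoryScopeId "/"

# Confirm: account enabled, zero licences assigned.
Get-MgUser -UserId $user.Id -Property DisplayName, UserPrincipalName, AccountEnabled, AssignedLicenses |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled,
        @{ Name = "Licences"; Expression = { $_.AssignedLicenses.Count } }

# MFA is registered by the user, not by an admin (see the MFA article), so the
# next step is to sign in as this account once and register Authenticator plus
# a backup method, then keep the account out of day-to-day use.
Write-Host "Initial password for $upn (record offline, then sign in and register MFA): $initialPassword"
```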

MFA - What To Do If You Change Your Phone

The easiest way to move to a new mobile phone is to set up Microsoft Authenticator on the new phone while the old one is still working. With both phones available:

  • Log into your security info page with your laptop/desktop
  • Click + Add sign-in method
  • Choose Authenticator App
  • Generate a QR code and set the computer aside for the time being

On your NEW phone:

  • Install Authenticator and select Work or School account.
  • Scan the QR code shown on your computer.
  • Approve the authentication request on your new device.
  • Remove the old device from the Security Info page.

Enable SMS Authentication (Optional but Recommended)

If your organization allows SMS as an MFA method:

  1. In the Security Info portal, click + Add sign-in method
  2. Select “Phone”
  3. Enter your mobile number and choose Text me a code
  4. Enter the verification code when it arrives by SMS

SMS is considered less secure than app-based authentication, so by default the Microsoft Authenticator app verifies your Microsoft 365 sign-ins over Wi-Fi or the mobile network. SMS remains a valuable backup method, especially if your primary device is unavailable.

Add a Second Device for Secondary Access

Sometimes it helps to have a second mobile device to authenticate your Microsoft 365 sign-in. This might be necessary where authentication is needed from two geographically separate locations, since the same mobile phone cannot be at each location simultaneously. A second phone can also help avoid lockouts. This is optional and not usually necessary. However, if you do need a second device for authentication, you can configure Microsoft Authenticator MFA for 365 with this additional step:

  1. Install Microsoft Authenticator on your second mobile phone
  2. Log into https://mysignins.microsoft.com/security-info from your desktop/laptop computer
  3. Add a new sign-in method and repeat the QR code scan process
    1. Be sure to scan the QR code with your SECOND DEVICE per the workflow outlined above
  4. Verify the second device by approving a test notification

This ensures you can still access your account if your principal mobile phone is lost or damaged.

When SMS is enabled, notice that when signing in with an Authenticator code the Authenticator pop-up offers options to authenticate by other means. This way, if app-based MFA does not authenticate, you can opt to receive a conventional SMS/text.

Summary and Next Steps

Setting up and managing Microsoft Authenticator MFA for 365 helps to secure access to your Microsoft 365 account. If your organization keeps compliance documentation, update it with your procedures so that you have a stated policy governing sign-ins.

Next step – backup your MFA credentials

For added security, you can back up your Microsoft Authenticator app sign-in accounts. Even if your mobile phone is configured to back up your data, MFA credentials are excluded from Android/iOS backups unless provisioned in the Microsoft Authenticator app.

Read this article to learn how to back up your Microsoft Authenticator settings and avoid losing access. Remember, MFA is now a user-level utility and admins/global admins cannot intervene on a user’s behalf. So, it is important to be sure that organizational users have MFA credential backups to ensure rapid restoration of services if they lose or damage their mobile phones.

Also, consider a stress test to learn what you would need to demonstrate to Microsoft if your Global Administrator loses MFA credentials. Read this article to learn about force majeure MFA recovery.

How to Back Up MFA Credentials with Microsoft Authenticator Backup

Introduction: Why Microsoft Authenticator Backup is Essential

Multi-Factor Authentication (MFA) is a critical security layer for Microsoft 365 and other cloud services. If your mobile device is lost, stolen, or replaced, you risk losing access to your accounts unless your MFA credentials are backed up. Microsoft Authenticator backup enables you to restore your MFA settings to a new device.

Where does Microsoft Authenticator backup my credentials?

MFA backups are not saved in Microsoft 365 accounts. This is because:

  1. Microsoft Authenticator can store credentials for your personal sign-ins too.
  2. If you are locked out of Microsoft 365, you cannot recover the credentials needed to restore them.

Depending on whether you use Android or iOS, Microsoft Authenticator offers different backup options—each designed to keep your credentials secure and recoverable. If you have a personal Microsoft account, you are already equipped to make Microsoft Authenticator backups.

You can configure Microsoft Authenticator to back up to iCloud and Google Drive too. If you are blocked from your iCloud/Google/Microsoft account (i.e. you have lost your password), there is still a partial workaround – see guidance under “alternative method” header. This requires you to have your existing device handy.

Please read through this entire article before starting the procedure. Contact us for general advice if you are in doubt; support options are available for professional assistance.

Microsoft Authenticator MFA Backup Features

Your MFA credentials are always excluded from your device’s usual iOS or Android backup procedures, so Microsoft Authenticator MFA backup has to be enabled and scheduled from within the Microsoft Authenticator app. This way, your MFA keys receive additional protection. When you configure Microsoft Authenticator MFA Backup, the app also includes MFA accounts for other services that you rely on for OTP (One-Time Passcode) or TOTP (Time-based OTP).

Microsoft Authenticator Backup features

Microsoft Authenticator Backup procedures are easy to schedule. You only need to provide Microsoft Authenticator with your credentials when you configure backups for either a Microsoft personal account or an iCloud account. Features include:

  • You can connect to a Microsoft personal account or iCloud.
  • iCloud and iCloud Keychain can handle backups automatically.
  • Work and school accounts are supported.
  • No admin action is required for organizations.
  • Third-party TOTP credentials (like Google, Amazon, etc.) are included.

Android vs iOS considerations

  • On Android, backup is stored in the Microsoft cloud and tied to your Microsoft personal account.
  • On iOS, backup is stored in iCloud and iCloud Keychain. Microsoft account backup is no longer supported on iOS.
  • Backups are not cross-compatible between Android and iOS. You cannot restore an Android backup on an iPhone or vice versa.

How Microsoft Entra Portal Supports MFA Management

Microsoft Entra ID (formerly Azure AD) uses a unified Authentication Methods Policy. This service is included in Microsoft 365 and it streamlines MFA setup and backup across all user types. Remember, Microsoft Authenticator MFA is a user-level process. This means that Global Administrators cannot configure MFA for you. Entra ID facilitates:

  • Centralized control of MFA, SSPR, and passwordless options.
  • Granular policy settings for different user groups.
  • Future-proof integration with Microsoft’s evolving identity tools.
  • Easier onboarding and recovery for users.
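
To see what the Authentication Methods Policy actually allows in your tenancy (for instance whether the SMS method mentioned in the preparation step is enabled) and which methods a given user has already registered, an administrator can query it with Microsoft Graph PowerShell. This is an added example, not code from the original article; the scopes assume an administrator sign-in and the user name is a placeholder.

```powershell
# Added example (not from the original article): read the tenancy's
# Authentication Methods Policy and one user's registered methods with
# Microsoft Graph PowerShell (Microsoft.Graph module).
# Assumptions: you sign in as an administrator who can read policies and user
# authentication methods; "alice@contoso.com" is a placeholder user.

Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.Read.All"

# Tenancy-wide policy: one configuration per method (e.g. "MicrosoftAuthenticator",
# "Sms", "Fido2"), each with State "enabled" or "disabled".
$policy  = Get-MgPolicyAuthenticationMethodPolicy
$methods = $policy.AuthenticationMethodConfigurations

$methods | Select-Object Id, State | Sort-Object Id | Format-Table -AutoSize

# The two methods this guide relies on.
$authenticator = $methods | Where-Object { $_.Id -eq "MicrosoftAuthenticator" }
$sms           = $methods | Where-Object { $_.Id -eq "Sms" }

if ($authenticator.State -ne "enabled") {
    Write-Warning "Microsoft Authenticator is disabled by policy; users cannot register the app."
}
if ($sms.State -ne "enabled") {
    Write-Warning "SMS is disabled by policy; the 'Phone > Text me a code' option will not be offered."
}

# Per-user view: what has this user already registered? Check this before removing
# an old phone, or to confirm a backup method (SMS, second device) exists.
# Admins can read this but cannot register Authenticator on the user's behalf.
$upn = "alice@contoso.com"   # placeholder user
Get-MgUserAuthenticationMethod -UserId $upn |
    Select-Object Id, @{ Name = "Type"; Expression = { $_.AdditionalProperties["@odata.type"] } } |
    Format-Table -AutoSize
```

A user who shows only a password method and nothing else is the one most likely to end up in the recovery scenario described later on this page.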

Step-by-Step: How To Configure Microsoft Authenticator MFA Backup

Configure Microsoft Authenticator Backup with a Microsoft Personal Account

  • Open Microsoft Authenticator App on your mobile device.
  • Open the Hamburger icon (usually top right of your App’s screen).
  • Open Settings from the drop-down list.
  • Input your Microsoft (personal) account credentials.
  • Review preferences and save settings.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials using a new iOS or Android device, install Microsoft Authenticator, open the app, and sign into your personal Microsoft account. You will be prompted to restore accounts from backup. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Configure Microsoft Authenticator Backup: iOS/iCloud Backup

  • iOS 16 or later is required – check your device first.
  • Enable iCloud and iCloud Keychain in your mobile device’s device settings.
  • Open Microsoft Authenticator.
  • Go to Settings > iCloud Backup in the Authenticator app and enable backup.
    • This will back up your account names and TOTP (Time-based One-Time Password) credentials to iCloud.
  • To verify that backup is enabled:
    • Open Authenticator > Settings > iCloud Backup.
    • Confirm that the status shows “Backup is on”.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials with a new iOS device, install Microsoft Authenticator and sign in to iCloud in App settings. Your Microsoft Authenticator accounts will be restored automatically. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Configure Microsoft Authenticator Backup: Android

  • Open Microsoft Authenticator.
  • Tap the three-dot menu > Settings.
  • Enable Cloud Backup.
  • Sign in to your Microsoft personal account when prompted.
  • Go to Settings > Cloud Backup in the Authenticator app and enable backup.
    • This will back up your account names and TOTP (Time-based One-Time Password) credentials to your Microsoft account.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials to a new Android device, install Microsoft Authenticator and sign in to your Microsoft personal account in App settings. Your Microsoft Authenticator accounts will be restored automatically. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Alternative Method: No Microsoft, iCloud, or Google account?

If you do not use iCloud or a Microsoft account, follow this manual method:

  1. On your old device, go to Microsoft MFA Setup.
  2. Authenticate and access the Security Info page
  3. Click Add sign-in method > Microsoft Authenticator
  4. On your new phone, install Authenticator and select Work or School account.
  5. Scan the QR code shown on your computer.
  6. Approve the authentication request on your new device.
  7. Remove the old device from the Security Info page.

This method works for users who only use work accounts and want to avoid linking personal Microsoft accounts. However, it is not as robust as the options detailed above and should be considered a last resort. In particular, it depends on still having your old device, so it is of no help if that device has already been lost. Prefer one of the options above.

Summary and Next Steps

Microsoft Authenticator Backup is a simple way for you to securely safeguard your MFA credentials. You can save your MFA credentials using your personal Microsoft account, iCloud, or Google Drive. Microsoft Entra ID security portal centralizes authentication policies, so managing MFA is simple and robust.

Whether you are a Microsoft 365 user, IT admin, or someone who values account security, do make sure your Authenticator app is backed up. It is the best way to avoid lockouts and keep your digital life secure. You can check your Microsoft Authenticator App settings occasionally to check when your last backup was made.

Stress Test

Even with good backup practices, things can still go wrong. Read our guidance in this article to understand what happens if MFA credentials fail and you cannot access 365, and how to respond if a Global Administrator’s MFA credentials fail. Usually, monitoring backups is adequate, but if you are responsible for a multi-user tenancy it is worth testing the scenario to understand how to respond if the worst happens.

For instance, much of the information that Microsoft would ask for to restore access is easily found in a Global Administrator’s 365 dashboard. If your Microsoft 365 dashboard is not accessible, though, how would you compile the information needed to help restore services?

Locked Out of Your Microsoft 365 Account? Here’s What to Do When MFA Recovery Fails

Introduction: Contacting Microsoft for Account Recovery

Despite best practices like setting up Microsoft Authenticator, enabling SMS fallback, configuring secondary devices, and using physical backup options – nothing is bulletproof and you could still find yourself locked out of your Microsoft 365 account. Emergency MFA recovery via Microsoft typically happens when:

  • Your mobile device used for MFA is lost or damaged beyond repair.
  • No backup or secondary authentication method is available.
  • Recovery codes were never generated or stored securely.
  • There is no other Global Administrator for your tenancy to turn to for help.

If this happens to a member of staff, a Global Administrator can usually restore access. What do you do if YOU are the Global Administrator, though? Then contacting Microsoft is the last resort. Be prepared: the process is strict, time-consuming, and necessarily designed to protect your data. This article explains how to prepare for Microsoft intervention. You can avoid this difficult prospect by following our guidelines in this article:

Also, read about enabling secondary devices to reduce the risk of MFA recovery problems in this article:

Please read through this entire article before engaging Microsoft for restoration of service. Contact us for general advice if you are in doubt; support options are available for professional assistance.

What Microsoft Needs to Verify Your Identity

To recover your account if it is blocked, Microsoft must validate that you are the rightful owner of the tenancy. MFA Recovery involves:

  • Filling out Microsoft’s online questionnaire at:
  • Providing a working email address:
    • This is where Microsoft will send updates about your recovery request.
  • Answering detailed questions about your account usage, including:
    • Services used (365 licenses types and quantities)
    • Previous passwords
    • Billing information
    • Devices and locations used to access the account

Verification is not easy – document and prepare a procedure

Microsoft’s online recovery form details more fully what you need to complete it. Microsoft can take 24 hours, or as long as several days or weeks, to validate your identity. This is because of the catastrophic risk that you and Microsoft both face if Microsoft mistakenly provides MFA recovery credentials to a malicious party. So Microsoft has no choice: ID verification is going to be laborious.

Therefore, even for legitimate tenancy owners, verification can be problematic. Larger organizations maintain thorough documentation to comply with GDPR, and occasionally run stress tests to evaluate preparedness for this kind of eventuality. If you maintain thorough documentation, verification will be easier to accomplish; if your GDPR compliance practices are well prepared, you may already have documented procedures.

Step-by-Step: MFA Recovery Workflow

Recovering access to your tenancy is not easily accomplished. This is because you are asking Microsoft for access to not just to your tenancy, but to Global Administrator privileges. Giving MFA Recovery credentials to the wrong entity could have catastrophic consequences for your business. Therefore, Microsoft have to be sure that you are the legitimate Microsoft 365 tenancy owner.


How to apply for MFA Recovery/restoration of access

  1. Use the Sign-In Helper to try all alternative sign-in options.
    1. Microsoft Account Recovery Code
  2. Prepare your information:
    1. Use a computer and location previously associated with your account:
      1. This helps Microsoft match geography and known hardware from past connections.
    2. Gather as much detail as possible about your account history.
  3. Complete Microsoft’s online recovery form:
    1. Submit the form via the Account Recovery Portal
    2. Expect a preliminary response within 24 hours.
  4. If recovery fails:
    1. You may retry twice per day
      1. Review unsuccessful recovery guidance

How Long Does Successful MFA Recovery Take?

  • Initial response: Within 24 hours.
  • Full recovery can take several days depending on the accuracy of your information and the complexity of your account.
  • Retry limit: Up to 2 attempts per day.

Summary - Prevention Is Better Than Cure

Microsoft’s MFA recovery process is intentionally rigorous. Microsoft enforces strict verification to protect sensitive data and prevent unauthorized access. Tenancy owners are strongly encouraged to:

If you have followed the guidance in Comstat’s setup and backup articles, this situation should be avoidable. Hopefully you are here to prepare a test-run for a GDPR Compliance stress test. If you are here because your credentials have failed, Microsoft’s MFA recovery form is your best hope.

About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including website design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.

Create a Microsoft 365 Exchange Online connector

Configuring Microsoft 365 Connector for Web Server Email Relay

Use this summary to successfully configure a Microsoft 365 Exchange Online connector to relay email from a cPanel web server.

Some web server applications might not be equipped to connect to Microsoft 365 to relay email from your web server if you use Multifactor Authentication (MFA) to log in to your email and 365 services.

Instead, an Exchange Online connector recognizes your web server as a legitimate mail server within your Microsoft 365 email environment. This means that a properly configured Exchange Online connector relays email via Microsoft 365 to recipients without having to deal with MFA.

This article shows you how to configure an Exchange Online connector in Microsoft 365 to accept incoming traffic from your web server on port 25 using TLS. This assumes that:

  • your web server application, such as Clientexec, is properly configured to send email using SMTP on port 25.
  • your web server’s email routing configuration is set to “remote mailer”.
  • your web server uses a static IP address.
    • in our default web server configuration, you will need to contact us to arrange an IP address, which is subject to an annually renewable cost.

Click open the headers below to find out more about how you can properly configure your Microsoft Exchange connector on your server.

1. Verify proper admin privileges in 365

Before you create an Exchange Online connector, make sure your Microsoft 365 admin account has the correct permissions, even if you are already a Global Administrator:

  • Go to Microsoft 365 Admin Center > Roles > Admin Roles
  • Assign your account, or the user you want to authorize, to Organization Management if not already enabled

To add your user account to Organization Management role, click open Organization Management and add your user account. If you belong to a group, you can add that group to this role too.


365 admin roles - organization management

This role is required to access and configure TLS settings in connectors. Without this role, TLS options may be hidden even in the new Exchange Admin Center.

2. Access the New Exchange Admin Center

Use Microsoft 365’s modern interface to create and edit an Exchange Online connector:

Note: be sure you are logged in to the new Exchange Admin Center. The legacy admin center will not support the options you need. Log in to the new Exchange Admin Center to manage roles and Mail flow > Connectors. You can tell by checking that the path in your browser navigation bar includes the link above.

3. Create a New Connector

Use these settings:

  • From: Partner organization
  • To: Microsoft 365
  • Purpose: Accept email from your web server

Important configuration steps:

  • Connector Type: Must be set to Partner (not Internal)
  • Sender IP Address: Add your web server’s public IP address
  • TLS settings:
    • Require TLS: Must be checked
    • Require that the subject name of the certificate matches this domain name: Must be checked
    • the domain name you enter must also be registered in your Microsoft 365 tenancy.

Exchange Online connector TLS setting

If you do not see these TLS preferences, you either have insufficient privileges or you have chosen the wrong type of connector.

The last preference enforces certificate validation during the SMTP handshake.

4. Testing the Connector from the Web Server

Verify DNS and SMTP Connectivity

On your web server, use the Linux “dig” command via SSH or cPanel’s terminal to confirm mail flow routing. A Microsoft IP address in the output shows that the outgoing message is routed to Microsoft and is not intercepted by Exim or other processes on your web server.

# Check MX records
dig yourdomainname.com MX

Use OpenSSL to confirm the TLS handshake with the SMTP server, again via SSH or the terminal. You may need to look up your mail host in 365. Usually it looks like “yourdomainname-com” rather than “yourdomainname.com”.

openssl s_client -starttls smtp -connect yourmailhost.mail.protection.outlook.com:25

Send a test email via PHP using a script like:

<?php
// Placeholder addresses: replace both before running.
$to      = "insert valid 365 email address";
$subject = "Test Email from Web Server";
$message = "This is a test message.";
$headers = "From: insert email address";

// mail() hands the message to the server's local mailer, which the
// "remote mailer" routing then forwards to Microsoft 365.
if (mail($to, $subject, $message, $headers)) {
    echo "Email sent successfully.";
} else {
    echo "Email sending failed.";
}

Use different From: and To: addresses to avoid spoofing or loopback issues. This can also be saved as a script, uploaded to public_html on your web server, and run by pointing your browser at the PHP file you have saved. Delete the file after testing.

5. Verify Connector Status with PowerShell

Use Windows PowerShell 5.1 with the Exchange Online Management module. PowerShell 7.x does not currently carry the inventory of cmdlets for Exchange Online that v5.1 supports. If you are not familiar with PowerShell, find help on checking and enabling “ExecutionPolicy” so that scripts can run. Also, you may need to install the Exchange Online Management module, which provides the Connect-ExchangeOnline cmdlet.


# Connect with MFA
Connect-ExchangeOnline -UserPrincipalName youradmin@yourdomain.com
# List connectors
Get-InboundConnector | Format-Table Name, ConnectorType, Enabled, RequireTLS, TlsSenderCertificateName
# Detailed view
Get-InboundConnector -Identity "YourConnectorName" | FL Name, ConnectorType, Enabled, RequireTLS, TlsSenderCertificateName, SenderDomains
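The listing above shows the connector’s settings; the script below goes one step further and checks them against the values steps 1 and 3 call for (Partner type, TLS required, certificate subject name set to your domain, your web server’s IP in the sender list, and your admin in Organization Management). This is an added example, not a ComStat script. The admin UPN, connector name, web server IP (taken from the 203.0.113.0/24 documentation range) and certificate domain are placeholders you replace; the membership check compares your UPN to the member’s primary SMTP address and assumes they match, which is not always the case.

```powershell
# Added example (not ComStat's own script): audit an Exchange Online inbound
# connector against the settings recommended in steps 1 and 3 above.
# Run in Windows PowerShell 5.1 with the Exchange Online Management module
# installed (Install-Module ExchangeOnlineManagement).
# All four values below are placeholders you must replace.
param(
    [string]$AdminUpn      = 'youradmin@yourdomain.com',   # placeholder
    [string]$ConnectorName = 'YourConnectorName',          # placeholder
    [string]$WebServerIp   = '203.0.113.10',               # placeholder (documentation range)
    [string]$CertDomain    = 'yourdomainname.com'          # placeholder: domain on the server's certificate
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
# Interactive sign-in; any MFA prompt appears here.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

$findings = New-Object 'System.Collections.Generic.List[string]'

try {
    # Step 1: is the admin a direct member of Organization Management?
    # Without this role the TLS options on the connector may be hidden.
    # Assumption: the admin's primary SMTP address equals the UPN.
    $orgMgmt  = Get-RoleGroupMember -Identity 'Organization Management'
    $isMember = $orgMgmt | Where-Object { "$($_.PrimarySmtpAddress)" -eq $AdminUpn }
    if (-not $isMember) {
        $findings.Add("$AdminUpn is not a direct member of Organization Management (nested group membership is not checked)")
    }

    # Step 3: connector settings.
    $c = Get-InboundConnector -Identity $ConnectorName -ErrorAction Stop

    if (-not $c.Enabled) {
        $findings.Add('Connector is disabled')
    }
    if ($c.ConnectorType -ne 'Partner') {
        $findings.Add("ConnectorType is '$($c.ConnectorType)'; it must be Partner, not OnPremises")
    }
    if (-not $c.RequireTls) {
        $findings.Add('RequireTls is false; "Require TLS" must be checked')
    }
    $certName = "$($c.TlsSenderCertificateName)"
    if ([string]::IsNullOrWhiteSpace($certName)) {
        $findings.Add('TlsSenderCertificateName is empty; the certificate subject is not validated')
    } elseif ($certName -ne $CertDomain -and $certName -ne "*.$CertDomain") {
        $findings.Add("TlsSenderCertificateName is '$certName', expected '$CertDomain'")
    }
    # SenderIPAddresses holds IP ranges; a single address stringifies as itself.
    $senderIps = @($c.SenderIPAddresses | ForEach-Object { "$_" })
    if ($senderIps -notcontains $WebServerIp) {
        $findings.Add("Sender IP list [$($senderIps -join ', ')] does not include $WebServerIp")
    }

    Write-Host "Connector : $($c.Name)"
    Write-Host "Type      : $($c.ConnectorType)  Enabled: $($c.Enabled)"
    Write-Host "RequireTls: $($c.RequireTls)  Cert name: $certName"
    Write-Host "Sender IPs: $($senderIps -join ', ')"
    Write-Host "Domains   : $(@($c.SenderDomains | ForEach-Object { "$_" }) -join ', ')"

    if ($findings.Count -eq 0) {
        Write-Host 'PASS: connector matches the recommended settings' -ForegroundColor Green
    } else {
        Write-Host "FAIL: $($findings.Count) issue(s)" -ForegroundColor Red
        $findings | ForEach-Object { Write-Host " - $_" }
    }
}
finally {
    # Always close the session, even when Get-InboundConnector throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it as a .ps1 file after setting the four parameters (or pass them on the command line). A FAIL line for RequireTls or TlsSenderCertificateName means the connector would accept mail from your server without the TLS and certificate checks this article relies on, so fix those before relying on the relay.
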

6. Understand Sent Items Behavior

Emails sent via the connector:

  • Do not appear in Sent Items of the mailbox listed in the From: field
  • Are treated as externally relayed messages, not user-initiated

Summary

Microsoft 365 connectors are powerful but require:

  • properly configured 365 admin roles
  • TLS enforcement
  • Correct connector type and IP configuration
  • Careful testing from the sending server
