Setting up Microsoft 365

At this point, the server’s infrastructure is all set. We’ve set up the on-premise domain, servers, file sharing, permissions, group policies, and remote desktop services. What is missing now? The email and office apps so our amazing Team can start working. That’s what this chapter is all about.

Microsoft 365 Set up

There are many email systems available, but our selection is Microsoft 365, which is easy to deploy, manage, verify, and troubleshoot.

Let’s start by creating an Azure tenant account (we can do so by using a personal Microsoft account or an account with any other email provider).

NOTE: We won’t delve into how to create an Azure account today; we will focus on the configuration afterward. For how to create an Azure account, see: How to create an Azure account.

Once we have our Azure account, we also get access to the Microsoft 365 Admin Center, which will help us manage the whole Microsoft 365 suite.

Whenever a new Azure/Microsoft 365 tenant is created, we are provided with a default domain, so our email address ends in .onmicrosoft.com:

Connecting our domain to Microsoft 365

For our emails, we don’t want a domain ending in .onmicrosoft.com; we want to use our own domain: beyondbaremetal.com.

Let’s connect our domain:

Navigate to Microsoft 365 Admin Center > Settings > Domains:

We can see our domain with the email used to create it ending in .onmicrosoft.com

Now let’s select Add Domain:

It will ask for the domain name we want to connect:

In our case: beyondbaremetal.com, then select Use this domain:

Now we have to prove we own the domain by following one of the offered options. In our case, we will select Add a TXT record to the domain’s DNS records:

We will see the required TXT record to add:

In our case, our DNS registrar and nameservers are with Namecheap. Let’s log in there, locate our domain, and add the record:

After the record is added and the ownership of the domain has been verified, we continue by connecting the domain. In this case, we will select Add your own DNS records:

Notice we are requested to add: MX, CNAME, and TXT (SPF) records:

We also have the option to add records for Skype for Business and Intune; we won’t add them for now.

Let’s log in again to Namecheap and add those records:

MX Record:

CNAME Record:

TXT (SPF) Record:

Finally, our domain setup is complete:

We can also verify by navigating to Settings > Domains:

We can select our domain and confirm:

Now we can go back to Users > Active Users to set the domain for our users as beyondbaremetal.com:

We can now select our domain beyondbaremetal.com:

All set:

Now let’s create the rest of the Staff with the proper domain:

Finally, let’s assign a license so everyone can use the Email and Microsoft 365 apps:

We signed up for a free 30-day trial of the Microsoft 365 Business Standard license:

NOTE: For more information about license trials, please visit: Microsoft 365 Free One-Month Trial

NOTE 2: For more information about license types and pricing please visit: Microsoft 365 plans and pricing

All set, the rest of the Staff emails will be created later.

DNS Records

Before continuing with the setup I’d like to take a moment to discuss the DNS records we added.

MX (Mail Exchanger) Record:

It tells mail servers across the Internet that our email provider is Microsoft 365, so mail addressed to our domain is delivered there.

We can confirm that with tools like MXToolBox:

TXT Records:

  • MS Domain Verification:

    • Proves domain ownership
  • SPF (Sender Policy Framework):

    • Email authentication method

    • Specifies authorized mail servers

    • Helps prevent email spoofing

CNAME Record:

  • Autodiscover for Outlook

    • Enables automatic email client configuration

Additional CNAME Records:

DKIM (DomainKeys Identified Mail):

  • Email Authentication

  • Adds cryptographic signature to emails

  • Helps prevent email tampering

  • Emails from domains without DKIM set up tend to end up in the junk folder.

Let’s set it up:

Navigate to: Policies & Rules > Threat Policies > Email authentication settings:

Select our domain: beyondbaremetal.com

Let’s set to Enabled:

We will be provided with 2 CNAMEs that we have to set on our domain’s DNS portal, in this case Namecheap. After that, we can go back and verify it’s enabled:

All set:

Additional TXT Record:

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance):

    • Builds on SPF and DKIM

    • Provides reporting and policy enforcement

    • Helps prevent email phishing

    • Emails from domains without DMARC set up tend to end up in the junk folder

The setup is done entirely on the domain’s DNS portal, in our case Namecheap:

Notice the value is v=DMARC1; p=none

The possible values for the policy tag (p) are:

  • none: Monitoring mode (no action taken)

  • quarantine: Suspicious emails sent to spam

  • reject: Completely block unauthenticated emails

We will set the policy to none for now:
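Once the SPF and DMARC records described above are published, their values can be checked for the usual mistakes. The following is an added example, not part of the original post: it audits TXT record strings for duplicate SPF records, a weak `all` qualifier, a DMARC record that does not start with `v=DMARC1`, and `p=none` without a `rua` reporting address. The function names and the sample records are assumptions constructed for illustration.

```python
# Added example (not from the original post). All record values are constructed samples.

def parse_tags(record):
    """Parse 'v=DMARC1; p=none; rua=...' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def audit_spf(apex_txt):
    """Check the TXT records published at the domain apex for a usable SPF policy."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records means no policy; more than one is a permanent error for receivers.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    findings = []
    last = spf[0].lower().split()[-1]
    if last == "~all":
        findings.append("ends in ~all: unauthorized senders only soft-fail")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append(f"ends in {last!r}: unauthorized senders are not failed")
    return findings

def audit_dmarc(dmarc_txt):
    """Check the TXT records published at _dmarc.<domain>."""
    # The v=DMARC1 tag must come first, otherwise receivers ignore the record.
    records = [r for r in dmarc_txt if parse_tags(r)[:1] == [("v", "DMARC1")]]
    if len(records) != 1:
        return [f"expected exactly one DMARC record, found {len(records)}"]
    tags = dict(parse_tags(records[0]))
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing policy p={policy!r}")
    elif policy == "none":
        findings.append("p=none: monitoring only, receivers take no action on failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports will be received")
    return findings

# Constructed records for a hypothetical domain, shaped like the ones in this chapter.
SAMPLE_APEX = ["MS=ms00000000", "v=spf1 include:spf.protection.outlook.com -all"]
SAMPLE_DMARC = ["v=DMARC1; p=none"]

if __name__ == "__main__":
    print("SPF findings:  ", audit_spf(SAMPLE_APEX))
    print("DMARC findings:", audit_dmarc(SAMPLE_DMARC))
```

The input lists are the TXT strings returned by any lookup tool for the domain itself and for `_dmarc.<domain>`.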

Testing

Let’s have a user login via Outlook Web:

We will get prompted to set up Multifactor Authentication:

Notice we can select Ask later (for 14 days), but let’s add it now. Hit Next:

We will be required to download either a Microsoft Authenticator app or a third-party Authenticator app to our phone:

Once the app is downloaded on our phone, we will be shown a QR code. We can open the app (select Set up a work or school account) and scan it:

Next, a random number will show on the screen, and we will have to enter it in the app on our phone:

Once entered correctly a confirmation message will show:

And we are in:

We can test emails now.

Some external users emailed our user, and the messages were delivered successfully to the Inbox:

We can also test sending an email from our user and verify on Sent Items:

From the Exchange Admin Center, we can navigate to Mail Flow > Message trace:

We can see external emails to our domain being delivered successfully:

We can see the test email from our user to an external one delivered as well:

As a final test, we can log in to BBM-WS01, install the Microsoft Office 365 apps, and open Outlook desktop. Since the user has the Microsoft 365 Standard license assigned, he will be able to work using the desktop version as well:

Let’s open office.com and log in:

Select Install Microsoft 365 Apps:

Open the installer - OfficeSetup:

Let’s now wait for it to install:

Once installed, let’s open Outlook and sign in:

Now we have access to Outlook desktop:

From here, the user is able to work normally with his emails: send, receive, delete, and so on.

Conclusion

Today, we've successfully set up Microsoft 365 for Beyond Bare Metal with the domain beyondbaremetal.com, configuring domain connections, DNS records, and email authentication. We've established a secure email infrastructure with SPF, DKIM, and DMARC, reviewed how to verify email flows with Exchange Online message trace, and demonstrated user onboarding with Multi-Factor Authentication. Finally, we tested with Outlook web and desktop, confirming that emails for our organization are working correctly.

The next steps will be expanding on the Microsoft 365 setup with additional features for Security, Groups, and Rules.

Stay tuned for more content.

Thanks for reading!

Link to the series 👉 https://beyondbaremetal.hashnode.dev/series/beyond-bare-metal-setup