← Back to blog

Microsoft 365 for Schools — How to Set It Up Right

Most schools have Microsoft 365. Fewer have it configured correctly. Here's what's included, what's missing, and how to avoid the most common mistakes.

A1 vs A3 — what's actually included?

Microsoft offers two main licenses for education: A1 (free) and A3 (paid). Many schools run on A1 and believe they have everything they need. That's true — partly.

A1 (free)

Includes web versions of Word, Excel, PowerPoint, and OneNote. Teams for chat, meetings, and classrooms. OneDrive with 1 TB storage per user. SharePoint for document management. Exchange Online for email. Web apps only — no installable desktop applications.

A3 (paid)

Everything in A1 plus: installable Office apps (Word, Excel, PowerPoint, Outlook) on up to 5 devices per user. Microsoft Intune for device management (MDM). Azure AD P1 (now Entra ID P1) with Conditional Access and advanced security rules. Windows upgrade to Education edition. Advanced compliance tools.

The critical difference for schools isn't the Office apps — it's Intune and Conditional Access. Without these two, you lack fundamental control over both devices and sign-ins.

Teams: more than chat

Teams is the hub of M365 for schools. It's where teachers create classrooms, share materials, assign work, and communicate with students and parents. But many schools only use a fraction of the functionality.

  • Assignments — create, distribute, and grade assignments directly in Teams
  • Class Notebook — OneNote notebooks with personal space per student
  • Insights — analytics tools showing student activity and engagement
  • SDS (School Data Sync) — automatic synchronization of classes and students from the school's administrative system

Intune: control over your devices

Intune is Microsoft's MDM solution (Mobile Device Management) and is included in the A3 license. With Intune, the school can:

  • Automatically enroll new devices at first boot (Autopilot/zero-touch)
  • Push apps, policies, and security settings centrally
  • Remote wipe lost or stolen devices
  • Require devices to be encrypted and up to date before accessing school data

For Sweden's digital national exams, Intune is also essential for deploying and configuring Safe Exam Browser on exam devices.

Common mistakes we see

When we conduct IT reviews for schools, we see the same mistakes over and over:

1. No MFA (multi-factor authentication)

This is the single biggest security issue. Without MFA, all it takes is a teacher's password leaking (via phishing or a data breach) for an attacker to gain full access to the school's environment. MFA should be enabled for all accounts — staff, administrators, and ideally students too.

2. No Conditional Access

Conditional Access (requires A3/Entra ID P1) lets you set rules like: "Admin accounts can only sign in from managed devices," "Sign-ins from abroad are blocked," "Unmanaged devices only get web browser access." Without this, all sign-ins are treated equally — regardless of risk.

3. Sharing links set to "Anyone"

In SharePoint and OneDrive, users can create sharing links. The default setting is often "Anyone with the link" — meaning anyone on the internet with the link gets access. We regularly find schools sharing student data, grading documents, and personnel records this way. Change the default to "Only people in your organization."

4. Global Admin for everyone

We see schools where five people have Global Administrator privileges — including accounts used daily. A Global Admin can delete the entire organization's data. Use the principle of least privilege: only grant the permissions needed for the task. Daily-use accounts should never be Global Admin.

How to set up M365 right

A proper Microsoft 365 setup for a school follows these steps:

  1. License selection — evaluate whether A1 is sufficient or if A3 is needed (you probably need A3 for Intune and Conditional Access)
  2. Identity and security — enable MFA for everyone, configure Conditional Access policies, limit Global Admin accounts
  3. School Data Sync — connect your student information system to M365 for automatic class management
  4. Device management — enroll all devices in Intune, configure Autopilot for new purchases
  5. SharePoint and OneDrive — set sharing policies to "Only in organization," structure SharePoint sites for staff and management
  6. Teams — create class teams automatically via SDS, train teachers on Assignments and Class Notebook
  7. Password policy — use longer passwords instead of forced changes every 90 days (Microsoft has recommended this since 2019)
  8. Backup — M365 is not a backup solution; implement third-party backup for email, OneDrive, and SharePoint

Why it's worth getting right from the start

A well-structured M365 environment saves time every day. Teachers don't have to troubleshoot sign-in issues. IT administrators get visibility and control. And the school is prepared for both GDPR audits and digital national exams.

At Strandholm Consulting, we've configured M365 for multiple schools and know exactly which settings are needed for a secure, efficient, and future-proof environment.

We help you set up M365 right

Book a review of your Microsoft 365 environment. We'll find security gaps and optimization opportunities.

Book an M365 review