Initializing Ground Zero: Setting Up a New Microsoft 365 Tenant
Build a new Microsoft 365 tenant from scratch. This guide covers the correct setup sequence, the permanence of the routing domain, and how to avoid common billing and data residency pitfalls during initial provisioning.
The Ticket: The Ground-Up Build
A new client is spinning off from a parent company, or a startup just signed their managed services contract and needs their core infrastructure built from scratch. Before you can migrate a single email or configure an Intune policy, you have to lay the foundation. You need to create the initial Microsoft 365 tenant, generate the permanent routing domain, and establish the true Global Administrator account.
Pre-Flight Check
- Permissions: Access to a valid external email address and a payment method.
- Tools: A web browser. An Incognito or InPrivate window is strictly required.
- Impact: High. The routing domain and the data region selected during this process are permanent. They cannot be changed once the "Start Trial" button is clicked.
The Solution
- Isolate the Session: Open your browser in Incognito or InPrivate mode. If you skip this, your browser will pass your existing MSP token to the Microsoft portal, and you will accidentally apply the trial to your own company's tenant.
- Select the Plan: Navigate to the Microsoft 365 Business products page and select "Try free for one month" under your desired tier (Business Premium is highly recommended for MSP environments).
- Set the Scale: Leave the user count set to 1 and select the monthly billing cycle. Click Next.
- The Verification Email: Enter a valid, accessible external email address. Use the client's current non-Microsoft email or your MSP onboarding address. Click "Set up account".
- Company Details: Enter the exact legal name of the company, a phone number, and the company size.
- CRITICAL: Ensure the "Country or region" is perfectly accurate. This dictates the data residency compliance and cannot be altered later.
- Create the Routing Domain: This is where you define the [company].onmicrosoft.com domain. Type the desired prefix (e.g., mycompany). Microsoft will verify if it is globally unique.
- Create the Global Admin: Create the actual administrator login (e.g., admin@[company].onmicrosoft.com) and generate a highly secure password.
- Billing Information: Add a credit card on file. Since this is a 30-day trial, you will not be charged today.
- Finalize: Review the terms, check the required boxes, and click "Start trial".
The "Why" (Root Cause)
Why do we start with a trial and a .onmicrosoft.com domain instead of just typing in their custom website? Every Microsoft 365 tenant requires a fallback routing domain. Even after you verify their vanity domain (like mycompany.com), the .onmicrosoft.com address acts as the immutable backbone for the environment. It dictates the SharePoint root URL (e.g., mycompany.sharepoint.com) and provides a fail-safe login if the DNS records for the custom domain ever go offline.
We utilize the trial license approach to spin up the container without immediately incurring prorated retail charges. This grants the engineering team a 30-day sandbox to build the conditional access policies, establish the CSP (Cloud Solution Provider) partner relationship, and procure the final, cheaper licenses through the MSP's distributor.
Under the Hood (Technical Deep Dive)
When you click "Start trial", you are triggering a massive orchestration sequence within Azure. Microsoft is provisioning a dedicated partition within Entra ID (formerly Azure Active Directory).
The name you chose generates a globally unique Tenant ID, which is a fixed GUID that third-party applications will use to identify this client forever. The admin@[company].onmicrosoft.com account is injected with the "Company Administrator" role at the directory level. Behind the scenes, the Exchange Online directory structure is initialized, and the SharePoint Online root site provisioning is queued. Because it is reserving namespaces across multiple distributed SQL databases globally, the final loading screen can take several minutes to resolve.
RMM & Automation Tips
You cannot fully automate the credit card entry via an RMM agent, but your automation begins the second the tenant goes live.
- The Baseline Script: Never manually configure a new tenant. Once the admin account is active, connect via Microsoft Graph PowerShell. Run your MSP baseline script to instantly disable legacy authentication, enforce strict Conditional Access policies, strip out the standard Microsoft bloatware settings (like users creating their own Office 365 Groups), and set the default timezone before you even add the custom domain.
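The legacy-authentication step of such a baseline could look like the sketch below. It is an added example, not the MSP's or Microsoft's own script, and it covers only that one step. The parameter names, the policy display name, and the existence of a separate emergency-access account are assumptions made for illustration.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
# Added example. Parameter values and the policy name are placeholders.
param(
    [Parameter(Mandatory)][string]$ExpectedRoutingDomain,  # e.g. mycompany.onmicrosoft.com
    [Parameter(Mandatory)][string]$BreakGlassUpn           # assumed emergency-access admin
)
$ErrorActionPreference = 'Stop'

Connect-MgGraph -Scopes @(
    'Organization.Read.All', 'User.Read.All', 'Policy.Read.All',
    'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'
)

# Guard: the tenant's initial (routing) domain must be the one just provisioned.
# This catches a cached session that signed you in to the wrong tenant.
$initial = (Get-MgOrganization).VerifiedDomains |
    Where-Object { $_.IsInitial } | Select-Object -ExpandProperty Name
if ($initial -ne $ExpectedRoutingDomain) {
    throw "Connected to '$initial', expected '$ExpectedRoutingDomain'. Nothing was changed."
}

# Keep one account outside the policy so a bad rule cannot lock everyone out.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn

# Idempotent: do not create a second copy if the baseline already ran.
$policyName = 'BASELINE - Block legacy authentication'
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }
if ($existing) {
    Write-Output "Policy '$policyName' already exists (state: $($existing.State)); skipping."
    return
}

$policy = @{
    displayName   = $policyName
    # Report-only first; switch to 'enabled' after reviewing the sign-in logs.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')  # legacy-protocol client types
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created '$($created.DisplayName)' ($($created.Id)) in $initial."
```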
Troubleshooting & Edge Cases
- Edge Case 1: The Name is Taken. The .onmicrosoft.com domain must be globally unique. If your client is named "Apex", apex.onmicrosoft.com was taken twenty years ago. You will have to use something like apexholdings.onmicrosoft.com. Keep it highly professional, as this name will be visible to external users whenever they view a shared SharePoint or OneDrive link.
- Edge Case 2: The Billing Trap. If you use your MSP corporate card to start the trial, you must immediately transition the billing to your CSP portal. If you forget to remove the card or flip the licensing model, Microsoft will auto-charge that credit card at full retail price on day 31.
- Edge Case 3: The Phone Number Flag. Microsoft's anti-fraud system tracks phone numbers. If you use your personal cell phone to receive the SMS verification code for too many new tenants in a single week, Microsoft will block the creation process. Use a shared VoIP number that can receive texts for your deployment team.