20 February 2026 · 8 min read · Arviteni

Microsoft 365 for Care Homes: Making the Most of What You Already Pay For

Most care homes pay for Microsoft 365 but only use email and Word. This guide covers the security features, licensing options, and configuration priorities that actually matter for care providers.

Microsoft 365
Security
Care Homes
Compliance

Most care homes run Microsoft 365. They use it for email, Word documents, and perhaps a shared OneDrive folder. What many do not realise is that their licence often includes security and device management features that would cost thousands to buy separately, and those features are sitting there unused and unconfigured.

This is one of the most common problems we see across care organisations. You are paying for Microsoft 365 Business Premium but getting the value of Business Basic. The gap between what you pay for and what you actually use is where some of the most important security improvements sit.

Which plan does your care home need?

Microsoft 365 has several plans, and care homes often end up on the wrong one. Here is what matters.

Microsoft 365 Business Basic (around £4.60 per user per month) includes web and mobile versions of Office apps, Exchange Online email, OneDrive, SharePoint, and Teams. It is adequate for basic email and collaboration but includes almost no security or device management features.

Microsoft 365 Business Premium (around £16.60 per user per month) includes everything in Business Basic plus desktop Office apps, Intune device management, Conditional Access, Defender for Office 365, Azure Information Protection, and advanced threat protection. For care homes that handle sensitive data, this is the plan that matters. The security features in Business Premium directly support DSPT compliance and Cyber Essentials certification.

Microsoft 365 F1 and F3 (around £1.70 and £6.10 per user per month respectively) are designed for frontline workers. F1 provides Teams, Shifts, and basic web apps. F3 adds Intune device management and mobile Office editing. These plans are purpose-built for shift workers who need to communicate and access rotas but do not need full desktop Office.

The licensing strategy that works for most care homes is a mix: Business Premium for management and admin staff, and F1 or F3 for frontline care workers. A care home with 10 admin staff on Business Premium and 70 care workers on F1 would pay around £285 per month. The same home with Business Premium for everyone would pay over £1,300 per month. That is a saving of over £12,000 per year without reducing functionality where it matters.

The security features you are probably not using

If you are on Business Premium but have not configured these features, you are paying for protection you are not getting.

Multi-factor authentication (MFA)

MFA requires a second form of verification when staff sign in, typically a prompt on their phone. Microsoft reports that MFA blocks 99.9% of account compromise attacks. It is free even on Business Basic through security defaults, yet many care homes still operate with passwords alone.

For care organisations, email compromise is the most common attack vector. A phishing email that tricks a care manager into entering their password gives an attacker access to email containing safeguarding referrals, resident information, and commissioner correspondence. MFA stops this.

Conditional Access

Conditional Access policies evaluate signals like user identity, device compliance, and location before granting access. Practical policies for care homes include:

  • Requiring MFA for all users
  • Blocking sign-in from countries outside the UK
  • Requiring a managed, compliant device to access SharePoint where care plans are stored
  • Blocking legacy authentication protocols that bypass MFA

Without Conditional Access, you have no way to prevent staff from accessing sensitive care data on unmanaged personal devices, from unusual locations, or through insecure connection methods.
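Before any of the four policies above is enforced, it helps to know which existing sign-ins they would have affected. The following Python is an added example, not part of the original post: it evaluates a constructed sign-in export against those four rules. The field names follow the Microsoft Graph signIn resource; the users, the sample records and the list of legacy client types are assumptions.

```python
from collections import defaultdict

# Constructed records using a subset of Microsoft Graph signIn fields.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "manager@example.org", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online", "location": {"countryOrRegion": "GB"},
     "authenticationRequirement": "multiFactorAuthentication", "deviceDetail": {"isCompliant": True}},
    {"userPrincipalName": "nurse1@example.org", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "location": {"countryOrRegion": "GB"},
     "authenticationRequirement": "singleFactorAuthentication", "deviceDetail": {}},
    {"userPrincipalName": "carer7@example.org", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online", "location": {"countryOrRegion": "GB"},
     "authenticationRequirement": "multiFactorAuthentication", "deviceDetail": {"isCompliant": False}},
    {"userPrincipalName": "admin@example.org", "clientAppUsed": "Browser",
     "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "RO"},
     "authenticationRequirement": "singleFactorAuthentication", "deviceDetail": {"isCompliant": True}},
]

# Assumed, partial list of client types that cannot satisfy an MFA prompt.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
ALLOWED_COUNTRIES = {"GB"}
SHAREPOINT_APP = "Office 365 SharePoint Online"


def policies_hit(s):
    """Return which of the four policies this sign-in would have triggered."""
    device = s.get("deviceDetail") or {}
    hits = []
    if s.get("authenticationRequirement") != "multiFactorAuthentication":
        hits.append("require_mfa")
    # A missing country is flagged as well, so unknown locations get reviewed.
    if (s.get("location") or {}).get("countryOrRegion") not in ALLOWED_COUNTRIES:
        hits.append("block_non_uk")
    if s.get("appDisplayName") == SHAREPOINT_APP and not device.get("isCompliant"):
        hits.append("require_compliant_device")
    if s.get("clientAppUsed") in LEGACY_CLIENTS:
        hits.append("block_legacy_auth")
    return hits


def impact_report(signins):
    """Map each policy to the sorted list of users it would have affected."""
    affected = defaultdict(set)
    for s in signins:
        for policy in policies_hit(s):
            affected[policy].add(s.get("userPrincipalName", "<unknown>"))
    return {policy: sorted(users) for policy, users in affected.items()}
```

On the sample data, `impact_report(SAMPLE_SIGNINS)` lists nurse1@example.org under `block_legacy_auth`: a mailbox client of that kind has to be migrated before the legacy authentication block is enforced.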

Defender for Office 365

Included in Business Premium, Defender provides Safe Attachments (scanning email attachments in a sandbox before delivery), Safe Links (checking URLs at the time of click), and enhanced anti-phishing protection. This matters for care homes that receive attachments from GPs, pharmacies, local authorities, and families throughout the day.

Intune device management

Intune lets you manage and secure every device that accesses your organisation's data, whether it is a Windows laptop in the office, a shared tablet on a medication trolley, or a care worker's personal phone.

With Intune you can enforce BitLocker encryption on all Windows devices, require screen locks and minimum OS versions, deploy apps silently, and remotely wipe a device that is lost or stolen. For care homes where tablets move around the building and devices occasionally go missing, remote wipe capability alone justifies the configuration effort.

Windows Autopilot, which works with Intune, allows new devices to configure themselves on first boot. A replacement tablet can be shipped directly to the care home: a care worker turns it on and signs in, and the device applies all security policies and installs all required apps automatically. No engineer visit is required.

Data loss prevention (DLP)

DLP policies detect and prevent the sharing of sensitive information. Microsoft 365 includes built-in detection for NHS numbers, National Insurance numbers, and other sensitive data types. A DLP policy can warn or block a care worker who accidentally tries to email a resident's care plan to a personal email address, or prevent bulk exports of resident data.

Start with monitoring mode to understand your data flows, then gradually introduce warnings and blocks for the highest-risk scenarios.
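To show how this kind of detection and the monitor-then-enforce rollout fit together, here is an added Python example that is not from the original post and is not Microsoft's detection logic. It finds NHS numbers using the standard modulus 11 check digit and picks an action per message; the tenant domain, the bulk threshold and the sample message are assumptions.

```python
import re

# Ten digits, optionally grouped 3-3-4 with spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")
ORG_DOMAIN = "carehome.example"   # hypothetical tenant domain
BULK_THRESHOLD = 5                # assumed cut-off for a "bulk export"


def is_valid_nhs_number(digits):
    """Apply the NHS number modulus 11 check to a 10-digit string."""
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def find_nhs_numbers(text):
    """Return the distinct checksum-valid NHS numbers found in text."""
    found = {"".join(m.groups()) for m in CANDIDATE.finditer(text)}
    return sorted(n for n in found if is_valid_nhs_number(n))


def dlp_decision(recipient, body, mode="monitor"):
    """Return (action, matches): audit only in monitor mode, warn or block when enforcing."""
    matches = find_nhs_numbers(body)
    external = not recipient.lower().endswith("@" + ORG_DOMAIN)
    if not matches or not external:
        return "allow", matches
    if mode == "monitor":
        return "audit", matches
    return ("block" if len(matches) >= BULK_THRESHOLD else "warn"), matches


if __name__ == "__main__":
    # Constructed message: 943 476 5919 passes the checksum, 123 456 7890 does not.
    body = "Care plan for resident, NHS no 943 476 5919, phone ref 123 456 7890."
    print(dlp_decision("someone@personal.example", body))
    print(dlp_decision("someone@personal.example", body, mode="enforce"))
```

The checksum step is what keeps phone references and other ten-digit strings out of the audit log, which matters when monitoring mode is being used to judge how noisy a rule will be once it blocks.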

Common mistakes we see in care homes

Shared accounts. Reception@, nurse-station@, and admin@ accounts shared between multiple staff members. This eliminates any audit trail of who did what, makes MFA meaningless, and violates DSPT requirements for individual accountability. Every person who accesses the system needs their own identity.

Not monitoring the admin portal. Microsoft 365 generates security alerts, sign-in anomalies, and compliance recommendations. If nobody is reviewing these, threats go unnoticed. Many care homes have no designated person monitoring their tenant's security posture.

No leavers process. When staff leave, which happens frequently in care with turnover rates of 25 to 35%, their accounts are not disabled promptly. Former employees may retain access to email, SharePoint, and Teams for weeks or months after leaving.
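A leavers gap like this can be measured by comparing the HR leavers list with an export of directory accounts. The following Python is an added example, not part of the original post: both CSV layouts, the account names and the dates are constructed, with the account columns named after the Microsoft Graph user properties they would be exported from.

```python
import csv
import io
from datetime import date, datetime

# Constructed HR leavers list and account export; all names are invented.
HR_LEAVERS_CSV = """upn,leave_date
carer12@carehome.example,2026-01-09
carer31@carehome.example,2026-01-30
cook2@carehome.example,2026-02-13
"""
ACCOUNTS_CSV = """userPrincipalName,accountEnabled,lastSignInDateTime
carer12@carehome.example,true,2026-02-02T21:14:00Z
carer31@carehome.example,false,2026-01-29T07:55:00Z
cook2@carehome.example,true,2026-02-12T06:30:00Z
manager@carehome.example,true,2026-02-19T09:00:00Z
"""


def stale_leaver_accounts(hr_csv, accounts_csv, today):
    """List leavers whose accounts are still enabled, worst first."""
    accounts = {r["userPrincipalName"].lower(): r
                for r in csv.DictReader(io.StringIO(accounts_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(hr_csv)):
        acct = accounts.get(row["upn"].lower())
        if acct is None or acct["accountEnabled"].lower() != "true":
            continue  # account deleted or already disabled
        left = date.fromisoformat(row["leave_date"])
        last = acct["lastSignInDateTime"]
        last_day = datetime.strptime(last, "%Y-%m-%dT%H:%M:%SZ").date() if last else None
        findings.append({
            "upn": row["upn"],
            "days_since_leaving": (today - left).days,
            "signed_in_after_leaving": last_day is not None and last_day > left,
        })
    # Accounts used after the leave date come first, then the longest-open ones.
    findings.sort(key=lambda f: (not f["signed_in_after_leaving"], -f["days_since_leaving"]))
    return findings


if __name__ == "__main__":
    for f in stale_leaver_accounts(HR_LEAVERS_CSV, ACCOUNTS_CSV, date(2026, 2, 20)):
        print(f)
```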

Using WhatsApp for work communication. Many care workers use personal WhatsApp groups to communicate about residents, share photos, and coordinate care. This puts sensitive data on personal, unmanaged devices with no organisational control or audit trail. Staff who leave retain chat history including resident information. Teams replaces this with a managed, auditable, compliant platform.

Over-licensing everyone. Buying Business Premium for every employee including domestic staff, kitchen workers, and part-time carers who only need to check a rota. F1 licences at £1.70 per user would be sufficient for many of these roles.

Microsoft Secure Score

Microsoft Secure Score is a number that represents how well your Microsoft 365 tenant is configured for security. You can find it in the Microsoft 365 Defender portal. The score is calculated based on which security features you have enabled and how they are configured.

A newly created, unconfigured tenant typically scores 20 to 30%. A well-configured Business Premium tenant should target 70 to 80%. The dashboard shows you exactly which actions would improve your score and by how much, giving you a prioritised list of improvements.

Secure Score is useful for three things:

  • DSPT evidence. The dashboard and reports directly evidence your security posture for DSPT submissions.
  • Benchmarking. Microsoft provides industry comparisons so you can see how you compare to similar organisations.
  • Board reporting. A single number that senior management can track over time.

Where to start

If your care home has Business Premium but has not configured the security features, the priority order is:

  1. Enable MFA for all users through security defaults or Conditional Access
  2. Eliminate shared accounts by creating individual identities for every staff member
  3. Enforce BitLocker encryption on all managed Windows devices
  4. Set up Conditional Access to block legacy authentication and require compliant devices
  5. Enable Defender policies for Safe Attachments and Safe Links
  6. Deploy Intune to manage shared tablets and care worker devices
  7. Configure DLP policies starting in monitoring mode
  8. Review Microsoft Secure Score monthly and work through the improvement actions

Each of these steps directly supports your DSPT submission and Cyber Essentials certification. The features are already included in your licence. They just need switching on and configuring properly.

Getting help

The gap between what Microsoft 365 can do and what most care homes actually use it for is significant. Closing that gap does not require new software or additional licensing. It requires someone who understands both the Microsoft 365 platform and the realities of running a care home to configure it properly.

For care homes across the East Midlands, our managed IT service includes Microsoft 365 configuration, security hardening, and ongoing management as part of our partnership with care providers. We configure the features you are already paying for, so they actually protect the data you are responsible for.

Your Microsoft 365 licence is not just email. It is a security platform. The question is whether it is configured to work as one.