
Microsoft 365 for Dental Practices UK (2026): CQC-Ready Setup

Last updated: April 2026

UK dental practices have a specific Microsoft 365 problem: CQC inspections ask about IT security, you handle special category health data, and your practice management system is the centre of everything. Get the wrong tier and you're fighting the CQC's IT questions for the next inspection.

Get the right one and most of the IT side of CQC compliance is already evidenced for you.


The right plan: Business Premium (no, really)

For dental practices, the answer is almost always Microsoft 365 Business Premium at £17.75 per user per month. Not Standard. Not Basic. Premium.

Here's why this is non-negotiable for dental:

  1. CQC's Key Lines of Enquiry include "are systems and processes in place to protect people from harm?" and "is information about people's care managed in line with current legislation?" — both require evidence of device management and access controls. Premium has Intune. Standard doesn't.
  2. NHS Data Security and Protection Toolkit (DSPT) assertions are easier to satisfy with Premium's audit logging, conditional access and Defender for Business already in place.
  3. GDPR Article 32 ("appropriate technical measures") expects a risk-based approach — health data is special category, the bar is higher.
  4. Cyber insurance for dental practices increasingly requires endpoint protection, MFA enforcement, and device controls. Premium delivers all three.

The £17.75 price is small money compared to a CQC visit going badly or a notifiable data breach.


What you also need

Defender for Office 365 Plan 1

£1.72/user/month add-on. Catches phishing emails impersonating suppliers (dental labs, equipment finance companies, GDC, BDA). Worth it.

Microsoft 365 backup

Microsoft does not back up your tenant against staff mistakes. Add a third-party backup (SpinBackup, Datto SaaS, Acronis) at around £3.50/user/month. For dental practices handling appointment data, treatment notes via email, and patient consent forms, this is non-optional.

Practice management system on-premise OR cloud — both fine

Microsoft 365 sits alongside your dental software:

  • Software of Excellence (Exact): usually on-premise on a practice server. Microsoft 365 handles email + general docs separately. Manage the Windows machines via Intune.
  • Dentally: cloud-based, single sign-on with Microsoft 365 supported.
  • iSmile: on-premise; Outlook + Office work alongside.
  • EXACT (Henry Schein): as above for SoE.
  • R4: on-premise; standard Microsoft 365 coexistence.
  • Carestream / Apteryx: imaging platforms; integrate with Microsoft 365 calendar for appointment-based imaging.
  • Open Dental: cloud or on-premise; integrates with Microsoft 365.

Your practice management system should never be ditched in favour of Microsoft 365 — they do different jobs. Microsoft 365 handles email, productivity, secure file storage, identity and device control. Your PM software handles clinical records and appointments.


The patient communication problem

Reception staff routinely email patient communications — appointment reminders, treatment plans, finance details, post-op care. The default Microsoft 365 setup doesn't stop someone CC'ing the wrong person on a sensitive email.

What helps:

  • Sensitivity labels (Azure Information Protection — included in Premium): label emails as "Patient Confidential" so Outlook reminds the sender if external recipients are added
  • Data loss prevention rules: warn if NHS numbers, NI numbers, or specific patterns appear in outgoing email
  • Patient communication via the practice management system rather than ad-hoc Outlook — most modern systems have integrated patient portal messaging

For dental practices, the safest pattern is "appointment-related communications via PM system, general business email via Microsoft 365." Mixing the two is where data leaks happen.
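How a data loss prevention pattern rule of the kind described above can tell real identifiers from lookalikes, as an added Python example (not from the original page and not Microsoft's DLP engine): it validates the NHS number Modulus 11 check digit and the NI number format. The sample email, function names and reference numbers are constructed for illustration.

```python
import re

# NHS numbers are 10 digits, often written 3-3-4 with spaces or hyphens.
NHS_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")
# NI numbers: two prefix letters, six digits, suffix A-D; some prefixes are never issued.
NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r"(?: ?\d{2}){3} ?[A-D]\b",
    re.IGNORECASE,
)


def nhs_checksum_ok(digits: str) -> bool:
    """Modulus 11 check: weight the first nine digits 10..2, compare with the tenth."""
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    # A computed check value of 10 means the number can never be valid.
    return check != 10 and check == int(digits[9])


def scan_outgoing(text: str) -> list[tuple[str, str]]:
    """Return (kind, normalised value) for each identifier found in an email body."""
    hits = []
    for m in NHS_RE.finditer(text):
        digits = "".join(m.groups())
        if nhs_checksum_ok(digits):  # drops order refs and other 10-digit noise
            hits.append(("NHS number", digits))
    for m in NINO_RE.finditer(text):
        hits.append(("NI number", re.sub(r"\s", "", m.group()).upper()))
    return hits


# Constructed sample: one test-range NHS number, one format-valid NI number,
# a 10-digit order reference that fails the checksum, and an 11-digit phone number.
SAMPLE_EMAIL = """\
Hi Sam, treatment plan attached for the patient with NHS no. 943 476 5919.
Finance form lists NI number ab 12 34 56 c. Lab order ref 1234567890,
call us on 02079460123 if anything is unclear.
"""

if __name__ == "__main__":
    for kind, value in scan_outgoing(SAMPLE_EMAIL):
        print(f"WARN: outgoing email contains {kind}: {value}")
```

The checksum step is what keeps the false-positive rate down: a bare 10-digit pattern would also flag the lab order reference.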


Multi-site / group practices

Multi-site groups have a particular challenge: staff move between sites, and IT needs to follow them. Without Intune (Premium tier), every device move is a manual headache.

With Intune:

  • Staff sign into any practice computer with their Microsoft 365 account and get their personalised setup
  • Lost laptop at one site? Remote-wipe just the work data, retain personal photos
  • New starter? Provision their account once centrally and it is available at every site
  • Leaver? Disable their account once and access is blocked at every site

For groups of 3+ practices, Intune pays for itself in IT admin time alone.


What we'd quote

Single-site practice (5 staff: principal, associate, hygienist, 2 reception)

  • 5 × Business Premium (£88.75)
  • 5 × Defender for Office 365 P1 (£8.60)
  • 5 × Microsoft 365 backup (£17.50)
  • Microsoft stack: ~£115/month
  • Plus VoIP for reception phones with call recording (~£60/month for 5 extensions)

2-surgery practice (12 staff)

  • 12 × Business Premium (£213)
  • 12 × Defender for Office 365 P1 (£20.64)
  • 12 × backup (£42)
  • Microsoft stack: £275/month (£3,300/year)
  • Plus VoIP with main number, IVR, call recording (~£140/month)

Group practice (3 sites, 25 staff)

  • 25 × Business Premium (£444)
  • 25 × Defender for Office 365 P1 (£43)
  • 25 × backup (£87.50)
  • Microsoft stack: ~£575/month
  • Plus multi-site VoIP, central reception (~£300/month)
  • 10% bundle saves ~£690/year

CQC and DSPT — what to actually do

You can't buy compliance off the shelf, but Microsoft 365 Business Premium gives you the tools to evidence the technical side:

  • Conditional access policies — document them, export the policy summary, and show it to the CQC inspector
  • Device compliance policies (Intune) — show the list of compliant vs non-compliant devices
  • Defender for Business reports — show recent threat detection and remediation
  • Audit logs — show who accessed which patient-related files when
  • MFA enforcement reports — show that every account uses multi-factor authentication

DSPT toolkit assertions about IT security map directly to the controls Premium provides. We can help compile the evidence pack at audit time.


FAQs

Does Microsoft 365 satisfy CQC's IT security expectations?

Microsoft 365 Business Premium, configured properly, gives you the technical controls (device management, access control, endpoint protection, audit logging) that CQC's KLOEs around information security look for. It doesn't substitute for written policies and staff training, but it provides the underlying evidence.

Is Microsoft 365 covered under the NHS DSPT?

Microsoft holds NHS DSPT certification for Microsoft 365. UK tenant data is stored in UK and Republic of Ireland data centres, satisfying NHS data residency expectations.

Can I use Microsoft Teams for patient consultations?

Yes — Microsoft 365 Business Premium includes Teams meetings, which can be used for video consultations. Recording must be configured carefully (consent, retention) and patient identifiable information should not be discussed in chat. Most practices use a dedicated tele-dental platform alongside Teams for general internal use.

Does my practice management system replace Microsoft 365?

No — they do different jobs. PM systems handle clinical records, appointments and treatment planning. Microsoft 365 handles email, identity management, general file storage, and device control. You need both.

What about backup of my dental software's data?

Your practice management system has its own backup arrangement (cloud or local) — that handles clinical and appointment data. The third-party Microsoft 365 backup we recommend covers email, OneDrive and SharePoint — your business documents, not your clinical records.

Microsoft 365 + reception VoIP for your practice

We'll quote a CQC-ready Premium setup with backup and Defender for Office 365. Plus reception phones with call recording. Bundle for 10% off.
