Prerequisite work for implementing identity and device access policies
This article describes prerequisites that need to be implemented before you can deploy the recommended identity and device access policies. This article also discusses the default platform client configurations we recommend to provide the best SSO experience to your users, as well as the technical prerequisites for conditional access.
Before implementing the recommended identity and device access policies, there are several prerequisites that your organization must meet. The following table details the prerequisites that apply to your environment.
|Configuration||Cloud only||Active Directory with password hash sync||Pass-through authentication||Federation with AD FS|
|Configure Password Hash Sync. This must be enabled to detect leaked credentials and to act on them for risk-based conditional access. Note: This is required regardless of whether your organization uses managed authentication, like pass-through authentication (PTA), or federated authentication.||Yes||Yes||Yes|
|Enable seamless single sign on to automatically sign users in when they are on their corporate devices connected to your corporate network.||Yes||Yes|
|Configure named networks. Azure AD Identity Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Azure AD named networks configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the corporate environment is given a higher risk score.||Yes||Yes||Yes||Yes|
|Register all users for self-service password reset (SSPR) and multi-factor authentication (MFA). We recommend you register users for Azure MFA ahead of time. Azure AD Identity Protection makes use of Azure MFA to perform additional security verification. Additionally, for the best sign-in experience, we recommend users install the Microsoft Authenticator app and the Microsoft Company Portal app on their devices. These can be installed from the app store for each platform.||Yes||Yes||Yes||Yes|
|Enable automatic device registration of domain-joined Windows computers. Conditional access will make sure devices connecting to apps are domain-joined or compliant. To support this on Windows computers, the device must be registered with Azure AD. This article discusses how to configure automatic device registration.||Yes||Yes||Yes|
|Prepare your support team. Have a plan in place for users that cannot complete MFA. This could be adding them to a policy exclusion group, or registering new MFA information for them. Before making either of these security-sensitive changes, you need to ensure that the actual user is making the request. Requiring users' managers to help with the approval is an effective step.||Yes||Yes||Yes||Yes|
|Configure password writeback to on-premises AD. Password writeback allows Azure AD to require that users change their on-premises passwords when a high-risk account compromise is detected. You can enable this feature using Azure AD Connect in one of two ways: either enable Password Writeback in the optional features screen of the Azure AD Connect setup wizard, or enable it via Windows PowerShell.||Yes||Yes||Yes|
|Enable Azure Active Directory Identity Protection. Azure AD Identity Protection enables you to detect potential vulnerabilities affecting your organization’s identities and configure an automated remediation policy to low, medium, and high sign-in risk and user risk.||Yes||Yes||Yes||Yes|
|Enable modern authentication for Exchange Online and for Skype for Business Online. Modern authentication is a prerequisite for using multi-factor authentication (MFA). Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business.||Yes||Yes||Yes||Yes|
Recommended client configurations
This section describes the default platform client configurations we recommend to provide the best SSO experience to your users, as well as the technical prerequisites for conditional access.
We recommend the Windows 10 (version 1703 or later), as Azure is designed to provide the smoothest SSO experience possible for both on-premises and Azure AD. Work or school-issued devices should be configured to join Azure AD directly or if the organization uses on-premises AD domain join, those devices should be configured to automatically and silently register with Azure AD.
For BYOD Windows devices, users can use Add work or school account. Note that Chrome-browser users on Windows 10 need to install an extension to get the same smooth sign-in experience as Edge/IE users. Also, if your organization has domain-joined Windows 7 devices, you can install Microsoft Workplace Join for non-Windows 10 computers Download the package to register the devices with Azure AD.
We recommend installing the Microsoft Authenticator app on user devices before deploying conditional access or MFA policies. At a minimum, the app should be installed when users are asked to register their device with Azure AD by adding a work or school account, or when they install the Intune company portal app to enroll their device into management. This depends on the configured conditional access policy.
We recommend users install the Intune Company Portal app and Microsoft Authenticator app before conditional access policies are deployed or when required during certain authentication attempts. After app installation, users may be asked to register with Azure AD or enroll their device with Intune. This depends on the configured conditional access policy.
We also recommend that corporate-owned devices (COD) are standardized on OEMs and versions that support Android for Work or Samsung Knox to allow mail accounts, be managed and protected by Intune MDM policy.
Recommended email clients
The following email clients support modern authentication and conditional access.
|Windows||Outlook||2016, 2013 Enable modern authentication, Required updates|
|iOS||Outlook for iOS||Latest|
|Android||Outlook for Android||Latest|
Recommended client platforms when securing documents
The following clients are recommended when a secure documents policy has been applied.
|Platform||Word/Excel/PowerPoint||OneNote||OneDrive App||SharePoint App||OneDrive Sync Client|
|Windows Phone 10||Not supported||Not supported||Not Supported||Not Supported||Not Supported|
|macOS||Public Preview||Public Preview||N/A||N/A||Not supported|
|Linux||Not supported||Not supported||Not supported||Not supported||Not supported|
* Learn more about using conditional access with the OneDrive sync client.
Office 365 client support
For more information about Office 365 client support, see the following articles:
- Office 365 Client App Support - Conditional Access
- Office 365 Client App Support - Mobile Application Management
- Office 365 Client App Support - Modern Authentication
Protecting administrator accounts
Azure AD provides a simple way for you to begin protecting administrator access with a preconfigured conditional access policy. In Azure AD, go to Conditional access and look for this policy — Baseline policy: Require MFA for admins. Select this policy and then select Use policy immediately.
This policy requires MFA for the following roles:
- Global administrators
- SharePoint administrators
- Exchange administrators
- Conditional access administrators
- Security administrators
For more information, see Baseline security policy for Azure AD admin accounts.
Additional recommendations include the following:
- Use Azure AD Privileged Identity Management to reduce the number of persistent administrative accounts. See Start using PIM.
- Use privileged access management in Office 365 to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.
- Use administrator accounts only for administration. Admins should have a separate user account for regular non-administrative use and only use their administrative account when necessary to complete a task associated with their job function. Office 365 administrator roles have substantially more privileges than Office 365 services.
- Follow best practices for securing privileged accounts in Azure AD as described in this article.
Send feedback about: