Identity and device access prerequisites for password hash synchronization in your Microsoft 365 test environment

This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.

Identity and device access configurations are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Azure Active Directory (Azure AD).

This article describes how to configure a Microsoft 365 test environment that meets the requirements of the hybrid with password hash sync authentication prerequisite configuration for identity and device access.

There are ten phases to setting up this test environment:

  1. Create a simulated enterprise with password hash sync test environment
  2. Configure Azure AD seamless single sign-on
  3. Configure named locations
  4. Configure password writeback
  5. Configure self-service password reset for all user accounts
  6. Configure multifactor authentication for all user accounts
  7. Enable automatic device registration of domain-joined Windows computers
  8. Configure Azure AD password protection
  9. Enable Azure AD Identity Protection
  10. Enable modern authentication for Exchange Online and Skype for Business Online

Phase 1: Build out your simulated enterprise with password hash sync Microsoft 365 test environment

Follow the instructions in the password hash synchronization Test Lab Guide. Here is the resulting configuration.

[Figure: The simulated enterprise with password hash synchronization test environment.]

Phase 2: Configure Azure AD seamless single sign-on

Follow the instructions in Phase 2 of the Azure AD Seamless Single Sign-on Test Lab Guide.

Phase 3: Configure named locations

First, determine the public IP addresses or address ranges used by your organization.

Next, follow the instructions in Configure named locations in Azure Active Directory to add the addresses or address ranges as named locations.

Phase 4: Configure password writeback

Follow the instructions in Phase 2 of the password writeback Test Lab Guide.

Phase 5: Configure self-service password reset

Follow the instructions in Phase 3 of the password reset Test Lab Guide.

When enabling password reset for the accounts in a specific Azure AD group, add these accounts to the Password reset group:

  • User 2
  • User 3
  • User 4
  • User 5

Test password reset only for the User 2 account.

Phase 6: Configure multi-factor authentication

Follow the instructions in Phase 2 of the multi-factor authentication Test Lab Guide for the following user accounts:

  • User 2
  • User 3
  • User 4
  • User 5

Test multi-factor authentication only for the User 2 account.

Phase 7: Enable automatic device registration of domain-joined Windows computers

Follow these instructions to enable automatic device registration of domain-joined Windows computers.

Phase 8: Configure Azure AD password protection

Follow these instructions to block known weak passwords and their variants.

Phase 9: Enable Azure AD Identity Protection

Follow the instructions in Phase 2 of the Azure AD Identity Protection Test Lab Guide.

Phase 10: Enable modern authentication for Exchange Online and Skype for Business Online

For Exchange Online, follow these instructions.

For Skype for Business Online:

  1. Connect to Skype for Business Online.

  2. Run this command.

     Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  3. Verify that the change was successful with this command.

     Get-CsOAuthConfiguration

The result is a test environment that meets the requirements of the Active Directory with password hash sync prerequisite configuration for identity and device access.

Next step

Use Common identity and device access policies to configure the policies that build on the prerequisites and protect identities and devices.

See also

Additional identity Test Lab Guides

Identity roadmap

Microsoft 365 for enterprise Test Lab Guides

Microsoft 365 for enterprise overview

Microsoft 365 for enterprise documentation