Identity and device access prerequisites for password hash synchronization in your Microsoft 365 test environment
This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.
Identity and device access configurations are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Azure Active Directory (Azure AD).
This article describes how to configure a Microsoft 365 test environment that meets the requirements of the hybrid identity with password hash sync prerequisite configuration for identity and device access. The Common identity and device access policies assume these prerequisites are in place; configure them before you apply those policies.
There are ten phases to setting up this test environment:
- Create a simulated enterprise with password hash sync test environment
- Configure Azure AD seamless single sign-on
- Configure named locations
- Configure password writeback
- Configure self-service password reset for all user accounts
- Configure multifactor authentication for all user accounts
- Enable automatic device registration of domain-joined Windows computers
- Configure Azure AD password protection
- Enable Azure AD Identity Protection
- Enable modern authentication for Exchange Online and Skype for Business Online
Phase 1: Build out your simulated enterprise with password hash sync test environment
Follow the instructions in the password hash synchronization Test Lab Guide. Here is the resulting configuration.
Phase 2: Configure Azure AD seamless single sign-on
Follow the instructions in Phase 2 of the Azure AD Seamless Single Sign-on Test Lab Guide.
Phase 3: Configure named locations
First, determine the public (egress) IP addresses or address ranges that your organization's users connect from. Conditional access policies evaluate the source address of each sign-in against these ranges, so a range that is too broad (for example, a shared NAT pool or a home ISP block) weakens every policy that treats the location as trusted.
Next, follow the instructions in Configure named locations in Azure Active Directory to add the addresses or address ranges as named locations, and mark only the ranges you control as trusted.
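As an added example (not part of the original Test Lab Guide), the following script creates a trusted IP-based named location with the Microsoft Graph PowerShell SDK and reads it back to verify. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account can consent to Policy.ReadWrite.ConditionalAccess, and it uses the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.10/32 as placeholder egress addresses; replace them with your own.

```powershell
# Added example, not from the original page. Requires Microsoft.Graph.Identity.SignIns.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder egress ranges (RFC 5737 documentation blocks); substitute your real addresses.
$egressRanges = @("203.0.113.0/24", "198.51.100.10/32")

# Build an ipNamedLocation. isTrusted = $true means conditional access policies
# can treat sign-ins from these ranges as coming from the corporate network.
$body = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress (test lab)"
    isTrusted     = $true
    ipRanges      = @($egressRanges | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
    })
}

$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body

# Verify: read the object back and confirm the trusted flag and the ranges that were stored.
$check = Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $location.Id
$storedRanges = @($check.AdditionalProperties.ipRanges | ForEach-Object { $_.cidrAddress })

[pscustomobject]@{
    DisplayName = $check.DisplayName
    Id          = $check.Id
    IsTrusted   = $check.AdditionalProperties.isTrusted
    Ranges      = ($storedRanges -join ", ")
}

# Fail loudly if anything you asked for did not land in the tenant.
$missing = $egressRanges | Where-Object { $_ -notin $storedRanges }
if ($missing -or -not $check.AdditionalProperties.isTrusted) {
    Write-Warning "Named location is incomplete. Missing ranges: $($missing -join ', '); IsTrusted=$($check.AdditionalProperties.isTrusted)"
}
```

The read-back step matters because a named location that is created but not marked trusted, or that is missing a range, silently leaves the affected users subject to the stricter policy branch (typically an MFA prompt) rather than producing an error.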
Phase 4: Configure password writeback
Follow the instructions in Phase 2 of the password writeback Test Lab Guide.
Phase 5: Configure self-service password reset
Follow the instructions in Phase 3 of the password reset Test Lab Guide.
When enabling password reset for the accounts in a specific Azure AD group, add these accounts to the Password reset group:
- User 2
- User 3
- User 4
- User 5
Test password reset only for the User 2 account.
Phase 6: Configure multifactor authentication
Follow the instructions in Phase 2 of the multifactor authentication Test Lab Guide for the following user accounts:
- User 2
- User 3
- User 4
- User 5
Test multifactor authentication only for the User 2 account.
Phase 7: Enable automatic device registration of domain-joined Windows computers
Follow these instructions to enable automatic device registration of domain-joined Windows computers (hybrid Azure AD join). The resulting device object in Azure AD is what device-based conditional access policies evaluate, so confirm on at least one test computer that registration actually completed before you rely on those policies.
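As an added example (not part of the original Test Lab Guide), the following script is one way to confirm hybrid Azure AD join on a test computer: it parses the output of the built-in `dsregcmd /status` tool into a hashtable and checks the fields that matter. It assumes a domain-joined Windows 10 computer where `dsregcmd` is on the path; the field names `DomainJoined`, `AzureAdJoined` and `DeviceId` are the ones `dsregcmd` prints.

```powershell
# Added example, not from the original page. Run on the domain-joined test computer.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines under banner sections such as "Device State".
    # Banner and separator lines contain no colon and are skipped by the regex.
    $result = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    return $result
}

$status = Get-DsregStatus

# The three conditions a hybrid-joined device must satisfy.
$checks = [ordered]@{
    'Joined to on-premises AD (DomainJoined)' = ($status['DomainJoined'] -eq 'YES')
    'Registered in Azure AD (AzureAdJoined)'  = ($status['AzureAdJoined'] -eq 'YES')
    'Azure AD device ID present (DeviceId)'   = -not [string]::IsNullOrEmpty($status['DeviceId'])
}

foreach ($c in $checks.GetEnumerator()) {
    '{0,-44} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}

if (-not $checks['Registered in Azure AD (AzureAdJoined)']) {
    # Registration is driven by the Automatic-Device-Join scheduled task after sign-in;
    # a freshly joined computer may need another sign-in or a few minutes before it appears.
    Write-Warning "Device is not yet hybrid Azure AD joined. Sign in again, wait for the Automatic-Device-Join task, and re-run this check."
}
```

Compare the `DeviceId` value with the device object shown under Azure AD > Devices in the portal; if the IDs match and the join type is "Hybrid Azure AD joined", the computer is ready for device-based conditional access.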
Phase 8: Configure Azure AD password protection
Follow these instructions to block known weak passwords and their variants. Because this is a hybrid environment with password hash sync, a password can still be set on the on-premises domain controllers; to enforce the same banned-password list there, also deploy the Azure AD Password Protection DC agent and proxy service to the domain controllers in the test environment.
Phase 9: Enable Azure AD Identity Protection
Follow the instructions in Phase 2 of the Azure AD Identity Protection Test Lab Guide.
Phase 10: Enable modern authentication for Exchange Online and Skype for Business Online
For Exchange Online, follow these instructions.
For Skype for Business Online:
- Connect to Skype for Business Online with PowerShell.
- Run this command: Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
- Verify that the change was successful with this command.
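As an added example (not part of the original Test Lab Guide), the following script carries out both halves of Phase 10 from one PowerShell session and verifies each setting after changing it. It assumes the ExchangeOnlineManagement module and the Skype for Business Online PowerShell module (which provides `New-CsOnlineSession`) are installed, and that the signed-in account is a global administrator of the test tenant. The `Set-CsOAuthConfiguration` line is the page's own command; `Set-OrganizationConfig -OAuth2ClientProfileEnabled` and the two `Get-` cmdlets used for verification are the ones I would use and are not quoted from the page.

```powershell
# Added example, not from the original page.
# Requires: ExchangeOnlineManagement module; Skype for Business Online PowerShell module.

# --- Exchange Online ---
Connect-ExchangeOnline                                # interactive sign-in

# Enable modern authentication (OAuth 2.0) for the whole organization.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify: the property must read True.
$exo = Get-OrganizationConfig
if ($exo.OAuth2ClientProfileEnabled) {
    "Exchange Online: OAuth2ClientProfileEnabled = True"
} else {
    Write-Warning "Exchange Online modern authentication is still disabled."
}

# --- Skype for Business Online ---
$sfbSession = New-CsOnlineSession                     # interactive sign-in
Import-PSSession $sfbSession -AllowClobber | Out-Null

# The command from the Test Lab Guide: allow modern-auth-capable clients.
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

# Verify: ClientAdalAuthOverride must read Allowed.
$sfb = Get-CsOAuthConfiguration
if ($sfb.ClientAdalAuthOverride -eq 'Allowed') {
    "Skype for Business Online: ClientAdalAuthOverride = Allowed"
} else {
    Write-Warning "Skype for Business Online override is '$($sfb.ClientAdalAuthOverride)', not 'Allowed'."
}

# Clean up the remote sessions.
Remove-PSSession $sfbSession
Disconnect-ExchangeOnline -Confirm:$false
```

Both settings are tenant-wide and take effect for new client sign-ins; existing sessions keep whatever authentication method they negotiated, so re-sign-in on a test client (the User 2 account, for example) to see the modern authentication prompt.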
The result is a test environment that meets the requirements of the hybrid identity with password hash sync prerequisite configuration for identity and device access.
Use Common identity and device access policies to configure the policies that build on the prerequisites and protect identities and devices.