Identity and device access prerequisites for pass-through authentication in your Microsoft 365 test environment

This Test Lab Guide can only be used for Microsoft 365 Enterprise test environments.

Identity and device access configurations are a set of configurations and conditional access policies to protect access to all services that are integrated with Azure Active Directory (Azure AD), including Office 365 and Enterprise Mobility + Security (EMS) in Microsoft 365 Enterprise.

This article describes how you can configure a Microsoft 365 test environment that meets the requirements of the Pass-through authentication prerequisite configuration for identity and device access.

There are eight phases to setting up this test environment:

  1. Build out your simulated enterprise with pass-through authentication Microsoft 365 test environment
  2. Configure Azure AD seamless single sign-on
  3. Configure named locations
  4. Configure password writeback
  5. Configure self-service password reset
  6. Configure multi-factor authentication
  7. Enable Azure AD Identity Protection
  8. Enable modern authentication for Exchange Online and Skype for Business Online

Phase 1: Build out your simulated enterprise with pass-through authentication Microsoft 365 test environment

Follow the instructions in Pass-through authentication.

Here is the resulting configuration.

The simulated enterprise with pass-through authentication test environment

Phase 2: Configure Azure AD seamless single sign-on

Follow the instructions in Phase 2 of the Azure AD Seamless Single Sign-on Test Lab Guide.

Phase 3: Configure named locations

First, determine the public IP addresses or address ranges used by your organization.

Next, follow the instructions in Configure named locations in Azure Active Directory to add the addresses or address ranges as named locations.

Phase 4: Configure password writeback

Follow the instructions in Phase 2 of the password writeback Test Lab Guide.

Phase 5: Configure self-service password reset

Follow the instructions in Phase 3 of the password reset Test Lab Guide.

When enabling password reset for the accounts in a specific Azure AD group, add these accounts to the Password reset group:

  • User 2
  • User 3
  • User 4
  • User 5

Test password reset only for the User 2 account.

Phase 6: Configure multi-factor authentication

Follow the instructions in Phase 2 of the multi-factor authentication Test Lab Guide for the following user accounts:

  • User 2
  • User 3
  • User 4
  • User 5

Test multi-factor authentication only for the User 2 account.

Phase 7: Enable Azure AD Identity Protection

Follow the instructions in Phase 2 of the Azure AD Identity Protection Test Lab Guide.

Phase 8: Enable modern authentication for Exchange Online and Skype for Business Online

For Exchange Online, follow these instructions.

For Skype for Business Online:

  1. Connect to Skype for Business Online.

  2. Run this command.

     Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  3. Verify that the change was successful with this command.

     Get-CsOAuthConfiguration

The result is a test environment that meets the requirements of the Pass-through authentication prerequisite configuration for identity and device access.

Next step

Use Common identity and device access policies to configure the policies that build on the prerequisites and protect identities and devices.

See also

Additional identity Test Lab Guides

Phase 2: Identity

Microsoft 365 Enterprise Test Lab Guides

Microsoft 365 Enterprise deployment

Microsoft 365 Enterprise documentation