Identity and device access prerequisites for cloud only in your Microsoft 365 test environment

This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.

Identity and device access configurations are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Microsoft Entra ID.

This article describes how to configure a Microsoft 365 test environment that meets the requirements of the cloud-only prerequisite configuration for identity and device access.

There are eight phases to setting up this test environment:

  1. Build out your lightweight test environment
  2. Configure named locations
  3. Configure self-service password reset
  4. Configure multi-factor authentication
  5. Enable automatic device registration of domain-joined Windows computers
  6. Configure Microsoft Entra password protection
  7. Enable Microsoft Entra ID Protection
  8. Enable modern authentication for Exchange Online and Skype for Business Online

Phase 1: Build out your lightweight Microsoft 365 test environment

Follow the instructions in Lightweight base configuration. Here is the resulting configuration.

The lightweight Microsoft 365 Enterprise test environment.

Phase 2: Configure named locations

First, determine the public IP addresses or address ranges used by your organization.

Next, follow the instructions in Configure named locations in Microsoft Entra ID to add the addresses or address ranges as named locations.

Phase 3: Configure self-service password reset

Follow the instructions in Phase 3 of the password reset Test Lab Guide.

When enabling password reset for the accounts in a specific Microsoft Entra group, add these accounts to the Password reset group:

  • User 2
  • User 3
  • User 4
  • User 5

Test password reset only for the User 2 account.

Phase 4: Configure multi-factor authentication

Follow the instructions in Phase 2 of the multi-factor authentication Test Lab Guide for the following user accounts:

  • User 2
  • User 3
  • User 4
  • User 5

Test multi-factor authentication only for the User 2 account.

Phase 5: Enable automatic device registration of domain-joined Windows computers

Follow these instructions to enable automatic device registration of domain-joined Windows computers.

Phase 6: Configure Microsoft Entra password protection

Follow these instructions to block known weak passwords and their variants.

Phase 7: Enable Microsoft Entra ID Protection

Follow the instructions in Phase 2 of the Microsoft Entra ID Protection Test Lab Guide.

Phase 8: Enable modern authentication for Exchange Online and Skype for Business Online

For Exchange Online, follow these instructions.

For Skype for Business Online:

  1. Connect to Skype for Business Online.

  2. Run this command.

     Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  3. Verify that the change was successful with this command.

     Get-CsOAuthConfiguration

The result is a test environment that meets the requirements of the cloud-only prerequisite configuration for identity and device access.

Next step

Use Common identity and device access policies to configure the policies that build on the prerequisites and protect identities and devices.

See also

Additional identity Test Lab Guides

Deploy identity

Microsoft 365 for enterprise Test Lab Guides

Microsoft 365 for enterprise overview

Microsoft 365 for enterprise documentation