Prerequisite work for implementing Zero Trust identity and device access policies
This article describes the prerequisites admins must meet to use recommended Zero Trust identity and device access policies, and to use Conditional Access. It also discusses the recommended defaults for configuring client platforms for the best single sign-on (SSO) experience.
Before using the Zero Trust identity and device access policies that are recommended, your organization needs to meet prerequisites. The requirements are different for the various identity and authentication models listed:
- Hybrid with password hash sync (PHS) authentication
- Hybrid with pass-through authentication (PTA)
The following table details the prerequisite features and their configuration that apply to all identity models, except where noted.
|Configure PHS. This must be enabled to detect leaked credentials and to act on them for risk-based Conditional Access. Note: This is required regardless of whether your organization uses federated authentication.||Cloud-only||Microsoft 365 E3 or E5|
|Enable seamless single sign-on to automatically sign users in when they are on their organization devices connected to your organization network.||Cloud-only and federated||Microsoft 365 E3 or E5|
|Configure named locations. Azure AD Identity Protection collects and analyzes all available session data to generate a risk score. We recommend you specify your organization's public IP ranges for your network in the Azure AD named locations configuration. Traffic coming from these ranges is given a reduced risk score, and traffic from outside the organization environment is given a higher risk score.||Microsoft 365 E3 or E5|
|Register all users for self-service password reset (SSPR) and multifactor authentication (MFA). We recommend you register users for Azure AD Multifactor Authentication ahead of time. Azure AD Identity Protection makes use of Azure AD Multifactor Authentication to perform additional security verification. Additionally, for the best sign-in experience, we recommend users install the Microsoft Authenticator app and the Microsoft Company Portal app on their devices. These can be installed from the app store for each platform.||Microsoft 365 E3 or E5|
|Enable automatic device registration of domain-joined Windows computers. Conditional Access will make sure devices connecting to apps are domain-joined or compliant. To support this on Windows computers, the device must be registered with Azure AD. This article discusses how to configure automatic device registration.||Cloud-only||Microsoft 365 E3 or E5|
|Prepare your support team. Have a plan in place for users that cannot complete MFA. This could be adding them to a policy exclusion group, or registering new MFA information for them. Before making either of these security-sensitive changes, you need to ensure that the actual user is making the request. Requiring users' managers to help with the approval is an effective step.||Microsoft 365 E3 or E5|
|Configure password writeback to on-premises AD. Password writeback allows Azure AD to require that users change their on-premises passwords when a high-risk account compromise is detected. You can enable this feature using Azure AD Connect in one of two ways: either enable Password Writeback in the optional features screen of Azure AD Connect setup, or enable it via Windows PowerShell.||Cloud-only||Microsoft 365 E3 or E5|
|Configure Azure AD password protection. Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization. Default global banned password lists are automatically applied to all users in an Azure AD tenant. You can define additional entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.||Microsoft 365 E3 or E5|
|Enable Azure Active Directory Identity Protection. Azure AD Identity Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure an automated remediation policy to low, medium, and high sign-in risk and user risk.||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|
|Enable modern authentication for Exchange Online and for Skype for Business Online. Modern authentication is a prerequisite for using MFA. Modern authentication is enabled by default for Office 2016 and 2019 clients, SharePoint, and OneDrive for Business.||Microsoft 365 E3 or E5|
|Enable continuous access evaluation for Azure AD. Continuous access evaluation proactively terminates active user sessions and enforces tenant policy changes in near real-time.||Microsoft 365 E3 or E5|
Recommended client configurations
This section describes the default platform client configurations we recommend to provide the best SSO experience to your users, as well as the technical prerequisites for Conditional Access.
We recommend Windows 11 or Windows 10 (version 2004 or later), as Azure is designed to provide the smoothest SSO experience possible for both on-premises and Azure AD. Work or school-issued devices should be configured to join Azure AD directly or if the organization uses on-premises AD domain join, those devices should be configured to automatically and silently register with Azure AD.
For BYOD Windows devices, users can use Add work or school account. Note that users of the Google Chrome browser on Windows 11 or Windows 10 devices need to install an extension to get the same smooth sign-in experience as Microsoft Edge users. Also, if your organization has domain-joined Windows 8 or 8.1 devices, you can install Microsoft Workplace Join for non-Windows 10 computers. Download the package to register the devices with Azure AD.
We recommend installing the Microsoft Authenticator app on user devices before deploying Conditional Access or MFA policies. At a minimum, the app should be installed when users are asked to register their device with Azure AD by adding a work or school account, or when they install the Intune company portal app to enroll their device into management. This depends on the configured Conditional Access policy.
We recommend users install the Intune Company Portal app and Microsoft Authenticator app before Conditional Access policies are deployed or when required during certain authentication attempts. After app installation, users may be asked to register with Azure AD or enroll their device with Intune. This depends on the configured Conditional Access policy.
We also recommend that organization-owned devices are standardized on OEMs and versions that support Android for Work or Samsung Knox to allow mail accounts, be managed and protected by Intune MDM policy.
Recommended email clients
The following email clients support modern authentication and Conditional Access.
|Windows||Outlook||2019, 2016, 2013|
|iOS||Outlook for iOS||Latest|
|Android||Outlook for Android||Latest|
|macOS||Outlook||2019 and 2016|
Recommended client platforms when securing documents
The following clients are recommended when a secure documents policy has been applied.
|Platform||Word/Excel/PowerPoint||OneNote||OneDrive App||SharePoint App||OneDrive sync client|
|Windows 11 or Windows 10||Supported||Supported||N/A||N/A||Supported|
|Linux||Not supported||Not supported||Not supported||Not supported||Not supported|
Microsoft 365 client support
For more information about client support in Microsoft 365, see the following articles:
- Microsoft 365 Client App Support - Conditional Access
- Microsoft 365 Client App Support - Multi-factor authentication
Protecting administrator accounts
For Microsoft 365 E3 or E5 or with separate Azure AD Premium P1 or P2 licenses, you can require MFA for administrator accounts with a manually-created Conditional Access policy. See Conditional Access: Require MFA for administrators for the details.
For editions of Microsoft 365 or Office 365 that do not support Conditional Access, you can enable security defaults to require MFA for all accounts.
Here are some additional recommendations:
- Use Azure AD Privileged Identity Management to reduce the number of persistent administrative accounts.
- Use privileged access management to protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.
- Create and use separate accounts that are assigned Microsoft 365 administrator roles only for administration. Admins should have their own user account for regular non-administrative use and only use an administrative account when necessary to complete a task associated with their role or job function.
- Follow best practices for securing privileged accounts in Azure AD.
Configure the common Zero Trust identity and device access policies
Submit and view feedback for