Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
microsoft-365-copilot-privacy | Microsoft 365 Copilot Privacy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/microsoft-365-copilot-privacy.md | Title: "Data, Privacy, and Security for Microsoft Copilot for Microsoft 365" +description: "Learn how Microsoft Copilot for Microsoft 365 uses data and how it stores and protects that data." --description: "Learn how Microsoft Copilot for Microsoft 365 uses data and how it stores and protects that data." +ms.localizationpriority: high ++- privacy-microsoft365 +- privacy-copilot hideEdit: true Last updated 03/04/2024 |
admin | Resolve Site Urls | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/resolve-site-urls.md | To clean up the environment, go back to the application's **Certificates & secre The following is the PowerShell script for Update-Report. ```PowerShell- [Parameter(Mandatory=$true)] + param( + [Parameter(Mandatory=$true)] [string]$tenantId, [Parameter(Mandatory=$true)] [string]$clientId, |
enterprise | Automate Licenses Group Membership Microsoft 365 Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/automate-licenses-group-membership-microsoft-365-test-environment.md | - Title: "Automate licensing and group membership for your Microsoft 365 for enterprise test environment"-- NOCSH--- Previously updated : 12/09/2019----- scotvorg-- M365-identity-device-management--- TLG-- Ent_TLGs -description: "Configure group-based licensing and dynamic group membership in your Microsoft 365 for enterprise test environment." ---# Automate licensing and group membership for your Microsoft 365 for enterprise test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --Group-based licensing automatically assigns or removes licenses for a user account based on group membership. Dynamic group membership adds or removes members to a group based on user account properties, such as **Department** or **Country**. This article steps you through demonstrations of both adding and removing group members in your Microsoft 365 for enterprise test environment. 
--Setting up auto-licensing and dynamic group membership in your Microsoft 365 for enterprise test environment involves two phases: --- [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment)-- [Phase 2: Configure and test dynamic group membership and automatic licensing](#phase-2-configure-and-test-dynamic-group-membership-and-automatic-licensing)--![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). - -## Phase 1: Build out your Microsoft 365 for enterprise test environment --If you want to only test automated licensing and group membership in a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). - -If you want to test automated licensing and group membership in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). - -> [!NOTE] -> Testing automated licensing and group membership doesn't require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It's provided here as an option so that you can test automated licensing and group membership and experiment with it in an environment that represents a typical organization. 
- -## Phase 2: Configure and test dynamic group membership and automatic licensing --First, create a new group named Sales, and add a dynamic group membership rule so that user accounts with the **Department** set to **Sales** automatically join the Sales group. --1. In a private instance of your internet browser, sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) with the global administrator account of your Microsoft 365 E5 test lab subscription. -2. On a separate tab of your browser, go to the Azure portal at [https://portal.azure.com](https://portal.azure.com). -3. In the Azure portal, enter **groups** in the search box, and then select **Groups**. -4. In the **All groups** pane, select **New group**. -5. In **Group type**, select **Microsoft 365**. -6. In **Group name**, enter **Sales**. -7. In **Membership type**, select **Dynamic user**. -8. Select **Dynamic user members**. -9. In the **Dynamic membership rules** pane: - - Select the **department** property. - - Select the **Equals** operator. - - In the **Value** box, enter **Sales**. -10. Select **Save**. -11. Select **Create**. --Next, configure the Sales group so that members are automatically assigned the Microsoft 365 E5 license. --1. Select the **Sales** group, and then select **Licenses**. -2. In the **Update license assignments** pane, select **Microsoft 365 E5**, and then select **Save**. -3. In your browser, close the Azure portal tab. --Next, test dynamic group membership and automatic licensing on the User 4 account: --1. From the **Microsoft Office Home** tab in your browser, select **Admin**. -2. From the **Microsoft 365 admin center** tab, select **Active users**. -3. On the **Active users** page, select the **User 4** account. -4. On the **User 4** pane, select **Edit** for **Product licenses**. -5. On the **Product licenses** pane, disable the **Microsoft 365 E5** license, and then select **Save** > **Close**. -6. 
In the properties of the User 4 account, verify that no product licenses have been assigned and there are no group memberships. -7. For **Contact information**, select **Edit**. -8. In the **Edit Contact information** pane, select **Contact information**. -9. In the **Department** box, enter **Sales**, and then select **Save** > **Close**. -10. Wait a few minutes, and then periodically select the **Refresh** icon in the upper-right of the User 4 account pane. --In time, you should see the: --- **Group memberships** property updated with the **Sales** group.-- **Product licenses** property updated with the **Microsoft 365 E5** license.--See these articles to deploy dynamic group membership and automatic licensing in production: --- [Group-based licensing in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal)-- [Dynamic groups in Microsoft Entra ID](/azure/active-directory/users-groups-roles/groups-create-rule)--## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. --## See also --[Deploy identity](deploy-identity-solution-overview.md) --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Azure Ad Identity Protection Microsoft 365 Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/azure-ad-identity-protection-microsoft-365-test-environment.md | - Title: "Microsoft Entra ID Protection for your Microsoft 365 for enterprise test environment"-- NOCSH--- Previously updated : 12/10/2019----- scotvorg-- M365-identity-device-management--- TLG-- Ent_TLGs -description: "Configure Microsoft Entra ID Protection and analyze the current accounts in your Microsoft 365 for enterprise test environment." ---# Microsoft Entra ID Protection for your Microsoft 365 for enterprise test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --You can use Microsoft Entra ID Protection to detect potential vulnerabilities that affect your organization's identities, configure automated responses, and investigate incidents. This article describes how to use Microsoft Entra ID Protection to view the analysis of your test environment accounts. --Setting up Microsoft Entra ID Protection in your Microsoft 365 for enterprise test environment involves two phases: --- [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment)-- [Phase 2: Use Microsoft Entra ID Protection](#phase-2-use-azure-ad-identity-protection)--![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). 
- -## Phase 1: Build out your Microsoft 365 for enterprise test environment --If you want to only test Microsoft Entra ID Protection in a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). - -If you want to test Microsoft Entra ID Protection in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). - -> [!NOTE] -> Testing Microsoft Entra ID Protection doesn't require the simulated enterprise test environment, which includes a simulated intranet connected to the Internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It is provided here as an option so that you can test Microsoft Entra ID Protection and experiment with it in an environment that represents a typical organization. - -<a name='phase-2-use-azure-ad-identity-protection'></a> --## Phase 2: Use Microsoft Entra ID Protection --1. Open a private instance of your browser and sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com) with the global administrator account of your Microsoft 365 for enterprise test environment. -2. In the Azure portal, type **identity protection** in the search box, and then select **Microsoft Entra ID Protection**. -3. In the **Identity Protection - Overview** blade, select each report to see what it's reporting. -4. Under **Notify**, select **Users at risk detected alerts**. -5. In the **Users at risk detected alerts** pane, select **Medium**. -6. For **Emails are sent to the following users**, select **Included** and verify that your global admin account is in the list of selected members. -7. Select **Save**. --Under **Protect**, select various policies to see how to configure them. If you create and activate a policy, make sure that it's not blocking access for all users, or you might not be able to sign in. 
To prevent this, exclude specific user accounts, such as global admins. --For further testing and experimentation, see [Simulating risk events](/azure/active-directory/active-directory-identityprotection-playbook). --## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. --## See also --[Deploy identity](deploy-identity-solution-overview.md) --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Cloud Adoption Test Lab Guides Tlgs | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-adoption-test-lab-guides-tlgs.md | - Title: "Test Microsoft 365 with Test Lab Guides (TLGs)"--- Previously updated : 11/14/2019---- MET150--- scotvorg-- Ent_O365-- Strat_O365_Enterprise-- CSH--- Ent_TLGs-- seo-marvel-apr2020 -description: "Summary: Use these Test Lab Guides (TLGs) to set up demonstration, proof of concept, or dev/test environments for Microsoft 365." ---# Test Microsoft 365 with Test Lab Guides (TLGs) --TLGs help you quickly learn about Microsoft products. They're great for situations where you need to evaluate a technology or configuration before you decide whether it's right for you and before you begin the design, planning, and rollout to users. The "I built it out myself and it works" hands-on experience helps you understand the deployment requirements of a new product or solution so you can better plan for hosting it in production. - -TLGs also create representative environments for development and testing of applications, also known as dev/test environments. - -![Test Lab Guides in the Microsoft Cloud.](../media/24ad0d1b-3274-40fb-972a-b8188b7268d1.png) - -## Microsoft 365 dev/test environment --Use these articles to build your Microsoft 365 dev/test environment: - -- [The lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md)- - Create a Microsoft 365 Enterprise E5 trial subscription. --- [The simulated enterprise base configuration](simulated-ent-base-configuration-microsoft-365-enterprise.md)- - Create a simplified intranet running in Microsoft Azure infrastructure services and a Microsoft 365 Enterprise E5 trial subscription. -- This is optional and needed if you want to build a simulated enterprise configuration for hybrid identity. 
- -For additional TLGs that apply to both Office 365 and Microsoft 365, go to [Test Lab Guides](m365-enterprise-test-lab-guides.md). - -## Related topics --[Microsoft 365 solution and architecture center](../solutions/index.yml) - -[Hybrid solutions](hybrid-solutions.md) |
enterprise | Cloud Only Prereqs M365 Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-only-prereqs-m365-test-environment.md | - Title: "Identity and device access prerequisites for cloud only in your Microsoft 365 test environment"--- NOCSH-- Previously updated : 04/23/2019----- scotvorg-- M365-subscription-management-- Strat_O365_Enterprise- -description: Create a Microsoft 365 environment to test identity and device access with the prerequisites for cloud only authentication. ---# Identity and device access prerequisites for cloud only in your Microsoft 365 test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --[Identity and device access configurations](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md) are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Microsoft Entra ID. --This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [cloud only prerequisite configuration](../security/office-365-security/zero-trust-identity-device-access-policies-prereq.md#prerequisites) for identity and device access. --There are eight phases to setting up this test environment: --1. Build out your lightweight test environment -2. Configure named locations -3. Configure self-service password reset -4. Configure multifactor authentication -5. Enable automatic device registration of domain-joined Windows computers -6. Configure Microsoft Entra password protection -7. Enable Microsoft Entra ID Protection -8. Enable modern authentication for Exchange Online and Skype for Business Online --## Phase 1: Build out your lightweight Microsoft 365 test environment --Follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). 
-Here is the resulting configuration. --![The lightweight Microsoft 365 Enterprise test environment.](../media/lightweight-base-configuration-microsoft-365-enterprise/Phase4.png) - -## Phase 2: Configure named locations --First, determine the public IP addresses or address ranges used by your organization. --Next, follow the instructions in [Configure named locations in Microsoft Entra ID](/azure/active-directory/reports-monitoring/quickstart-configure-named-locations) to add the addresses or address ranges as named locations. --## Phase 3: Configure self-service password reset --Follow the instructions in [Phase 3 of the password reset Test Lab Guide](password-reset-m365-ent-test-environment.md#phase-3-configure-and-test-password-reset). --When enabling password reset for the accounts in a specific Microsoft Entra group, add these accounts to the **Password reset** group: --- User 2-- User 3-- User 4-- User 5--Test password reset only for the User 2 account. --## Phase 4: Configure multi-factor authentication --Follow the instructions in [Phase 2 of the multi-factor authentication Test Lab Guide](multi-factor-authentication-microsoft-365-test-environment.md#phase-2-enable-and-test-multi-factor-authentication-for-the-user-2-account) for the following user accounts: --- User 2-- User 3-- User 4-- User 5--Test multi-factor authentication only for the User 2 account. --## Phase 5: Enable automatic device registration of domain-joined Windows computers --Follow [these instructions](/azure/active-directory/devices/hybrid-azuread-join-plan) to enable automatic device registration of domain-joined Windows computers. --<a name='phase-6-configure-azure-ad-password-protection'></a> --## Phase 6: Configure Microsoft Entra password protection --Follow [these instructions](/azure/active-directory/authentication/concept-password-ban-bad) to block known weak passwords and their variants. 
--<a name='phase-7-enable-azure-ad-identity-protection'></a> --## Phase 7: Enable Microsoft Entra ID Protection --Follow the instructions in [Phase 2 of the Microsoft Entra ID Protection Test Lab Guide](azure-ad-identity-protection-microsoft-365-test-environment.md#phase-2-use-azure-ad-identity-protection). --## Phase 8: Enable modern authentication for Exchange Online and Skype for Business Online --For Exchange Online, follow [these instructions](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online#enable-or-disable-modern-authentication-in-exchange-online-for-client-connections-in-outlook-2013-or-later). --For Skype for Business Online: --1. Connect to [Skype for Business Online](/SkypeForBusiness/set-up-your-computer-for-windows-powershell/set-up-your-computer-for-windows-powershell). --2. Run this command. -- ```powershell - Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed - ``` --3. Verify that the change was successful with this command. -- ```powershell - Get-CsOAuthConfiguration - ``` --The result is a test environment that meets the requirements of the [cloud-only prerequisite configuration](../security/office-365-security/zero-trust-identity-device-access-policies-prereq.md#prerequisites) for identity and device access. --## Next step --Use [Common identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-common.md) to configure the policies that build on the prerequisites and protect identities and devices. --## See also --[Additional identity Test Lab Guides](m365-enterprise-test-lab-guides.md#identity) --[Deploy identity](deploy-identity-solution-overview.md) --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Data Classification Microsoft 365 Enterprise Dev Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/data-classification-microsoft-365-enterprise-dev-test-environment.md | - Title: "Data classification for your Microsoft 365 for enterprise test environment"-- NOCSH--- Previously updated : 12/10/2019----- scotvorg-- M365-security-compliance--- Ent_TLGs-- admindeeplinkMAC-- admindeeplinkDEFENDER -description: Use this Test Lab Guide to create and use retention labels on documents in your Microsoft 365 for enterprise test environment. ---# Data classification for your Microsoft 365 for enterprise test environment --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --This article describes how to configure data classification using retention labels in your Microsoft 365 for enterprise test environment. --Classifying data in your test environment involves three phases: -- [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment)-- [Phase 2: Create retention labels](#phase-2-create-retention-labels)-- [Phase 3: Apply retention labels to documents](#phase-3-apply-retention-labels-to-documents)--![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) --> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). 
- -## Phase 1: Build out your Microsoft 365 for enterprise test environment --If you just want to configure retention labels in a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). - -If you want to configure retention labels in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). - -> [!NOTE] -> Testing retention labels doesn't require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It's provided here as an option so that you can test automated licensing and group membership and experiment with it in an environment that represents a typical organization. --## Phase 2: Create retention labels --In this phase, create the retention labels for the different levels of retention for SharePoint Online documents folders: --1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> with your global admin account. -1. From the **Home - Microsoft 365 security** tab of your browser, select **Classification** > **Retention labels**. -1. Select **Create a label**. -1. In the **Name your label** pane, enter **Internal Public** in **Name your label**, and then select **Next**. -1. In the **File plan descriptors** pane, select **Next**. -1. In the **Label settings** pane, if needed, set **Retention** to **On**, and then select **Next**. -1. In the **Review your settings** pane, select **Create the label**. -1. Repeat steps 3-7 for additional labels with these names: - - Private - - Sensitive - - Highly Confidential -1. In the **Retention labels** pane, select **Publish labels**. -1. In the **Choose labels to publish** pane, select **Choose labels to publish**. -1. 
In the **Choose labels** pane, select **Add** and select all four labels. -1. Select **Add**, and then select **Done**. -1. On the **Choose labels to publish** pane, select **Next**. -1. On the **Choose locations** pane, select **Next**. -1. On the **Name your policy** pane, enter **Example organization** in **Name**, and then select **Next**. -1. On the **Review your settings** pane, select **Publish labels**. - -It might take a few minutes for the retention labels to be published. --## Phase 3: Apply retention labels to documents --In this phase, you discover the default retention label behavior for files in the Documents folder of a SharePoint Online site and manually change the retention label of a document. --First, create a sensitive-level SharePoint Online team site: - -1. Using a private instance of your browser, sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> using your global admin account. -1. In the list of tiles, select **SharePoint**. -1. On the new **SharePoint** tab in your browser, select **Create site**. -1. On the **Create a site** page, select **Team site**. -1. In the **Team site name** box, enter **SensitiveFiles**. -1. In the **Team site description** box, enter **SharePoint site for sensitive files**. -1. In **Privacy settings**, select **Private - only members can access this site**, and then select **Next**. -1. In the **Who do you want to add?** pane, select **Finish**. - -Next, configure the Documents folder of the SensitiveFiles team site for the Sensitive retention label. - -1. In the **SensitiveFiles** tab of your browser, select **Documents**. -1. Select the **Settings** icon, and then select **Library settings**. -1. Under **Permissions and Management**, select **Apply label to items in this list or library**. If this option doesn't appear, your retention labels aren't yet published. Try this step at a later time. -1. 
In **Settings-Apply Label**, select **Sensitive** in the drop-down box, and then select **Save**. --Next, create a new document in the SensitiveFiles site and change its retention label. - -1. In the documents folder, select **New** > **Word document**. -1. Enter some text in the blank document. Wait for the text to be saved. -1. On the menu bar, select **Shared Documents**. -1. Next to the **Document.docx** file name, select the vertical ellipsis, and then select **Details**. -1. In the right pane, in the **Properties** section, under **Apply retention label**, note that the document has had the **Sensitive** retention label automatically applied. -1. Click **Edit all**. -1. In the **Document.docx** pane, under **Apply retention label**, select the **Highly Confidential** label, and then select **Save**. --## Next step --Explore additional [information protection](m365-enterprise-test-lab-guides.md#information-protection) features and capabilities in your test environment. --## See also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Enroll Ios And Android Devices In Your Microsoft Enterprise 365 Dev Test Environ | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/enroll-ios-and-android-devices-in-your-microsoft-enterprise-365-dev-test-environ.md | - Title: "Enroll iOS/iPadOS and Android devices in your Microsoft 365 for enterprise test environment"-- NOCSH--- Previously updated : 11/19/2020----- scotvorg-- M365-identity-device-management- -description: Use this Test Lab Guide to enroll devices in your Microsoft 365 test environment and manage them remotely. ---# Enroll iOS and Android devices in your Microsoft 365 for enterprise test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --This article describes how to enroll and test basic mobile device management capabilities for iOS/iPadOS and Android devices in your Microsoft 365 for enterprise test environment. --Enrolling iOS/iPadOS and Android devices in your test environment involves three phases: -- [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment)-- [Phase 2: Enroll your iOS/iPadOS and Android devices](#phase-2-enroll-your-ios-and-android-devices)-- [Phase 3: Manage your iOS/iPadOS and Android devices remotely](#phase-3-manage-your-ios-and-android-devices-remotely)--![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). 
--## Phase 1: Build out your Microsoft 365 for enterprise test environment --If you want to enroll iOS/iPadOS and Android devices in a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). - -If you want to enroll iOS/iPadOS and Android devices in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). - -> [!NOTE] -> Testing automated licensing and group membership doesn't require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It's provided here as an option so that you can test automated licensing and group membership, and you can experiment with it in an environment that represents a typical organization. --## Phase 2: Enroll your iOS and Android devices --If you're considering a mobile device management (MDM) solution to manage your devices, you can use Microsoft Intune. When working with any MDM provider, including Intune, devices are "enrolled". When enrolled, they receive the features and settings you configure. --In Intune, there are a few ways to enroll your iOS/iPadOS and Android devices. You can choose the enrollment option that works best for your organization. 
For more information and guidance, see the following articles: --- [Deployment guide: Enroll iOS and iPadOS devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados)-- [Deployment guide: Enroll Android devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-android)--If you're ready to use Intune for device management, and want some guidance, then the following information may help: --- [Device management overview](/mem/intune/fundamentals/what-is-device-management)-- [Tutorial: Walkthrough the Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)-- [Deployment guide: Setup or move to Microsoft Intune](/mem/intune/fundamentals/deployment-guide-intune-setup)--## Phase 3: Manage your iOS and Android devices remotely --Microsoft Intune provides remote lock and passcode reset features. If someone loses their device, you can remotely lock the device. If someone forgets their passcode, you can remotely reset it. --- To remotely lock an iOS/iPadOS or Android device, see [Remotely lock devices with Intune](/mem/intune/remote-actions/device-remote-lock).-- To remotely reset the passcode, see [Reset or remove a device passcode in Intune](/mem/intune/remote-actions/device-passcode-reset).--For additional tasks you can run remotely, see [available device actions](/mem/intune/remote-actions/device-management#available-device-actions). - -## Next step --Explore additional [mobile device management](m365-enterprise-test-lab-guides.md#mobile-device-management) features and capabilities in your test environment. --## See Also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) - -[Device compliance policies for your Microsoft 365 for enterprise test environment](mam-policies-for-your-microsoft-365-enterprise-dev-test-environment.md) - -[Microsoft 365 for enterprise overview](microsoft-365-overview.md) |
enterprise | Federated Identity For Your Microsoft 365 Dev Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/federated-identity-for-your-microsoft-365-dev-test-environment.md | - Title: "Federated identity for your Microsoft 365 test environment"-- NOCSH--- Previously updated : 05/26/2019---- MET150--- scotvorg-- Ent_O365-- Strat_O365_Enterprise--- TLG-- Ent_TLGs -description: "Summary: Configure federated authentication for your Microsoft 365 test environment." ---# Federated identity for your Microsoft 365 test environment --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --Microsoft 365 supports federated identity. This means that instead of performing the validation of credentials itself, Microsoft 365 refers the connecting user to a federated authentication server that Microsoft 365 trusts. If the user's credentials are correct, the federated authentication server issues a security token that the client then sends to Microsoft 365 as proof of authentication. Federated identity allows for the offloading and scaling up of authentication for a Microsoft 365 subscription and advanced authentication and security scenarios. - -This article describes how to configure federated authentication for your Microsoft 365 test environment, resulting in the following: --![The federated authentication for Microsoft 365 test environment.](../media/federated-identity-for-your-microsoft-365-dev-test-environment/federated-tlg-phase3.png) - -This configuration consists of: - -- A Microsoft 365 E5 trial or production subscription.- -- A simplified organization intranet connected to the internet, consisting of five virtual machines on a subnet of an Azure virtual network (DC1, APP1, CLIENT1, ADFS1, and PROXY1). Microsoft Entra Connect runs on APP1 to synchronize the list of accounts in the Active Directory Domain Services domain to Microsoft 365. 
PROXY1 receives the incoming authentication requests. ADFS1 validates credentials with DC1 and issues security tokens.- -Setting up this test environment involves five phases: -- [Phase 1: Configure password hash synchronization for your Microsoft 365 test environment](#phase-1-configure-password-hash-synchronization-for-your-microsoft-365-test-environment)-- [Phase 2: Create the AD FS server](#phase-2-create-the-ad-fs-server)-- [Phase 3: Create the web proxy server](#phase-3-create-the-web-proxy-server)-- [Phase 4: Create a self-signed certificate and configure ADFS1 and PROXY1](#phase-4-create-a-self-signed-certificate-and-configure-adfs1-and-proxy1)-- [Phase 5: Configure Microsoft 365 for federated identity](#phase-5-configure-microsoft-365-for-federated-identity)- -> [!NOTE] -> You can't configure this test environment with an Azure Trial subscription. - -## Phase 1: Configure password hash synchronization for your Microsoft 365 test environment --Follow the instructions in [password hash synchronization for Microsoft 365](password-hash-sync-m365-ent-test-environment.md). Your resulting configuration looks like this: - -![The simulated enterprise with password hash synchronization test environment.](../media/federated-identity-for-your-microsoft-365-dev-test-environment/federated-tlg-phase1.png) - -This configuration consists of: - -- A Microsoft 365 E5 trial or paid subscriptions.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. Microsoft Entra Connect runs on APP1 to synchronize the TESTLAB Active Directory Domain Services (AD DS) domain to the Microsoft Entra tenant of your Microsoft 365 subscriptions periodically.--## Phase 2: Create the AD FS server --An AD FS server provides federated authentication between Microsoft 365 and the accounts in the corp.contoso.com domain hosted on DC1. 
- -To create an Azure virtual machine for ADFS1, fill in the name of your subscription and the resource group and Azure location for your Base Configuration, and then run these commands at the Azure PowerShell command prompt on your local computer. - -```powershell -$subscrName="<your Azure subscription name>" -$rgName="<the resource group name of your Base Configuration>" -$vnetName="TlgBaseConfig-01-VNET" -# NOTE: If you built your simulated intranet with Azure PowerShell, comment the previous line with a "#" and remove the "#" from the next line. -#$vnetName="TestLab" -Connect-AzAccount -Select-AzSubscription -SubscriptionName $subscrName -$staticIP="10.0.0.100" -$locName=(Get-AzResourceGroup -Name $rgName).Location -$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -$pip = New-AzPublicIpAddress -Name ADFS1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic -$nic = New-AzNetworkInterface -Name ADFS1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName ADFS1 -VMSize Standard_D2_v2 -$cred=Get-Credential -Message "Type the name and password of the local administrator account for ADFS1." -$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName ADFS1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name "ADFS-OS" -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType "Standard_LRS" -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm -``` --Next, use the [Azure portal](https://portal.azure.com) to connect to the ADFS1 virtual machine using the ADFS1 local administrator account name and password, and then open a Windows PowerShell command prompt. 
- -To check name resolution and network communication between ADFS1 and DC1, run the **ping dc1.corp.contoso.com** command and check that there are four replies. - -Next, join the ADFS1 virtual machine to the CORP domain with these commands at the Windows PowerShell prompt on ADFS1. - -```powershell -$cred=Get-Credential -UserName "CORP\User1" -Message "Type the User1 account password." -Add-Computer -DomainName corp.contoso.com -Credential $cred -Restart-Computer -``` --Your resulting configuration looks like this: - -![The AD FS server added to the DirSync for Microsoft 365 test environment.](../media/federated-identity-for-your-microsoft-365-dev-test-environment/federated-tlg-phase2.png) - -## Phase 3: Create the web proxy server --PROXY1 provides proxying of authentication messages between users trying to authenticate and ADFS1. - -To create an Azure virtual machine for PROXY1, fill in the name of your resource group and Azure location, and then run these commands at the Azure PowerShell command prompt on your local computer. - -```powershell -$rgName="<the resource group name of your Base Configuration>" -$vnetName="TlgBaseConfig-01-VNET" -# NOTE: If you built your simulated intranet with Azure PowerShell, comment the previous line with a "#" and remove the "#" from the next line. -#$vnetName="TestLab" -$staticIP="10.0.0.101" -$locName=(Get-AzResourceGroup -Name $rgName).Location -$vnet=Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -$pip = New-AzPublicIpAddress -Name PROXY1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Static -$nic = New-AzNetworkInterface -Name PROXY1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -PrivateIpAddress $staticIP -$vm=New-AzVMConfig -VMName PROXY1 -VMSize Standard_D2_v2 -$cred=Get-Credential -Message "Type the name and password of the local administrator account for PROXY1." 
-$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName PROXY1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name "PROXY1-OS" -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType "Standard_LRS" -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm -``` --> [!NOTE] -> PROXY1 is assigned a static public IP address because you will create a public DNS record that points to it and it must not change when you restart the PROXY1 virtual machine. - -Next, add a rule to the network security group for the CorpNet subnet to allow unsolicited inbound traffic from the internet to PROXY1's private IP address and TCP port 443. Run these commands at the Azure PowerShell command prompt on your local computer. - -```powershell -$rgName="<the resource group name of your Base Configuration>" -Get-AzNetworkSecurityGroup -Name CorpNet -ResourceGroupName $rgName | Add-AzNetworkSecurityRuleConfig -Name "HTTPS-to-PROXY1" -Description "Allow TCP 443 to PROXY1" -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority 101 -SourceAddressPrefix "Internet" -SourcePortRange "*" -DestinationAddressPrefix "10.0.0.101" -DestinationPortRange "443" | Set-AzNetworkSecurityGroup -``` --Next, use the [Azure portal](https://portal.azure.com) to connect to the PROXY1 virtual machine using the PROXY1 local administrator account name and password, and then open a Windows PowerShell command prompt on PROXY1. - -To check name resolution and network communication between PROXY1 and DC1, run the **ping dc1.corp.contoso.com** command and check that there are four replies. - -Next, join the PROXY1 virtual machine to the CORP domain with these commands at the Windows PowerShell prompt on PROXY1. 
- -```powershell -$cred=Get-Credential -UserName "CORP\User1" -Message "Type the User1 account password." -Add-Computer -DomainName corp.contoso.com -Credential $cred -Restart-Computer -``` --Display the public IP address of PROXY1 with these Azure PowerShell commands on your local computer. - -```powershell -Write-Host (Get-AzPublicIpaddress -Name "PROXY1-PIP" -ResourceGroup $rgName).IPAddress -``` --Next, work with your public DNS provider and create a new public DNS A record for **fs.testlab.**\<*your DNS domain name*> that resolves to the IP address displayed by the **Write-Host** command. The **fs.testlab.**\<*your DNS domain name*> is hereafter referred to as the *federation service FQDN*. - -Next, use the [Azure portal](https://portal.azure.com) to connect to the DC1 virtual machine using the CORP\\User1 credentials, and then run the following commands at an administrator-level Windows PowerShell command prompt: - -```powershell -Add-DnsServerPrimaryZone -Name corp.contoso.com -ZoneFile corp.contoso.com.dns -Add-DnsServerResourceRecordA -Name "fs" -ZoneName corp.contoso.com -AllowUpdateAny -IPv4Address "10.0.0.100" -TimeToLive 01:00:00 -``` -These commands create an internal DNS A record so that virtual machines on the Azure virtual network can resolve the internal federation service FQDN to ADFS1's private IP address. - -Your resulting configuration looks like this: - -![The web application proxy server added to the DirSync for Microsoft 365 test environment.](../media/federated-identity-for-your-microsoft-365-dev-test-environment/federated-tlg-phase3.png) - -## Phase 4: Create a self-signed certificate and configure ADFS1 and PROXY1 --In this phase, you create a self-signed digital certificate for your federation service FQDN and configure ADFS1 and PROXY1 as an AD FS farm. 
- -First, use the [Azure portal](https://portal.azure.com) to connect to the DC1 virtual machine using the CORP\\User1 credentials, and then open an administrator-level Windows PowerShell command prompt. - -Next, create an AD FS service account with this command at the Windows PowerShell command prompt on DC1: - -```powershell -New-ADUser -SamAccountName ADFS-Service -AccountPassword (read-host "Set user password" -assecurestring) -name "ADFS-Service" -enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false -``` -Note that this command prompts you to supply the account password. Choose a strong password and record it in a secured location. You will need it for this phase and for Phase 5. - -Use the [Azure portal](https://portal.azure.com) to connect to the ADFS1 virtual machine using the CORP\\User1 credentials. Open an administrator-level Windows PowerShell command prompt on ADFS1, fill in your federation service FQDN, and then run these commands to create a self-signed certificate: - -```powershell -$fedServiceFQDN="<federation service FQDN>" -New-SelfSignedCertificate -DnsName $fedServiceFQDN -CertStoreLocation "cert:\LocalMachine\My" -New-Item -path c:\Certs -type directory -New-SmbShare -name Certs -path c:\Certs -changeaccess CORP\User1 -``` --Next, use these steps to save the new self-signed certificate as a file. - -1. Select **Start**, enter **mmc.exe**, and then press **Enter**. - -2. Select **File** > **Add/Remove Snap-in**. - -3. In **Add or Remove Snap-ins**, double-click **Certificates** in the list of available snap-ins, select **Computer account**, and then select **Next**. - -4. In **Select Computer**, select **Finish**, and then select **OK**. - -5. In the tree pane, open **Certificates (Local Computer) > Personal > Certificates**. - -6. Select and hold (or right-click) the certificate with your federation service FQDN, select **All tasks**, and then select **Export**. - -7. On the **Welcome** page, select **Next**. - -8. 
On the **Export Private Key** page, select **Yes**, and then select **Next**. - -9. On the **Export File Format** page, select **Export all extended properties**, and then select **Next**. - -10. On the **Security** page, select **Password** and enter a password in **Password** and **Confirm password.** - -11. On the **File to Export** page, select **Browse**. - -12. Browse to the **C:\\Certs** folder, enter **SSL** in **File name**, and then select **Save.** - -13. On the **File to Export** page, select **Next**. - -14. On the **Completing the Certificate Export Wizard** page, select **Finish**. When prompted, select **OK**. - -Next, install the AD FS service with this command at the Windows PowerShell command prompt on ADFS1: - -```powershell -Install-WindowsFeature ADFS-Federation -IncludeManagementTools -``` --Wait for the installation to complete. - -Next, configure the AD FS service with these steps: - -1. Select **Start**, and then select the **Server Manager** icon. - -2. In the tree pane of Server Manager, select **AD FS**. - -3. In the tool bar at the top, select the orange caution symbol, and then select **Configure the federation service on this server**. - -4. On the **Welcome** page of the Active Directory Federation Services Configuration Wizard, select **Next**. - -5. On the **Connect to AD DS** page, select **Next**. - -6. On the **Specify Service Properties** page: - - - For **SSL Certificate**, select the down arrow, and then select the certificate with the name of your federation service FQDN. - - - In **Federation Service Display Name**, enter the name of your fictional organization. - - - Select **Next**. - -7. On the **Specify Service Account** page, select **Select** for **Account name**. - -8. In **Select User or Service Account**, enter **ADFS-Service**, select **Check Names**, and then select **OK**. - -9. In **Account Password**, enter the password for the ADFS-Service account, and then select **Next**. - -10. 
On the **Specify Configuration Database** page, select **Next**. - -11. On the **Review Options** page, select **Next**. - -12. On the **Pre-requisite Checks** page, select **Configure**. --13. On the **Results** page, select **Close**. - -14. Select **Start**, select the power icon, select **Restart**, and then select **Continue**. - -From the [Azure portal](https://portal.azure.com), connect to PROXY1 with the CORP\\User1 account credentials. - -Next, use these steps to install the self-signed certificate on **both PROXY1 and APP1**. - -1. Select **Start**, enter **mmc.exe**, and then press **Enter**. - -2. Select **File > Add/Remove Snap-in**. - -3. In **Add or Remove Snap-ins**, double-click **Certificates** in the list of available snap-ins, select **Computer account**, and then select **Next**. - -4. In **Select Computer**, select **Finish**, and then select **OK**. - -5. In the tree pane, open **Certificates (Local Computer)** > **Personal** > **Certificates**. - -6. Select and hold (or right-click) **Personal**, select **All tasks**, and then select **Import**. - -7. On the **Welcome** page, select **Next**. - -8. On the **File to Import** page, enter **\\\\adfs1\\certs\\ssl.pfx**, and then select **Next**. - -9. On the **Private key protection** page, enter the certificate password in **Password**, and then select **Next.** - -10. On the **Certificate store** page, select **Next.** - -11. On the **Completing** page, select **Finish**. - -12. On the **Certificate Store** page, select **Next**. - -13. When prompted, select **OK**. - -14. In the tree pane, select **Certificates**. - -15. Select and hold (or right-click) the certificate, and then select **Copy**. - -16. In the tree pane, open **Trusted Root Certification Authorities** > **Certificates**. - -17. Move your mouse pointer below the list of installed certificates, select and hold (or right-click), and then select **Paste**. 
- -Open an administrator-level PowerShell command prompt and run the following command: - -```powershell -Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools -``` --Wait for the installation to complete. - -Use these steps to configure the web application proxy service to use ADFS1 as its federation server: - -1. Select **Start**, and then select **Server Manager**. - -2. In the tree pane, select **Remote Access**. - -3. In the tool bar at the top, select the orange caution symbol, and then select **Open the Web Application Proxy Wizard**. - -4. On the **Welcome** page of the Web Application Proxy Configuration Wizard, select **Next**. - -5. On the **Federation Server** page: - - - In the **Federation service name** box, enter your federation service FQDN. - - - In the **User name** box, enter **CORP\\User1**. - - - In the **Password** box, enter the password for the User1 account. - - - Select **Next**. - -6. On the **AD FS Proxy Certificate** page, select the down arrow, select the certificate with your federation service FQDN, and then select **Next**. - -7. On the **Confirmation** page, select **Configure**. - -8. On the **Results** page, select **Close**. - -## Phase 5: Configure Microsoft 365 for federated identity --Use the [Azure portal](https://portal.azure.com) to connect to the APP1 virtual machine with the CORP\\User1 account credentials. - -Use these steps to configure Microsoft Entra Connect and your Microsoft 365 subscription for federated authentication: - -1. From the desktop, double-click **Microsoft Entra Connect**. - -2. On the **Welcome to Microsoft Entra Connect** page, select **Configure**. - -3. On the **Additional tasks** page, select **Change user sign-in**, and then select **Next**. - -4. On the **Connect to Microsoft Entra ID** page, enter your global administrator account name and password, and then select **Next**. - -5. On the **User sign-in** page, select **Federation with AD FS**, and then select **Next**. - -6. 
On the **AD FS farm** page, select **Use an existing AD FS farm**, enter **ADFS1** in the **Server Name** box, and then select **Next**. - -7. When prompted for server credentials, enter the credentials of the CORP\\User1 account, and then select **OK**. - -8. On the **Domain Administrator** credentials page, enter **CORP\\User1** in the **Username** box, enter the account password in the **Password** box, and then select **Next**. - -9. On the **AD FS service account** page, enter **CORP\\ADFS-Service** in the **Domain Username** box, enter the account password in the **Domain User Password** box, and then select **Next**. - -10. On the **Microsoft Entra Domain** page, in **Domain**, select the name of the domain that you previously created and added to your subscription in Phase 1, and then select **Next**. - -11. On the **Ready to configure** page, select **Configure**. - -12. On the **Installation complete** page, select **Verify**. - - You should see messages indicating that both the intranet and internet configuration was verified. - -13. On the **Installation complete** page, select **Exit**. - -To demonstrate that federated authentication is working: - -1. Open a new private instance of your browser on your local computer and go to [https://admin.microsoft.com](https://admin.microsoft.com). - -2. For the sign-in credentials, enter **user1@**\<*the domain created in Phase 1*>. - - For example, if your test domain is **testlab.contoso.com**, you would enter "user1@testlab.contoso.com". Press the **Tab** key or allow Microsoft 365 to automatically redirect you. - - You should now see a **Your connection is not private** page. You are seeing this because you installed a self-signed certificate on ADFS1 that your desktop computer can't validate. In a production deployment of federated authentication, you would use a certificate from a trusted certification authority and your users would not see this page. - -3. 
On the **Your connection is not private** page, select **Advanced**, and then select **Proceed to \<*your federation service FQDN*>**. - -4. On the page with the name of your fictional organization, sign in with the following: - - - **CORP\\User1** for the name - - - The password for the User1 account - - You should see the **Microsoft Office Home** page. - -This procedure demonstrates that your trial subscription is federated with the AD DS corp.contoso.com domain hosted on DC1. Here are the basics of the authentication process: - -1. When you use the federated domain that you created in Phase 1 within the sign-in account name, Microsoft 365 redirects your browser to your federation service FQDN and PROXY1. - -2. PROXY1 sends your local computer the fictional company sign-in page. - -3. When you send CORP\\User1 and the password to PROXY1, it forwards them to ADFS1. - -4. ADFS1 validates CORP\\User1 and the password with DC1 and sends your local computer a security token. - -5. Your local computer sends the security token to Microsoft 365. - -6. Microsoft 365 validates that the security token was created by ADFS1 and allows access. - -Your trial subscription is now configured with federated authentication. You can use this dev/test environment for advanced authentication scenarios. - -## Next step --When you are ready to deploy production-ready, high availability federated authentication for Microsoft 365 in Azure, see [Deploy high availability federated authentication for Microsoft 365 in Azure](deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md). - |
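Review bot: in Phase 2, ADFS1 is created with its own public IP address (`New-AzPublicIpAddress -Name ADFS1-PIP ... -AllocationMethod Dynamic` attached through `-PublicIpAddressId $pip.Id`) but the text never says why, and the only inbound rule added later (Phase 3, "HTTPS-to-PROXY1") opens TCP 443 to 10.0.0.101 alone, so readers may conclude the federation server itself is meant to be internet-facing. If the address exists only so the Azure portal Connect step can reach ADFS1, say so next to the code block; otherwise drop the two public-IP lines for ADFS1 so only PROXY1 is exposed. Style point in the same block: the OS disk is named "ADFS-OS" while PROXY1's follows the "PROXY1-OS" pattern; "ADFS1-OS" would be consistent.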
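Review bot: in Phase 3, the DC1 commands create the record "fs" in zone corp.contoso.com, i.e. fs.corp.contoso.com, yet the federation service FQDN defined two paragraphs earlier is fs.testlab.<your DNS domain name>, and the sentence after the block claims the record lets virtual machines on the virtual network resolve "the internal federation service FQDN" to ADFS1's private IP address. The names do not match, so intranet VMs would still resolve the federation service FQDN through the public A record to PROXY1's public address. In addition, `Add-DnsServerPrimaryZone -Name corp.contoso.com` runs on DC1, which already serves that zone if ADFS1 and PROXY1 could resolve dc1.corp.contoso.com and join the domain through it, so the command would fail with an existing-zone error. Suggest creating a zone that matches the federation service FQDN instead, for example `Add-DnsServerPrimaryZone -Name "testlab.<your DNS domain name>" -ZoneFile ...` followed by `Add-DnsServerResourceRecordA -Name "fs" -ZoneName "testlab.<your DNS domain name>" -IPv4Address "10.0.0.100"`, and removing the corp.contoso.com zone creation.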
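Review bot: in Phase 4, the AD FS service account is created with `New-ADUser -SamAccountName ADFS-Service ... -PasswordNeverExpires $true`, and its password is then typed into the AD FS Configuration Wizard (step 9) and into Microsoft Entra Connect (Phase 5, step 9). The text only says to "record it in a secured location"; since the guide already points out elsewhere that a production deployment would use a CA-issued certificate instead of the self-signed one, add a parallel sentence here stating that a non-expiring standard user account is a lab shortcut and that a production farm should use a group Managed Service Account, so readers do not carry the pattern into production.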
enterprise | Hybrid Modern Auth Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/hybrid-modern-auth-overview.md | Verify and check these items off your list before you continue: - If you use AD FS, you should have Windows 2012 R2 AD FS 3.0 and above for federation. - Your identity configurations are any of the types supported by Microsoft Entra Connect, such as password hash sync, pass-through authentication, and on-premises STS supported by Office 365. - You have Microsoft Entra Connect configured and functioning for user replication and sync.+ > [!NOTE] + > Any user accounts that are not synchronized to Microsoft Entra Identity won't be provided an authorization token via Hybrid Modern Authentication. Once the on-premises application is configured to use evoSTS as the default authorization endpoint, these user accounts that aren't synchronized will encounter issues with their access to the application if appropriate configuration isn't available. - You have verified that hybrid is configured using Exchange Classic Hybrid Topology mode between your on-premises and Office 365 environment. Official support statement for Exchange hybrid says you must have either current CU or current CU - 1. > [!NOTE] > Hybrid modern authentication is not supported with the [Hybrid Agent](/exchange/hybrid-deployment/hybrid-agent). |
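Review bot: in the added NOTE, "Microsoft Entra Identity" is not the product name; the adjacent checklist items say "Microsoft Entra Connect" and the directory is "Microsoft Entra ID", so the note should use that. The second sentence also leaves "if appropriate configuration isn't available" undefined, so the reader cannot tell what to do to avoid the access failure; state what the configuration is (for example, that those accounts must be synchronized before the switch, or whatever fallback is intended). "evoSTS" is not defined anywhere in the visible text and should be spelled out on first use.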
enterprise | Identity Device Access M365 Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/identity-device-access-m365-test-environment.md | - Title: "Identity and device access for your Microsoft 365 test environment"--- NOCSH-- Previously updated : 04/23/2019----- scotvorg-- M365-subscription-management-- Strat_O365_Enterprise- -description: Create a Microsoft 365 environment to test identity and device access. ---# Identity and device access for your Microsoft 365 test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --[Identity and device access configurations](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md) are a set of recommended configurations and conditional access policies to protect access to all services that are integrated with Microsoft Entra ID. --To create a test environment that has the common identity and device access configurations in place: --1. Configure your test environment with the prerequisite identity and security features based on your choice of identity model and authentication method: -- - [Cloud only](cloud-only-prereqs-m365-test-environment.md) - - [Password hash synchronization (PHS)](phs-prereqs-m365-test-environment.md) - - [Pass-through authentication (PTA)](pta-prereqs-m365-test-environment.md) --2. Use [Common identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-common.md) to configure the policies that build on the prerequisites configured for your test environment and explore and verify protection for identities and devices. 
--## See also --[Additional identity Test Lab Guides](m365-enterprise-test-lab-guides.md#identity) --[Deploy identity](deploy-identity-solution-overview.md) --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Increased O365 Security Microsoft 365 Enterprise Dev Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/increased-o365-security-microsoft-365-enterprise-dev-test-environment.md | - Title: "Increased Microsoft 365 security for your Microsoft 365 for enterprise test environment"-- NOCSH--- Previously updated : 12/09/2019----- scotvorg-- M365-security-compliance--- Ent_TLGs-- admindeeplinkMAC-- admindeeplinkDEFENDER-- admindeeplinkSPO -description: Use this Test Lab Guide to enable additional Microsoft 365 security settings your Microsoft 365 for enterprise test environment. ---# Increased Microsoft 365 security for your Microsoft 365 for enterprise test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --With the instructions in this article, you configure additional Microsoft 365 settings to increase security in your Microsoft 365 for enterprise test environment. --![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) --> [!TIP] -> Click [here](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf) for a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack. --## Phase 1: Build out your Microsoft 365 for enterprise test environment --If you just want to configure increased Microsoft 365 security in a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). --If you want to configure increased Microsoft 365 security in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). 
> [!NOTE]
> Testing increased Microsoft 365 security does not require the simulated enterprise test environment, which includes a simulated intranet connected to the Internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It is provided here as an option so that you can test automated licensing and group membership and experiment with it in an environment that represents a typical organization.

## Phase 2: Configure increased Microsoft 365 security

In this phase, you enable increased Microsoft 365 security for your Microsoft 365 for enterprise test environment. For additional details and settings, see [Configure your tenant for increased security](/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security).

### Configure SharePoint Online to block apps that don't support modern authentication

Apps that do not support modern authentication cannot have [identity and device access configurations](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md) applied to them, and those configurations are an important element of securing your Microsoft 365 subscription and its digital assets.

1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> and sign in to your Microsoft 365 test lab subscription with your global administrator account.

   - If you are using the lightweight Microsoft 365 test environment, sign in from your local computer.

   - If you are using the simulated enterprise Microsoft 365 test environment, use the [Azure portal](https://portal.azure.com) to connect to the CLIENT1 virtual machine, and then sign in from CLIENT1.

2. On the new **Microsoft 365 admin center** tab, under **Admin centers** in the left navigation pane, click **SharePoint**.
3. On the new **SharePoint admin center** tab, select **Policies** > <a href="https://go.microsoft.com/fwlink/?linkid=2185071" target="_blank">**Access control**</a>.
4. Select **Apps that don't support modern authentication**, select **Block access**, and then select **Save**.

### Enable Defender for Office 365 for SharePoint, OneDrive for Business, and Microsoft Teams

Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files.

1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Security & Compliance Center</a> and sign in with your global administrator account.

2. In the left navigation pane, under **Threat management**, click **Policy**, and then click **Safe Attachments**.

3. Under **Protect files in SharePoint, OneDrive, and Microsoft Teams**, select **Turn on ATP for SharePoint, OneDrive, and Microsoft Teams**.

4. Click **Save**.

### Enable anti-malware

Malware includes viruses and spyware. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware is malware that gathers your personal information, such as sign-in information and personal data, and sends it back to the malware author.

Microsoft 365 has built-in malware and spam filtering capabilities that help protect inbound and outbound messages from malicious software and help protect you from spam. For more information, see [Anti-spam protection in EOP](../security/office-365-security/anti-spam-protection-about.md) and [Anti-malware protection in EOP](../security/office-365-security/anti-malware-protection-about.md).

To ensure that anti-malware processing is performed on files with common attachment file types:

1. Click the back button on your browser to return to the **Policy** page.
2. Click **Anti-malware**.
3. Double-click the policy named **Default**.
4. In the **Anti-malware policy** window, click **Settings**.
5. Under **Common Attachment Types filter**, select **On**, and then click **Save**.

## Phase 3: Examine the security dashboard

Threat management in Microsoft 365 can help you control and manage mobile device access to your organization's data, help protect your organization from data loss, and help protect inbound and outbound messages from malicious software and spam. You also use threat management to protect your domain's reputation and to determine whether senders are maliciously spoofing accounts from your domain.

To see the security dashboard:

1. If needed, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Security & Compliance Center</a> and sign in with your global administrator account.

2. In the left navigation pane, under **Threat management**, click **Dashboard**.

Take a close look at all the cards on the dashboard to familiarize yourself with the information provided.

For more information, see [Security Dashboard](/microsoft-365/security/defender/microsoft-365-defender-portal).

## Phase 4: Examine Microsoft Secure Score

Microsoft Secure Score shows your security posture as a number, which indicates your current level relative to the features that are available in your subscription. It also gives you a list of improvement actions you can take to raise your score.

1. Create a new tab in your browser, go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a>, and then click **Secure score**.
2. On the **Overview** tab, note your current Secure Score and how it compares with the global average and with subscriptions that have a similar number of licenses.
3. On the **Improvement actions** tab, read through the list of actions you can take to increase your score.

For more information, see [Microsoft Secure Score](../security/defender/microsoft-secure-score.md).
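The three Phase 2 settings above are configured by clicking through different portals, so it is easy to miss one. The following PowerShell script is an added example, not part of this Test Lab Guide: it reads each setting, compares it with the hardened value, and with `-Remediate` applies any that are missing. It assumes the SharePoint Online Management Shell (`Microsoft.Online.SharePoint.PowerShell`) and Exchange Online (`ExchangeOnlineManagement`) modules are installed, that you sign in with the global administrator account, and that `-OrgName` is the organization name from your `<organization>.onmicrosoft.com` tenant.

```powershell
# Added verification script (not part of the Test Lab Guide). Reports whether the
# three Phase 2 hardening settings are in effect and, with -Remediate, sets them.
# Assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement
# modules are installed and that you sign in with the global administrator account.
param(
    [Parameter(Mandatory=$true)]
    [string]$OrgName,      # e.g. contosotoycompany (the <organization> in <organization>.onmicrosoft.com)
    [switch]$Remediate
)

Connect-SPOService -Url "https://$OrgName-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false

# Current and expected (hardened) state for each setting, in the order the guide configures them.
$findings = @()

# 1. SharePoint Online: block apps that don't support modern authentication.
$spo = Get-SPOTenant
$findings += [pscustomobject]@{
    Setting  = 'SPO LegacyAuthProtocolsEnabled'
    Current  = $spo.LegacyAuthProtocolsEnabled
    Expected = $false
}

# 2. Defender for Office 365: Safe Attachments for SharePoint, OneDrive, and Teams.
$atp = Get-AtpPolicyForO365
$findings += [pscustomobject]@{
    Setting  = 'ATP EnableATPForSPOTeamsODB'
    Current  = $atp.EnableATPForSPOTeamsODB
    Expected = $true
}

# 3. Anti-malware: common attachment types filter on the Default policy.
$mfp = Get-MalwareFilterPolicy -Identity Default
$findings += [pscustomobject]@{
    Setting  = 'Anti-malware Default EnableFileFilter'
    Current  = $mfp.EnableFileFilter
    Expected = $true
}

$findings | Format-Table -AutoSize
$drift = @($findings | Where-Object { $_.Current -ne $_.Expected })

if ($drift.Count -eq 0) {
    Write-Host 'All three Phase 2 settings are in the hardened state.'
}
elseif ($Remediate) {
    foreach ($f in $drift) {
        switch -Wildcard ($f.Setting) {
            'SPO*'          { Set-SPOTenant -LegacyAuthProtocolsEnabled $false }
            'ATP*'          { Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true }
            'Anti-malware*' { Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true }
        }
        Write-Host "Remediated: $($f.Setting)"
    }
}
else {
    Write-Warning "$($drift.Count) setting(s) differ from the hardened state; rerun with -Remediate to fix them."
    $drift | ForEach-Object { Write-Warning " - $($_.Setting): $($_.Current) (expected $($_.Expected))" }
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-SPOService
```

Run it once after completing Phase 2 to confirm the portal changes took effect, and again later to detect drift in the tenant.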
## Next steps

Explore additional [information protection](m365-enterprise-test-lab-guides.md#information-protection) features and capabilities in your test environment.

## See also

[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md)

[Microsoft 365 for enterprise overview](microsoft-365-overview.md)

[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/)
enterprise | Lightweight Base Configuration Microsoft 365 Enterprise | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/lightweight-base-configuration-microsoft-365-enterprise.md |

Title: "Lightweight base configuration"
Previously updated: 05/17/2022
description: Use this Test Lab Guide to create a lightweight test environment for testing Microsoft 365 for enterprise.

# The lightweight base configuration

*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.*

This article describes how to create a simplified environment with a Microsoft 365 E5 subscription and a computer running Windows 10 Enterprise.

![The lightweight Microsoft 365 Enterprise test environment.](../media/lightweight-base-configuration-microsoft-365-enterprise/Phase4.png)

Creating a lightweight test environment involves five phases:

- [Phase 1: Create your Microsoft 365 E5 subscription](#phase-1-create-your-microsoft-365-e5-subscription)
- [Phase 2: Configure your Office 365 trial subscription](#phase-2-configure-your-office-365-trial-subscription)
- [Phase 3: Add a Microsoft 365 E5 trial subscription](#phase-3-add-a-microsoft-365-e5-trial-subscription)
- [Phase 4: Create a Windows 10 Enterprise computer](#phase-4-create-a-windows-10-enterprise-computer)
- [Phase 5: Join your Windows 10 computer to Microsoft Entra ID](#phase-5-join-your-windows-10-computer-to-azure-ad)

Use the resulting environment to test the features and functionality of [Microsoft 365 for enterprise](https://www.microsoft.com/microsoft-365/enterprise).

![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png)

> [!TIP]
> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, see [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf).

> [!NOTE]
> You might want to print this article to record the specific information that you will need for this environment over the 30 days of the Office 365 trial subscription. You can easily extend the trial subscription for another 30 days. For a permanent test environment, create a new paid subscription with a separate Microsoft Entra tenant and a small number of licenses.

## Phase 1: Create your Microsoft 365 E5 subscription

We start with an Office 365 E5 trial subscription and then add the Microsoft 365 E5 subscription to it.

> [!NOTE]
> We recommend that you create a trial subscription of Office 365 so that your test environment has a separate Microsoft Entra tenant from any paid subscriptions you currently have. This separation means that you can add and remove users and groups in the test tenant without affecting your production subscriptions.

To start your Microsoft 365 E5 trial subscription, you first need a fictitious company name and a new Microsoft account.

1. We recommend, but don't require, that you use a variant of Contoso, the fictitious company used in Microsoft sample content, as your company name. Record your fictitious company name here: ![Line.](../media/Common-Images/TableLine.png)

2. To sign up for a new Microsoft account, go to [https://outlook.com](https://outlook.com) and create an account with a new email account and address. You will use this account to sign up for Office 365.

   - Record the first and last name of your new account here: ![Line.](../media/Common-Images/TableLine.png)

   - Record the new email account address here: ![Line.](../media/Common-Images/TableLine.png)@outlook.com

### Sign up for an Office 365 E5 trial subscription

1. In your browser, go to the [Office 365 E5 purchase page](https://go.microsoft.com/fwlink/p/?linkid=2245837) and select **Free trial**.

2. In step 1 of the **Thank you for choosing Office 365 E5** page, enter your new email account address.
3. In step 2 of the trial subscription process, enter the requested information, and then perform the verification.
4. In step 3, enter an organization name and then an account name that will be the global admin for the subscription.
5. For step 4, record the sign-in page here (select and copy): ![Line.](../media/Common-Images/TableLine.png)
6. Record the user ID here: ![Line.](../media/Common-Images/TableLine.png).onmicrosoft.com

   Record the password that you entered in a secure location.

   This value will be referred to as the **global administrator name**.
7. Select **Go to Setup**.
8. In Office 365 E5 Setup, select **Continue using *your organization*.onmicrosoft.com for email and signing in**, and then select **Exit and continue later**.

You should see the Microsoft 365 admin center.

## Phase 2: Configure your Office 365 trial subscription

In this phase, you configure your subscription with additional users and assign them Office 365 E5 licenses.

To connect to your subscription with the Azure Active Directory PowerShell for Graph module from your computer, use the instructions in [Connect to Microsoft 365 with PowerShell](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).

In the **Windows PowerShell Credential Request** dialog box, enter the global administrator name (for example, *jdoe@contosotoycompany.onmicrosoft.com*) and password.
Fill in your organization name (for example, *contosotoycompany*), the two-character country code for your location, and a common account password, and then run the following commands from the PowerShell prompt:

```powershell
$orgName="<organization name>"
$loc="<two-character country code, such as US>"
$commonPW="<common user account password>"

# Every test account gets the same initial password (see the note that follows).
$PasswordProfile=New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password=$commonPW

# Look up the Office 365 E5 SKU (part number ENTERPRISEPREMIUM) and build the license assignment.
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuId
$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$LicensesToAssign.AddLicenses = $License

# Create User 2 through User 5 and license each one. UsageLocation must be set before a license can be assigned.
for($i=2;$i -le 5; $i++) {
    $userUPN= "user$($i)@$($orgName).onmicrosoft.com"
    $user = New-AzureADUser -DisplayName "User $($i)" -GivenName User -SurName $i -UserPrincipalName $userUPN -UsageLocation $loc -AccountEnabled $true -PasswordProfile $PasswordProfile -MailNickName "user$($i)"
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $LicensesToAssign
}
```

> [!NOTE]
> The use of a common password here is for automation and ease of configuration for a test environment. Obviously, this is highly discouraged for production subscriptions.

### Record key information for future reference

If you haven't already recorded these values, record them now:

- Global administrator name: ![Line.](../media/Common-Images/TableLine.png).onmicrosoft.com (from step 6 of Phase 1)

  Also record the password for this account in a secure location.
- Your trial subscription organization name: ![Line.](../media/Common-Images/TableLine.png) (from step 4 of Phase 1)

- To list the accounts for User 2, User 3, User 4, and User 5, run the following command from the Windows Azure Active Directory module for Windows PowerShell prompt:

  ```powershell
  Get-AzureADUser | Sort UserPrincipalName | Select UserPrincipalName
  ```

  Record the account names here:

  - User 2 account name: user2@![Line.](../media/Common-Images/TableLine.png).onmicrosoft.com

  - User 3 account name: user3@![Line.](../media/Common-Images/TableLine.png).onmicrosoft.com

  - User 4 account name: user4@![Line.](../media/Common-Images/TableLine.png).onmicrosoft.com

  - User 5 account name: user5@![Line.](../media/Common-Images/TableLine.png).onmicrosoft.com

  Also record the common password for these accounts in a secure location.

### Using an Office 365 test environment

If you need only an Office 365 test environment, you do not need to read the rest of this article.

For additional Test Lab Guides that apply to both Office 365 and Microsoft 365, see [Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md).

## Phase 3: Add a Microsoft 365 E5 trial subscription

In this phase, you sign up for the Microsoft 365 E5 trial subscription and add it to the same organization as your Office 365 E5 trial subscription.

First, add the Microsoft 365 E5 trial subscription and assign the new Microsoft 365 license to your global administrator account.

1. In a private browser window, use your global administrator account credentials to sign in to the Microsoft 365 admin center at [https://admin.microsoft.com](https://admin.microsoft.com).

2. On the **Microsoft 365 admin center** page, in the left navigation, select **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=868433" target="_blank">**Purchase services**</a>.

3. On the **Purchase services** page, select **Microsoft 365 E5**, and then select **Get free trial**.

4. On the **Microsoft 365 E5 Trial** page, choose to receive a text message or a phone call, enter your phone number, and then select **Text me** or **Call me**. Perform the verification.

5. On the **Confirm your order** page, select **Try now**.

6. On the **Order receipt** page, select **Continue**.

7. In the Microsoft 365 admin center, select **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">**Active users**</a>.

8. In **Active users**, select your administrator account.

9. Select **Licenses and apps**.

10. Disable the license for Office 365 Enterprise E5 and enable the license for Microsoft 365 E5.

11. Select **Save changes**, and then close the user account information pane.

Next, repeat steps 8 through 11 of the previous procedure for all of your other accounts (User 2, User 3, User 4, and User 5).

> [!NOTE]
> The length of the Microsoft 365 E5 trial subscription is 30 days. For a permanent test environment, convert this trial subscription into a paid subscription with a small number of licenses.

Your test environment now has:

- A Microsoft 365 E5 trial subscription.
- All of your applicable user accounts (either just the global administrator or all five user accounts) enabled to use Microsoft 365 E5.

Your resulting configuration, which adds Microsoft 365 E5, looks like this:

![Phase 3 of the Microsoft 365 Enterprise test environment.](../media/lightweight-base-configuration-microsoft-365-enterprise/Phase2.png)

## Phase 4: Create a Windows 10 Enterprise computer

In this phase, you create a standalone computer running Windows 10 Enterprise as a physical computer, a virtual machine, or an Azure virtual machine.

### Physical computer

On a personal computer, install Windows 10 Enterprise.
You can download the Windows 10 Enterprise trial [here](https://www.microsoft.com/software-download/windows10).

### Virtual machine

Use the hypervisor of your choice to create a virtual machine, and then install Windows 10 Enterprise on it. You can download the Windows 10 Enterprise trial [here](https://www.microsoft.com/software-download/windows10).

### Virtual machine in Azure

To create a Windows 10 virtual machine in Microsoft Azure, ***you must have a Visual Studio-based subscription***, which has access to the image for Windows 10 Enterprise. Other types of Azure subscriptions, such as trial and paid subscriptions, do not have access to this image. For the latest information, see [Use Windows client in Azure for dev/test scenarios](/azure/virtual-machines/windows/client-images).

> [!NOTE]
> The following command sets use the latest version of Azure PowerShell. See [Get started with Azure PowerShell cmdlets](/powershell/azureps-cmdlets-docs/). These command sets build a Windows 10 Enterprise virtual machine named WIN10 and all of its required infrastructure, including a resource group, a storage account, and a virtual network. If you are already familiar with Azure infrastructure services, adapt these instructions to suit your currently deployed infrastructure.

First, start a Microsoft PowerShell prompt.

Sign in to your Azure account with this command.

```powershell
Connect-AzAccount
```

Get your subscription name using this command.

```powershell
Get-AzSubscription | Sort Name | Select Name
```

Set your Azure subscription. Replace everything within the quotation marks, including the \< and > characters, with the correct name.

```powershell
$subscr="<subscription name>"
Get-AzSubscription -SubscriptionName $subscr | Select-AzSubscription
```

Next, create a new resource group. To determine a unique resource group name, use this command to list your existing resource groups.

```powershell
Get-AzResourceGroup | Sort ResourceGroupName | Select ResourceGroupName
```

Create your new resource group with these commands. Replace everything within the quotation marks, including the \< and > characters, with the correct names.

```powershell
$rgName="<resource group name>"
$locName="<location name, such as West US>"
New-AzResourceGroup -Name $rgName -Location $locName
```

Next, create a new virtual network and the WIN10 virtual machine with these commands. When prompted, provide the name and password of the local administrator account for WIN10 and store these in a secure location.

```powershell
# Virtual network with a single Corpnet subnet.
$corpnetSubnet=New-AzVirtualNetworkSubnetConfig -Name Corpnet -AddressPrefix 10.0.0.0/24
New-AzVirtualNetwork -Name "M365Ent-TestLab" -ResourceGroupName $rgName -Location $locName -AddressPrefix 10.0.0.0/8 -Subnet $corpnetSubnet

# Network security group that allows inbound RDP (TCP 3389) to the subnet.
# SourceAddressPrefix Internet admits RDP from any public address; narrowing it to
# your own public IP address reduces the exposure of the lab VM.
$rule1=New-AzNetworkSecurityRuleConfig -Name "RDPTraffic" -Description "Allow RDP to all VMs on the subnet" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
New-AzNetworkSecurityGroup -Name Corpnet -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1
$vnet=Get-AzVirtualNetwork -ResourceGroupName $rgName -Name "M365Ent-TestLab"
$nsg=Get-AzNetworkSecurityGroup -Name Corpnet -ResourceGroupName $rgName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name Corpnet -AddressPrefix "10.0.0.0/24" -NetworkSecurityGroup $nsg
$vnet | Set-AzVirtualNetwork

# Public IP address and network interface for WIN10.
$pip=New-AzPublicIpAddress -Name WIN10-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$nic=New-AzNetworkInterface -Name WIN10-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id

# Virtual machine configuration: size, local administrator credentials, Windows 10 image, NIC, and OS disk.
$vm=New-AzVMConfig -VMName WIN10 -VMSize Standard_A2_V2
$cred=Get-Credential -Message "Type the name and password of the local administrator account for WIN10."
$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName WIN10 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsDesktop -Offer Windows-10 -Skus RS3-Pro -Version "latest"
$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm=Set-AzVMOSDisk -VM $vm -Name WIN10-TestLab-OSDisk -DiskSizeInGB 128 -CreateOption FromImage
New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm
```

<a name='phase-5-join-your-windows-10-computer-to-azure-ad'></a>

## Phase 5: Join your Windows 10 computer to Microsoft Entra ID

After the physical or virtual machine with Windows 10 Enterprise is created, sign in with a local administrator account.

> [!NOTE]
> For a virtual machine in Azure, use [these instructions](/azure/virtual-machines/windows/connect-logon) to connect to it.

Next, join the WIN10 computer to the Microsoft Entra tenant of your Microsoft 365 E5 subscription.

1. On the desktop of the WIN10 computer, select **Start > Settings > Accounts > Access work or school > Connect**.

2. In the **Set up a work or school account** dialog box, select **Join this device to Microsoft Entra ID**.

3. In **Work or school account**, enter the global administrator account name of your Microsoft 365 E5 subscription, and then select **Next**.

4. In **Enter password**, enter the password for your global administrator account, and then select **Sign in**.

5. When prompted to make sure that this is your organization, select **Join**, and then select **Done**.

6. Close the settings window.

Next, install Microsoft 365 Apps for enterprise on the WIN10 computer:

1. Open the Microsoft Edge browser and sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) with your global administrator account credentials.

2. On the **Microsoft Office Home** tab, select **Install Office**.

3. When prompted with what to do, select **Run**, and then select **Yes** for **User Account Control**.
4. Wait for Office to complete its installation. When you see **You're all set!**, select **Close** twice.

Your resulting environment looks like this:

![Phase 5 of the Microsoft 365 Enterprise test environment.](../media/lightweight-base-configuration-microsoft-365-enterprise/Phase4.png)

This includes the WIN10 computer, which:

- Has joined the Microsoft Entra tenant of your Microsoft 365 E5 subscription.
- Is enrolled as a Microsoft Entra device in Microsoft Intune (EMS).
- Has Microsoft 365 Apps for enterprise installed.

You are now ready to experiment with additional features of [Microsoft 365 for enterprise](https://www.microsoft.com/microsoft-365/enterprise).

## Next steps

Explore these additional sets of Test Lab Guides:

- [Identity](m365-enterprise-test-lab-guides.md#identity)
- [Mobile device management](m365-enterprise-test-lab-guides.md#mobile-device-management)
- [Information protection](m365-enterprise-test-lab-guides.md#information-protection)

## See also

[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md)

[Microsoft 365 for enterprise overview](microsoft-365-overview.md)

[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/)
enterprise | M365 Enterprise Test Lab Guides | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-enterprise-test-lab-guides.md |

Title: "Microsoft 365 for enterprise Test Lab Guides"
Previously updated: 11/20/2019
description: Use these Test Lab Guides to set up demonstration, proof of concept, or dev/test environments for Microsoft 365 for enterprise.

# Microsoft 365 for enterprise Test Lab Guides

*This applies to both Microsoft 365 for enterprise and Office 365 Enterprise.*

Test Lab Guides (TLGs) help you quickly learn about Microsoft products. They provide prescriptive instructions to configure simplified but representative test environments. You can use these environments for demonstration, customization, or creation of complex proofs of concept for the duration of a trial or paid subscription.

TLGs are designed to be modular. They build upon each other to create multiple configurations that more closely match your learning or test configuration needs. The "I built it out myself and it works" hands-on experience helps you understand the deployment requirements of a new product or scenario, so that you can better plan for hosting it in production.

You can also use TLGs to create representative environments to develop and test applications, also known as dev/test environments.

![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png)

For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, expand the following graphic or go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf).

[![The Microsoft 365 for enterprise Test Lab Guide stack.](../media/m365-enterprise-test-lab-guides/microsoft-365-enterprise-tlg-stack.png)](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf)

## Base configuration

First, create a test environment for [Microsoft 365 for enterprise](/microsoft-365-enterprise/). You can create two different types of base configurations:

- [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md) - Use this when you want to configure and demonstrate Microsoft 365 for enterprise features and capabilities in a cloud-only environment, which does not include any on-premises components.

- [Simulated enterprise base configuration](simulated-ent-base-configuration-microsoft-365-enterprise.md) - Use this when you want to configure and demonstrate Microsoft 365 for enterprise features and capabilities in a hybrid cloud environment, which uses on-premises components such as an Active Directory Domain Services (AD DS) domain.

You can also create test environments for Office 365 E5 by not adding the Microsoft 365 E5 license to your trial or production test environment.

## Identity

To demonstrate identity-related features and capabilities, see:

- [Password hash synchronization](password-hash-sync-m365-ent-test-environment.md)

  Enable and test password hash-based directory synchronization from an AD DS domain controller.

- [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md)

  Enable and test pass-through authentication to an AD DS domain controller.

- [Federated authentication](federated-identity-for-your-microsoft-365-dev-test-environment.md)

  Enable and test federated authentication to an AD DS domain controller.

- [Microsoft Entra seamless single sign-on](single-sign-on-m365-ent-test-environment.md)

  Enable and test Microsoft Entra seamless single sign-on (Seamless SSO) with an AD DS domain controller.

- [Multi-factor authentication](multi-factor-authentication-microsoft-365-test-environment.md)

  Enable and test smart phone-based multi-factor authentication for a specific user account.

- [Protect global administrator accounts](protect-global-administrator-accounts-microsoft-365-test-environment.md)

  Lock down your global administrator accounts with conditional access policies.

- [Password writeback](password-writeback-m365-ent-test-environment.md)

  Use password writeback to change the password on your AD DS user account from Microsoft Entra ID.

- [Password reset](password-reset-m365-ent-test-environment.md)

  Use self-service password reset to reset your password.

- [Automatic licensing and group membership](automate-licenses-group-membership-microsoft-365-test-environment.md)

  Make administering new accounts easier than ever with automatic licensing and dynamic group membership.

- [Microsoft Entra ID Protection](azure-ad-identity-protection-microsoft-365-test-environment.md)

  Scan your current user accounts for vulnerabilities.

- [Identity and device access](identity-device-access-m365-test-environment.md)

  Create an environment to test recommended identity and device access configurations and conditional access policies.

## Mobile device management

To demonstrate mobile device management-related features and capabilities, see:

- [Device compliance policies](mam-policies-for-your-microsoft-365-enterprise-dev-test-environment.md)

  Create a user group and a device compliance policy for Windows 10 devices.

- [Enroll iOS and Android devices](enroll-ios-and-android-devices-in-your-microsoft-enterprise-365-dev-test-environ.md)

  Enroll iOS or Android devices and manage them remotely.

## Information protection

To demonstrate information protection-related features and capabilities, see:

- [Increased Microsoft 365 security](increased-o365-security-microsoft-365-enterprise-dev-test-environment.md)

  Configure settings for increased Microsoft 365 security and investigate built-in security tools.

- [Data classification](data-classification-microsoft-365-enterprise-dev-test-environment.md)

  Configure and apply labels to a document in a SharePoint Online team site.

- [Privileged access management](privileged-access-microsoft-365-enterprise-dev-test-environment.md)

  Configure privileged access management for just-in-time access to elevated and privileged tasks in your organization.
enterprise | Mam Policies For Your Microsoft 365 Enterprise Dev Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/mam-policies-for-your-microsoft-365-enterprise-dev-test-environment.md |

Title: "Device compliance policies for your Microsoft 365 for enterprise test environment"
Previously updated: 11/19/2020
description: Use this Test Lab Guide to add Intune device compliance policies to your Microsoft 365 for enterprise test environment.

# Device compliance policies for your Microsoft 365 for enterprise test environment

*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.*

This article describes how to add an Intune device compliance policy for Windows 10 devices and Microsoft 365 Apps for enterprise to your Microsoft 365 for enterprise test environment.

Adding an Intune device compliance policy involves two phases:

- [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment)
- [Phase 2: Create a device compliance policy for Windows 10 devices](#phase-2-create-a-device-compliance-policy-for-windows-10-devices)

![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png)

> [!TIP]
> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf).

## Phase 1: Build out your Microsoft 365 for enterprise test environment

If you want to configure MAM policies in only a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md).

If you want to configure MAM policies in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md).

> [!NOTE]
> Testing automated licensing and group membership doesn't require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It's provided here as an option so that you can test automated licensing and group membership and experiment with it in an environment that represents a typical organization.

## Phase 2: Create a device compliance policy for Windows 10 devices

In this phase, you create a device compliance policy for Windows 10 devices. This phase uses Microsoft Intune and the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to add a group and create a compliance policy.

1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), sign in to your Microsoft 365 test lab subscription with your global administrator account, and select the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank">Intune admin center</a>.

   If a message similar to **You haven't enabled device management yet** is shown, select Intune as the MDM authority. For the specific steps, see [Set the mobile device management authority](/mem/intune/fundamentals/mdm-authority-set).

   The Intune admin center focuses on device management and app management. For a tour of this admin center, see [Tutorial: Walkthrough the Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager).

2. In **Groups**, add a new **Microsoft 365** or **Security** group named **Managed Windows 10 device users**, with an **Assigned** membership type. In the next steps, you'll assign your compliance policy to this group.

   For the specific steps, and for information on **Microsoft 365** or **Security** groups, see [Add groups to organize users and devices](/mem/intune/fundamentals/groups-add).

3. In **Devices**, create a Windows 10 compliance policy. Assign this policy to the **Managed Windows 10 device users** group you created.

   In your policy, you can block simple passwords, require a firewall, require the Microsoft Defender Antimalware service to be running, and more. A compliance policy typically includes the base settings, or bare minimum, that every device should have.

   For the specific steps, and for information on the available compliance settings you can configure, see [Use compliance policies to set rules for devices you manage](/mem/intune/protect/device-compliance-get-started).

When finished, you have a device compliance policy for testing members in the **Managed Windows 10 device users** group.

## Next step

Explore additional [mobile device management](m365-enterprise-test-lab-guides.md#mobile-device-management) features and capabilities in your test environment.

## See also

[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md)

[Enroll iOS and Android devices in your Microsoft 365 for enterprise test environment](enroll-ios-and-android-devices-in-your-microsoft-enterprise-365-dev-test-environ.md)

[Microsoft 365 for enterprise overview](microsoft-365-overview.md)

[Enterprise Mobility + Security (EMS)](https://www.microsoft.com/cloud-platform/enterprise-mobility-security)
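The compliance policy that step 3 of Phase 2 describes (block simple passwords, require a firewall, require Microsoft Defender Antimalware to be running), expressed as a Microsoft Graph request so the settings are visible as data rather than as portal clicks. This is an added example, not part of the Test Lab Guide; it assumes the Microsoft.Graph PowerShell module is installed, that the **Managed Windows 10 device users** group from step 2 already exists, and that the signed-in administrator can consent to the requested scopes. The policy name and description are constructed for this example.

```powershell
# Added example (not part of this Test Lab Guide): creates the Windows 10 compliance
# policy described in Phase 2 through Microsoft Graph and assigns it to the
# "Managed Windows 10 device users" group. Assumes the Microsoft.Graph PowerShell
# module is installed and that the group from step 2 already exists.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All','Group.Read.All'

$graph = 'https://graph.microsoft.com/v1.0'

# Resolve the group created in step 2 by its display name; fail if it is missing or ambiguous.
$groupName = 'Managed Windows 10 device users'
$lookup = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=displayName eq '$groupName'"
if ($lookup.value.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($lookup.value.Count)."
}
$groupId = $lookup.value[0].id

# Base settings every device should meet: no simple passwords, firewall on,
# Microsoft Defender Antimalware running with real-time protection.
$policy = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows 10 baseline (test lab)'     # constructed name
    description             = 'Constructed example: password, firewall and Defender checks.'
    passwordRequired        = $true
    passwordBlockSimple     = $true
    activeFirewallRequired  = $true
    defenderEnabled         = $true
    rtpEnabled              = $true
    # Graph rejects a compliance policy without a scheduled action; this one marks
    # a device noncompliant immediately (no grace period) when a rule fails.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Host "Created compliance policy $($created.id)"

# Assign the policy to the group so its members' devices are evaluated against it.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
Write-Host "Assigned policy to group '$groupName' ($groupId)"
```

After it runs, the policy appears under **Devices** > **Compliance policies** in the Intune admin center with the same settings the guide asks you to select by hand.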
enterprise | Multi Factor Authentication Microsoft 365 Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-factor-authentication-microsoft-365-test-environment.md | - Title: Microsoft 365 for enterprise test environment multifactor authentication-- NOCSH--- Previously updated : 12/12/2019----- scotvorg-- M365-identity-device-management--- TLG-- Ent_TLGs-- seo-marvel-apr2020-- admindeeplinkMAC -description: "Configure multifactor authentication using text messages sent to a smart phone in your Microsoft 365 for enterprise test environment." ---# Multifactor authentication for your Microsoft 365 for enterprise test environment --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --For an additional level of security for signing in to Microsoft 365 or any service or application that uses the Microsoft Entra tenant for your subscription, you can enable Microsoft Entra multifactor authentication, which requires more than just a username and password to verify an account. --With multifactor authentication, users are required to acknowledge a phone call, type a verification code sent in a text message, or verify the authentication with an app on their smart phones after correctly entering their passwords. They can sign in only after this second authentication factor is satisfied. - -This article describes how to enable and test text message-based authentication for a specific user account. 
- -Setting up multifactor authentication for an account in your Microsoft 365 for enterprise test environment involves two phases and a third optional phase: -- [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment)-- [Phase 2: Enable and test multifactor authentication for the User 2 account](#phase-2-enable-and-test-multi-factor-authentication-for-the-user-2-account)-- [Phase 3: Enable and test multifactor authentication with a conditional access policy](#phase-3-enable-and-test-multi-factor-authentication-with-a-conditional-access-policy)--![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). - -## Phase 1: Build out your Microsoft 365 for enterprise test environment --If you just want to test multifactor authentication in a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). - -If you want to test multifactor authentication in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). - -> [!NOTE] -> Testing multifactor authentication does not require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It is provided here as an option so that you can test multifactor authentication and experiment with it in an environment that represents a typical organization. 
- -<a name='phase-2-enable-and-test-multi-factor-authentication-for-the-user-2-account'></a> --## Phase 2: Enable and test multifactor authentication for the User 2 account --Enable multifactor authentication for the User 2 account with these steps: - -1. Open a separate, private instance of your browser, go to the Microsoft 365 admin center ([https://portal.microsoft.com](https://portal.microsoft.com)), and then sign in with your global administrator account. - -2. In the left navigation, select **Users** > <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">**Active users**</a>. - -3. In the Active users pane, select **multifactor authentication**. - -4. In the list, select the **User 2** account. - -5. In the **User 2** section, under **Quick steps**, select **Enable**. - -6. In the **About enabling multifactor authentication** dialog box, select **Enable multifactor authentication**. - -7. In the **Updates successful** dialog box, select **Close**. - -8. On the **Microsoft 365 admin center** tab, select the user account icon in the upper right, and then select **Sign out**. - -9. Close your browser instance. - -Complete the configuration for the User 2 account to use a text message for validation and test it with these steps: - -1. Open a new, private instance of your browser. - -2. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with the User 2 account name and password. - -3. After signing in, you are prompted to set up the account for more information. Select **Next**. - -4. On the **Additional security verification** page: - - - Select your country or region. - - - Enter the phone number of the smart phone that will receive text messages. - - - In **Method**, select **Send me a code by text message**. - -5. Select **Next**. - -6. Enter the verification code from the text message received on your smart phone, and then select **Verify**. - -7. 
On the **Step 3: Keep your existing applications** page, select **Done**. - -8. If this is the first time you signed in with the User 2 account, you are prompted to change the password. Enter the original password and a new password twice, and then select **Update password and sign in**. Record the new password in a secure location. - - You should see the Office portal for User 2 on the **Microsoft Office Home** tab of your browser. --<a name='phase-3-enable-and-test-multi-factor-authentication-with-a-conditional-access-policy'></a> --## Phase 3: Enable and test multifactor authentication with a conditional access policy --*This phase can only be used for a Microsoft 365 for enterprise test environment.* --In this phase, you enable multifactor authentication for the User 3 account using a group and a conditional access policy. --Next, create a new group named MFAUsers and add the User 3 account to it. --1. On the **Microsoft 365 admin center** tab, select **Groups** in the left navigation, and then select <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">**Groups**</a>. -2. Select **Add a group**. -3. In the **Choose a group type** pane, select **Security**, and then select **Next**. -4. In the **Set up the basics** pane, select **Create group**, and then select **Close**. -5. In the **Review and finish adding group** pane, enter **MFAUsers**, and then select **Next**. -6. In the list of groups, select the **MFAUsers** group. -7. In the **MFAUsers** pane, select **Members**, and then select **View all and manage members**. -8. In the **MFAUsers** pane, select **Add members**, select the **User 3** account, and then select **Save** > **Close** > **Close**. --Next, create a conditional access policy to require multifactor authentication for members of the MFAUsers group. --1. In a new tab of your browser, go to [https://portal.azure.com](https://portal.azure.com). -2. Select **Microsoft Entra ID** > **Security** > **Conditional Access**. -3. 
In the **Conditional access – Policies** pane, select **New policy**. -4. In the **New** pane, enter **MFA for user accounts** in the **Name** box. -5. In the **Assignments** section, select **Users and groups**. -6. On the **Include** tab of the **Users and groups** pane, select **Select users and groups** > **Users and groups** > **Select**. -7. In the **Select** pane, select the **MFAUsers** group, and then select **Select** > **Done**. -8. In the **Access controls** section of the **New** pane, select **Grant**. -9. In the **Grant** pane, select **Require multifactor authentication**, and then select **Select**. -10. In the **New** pane, select **On** for **Enable policy**, and then select **Create**. -11. Close the **Azure portal** and **Microsoft 365 admin center** tabs. --To test this policy, sign out and sign in with the User 3 account. You should be prompted to configure MFA. This demonstrates that the MFAUsers policy is being applied. --## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. --## See also --[Deploy identity](deploy-identity-solution-overview.md) --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
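The Phase 3 conditional access policy above is created through the portal; the following is an added example (not part of the Test Lab Guide) that builds the same "MFA for user accounts" policy with the Microsoft Graph PowerShell SDK and then reads it back to confirm its state and scope. It assumes the Microsoft.Graph modules are installed, that the MFAUsers group already exists, and that the policy should target all cloud apps (the portal steps do not name an app, so that scope is an assumption here).

```powershell
# Added example, not the Test Lab Guide's own code. Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to write conditional access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Resolve the MFAUsers security group created earlier in Phase 3 to its object ID.
$group = Get-MgGroup -Filter "displayName eq 'MFAUsers'"
if (-not $group) { throw "MFAUsers group not found; create it before running this." }

# Same settings as the portal steps: include the group, grant = require MFA, policy on.
# Targeting all cloud apps is an assumption; the portal steps do not pick an app.
$policy = @{
    displayName   = "MFA for user accounts"
    state         = "enabled"   # use "enabledForReportingButNotEnforced" to stage it first
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # "Require multifactor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: read the policy back and confirm it is enabled and scoped only to MFAUsers.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0}: state={1}; includeGroups={2}; controls={3}" -f $check.DisplayName,
    $check.State,
    ($check.Conditions.Users.IncludeGroups -join ","),
    ($check.GrantControls.BuiltInControls -join ",")

Disconnect-MgGraph
```

Because the global administrator account used for the lab is not in MFAUsers, the policy cannot lock that account out; in a real tenant, keep an excluded break-glass account and stage the policy in report-only mode before setting it to enabled.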
enterprise | Pass Through Auth M365 Ent Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/pass-through-auth-m365-ent-test-environment.md | - Title: "Pass-through authentication for your Microsoft 365 test environment"-- NOCSH--- Previously updated : 11/21/2019----- scotvorg-- M365-identity-device-management-- Strat_O365_Enterprise--- TLG-- Ent_TLGs -description: "Summary: Configure pass-through authentication for your Microsoft 365 test environment." ---# Pass-through authentication for your Microsoft 365 test environment --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --Organizations that want to directly use their on-premises Active Directory Domain Services (AD DS) infrastructure for authentication to Microsoft cloud-based services and applications can use pass-through authentication. This article describes how you can configure your Microsoft 365 test environment for pass-through authentication, resulting in the following configuration: - -![The simulated enterprise with pass-through authentication test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase2.png) - -There are two phases to setting up this test environment: --1. Create the Microsoft 365 simulated enterprise test environment with password hash synchronization. -2. Configure Microsoft Entra Connect on APP1 for pass-through authentication. - -![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> Click [here](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf) for a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack. 
- -## Phase 1: Configure password hash synchronization for your Microsoft 365 test environment --Follow the instructions in [password hash synchronization for Microsoft 365](password-hash-sync-m365-ent-test-environment.md). Here is your resulting configuration. - -![The simulated enterprise with password hash synchronization test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase1.png) - -This configuration consists of: - -- Microsoft 365 E5 trial or paid subscription.-- A simplified organization intranet connected to the Internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. Microsoft Entra Connect runs on APP1 to synchronize the TESTLAB AD DS domain to the Microsoft Entra tenant of your Microsoft 365 subscription periodically.--<a name='phase-2-configure-azure-ad-connect-on-app1-for-pass-through-authentication'></a> --## Phase 2: Configure Microsoft Entra Connect on APP1 for pass-through authentication --In this phase, you configure Microsoft Entra Connect on APP1 to use pass-through authentication, and then verify that it works. --<a name='configure-azure-ad-connect-on-app1'></a> --### Configure Microsoft Entra Connect on APP1 --1. From the [Azure portal](https://portal.azure.com), sign in with your global administrator account, and then connect to APP1 with the TESTLAB\User1 account. --2. From the desktop of APP1, run Microsoft Entra Connect. --3. On the **Welcome page**, click **Configure**. --4. On the Additional tasks page, click **Change user sign-in**, and then click **Next**. --5. On the **Connect to Microsoft Entra ID** page, type your global administrator account credentials, and then click **Next**. --6. On the **User sign-in** page, click **Pass-through authentication**, and then click **Next**. --7. On the **Ready to configure** page, click **Configure**. --8. On the **Configuration complete** page, click **Exit**. --9. 
From the Azure portal, in the left pane, click **Microsoft Entra ID > Microsoft Entra Connect**. Verify that the **Pass-through authentication** feature appears as **Enabled**. --10. Click **Pass-through authentication**. The **Pass-through authentication** pane lists the servers where your Authentication Agents are installed. You should see APP1 in the list. Close the **Pass-through authentication** pane. --Next, test the ability to sign in to your subscription with the <strong>user1@testlab.</strong>\<your public domain> user name of the User1 account. --1. From APP1, sign out, and then sign in again, this time specifying a different account. --2. When prompted for a user name and password, specify <strong>user1@testlab.</strong>\<your public domain> and the User1 password. You should successfully sign in as User1. --Notice that although User1 has domain administrator permissions for the TESTLAB AD DS domain, it is not a global administrator. Therefore, you will not see the **Admin** icon as an option. --Here is your resulting configuration: --![The simulated enterprise with pass-through authentication test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase2.png) - -This configuration consists of: --- A Microsoft 365 E5 trial or paid subscription with the DNS domain testlab.\<your domain name> registered.-- A simplified organization intranet connected to the Internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. An Authentication Agent runs on APP1 to handle pass-through authentication requests from the Microsoft Entra tenant of your Microsoft 365 subscription.--## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. 
--## See also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Password Hash Sync M365 Ent Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/password-hash-sync-m365-ent-test-environment.md | - Title: "Password hash synchronization for your Microsoft 365 test environment"-- NOCSH--- Previously updated : 05/26/2020----- scotvorg-- M365-identity-device-management-- Strat_O365_Enterprise--- TLG-- Ent_TLGs-- seo-marvel-apr2020 -description: "Summary: Configure and demonstrate password hash synchronization and sign-in for your Microsoft 365 test environment." ---# Password hash synchronization for your Microsoft 365 test environment --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --Many organizations use Microsoft Entra Connect and password hash synchronization to synchronize the set of accounts in their on-premises Active Directory Domain Services (AD DS) forest to the set of accounts in the Microsoft Entra tenant of their Microsoft 365 subscription. 
--This article describes how you can add password hash synchronization to your Microsoft 365 test environment, which results in this configuration: - -![The simulated enterprise with password hash synchronization test environment.](../media/password-hash-sync-m365-ent-test-environment/Phase3.png) - -Setting up this test environment involves three phases: -- [Phase 1: Create the Microsoft 365 simulated enterprise test environment](#phase-1-create-the-microsoft-365-simulated-enterprise-test-environment)-- [Phase 2: Create and register the testlab domain](#phase-2-create-and-register-the-testlab-domain)-- [Phase 3: Install Microsoft Entra Connect on APP1](#phase-3-install-azure-ad-connect-on-app1)- -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). - -## Phase 1: Create the Microsoft 365 simulated enterprise test environment --Follow the instructions in [simulated enterprise base configuration for Microsoft 365](simulated-ent-base-configuration-microsoft-365-enterprise.md). Your resulting configuration looks like this: - -![The simulated enterprise base configuration.](../media/password-hash-sync-m365-ent-test-environment/Phase1.png) - -This configuration consists of: - -- A Microsoft 365 E5 trial or paid subscription.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines in an Azure virtual network. DC1 is a domain controller for the testlab.<*your public domain name*> AD DS domain.--## Phase 2: Create and register the testlab domain --In this phase, add a public DNS domain, and then add it to your subscription. 
--First, work with your public DNS registration provider to create a new public DNS domain name that's based on your current domain name, and then add it to your subscription. We recommend using the name **testlab.<*your public domain*>**. For example, if your public domain name is **<span>contoso</span>.com**, add the public domain name: **<span>testlab</span>.contoso.com**. - -Next, add the **testlab.<*your public domain*>** domain to your Microsoft 365 trial or paid subscription by going through the domain registration process. This consists of adding additional DNS records to the **testlab.<*your public domain*>** domain. For more information, see [Add a domain to Microsoft 365](../admin/setup/add-domain.md). --Your resulting configuration looks like this: - -![The registration of your testlab domain name.](../media/password-hash-sync-m365-ent-test-environment/Phase2.png) - -This configuration consists of: --- A Microsoft 365 E5 trial or paid subscription with the DNS domain testlab.<*your public domain name*> registered.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network.--Notice how the testlab.<*your public domain name*> is now: --- Supported by public DNS records.-- Registered in your Microsoft 365 subscriptions.-- The AD DS domain on your simulated intranet.- -<a name='phase-3-install-azure-ad-connect-on-app1'></a> --## Phase 3: Install Microsoft Entra Connect on APP1 --In this phase, install and configure the Microsoft Entra Connect tool on APP1, and then verify that it works. - -First, install and configure Microsoft Entra Connect on APP1. --1. From the [Azure portal](https://portal.azure.com), sign in with your global administrator account, and then connect to APP1 with the TESTLAB\\User1 account. - -2. 
From the desktop of APP1, open an administrator-level Windows PowerShell command prompt, and then run these commands to disable Internet Explorer Enhanced Security: - - ```powershell - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0 - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0 - Stop-Process -Name Explorer -Force - ``` --3. From the taskbar, select **Internet Explorer** and go to [`https://aka.ms/aadconnect`](https://aka.ms/aadconnect). - -4. On the Microsoft Entra Connect page, select **Download**, and then select **Run**. - -5. On the **Welcome to Microsoft Entra Connect** page, select **I agree**, and then select **Continue**. - -6. On the **Express Settings** page, select **Use express settings**. - -7. On the **Connect to Microsoft Entra ID** page, enter your global administrator account name in **Username,** enter its password in **Password**, and then select **Next**. - -8. On the **Connect to AD DS** page, enter **TESTLAB\\User1** in **Username,** enter its password in **Password**, and then select **Next**. - -9. On the **Ready to configure** page, select **Install**. - -10. On the **Configuration complete** page, select **Exit**. - -11. In Internet Explorer, go to the Microsoft 365 admin center ([https://portal.microsoft.com](https://portal.microsoft.com)). - -12. In the left navigation pane, select **Users > Active users**. - - Note the account named **User1**. This account is from the TESTLAB AD DS domain and is proof that directory synchronization has worked. - -13. Select the **User1** account, and then select **Licenses and apps**. - -14. In **Product licenses**, select your location (if needed), disable the **Office 365 E5** license, and then enable the **Microsoft 365 E5** license. --15. 
Select **Save** at the bottom of the page, and then select **Close**. - -Next, test the ability to sign in to your subscription with the **user1@testlab.<*your domain name*>** user name of the User1 account: --1. From APP1, sign out, and then sign in again, this time specifying a different account. --2. When prompted for a user name and password, specify **user1@testlab.<*your domain name*>** and the User1 password. You should successfully sign in as User1. - -Notice that although User1 has domain administrator permissions for the TESTLAB AD DS domain, it is not a global administrator. Therefore, you will not see the **Admin** icon as an option. --Your resulting configuration looks like this: --![The simulated enterprise with password hash synchronization test environment.](../media/password-hash-sync-m365-ent-test-environment/Phase3.png) --This configuration consists of: - -- Microsoft 365 E5 or Office 365 E5 trial or paid subscriptions with the DNS domain TESTLAB.<*your domain name*> registered.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network. Microsoft Entra Connect runs on APP1 to periodically synchronize the TESTLAB AD DS domain to the Microsoft Entra tenant of your Microsoft 365 subscription.-- The User1 account in the TESTLAB AD DS domain has been synchronized with the Microsoft Entra tenant.--## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. --## See also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Password Reset M365 Ent Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/password-reset-m365-ent-test-environment.md | - Title: "Password reset for your Microsoft 365 test environment"-- NOCSH--- Previously updated : 12/13/2019----- scotvorg-- M365-identity-device-management-- Strat_O365_Enterprise--- TLGS-- Ent_TLGs -description: "Summary: Configure and test password reset for your Microsoft 365 test environment." ---# Password reset for your Microsoft 365 test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --Microsoft Entra self-service password reset (SSPR) allows users to reset or unlock their passwords or accounts. --This article describes how to configure and test password resets in your Microsoft 365 test environment. --Setting up SSPR involves three phases: -- [Phase 1: Configure password hash synchronization for your Microsoft 365 test environment](#phase-1-configure-password-hash-synchronization-for-your-microsoft-365-test-environment)-- [Phase 2: Enable password writeback](#phase-2-enable-password-writeback)-- [Phase 3: Configure and test password reset](#phase-3-configure-and-test-password-reset)- -![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). --## Phase 1: Configure password hash synchronization for your Microsoft 365 test environment --First, follow the instructions in [password hash synchronization](password-hash-sync-m365-ent-test-environment.md). 
--Your resulting configuration looks like this: - -![The simulated enterprise with password hash synchronization test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase1.png) - -This configuration consists of: - -- A Microsoft 365 E5 trial or paid subscription.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network.-- Microsoft Entra Connect runs on APP1 to synchronize the TESTLAB Active Directory Domain Services (AD DS) domain to the Microsoft Entra tenant of your Microsoft 365 subscription.--## Phase 2: Enable password writeback --Follow the instructions in [Phase 2 of the password writeback Test Lab Guide](password-writeback-m365-ent-test-environment.md#phase-2-enable-password-writeback-for-the-testlab-ad-ds-domain). --You must have password writeback enabled to use password reset. - -## Phase 3: Configure and test password reset --In this phase, configure password reset in the Microsoft Entra tenant through group membership, and then verify that it works. --First, enable password reset for the accounts in a specific Microsoft Entra group. --1. From a private instance of your browser, open [https://portal.azure.com](https://portal.azure.com), and then sign in with the credentials of your global administrator account. -2. In the Azure portal, select **Microsoft Entra ID** > **Groups** > **New group**. -3. Set the **Group type** to **Security**, **Group name** to **PWReset**, and the **Membership type** to **Assigned**. -4. Select **Members**, find and select **User 3**, select **Select**, and then select **Create**. -5. Close the **Groups** pane. -6. In the Microsoft Entra pane, select **Password reset** in the left navigation. -7. In the **Password reset-Properties** pane, under the option **Self Service Password Reset Enabled**, choose **Selected**. -8. 
Select **Select group**, select the **PWReset** group, and then select **Select** > **Save**. -9. Close the private browser instance. --Next, test password reset for the User 3 account. --1. Open a new private browser instance and browse to [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup). -1. Sign in with the User 3 account credentials. -1. In **More information required**, select **Next**. -1. In **Don't lose access to your account**, set the authentication phone to your mobile phone number and the authentication email to your work or personal email account. -1. After both are verified, select **Looks good**, and then close the private instance of the browser. -1. In a new private browser instance, go to [https://aka.ms/sspr](https://aka.ms/sspr). -1. Enter the User 3 account name, enter the characters from the CAPTCHA, and then select **Next**. -1. For **verification step 1**, select **Email my alternate email**, and then select **Email**. When you receive the email, enter the verification code, and then select **Next**. -1. In **Get back into your account**, enter a new password for the User 3 account, and then select **Finish**. Note the changed password of the User 3 account and store it in a safe location. -1. In a separate tab of the same browser, go to [https://admin.microsoft.com](https://admin.microsoft.com), and then sign in with the User 3 account name and its new password. You should see the **Microsoft Office Home** page. --## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. --## See also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Password Writeback M365 Ent Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/password-writeback-m365-ent-test-environment.md | - Title: "Password writeback for your Microsoft 365 test environment"-- NOCSH--- Previously updated : 11/22/2019----- scotvorg-- M365-identity-device-management-- Strat_O365_Enterprise--- TLGS-- Ent_TLGs -description: "Summary: Configure password writeback for your Microsoft 365 test environment." ---# Password writeback for your Microsoft 365 test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --Users can use password writeback to update their passwords through Microsoft Entra ID, which is then replicated to your local Active Directory Domain Services (AD DS). With password writeback, users don't have to update their passwords through the on-premises AD DS where their original user accounts are stored. This helps roaming or remote users who don't have a remote access connection to their on-premises network. --This article describes how to configure your Microsoft 365 test environment for password writeback. --Configuring your test environment for password writeback involves two phases: -- [Phase 1: Configure password hash synchronization for your Microsoft 365 test environment](#phase-1-configure-password-hash-synchronization-for-your-microsoft-365-test-environment)-- [Phase 2: Enable password writeback for the TESTLAB AD DS domain](#phase-2-enable-password-writeback-for-the-testlab-ad-ds-domain)- -![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). 
--## Phase 1: Configure password hash synchronization for your Microsoft 365 test environment --First, follow the instructions in [password hash synchronization](password-hash-sync-m365-ent-test-environment.md). Your resulting configuration looks like this: - -![The simulated enterprise with password hash synchronization test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase1.png) - -This configuration consists of: - -- A Microsoft 365 E5 trial or paid subscription.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network.-- Microsoft Entra Connect runs on APP1 to synchronize the TESTLAB AD DS domain to the Microsoft Entra tenant of your Microsoft 365 subscription.--## Phase 2: Enable password writeback for the TESTLAB AD DS domain --First, configure the User 1 account with the global administrator role. --1. From the [Microsoft 365 admin center](https://portal.microsoft.com), sign in with your global administrator account. --2. Select **Active users**. - -3. On the **Active users** page, select the **user1** account. --4. On the **user1** pane, select **Edit** next to **Roles**. --5. On the **Edit user roles** pane for user1, select **Global administrator**, select **Save**, and then select **Close**. --Next, configure the User 1 account with the security settings that allow it to change passwords on behalf of other users in the TESTLAB AD DS domain. --1. From the [Azure portal](https://portal.azure.com), sign in with your global administrator account, and then connect to APP1 with the TESTLAB\User1 account. --2. From the desktop of APP1, select **Start**, enter **active**, and then select **Active Directory Users and Computers**. --3. On the menu bar, select **View**. If **Advanced features** is not enabled, select it to enable it. --4. 
In the tree pane, select and hold (or right-click) your domain, select **Properties**, and then select the **Security** tab. --5. Select **Advanced**. --6. On the **Permissions** tab, select **Add**. --7. Select **Select a principal**, enter **User1**, and then select **OK**. --8. In **Applies to**, select **Descendant User objects**. --9. Under **Permissions**, select the following: -- - **Change password** - - **Reset password** --10. Under **Properties**, select the following: - - **Write lockoutTime** - - **Write pwdLastSet** --11. Select **OK** three times to save the changes. --12. Close **Active Directory Users and Computers**. --Next, configure Microsoft Entra Connect on APP1 for password writeback. --1. If needed, connect to APP1 with the TESTLAB\User1 account. --2. From the desktop of APP1, double-click **Microsoft Entra Connect**. --3. On the **Welcome page**, select **Configure**. --4. On the **Additional tasks** page, select **Customize synchronization options**, and then select **Next**. --5. On the **Connect to Microsoft Entra ID** page, enter your global administrator account credentials, and then select **Next**. --6. On the **Connect directories** and **Domain/OU filtering** pages, select **Next**. --7. On the **Optional features** page, select **Password writeback**, and then select **Next**. --8. On the **Ready to configure** page, select **Configure** and wait for the process to finish. --9. When you see the configuration finish, select **Exit**. --You are now ready to test password writeback for users on computers that aren't connected to the virtual network of your simulated intranet. 
--Your resulting configuration looks like this: --![The simulated enterprise with pass-through authentication test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase1.png) --This configuration consists of: --- A Microsoft 365 E5 trial or paid subscription with the DNS domain TESTLAB.\<*your domain name*> registered.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network.-- Microsoft Entra Connect runs on APP1 to synchronize the list of accounts and groups from the Microsoft Entra tenant of your Microsoft 365 subscription to the TESTLAB AD DS domain.-- Password writeback is enabled so that users can change their passwords through Microsoft Entra ID without having to be connected to the simplified intranet.--## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. --## See also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Phs Prereqs M365 Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/phs-prereqs-m365-test-environment.md | - Title: "Identity and device access prerequisites for password hash synchronization in your Microsoft 365 test environment"--- NOCSH-- Previously updated : 04/23/2019----- scotvorg-- M365-subscription-management-- Strat_O365_Enterprise- -description: Create a Microsoft 365 environment to test identity and device access with the prerequisites for password hash synchronization authentication. ---# Identity and device access prerequisites for password hash synchronization in your Microsoft 365 test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --[Identity and device access configurations](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md) are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Microsoft Entra ID. --This article describes how to configure a Microsoft 365 test environment that meets the requirements of the [hybrid with password hash sync authentication prerequisite configuration](../security/office-365-security/zero-trust-identity-device-access-policies-prereq.md#prerequisites) for identity and device access. --There are ten phases to setting up this test environment: --1. Create a simulated enterprise with password hash sync test environment -2. Configure Microsoft Entra seamless single sign-on -3. Configure named locations -4. Configure password writeback -5. Configure self-service password reset for all user accounts -6. Configure multifactor authentication for all user accounts -7. Enable automatic device registration of domain-joined Windows computers -8. Configure Microsoft Entra password protection -9. Enable Microsoft Entra ID Protection -10. Enable modern authentication for Exchange Online and Skype for Business Online --## Phase 1: Build out your simulated enterprise with password hash sync Microsoft 365 test environment --Follow the instructions in [the password hash synchronization](password-hash-sync-m365-ent-test-environment.md) Test Lab Guide. -Here is the resulting configuration. --![The simulated enterprise with password hash synchronization test environment.](../media/password-hash-sync-m365-ent-test-environment/Phase3.png) - -<a name='phase-2-configure-azure-ad-seamless-single-sign-on'></a> --## Phase 2: Configure Microsoft Entra seamless single sign-on --Follow the instructions in [Phase 2 of the Microsoft Entra seamless single sign-on Test Lab Guide](single-sign-on-m365-ent-test-environment.md#phase-2-configure-azure-ad-connect-on-app1-for-azure-ad-seamless-sso). --## Phase 3: Configure named locations --First, determine the public IP addresses or address ranges used by your organization. --Next, follow the instructions in [Configure named locations in Microsoft Entra ID](/azure/active-directory/reports-monitoring/quickstart-configure-named-locations) to add the addresses or address ranges as named locations. --## Phase 4: Configure password writeback --Follow the instructions in [Phase 2 of the password writeback Test Lab Guide](password-writeback-m365-ent-test-environment.md#phase-2-enable-password-writeback-for-the-testlab-ad-ds-domain). --## Phase 5: Configure self-service password reset --Follow the instructions in [Phase 3 of the password reset Test Lab Guide](password-reset-m365-ent-test-environment.md#phase-3-configure-and-test-password-reset). --When enabling password reset for the accounts in a specific Microsoft Entra group, add these accounts to the **Password reset** group: --- User 2-- User 3-- User 4-- User 5--Test password reset only for the User 2 account. 
--## Phase 6: Configure multi-factor authentication --Follow the instructions in [Phase 2 of the multi-factor authentication Test Lab Guide](multi-factor-authentication-microsoft-365-test-environment.md#phase-2-enable-and-test-multi-factor-authentication-for-the-user-2-account) for the following user accounts: --- User 2-- User 3-- User 4-- User 5--Test multi-factor authentication only for the User 2 account. --## Phase 7: Enable automatic device registration of domain-joined Windows computers --Follow [these instructions](/azure/active-directory/devices/hybrid-azuread-join-plan) to enable automatic device registration of domain-joined Windows computers. --<a name='phase-8-configure-azure-ad-password-protection'></a> --## Phase 8: Configure Microsoft Entra password protection --Follow [these instructions](/azure/active-directory/authentication/concept-password-ban-bad) to block known weak passwords and their variants. --<a name='phase-9-enable-azure-ad-identity-protection'></a> --## Phase 9: Enable Microsoft Entra ID Protection --Follow the instructions in [Phase 2 of the Microsoft Entra ID Protection Test Lab Guide](azure-ad-identity-protection-microsoft-365-test-environment.md#phase-2-use-azure-ad-identity-protection). --## Phase 10: Enable modern authentication for Exchange Online and Skype for Business Online --For Exchange Online, follow [these instructions](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online#enable-or-disable-modern-authentication-in-exchange-online-for-client-connections-in-outlook-2013-or-later). --For Skype for Business Online: --1. Connect to [Skype for Business Online](/SkypeForBusiness/set-up-your-computer-for-windows-powershell/set-up-your-computer-for-windows-powershell). --2. Run this command. -- ```powershell - Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed - ``` --3. Verify that the change was successful with this command. 
-- ```powershell - Get-CsOAuthConfiguration - ``` --The result is a test environment that meets the requirements of the [Active Directory with password hash sync prerequisite configuration](../security/office-365-security/zero-trust-identity-device-access-policies-prereq.md#prerequisites) for identity and device access. --## Next step --Use [Common identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-common.md) to configure the policies that build on the prerequisites and protect identities and devices. --## See also --[Additional identity Test Lab Guides](m365-enterprise-test-lab-guides.md#identity) --[Deploy identity](deploy-identity-solution-overview.md) --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Privileged Access Microsoft 365 Enterprise Dev Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/privileged-access-microsoft-365-enterprise-dev-test-environment.md | - Title: "Privileged access management for your Microsoft 365 for enterprise test environment"-- NOCSH--- Previously updated : 09/19/2018----- scotvorg-- tier3-- M365-security-compliance- -description: Use this Test Lab Guide to enable privileged access management in your Microsoft 365 for enterprise test environment. ---# Privileged access management for your Microsoft 365 for enterprise test environment --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --This article describes how to configure privileged access management to increase security in your Microsoft 365 for enterprise test environment. --Configuring privileged access management involves three phases: --- [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment)-- [Phase 2: Configure privileged access management](#phase-2-configure-privileged-access-management)-- [Phase 3: Verify that approval is required for elevated and privileged tasks](#phase-3-verify-that-approval-is-required-for-elevated-and-privileged-tasks)--![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) --> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). 
- -## Phase 1: Build out your Microsoft 365 for enterprise test environment --If you want to configure privileged access management in a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). - -If you want to configure privileged access management in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). - -> [!NOTE] -> Testing privileged access management doesn't require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services forest. It's provided here as an option so that you can test privileged access management and experiment with it in an environment that represents a typical organization. --## Phase 2: Configure privileged access management --In this phase, configure an approvers group and enable privileged access management for your Microsoft 365 for enterprise test environment. For additional details and an overview of privileged access management, see [Privileged access management](../compliance/privileged-access-management-overview.md). --To set up and use privileged access in your organization, perform the following steps. --### [Step 1: Create an approver's group](../compliance/privileged-access-management-configuration.md#step-1-create-an-approvers-group) --Before you start using privileged access, determine who will have approval authority for incoming requests for access to elevated and privileged tasks. All users who are part of the Approvers' group can approve access requests. To use privileged access, you must create a mail-enabled security group in Microsoft 365. In your test environment, name the new security group "Privileged Access Approvers" and add the User 3 account that was created in previous Test Lab Guide steps. 
--### [Step 2: Enable privileged access](../compliance/privileged-access-management-configuration.md#step-2-enable-privileged-access) --Privileged access needs to be explicitly turned on in Microsoft 365 with the default approver group, and it must include a set of system accounts that you want excluded from the privileged access management access control. Be sure to enable privileged access in your organization before starting Phase 3 of this guide. --## Phase 3: Verify that approval is required for elevated and privileged tasks --In this phase, verify that the privileged access policy is working and that users require approval to execute defined elevated and privileged tasks. --### Test the ability to execute a task NOT defined in a privileged access policy --First, attempt to create a new Journal rule in Exchange Online PowerShell. The [New-JournalRule](/powershell/module/exchange/new-journalrule) task is not currently defined in a privileged access policy for your organization. --1. On your local computer, [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) using credentials with the Exchange Role Management role for your test environment. -2. Create a new Journal rule for your organization by running the following command: -- ```PowerShell - New-JournalRule -Name "JournalRule1" -Recipient joe@contoso.onmicrosoft.com -JournalEmailAddress barbara@adatum.com -Scope Global -Enabled $true - ``` --3. Verify that the new Journal Rule was successfully created: -- ```PowerShell - Get-JournalRule -Identity "JournalRule1" - ``` --### Create a new privileged access policy for the New-JournalRule task --> [!NOTE] -> If you haven't already completed Steps 1 and 2 from Phase 2 of this guide, be sure to follow the steps to create an approver's group named "Privileged Access Approvers" and to enable privileged access in your test environment. --1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) using credentials with the Exchange Role Management role for your test environment. -2. In the Admin Center, go to **Settings** > **Security & Privacy** > **Privileged access**. -3. Select **Manage access policies and requests**. -4. Select **Configure policies**, and then select **Add a policy**. -5. From the drop-down fields, select or enter the following values: -- **Policy type**: Task - **Policy scope**: Exchange - **Policy name**: New Journal Rule - **Approval type**: Manual - **Approval group**: Privileged Access Approvers --6. Select **Create**, and then select **Close**. It may take a few minutes for the policy to be fully configured and enabled. Be sure to allow time for the policy to be fully enabled before testing the approval requirement in the next step. --### Test approval requirement for the New-JournalRule task defined in a privileged access policy --1. On your local computer, [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) using credentials with the Exchange Role Management role for your test environment. --2. In Exchange Online PowerShell, create a new Journal rule for your organization: -- ```PowerShell - New-JournalRule -Name "JournalRule2" -Recipient user1@<your subscription domain> -JournalEmailAddress user1@<your subscription domain> -Scope Global -Enabled $true - ``` --3. View the "Insufficient permissions" error in Exchange Online PowerShell: -- ```PowerShell - Insufficient permissions. Please raise an elevated access request for this task. - + CategoryInfo : NotSpecified: (:) [], LocalizedException - + FullyQualifiedErrorId : [Server=CY1PR00MB0220,RequestId=7b8c7470-ddd0-4528-a01e-5e20ecc9bd54,TimeStamp=9/19/2018 - 7:38:34 PM] [FailureCategory=Cmdlet-LocalizedException] 882BD051 - + PSComputerName : outlook.office365.com - ``` --### Request access to create a new Journal Rule using the New-JournalRule task --1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) using credentials with the Exchange Role Management role for your test environment. --2. In the Admin Center, go to **Settings** > **Security & Privacy** > **Privileged access**. --3. Select **Manage access policies and requests**. --4. Select **New request**. From the drop-down fields, select the appropriate values for your organization: -- **Request type**: Task - **Request scope**: Exchange - **Request for**: New Journal Rule - **Duration (hours)**: 2 - **Comments**: Request permission to create a new Journal Rule --5. Select **Save**, and then select **Close**. Your request will be sent to the approver's group via email. --### Approve privileged access request for the creation of a new Journal Rule --1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) using the credentials for User 3 in your test environment (member of the "Privileged Access Approvers" security group in your test environment). --2. In the Admin Center, go to **Settings** > **Security & Privacy** > **Privileged access**. --3. Select **Manage access policies and requests**. --4. Select the pending request, and then select **Approve** to grant access to the user account to create a new Journal Rule. The account (the requesting user) will receive an email confirmation that approval was granted. --### Test creating a new Journal Rule with privileged access approved for the New-JournalRule task --1. On your local computer, [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) using credentials with the Exchange Role Management role for your test environment. --2. In Exchange Online PowerShell, create a new Journal rule for your organization: -- ```PowerShell - New-JournalRule -Name "JournalRule2" -Recipient user1@<your subscription domain> -JournalEmailAddress user1@<your subscription domain> -Scope Global -Enabled $true - ``` --3. Verify that the new Journal rule was successfully created: -- ```PowerShell - Get-JournalRule -Identity "JournalRule2" - ``` --## Next step --Explore additional [information protection](m365-enterprise-test-lab-guides.md#information-protection) features and capabilities in your test environment. --## See also --- [Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md)-- [Microsoft 365 for enterprise overview](microsoft-365-overview.md)-- [Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Protect Global Administrator Accounts Microsoft 365 Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/protect-global-administrator-accounts-microsoft-365-test-environment.md | - Title: "Protect global administrator accounts in your Microsoft 365 for enterprise test environment"-- NOCSH--- Previously updated : 12/12/2019----- scotvorg-- M365-identity-device-management--- TLG-- Ent_TLGs -description: "Use these steps to protect global administrator accounts in your Microsoft 365 for enterprise test environment." ---# Protect global administrator accounts in your Microsoft 365 for enterprise test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --You can prevent digital attacks on your organization by ensuring that your administrator accounts are as secure as possible. --This article describes how to use Microsoft Entra Conditional Access policies to protect global administrator accounts. --Protecting global administrator accounts in your Microsoft 365 for enterprise test environment involves two phases: -- [Phase 1: Build out your Microsoft 365 for enterprise test environment](#phase-1-build-out-your-microsoft-365-for-enterprise-test-environment)-- [Phase 2: Configure conditional access policies](#phase-2-configure-conditional-access-policies)--![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). 
--## Phase 1: Build out your Microsoft 365 for enterprise test environment --If you want to test global administrator account protection in a lightweight way with the minimum requirements, follow the instructions in [Lightweight base configuration](lightweight-base-configuration-microsoft-365-enterprise.md). - -If you want to test global administrator account protection in a simulated enterprise, follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). - -> [!NOTE] -> Testing global administrator account protection does not require the simulated enterprise test environment, which includes a simulated intranet connected to the internet and directory synchronization for an Active Directory Domain Services (AD DS) forest. It is provided here as an option so that you can test global administrator account protection and experiment with it in an environment that represents a typical organization. - -## Phase 2: Configure conditional access policies --First, create a new user account as a dedicated global administrator. --1. On a separate tab, open the [Microsoft 365 admin center](https://admin.microsoft.com/). -2. Select **Users** > **Active users**, and then select **Add a user**. -3. In the **Add user** pane, enter **DedicatedAdmin** in the **First name**, **Display name**, and **Username** boxes. -4. Select **Password**, select **Let me create the password**, and then enter a strong password. Record the password for this new account in a secure location. -5. Select **Next**. -6. In the **Assign product licenses** pane, select **Microsoft 365 E5**, and then select **Next**. -7. In the **Optional settings** pane, select **Roles** > **Admin center access** > **Global admin** > **Next**. -8. On the **You're almost done** pane, select **Finish adding**, and then select **Close**. --Next, create a new group named GlobalAdmins and add the DedicatedAdmin account to it. --1. On the **Microsoft 365 admin center** tab, select **Groups** in the left navigation, and then select **Groups**. -2. Select **Add a group**. -3. In the **Choose a group type** pane, select **Security**, and then select **Next**. -4. In the **Set up the basics** pane, select **Create group**, and then select **Close**. -5. In the **Review and finish adding group** pane, enter **GlobalAdmins**, and then select **Next**. -6. In the list of groups, select the **GlobalAdmins** group. -7. In the **GlobalAdmins** pane, select **Members**, and then select **View all and manage members**. -8. In the **GlobalAdmins** pane, select **Add members**, select the **DedicatedAdmin** account and your global admin account, and then select **Save** > **Close** > **Close**. --Next, create conditional access policies to require multi-factor authentication for global administrator accounts and to deny authentication if the sign-in risk is medium or high. --This first policy requires that all global administrator accounts use MFA. --1. In a new tab of your browser, go to [https://portal.azure.com](https://portal.azure.com). -2. Click **Microsoft Entra ID** > **Security** > **Conditional Access**. -3. In the **Conditional access – Policies** pane, select **Baseline policy: Require MFA for admins (preview)**. -4. In the **Baseline policy** pane, select **Use policy immediately > Save**. --This second policy blocks access to global administrator account authentication when the sign-in risk is medium or high. --1. In the **Conditional access – Policies** pane, select **New policy**. -2. In the **New** pane, enter **Global administrators** in **Name**. -3. In the **Assignments** section, select **Users and groups**. -4. On the **Include** tab of the **Users and groups** pane, select **Select users and groups** > **Users and groups** > **Select**. -5. In the **Select** pane, select the **GlobalAdmins** group, and then select **Select** > **Done**. -6. In the **Assignments** section, select **Conditions**. -7. In the **Conditions** pane, select **Sign-in risk**, select **Yes** for **Configure**, select **High** and **Medium**, and then select **Select** and **Done**. -8. In the **Access controls** section of the **New** pane, select **Grant**. -9. In the **Grant** pane, select **Block access**, and then select **Select**. -10. In the **New** pane, select **On** for **Enable policy**, and then select **Create**. -11. Close the **Azure portal** and **Microsoft 365 admin center** tabs. --To test the first policy, sign out and sign in with the DedicatedAdmin account. You should be prompted to configure MFA. This demonstrates that the first policy is being applied. --## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. --## See also --[Deploy identity](deploy-identity-solution-overview.md) --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Pta Prereqs M365 Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/pta-prereqs-m365-test-environment.md | - Title: "Identity and device access prerequisites for pass-through authentication in your Microsoft 365 test environment"--- NOCSH-- Previously updated : 04/23/2019----- scotvorg-- M365-subscription-management-- Strat_O365_Enterprise- -description: Create a Microsoft 365 environment to test identity and device access with the prerequisites for pass-through authentication. ---# Identity and device access prerequisites for pass-through authentication in your Microsoft 365 test environment --*This Test Lab Guide can only be used for Microsoft 365 for enterprise test environments.* --[Identity and device access configurations](../security/office-365-security/zero-trust-identity-device-access-policies-overview.md) are a set of configurations and conditional access policies to protect access to all services in Microsoft 365 for enterprise that are integrated with Microsoft Entra ID. --This article describes how you can configure a Microsoft 365 test environment that meets the requirements of the [Pass-through authentication prerequisite configuration](../security/office-365-security/zero-trust-identity-device-access-policies-prereq.md#prerequisites) for identity and device access. --There are ten phases to setting up this test environment: --1. Build out your simulated enterprise with pass-through authentication Microsoft 365 test environment -2. Configure Microsoft Entra seamless single sign-on -3. Configure named locations -4. Configure password writeback -5. Configure self-service password reset -6. Configure multifactor authentication -7. Enable automatic device registration of domain-joined Windows computers -8. Configure Microsoft Entra password protection -9. Enable Microsoft Entra ID Protection -10. Enable modern authentication for Exchange Online and Skype for Business Online --## Phase 1: Build out your simulated enterprise with pass-through authentication Microsoft 365 test environment --Follow the instructions in [Pass-through authentication](pass-through-auth-m365-ent-test-environment.md). --Here is the resulting configuration. --![The simulated enterprise with pass-through authentication test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase2.png) - -<a name='phase-2-configure-azure-ad-seamless-single-sign-on'></a> --## Phase 2: Configure Microsoft Entra seamless single sign-on --Follow the instructions in [Phase 2 of the Microsoft Entra seamless single sign-on Test Lab Guide](single-sign-on-m365-ent-test-environment.md#phase-2-configure-azure-ad-connect-on-app1-for-azure-ad-seamless-sso). --## Phase 3: Configure named locations --First, determine the public IP addresses or address ranges used by your organization. --Next, follow the instructions in [Configure named locations in Microsoft Entra ID](/azure/active-directory/reports-monitoring/quickstart-configure-named-locations) to add the addresses or address ranges as named locations. --## Phase 4: Configure password writeback --Follow the instructions in [Phase 2 of the password writeback Test Lab Guide](password-writeback-m365-ent-test-environment.md#phase-2-enable-password-writeback-for-the-testlab-ad-ds-domain). --## Phase 5: Configure self-service password reset --Follow the instructions in [Phase 3 of the password reset Test Lab Guide](password-reset-m365-ent-test-environment.md#phase-3-configure-and-test-password-reset). --When enabling password reset for the accounts in a specific Microsoft Entra group, add these accounts to the **Password reset** group: --- User 2-- User 3-- User 4-- User 5--Test password reset only for the User 2 account. 
--## Phase 6: Configure multi-factor authentication --Follow the instructions in [Phase 2 of the multi-factor authentication Test Lab Guide](multi-factor-authentication-microsoft-365-test-environment.md#phase-2-enable-and-test-multi-factor-authentication-for-the-user-2-account) for the following user accounts: --- User 2-- User 3-- User 4-- User 5--Test multi-factor authentication only for the User 2 account. --## Phase 7: Enable automatic device registration of domain-joined Windows computers --Follow [these instructions](/azure/active-directory/devices/hybrid-azuread-join-plan) to enable automatic device registration of domain-joined Windows computers. --<a name='phase-8-configure-azure-ad-password-protection'></a> --## Phase 8: Configure Microsoft Entra password protection --Follow [these instructions](/azure/active-directory/authentication/concept-password-ban-bad) to block known weak passwords and their variants. --<a name='phase-9-enable-azure-ad-identity-protection'></a> --## Phase 9: Enable Microsoft Entra ID Protection --Follow the instructions in [Phase 2 of the Microsoft Entra ID Protection Test Lab Guide](azure-ad-identity-protection-microsoft-365-test-environment.md#phase-2-use-azure-ad-identity-protection). --## Phase 10: Enable modern authentication for Exchange Online and Skype for Business Online --For Exchange Online, follow [these instructions](/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online#enable-or-disable-modern-authentication-in-exchange-online-for-client-connections-in-outlook-2013-or-later). --For Skype for Business Online: --1. Connect to [Skype for Business Online](/SkypeForBusiness/set-up-your-computer-for-windows-powershell/set-up-your-computer-for-windows-powershell). --2. Run this command. -- ```powershell - Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed - ``` --3. Verify that the change was successful with this command. 
-- ```powershell - Get-CsOAuthConfiguration - ``` --The result is a test environment that meets the requirements of the [Pass-through authentication prerequisite configuration](../security/office-365-security/zero-trust-identity-device-access-policies-prereq.md#prerequisites) for identity and device access. --## Next step --Use [Common identity and device access policies](../security/office-365-security/zero-trust-identity-device-access-policies-common.md) to configure the policies that build on the prerequisites and protect identities and devices. --## See also --[Additional identity Test Lab Guides](m365-enterprise-test-lab-guides.md#identity) --[Deploy identity](deploy-identity-solution-overview.md) --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Simulated Cross Premises Microsoft 365 Enterprise | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/simulated-cross-premises-microsoft-365-enterprise.md | - Title: "Simulated cross-premises virtual network in a Microsoft 365 test environment"-- NOCSH--- Previously updated : 11/14/2019---- MET150--- scotvorg-- M365-subscription-management-- Strat_O365_Enterprise- -description: "Summary: Create a simulated cross-premises virtual network in Microsoft Azure as a Microsoft 365 test environment." ---# Simulated cross-premises virtual network in a Microsoft 365 test environment --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --This article steps you through creating a simulated hybrid cloud environment with Microsoft Azure using two Azure virtual networks. Here is the resulting configuration. - -![Phase 3 of the simulated cross-premises virtual network test environment, with the DC2 virtual machine in the XPrem VNet.](../media/simulated-cross-premises-microsoft-365-enterprise/df458c56-022b-4688-ab18-056c3fd776b4.png) - -This simulates an Azure IaaS hybrid cloud production environment and consists of: - -- A simulated and simplified on-premises network hosted in an Azure virtual network (the TestLab virtual network).- -- A simulated cross-premises virtual network hosted in Azure (XPrem).- -- A VNet peering relationship between the two virtual networks.- -- A secondary domain controller in the XPrem virtual network.- -This provides a basis and common starting point from which you can: - -- Develop and test applications in a simulated Azure IaaS hybrid cloud environment.- -- Create test configurations of computers, some within the TestLab virtual network and some within the XPrem virtual network, to simulate hybrid cloud-based IT workloads.- -There are three major phases to setting up this test environment: - -1. 
Configure the TestLab virtual network. - -2. Create the cross-premises virtual network. - -3. Configure DC2. - -> [!NOTE] -> This configuration requires a paid Azure subscription. --You can use the resulting environment to test the features and functionality of [Microsoft 365 for enterprise](https://www.microsoft.com/microsoft-365/enterprise) with additional [Test Lab Guides](m365-enterprise-test-lab-guides.md) or on your own. --![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) --> [!TIP] -> Go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf) for a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack. --## Phase 1: Configure the TestLab virtual network --Use the instructions in **Phase 1** of the [simulated enterprise base configuration](simulated-ent-base-configuration-microsoft-365-enterprise.md) to configure the DC1, APP1, and CLIENT1 computers in the Azure virtual network named TestLab. - -This is your current configuration. - -![The simulated enterprise base configuration in Azure.](../media/simulated-cross-premises-microsoft-365-enterprise/25a010a6-c870-4690-b8f3-84421f8bc5c7.png) - -## Phase 2: Create the XPrem virtual network --In this phase, you create and configure the new XPrem virtual network and then connect it to the TestLab virtual network with VNet peering. - -First, start an Azure PowerShell prompt on your local computer. - -> [!NOTE] -> The following command sets use the latest version of Azure PowerShell. See [Get started with Azure PowerShell cmdlets](/powershell/azureps-cmdlets-docs/). - -Sign in to your Azure account with this command. - -```powershell -Connect-AzAccount -``` --Get your subscription name using this command. - -```powershell -Get-AzSubscription | Sort Name | Select Name -``` --Set your Azure subscription. 
Replace everything within the quotes, including the \< and > characters, with the correct names. - -```powershell -$subscrName="<subscription name>" -Select-AzSubscription -SubscriptionName $subscrName -``` --Next, create the XPrem virtual network and protect it with a network security group with these commands. - -```powershell -$rgName="<name of the resource group that you used for your TestLab virtual network>" -$locName=(Get-AzResourceGroup -Name $rgName).Location -$Testnet=New-AzVirtualNetworkSubnetConfig -Name "Testnet" -AddressPrefix 192.168.0.0/24 -New-AzVirtualNetwork -Name "XPrem" -ResourceGroupName $rgName -Location $locName -AddressPrefix 192.168.0.0/16 -Subnet $Testnet -DNSServer 10.0.0.4 -$rule1=New-AzNetworkSecurityRuleConfig -Name "RDPTraffic" -Description "Allow RDP to all VMs on the subnet" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -New-AzNetworkSecurityGroup -Name "Testnet" -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1 -$vnet=Get-AzVirtualNetwork -ResourceGroupName $rgName -Name XPrem -$nsg=Get-AzNetworkSecurityGroup -Name "Testnet" -ResourceGroupName $rgName -Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Testnet" -AddressPrefix 192.168.0.0/24 -NetworkSecurityGroup $nsg -$vnet | Set-AzVirtualNetwork -``` --Next, you create the VNet peering relationship between the TestLab and XPrem VNets with these commands. 
- -```powershell -$rgName="<name of the resource group that you used for your TestLab virtual network>" -$vnet1=Get-AzVirtualNetwork -ResourceGroupName $rgName -Name TestLab -$vnet2=Get-AzVirtualNetwork -ResourceGroupName $rgName -Name XPrem -Add-AzVirtualNetworkPeering -Name TestLab2XPrem -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id -Add-AzVirtualNetworkPeering -Name XPrem2TestLab -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id -``` --This is your current configuration. - -![Phase 2 of the simulated cross-premises virtual network test environment, with the XPrem VNet and the VNet peering relationship.](../media/simulated-cross-premises-microsoft-365-enterprise/cac5e999-69c7-4f4c-bfce-a7f4006115ef.png) - -## Phase 3: Configure DC2 --In this phase, you create the DC2 virtual machine in the XPrem virtual network and then configure it as a replica domain controller. - -First, create a virtual machine for DC2. Run these commands at the Azure PowerShell command prompt on your local computer. - -```powershell -$rgName="<your resource group name>" -$locName=(Get-AzResourceGroup -Name $rgName).Location -$vnet=Get-AzVirtualNetwork -Name XPrem -ResourceGroupName $rgName -$pip=New-AzPublicIpAddress -Name DC2-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic -$nic=New-AzNetworkInterface -Name DC2-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -PrivateIpAddress 192.168.0.4 -$vm=New-AzVMConfig -VMName DC2 -VMSize Standard_A2_V2 -$cred=Get-Credential -Message "Type the name and password of the local administrator account for DC2." 
-$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName DC2 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name "DC2-OS" -DiskSizeInGB 128 -CreateOption FromImage -StorageAccountType "Standard_LRS" -$diskConfig=New-AzDiskConfig -AccountType "Standard_LRS" -Location $locName -CreateOption Empty -DiskSizeGB 20 -$dataDisk1=New-AzDisk -DiskName "DC2-DataDisk1" -Disk $diskConfig -ResourceGroupName $rgName -$vm=Add-AzVMDataDisk -VM $vm -Name "DC2-DataDisk1" -CreateOption Attach -ManagedDiskId $dataDisk1.Id -Lun 1 -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm -``` --Next, connect to the new DC2 virtual machine from the [Azure portal](https://portal.azure.com) using its local administrator account name and password. - -Next, configure a Windows Firewall rule to allow traffic for basic connectivity testing. From an administrator-level Windows PowerShell command prompt on DC2, run these commands. - -```powershell -Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -enabled True -ping dc1.corp.contoso.com -``` --The ping command should result in four successful replies from IP address 10.0.0.4. This is a test of traffic across the VNet peering relationship. - -Next, add the extra data disk as a new volume with the drive letter F: with this command from the Windows PowerShell command prompt on DC2. - -```powershell -Get-Disk | Where PartitionStyle -eq "RAW" | Initialize-Disk -PartitionStyle MBR -PassThru | New-Partition -AssignDriveLetter -UseMaximumSize | Format-Volume -FileSystem NTFS -NewFileSystemLabel "WSAD Data" -``` --Next, configure DC2 as a replica domain controller for the corp.contoso.com domain. Run these commands from the Windows PowerShell command prompt on DC2. 
- -```powershell -Install-WindowsFeature AD-Domain-Services -IncludeManagementTools -Install-ADDSDomainController -Credential (Get-Credential CORP\User1) -DomainName "corp.contoso.com" -InstallDns:$true -DatabasePath "F:\NTDS" -LogPath "F:\Logs" -SysvolPath "F:\SYSVOL" -``` --Note that you are prompted to supply both the CORP\\User1 password and a Directory Services Restore Mode (DSRM) password, and to restart DC2. - -Now that the XPrem virtual network has its own DNS server (DC2), you must configure the XPrem virtual network to use this DNS server. Run these commands from the Azure PowerShell command prompt on your local computer. - -```powershell -$vnet=Get-AzVirtualNetwork -ResourceGroupName $rgName -name "XPrem" -$vnet.DhcpOptions.DnsServers="192.168.0.4" -Set-AzVirtualNetwork -VirtualNetwork $vnet -Restart-AzVM -ResourceGroupName $rgName -Name "DC2" -``` --From the Azure portal on your local computer, connect to DC1 with the CORP\\User1 credentials. To configure the CORP domain so that computers and users use their local domain controller for authentication, run these commands from an administrator-level Windows PowerShell command prompt on DC1. - -```powershell -New-ADReplicationSite -Name "TestLab" -New-ADReplicationSite -Name "XPrem" -New-ADReplicationSubnet -Name "10.0.0.0/8" -Site "TestLab" -New-ADReplicationSubnet -Name "192.168.0.0/16" -Site "XPrem" -``` --This is your current configuration. - -![Phase 3 of the simulated cross-premises virtual network test environment, with the DC2 virtual machine in the XPrem VNet.](../media/simulated-cross-premises-microsoft-365-enterprise/df458c56-022b-4688-ab18-056c3fd776b4.png) - -Your simulated Azure hybrid cloud environment is now ready for testing. - -You are now ready to experiment with additional features of [Microsoft 365 for enterprise](https://www.microsoft.com/microsoft-365/enterprise). 
- -## Next steps --Explore these additional sets of Test Lab Guides: - -- [Identity](m365-enterprise-test-lab-guides.md#identity)-- [Mobile device management](m365-enterprise-test-lab-guides.md#mobile-device-management)-- [Information protection](m365-enterprise-test-lab-guides.md#information-protection)--## See also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
enterprise | Simulated Ent Base Configuration Microsoft 365 Enterprise | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/simulated-ent-base-configuration-microsoft-365-enterprise.md | - Title: "Simulated enterprise base configuration for Microsoft 365"-- NOCSH--- Previously updated : 11/21/2019----- scotvorg-- M365-subscription-management-- Strat_O365_Enterprise- - -description: Use this Test Lab Guide to create a simulated enterprise test environment for Microsoft 365 for enterprise. ---# The simulated enterprise base configuration --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --This article describes how to create a simplified environment for Microsoft 365 for enterprise that includes: --- A Microsoft 365 E5 trial or paid subscription.-- A simplified organization intranet connected to the internet, consisting of three virtual machines on an Azure virtual network (DC1, APP1, and CLIENT1).- -![The simulated enterprise base configuration.](../media/simulated-ent-base-configuration-microsoft-365-enterprise/Phase4.png) --Creating a simplified test environment involves two phases: -- [Phase 1: Create a simulated intranet](#phase-1-create-a-simulated-intranet)-- [Phase 2: Create your Microsoft 365 E5 subscription](#phase-2-create-your-microsoft-365-e5-subscription)--You can use the resulting environment to test the features and functionality of [Microsoft 365 for enterprise](https://www.microsoft.com/microsoft-365/enterprise) with additional [Test Lab Guides](m365-enterprise-test-lab-guides.md) or on your own. 
--![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) --> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). --## Phase 1: Create a simulated intranet --In this phase, build a simulated intranet in Azure infrastructure services that includes an Active Directory Domain Services (AD DS) domain controller, an application server, and a client computer. --You'll use these computers in additional [Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) to configure and demonstrate hybrid identity and other capabilities. --### Method 1: Build your simulated intranet with an Azure Resource Manager template --In this method, you use an Azure Resource Manager template to build out the simulated intranet. Azure Resource Manager templates contain all of the instructions to create the Azure networking infrastructure, the virtual machines, and their configuration. --Before deploying the template, read through the [template README page](https://github.com/maxskunkworks/TLG/tree/master/tlg-base-config_3-vm.m365-ems) and have the following information ready: --- The public DNS domain name of your test environment (testlab.\<*your public domain*>). You'll enter this name in the **Domain Name** field of the **Custom deployment** page.-- A DNS label prefix for the URLs of the public IP addresses of your virtual machines. You'll need to enter this label in the **Dns Label Prefix** field of the **Custom deployment** page.--After you read through the instructions, select **Deploy to Azure** on the [template README page](https://github.com/maxskunkworks/TLG/tree/master/tlg-base-config_3-vm.m365-ems) to get started. 
-->[!Note] ->The simulated intranet built by the Azure Resource Manager template requires a paid Azure subscription. --After the template is complete, your configuration looks like this: --![The simulated intranet in Azure infrastructure services.](../media/simulated-ent-base-configuration-microsoft-365-enterprise/Phase3.png) --### Method 2: Build your simulated intranet with Azure PowerShell --In this method, you use Windows PowerShell and the Azure PowerShell module to build out the networking infrastructure, the virtual machines, and their configuration. --Use this method if you want to get experience creating elements of Azure infrastructure one step at a time with PowerShell. You can then customize the PowerShell command blocks for your own deployment of other virtual machines in Azure. --#### Step 1: Create DC1 --In this step, you create an Azure virtual network and add DC1, a virtual machine that is a domain controller for an AD DS domain. --First, start a Windows PowerShell command prompt on your local computer. - -> [!NOTE] -> The following command sets use the latest version of Azure PowerShell. See [Get started with Azure PowerShell cmdlets](/powershell/azureps-cmdlets-docs/). - -Sign in to your Azure account with the following command. - -```powershell -Connect-AzAccount -``` --Get your subscription name using the following command. - -```powershell -Get-AzSubscription | Sort Name | Select Name -``` --Set your Azure subscription. Replace everything within the quotation marks, including the angle brackets ("<" and ">"), with the correct name. - -```powershell -$subscr="<subscription name>" -Get-AzSubscription -SubscriptionName $subscr | Select-AzSubscription -``` --Next, create a new resource group for your simulated enterprise test lab. To determine a unique resource group name, use this command to list your existing resource groups. 
- -```powershell -Get-AzResourceGroup | Sort ResourceGroupName | Select ResourceGroupName -``` --Create your new resource group with these commands. Replace everything within the quotation marks, including the angle brackets, with the correct names. - -```powershell -$rgName="<resource group name>" -$locName="<location name, such as West US>" -New-AzResourceGroup -Name $rgName -Location $locName -``` --Next, create the TestLab virtual network that will host the corporate network subnet of the simulated enterprise environment and protect it with a network security group. Fill in the name of your resource group and run these commands at the PowerShell command prompt on your local computer. - -```powershell -$rgName="<name of your new resource group>" -$locName=(Get-AzResourceGroup -Name $rgName).Location -$corpnetSubnet=New-AzVirtualNetworkSubnetConfig -Name Corpnet -AddressPrefix 10.0.0.0/24 -New-AzVirtualNetwork -Name TestLab -ResourceGroupName $rgName -Location $locName -AddressPrefix 10.0.0.0/8 -Subnet $corpnetSubnet -DNSServer 10.0.0.4 -$rule1=New-AzNetworkSecurityRuleConfig -Name "RDPTraffic" -Description "Allow RDP to all VMs on the subnet" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -New-AzNetworkSecurityGroup -Name Corpnet -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1 -$vnet=Get-AzVirtualNetwork -ResourceGroupName $rgName -Name TestLab -$nsg=Get-AzNetworkSecurityGroup -Name Corpnet -ResourceGroupName $rgName -Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name Corpnet -AddressPrefix "10.0.0.0/24" -NetworkSecurityGroup $nsg -$vnet | Set-AzVirtualNetwork -``` --Next, you create the DC1 virtual machine and configure it as a domain controller for the **testlab.**\<your public domain> AD DS domain and a DNS server for the virtual machines of the TestLab virtual network. 
For example, if your public domain name is **<span>contoso</span>.com**, the DC1 virtual machine will be a domain controller for the **<span>testlab</span>.contoso.com** domain. - -To create an Azure virtual machine for DC1, fill in the name of your resource group and run these commands at the PowerShell command prompt on your local computer. - -```powershell -$rgName="<resource group name>" -$locName=(Get-AzResourceGroup -Name $rgName).Location -$vnet=Get-AzVirtualNetwork -Name TestLab -ResourceGroupName $rgName -$pip=New-AzPublicIpAddress -Name DC1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic -$nic=New-AzNetworkInterface -Name DC1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -PrivateIpAddress 10.0.0.4 -$vm=New-AzVMConfig -VMName DC1 -VMSize Standard_A2_V2 -$cred=Get-Credential -Message "Type the name and password of the local administrator account for DC1." -$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName DC1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name "DC1-OS" -DiskSizeInGB 128 -CreateOption FromImage -$diskConfig=New-AzDiskConfig -AccountType "Standard_LRS" -Location $locName -CreateOption Empty -DiskSizeGB 20 -$dataDisk1=New-AzDisk -DiskName "DC1-DataDisk1" -Disk $diskConfig -ResourceGroupName $rgName -$vm=Add-AzVMDataDisk -VM $vm -Name "DC1-DataDisk1" -CreateOption Attach -ManagedDiskId $dataDisk1.Id -Lun 1 -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm -``` --You will be prompted for a user name and password for the local administrator account on DC1. Use a strong password and record both the name and password in a secure location. - -Next, connect to the DC1 virtual machine: - -1. 
In the [Azure portal](https://portal.azure.com), select **Resource Groups** > <***the name of your new resource group***> > **DC1** > **Connect**. - -2. In the open pane, select **Download RDP file**. Open the DC1.rdp file that is downloaded, and then select **Connect**. - -3. Specify the DC1 local administrator account name: - - - For Windows 7: - - In the **Windows Security** dialog box, select **Use another account**. In **User name**, enter **DC1\\**<*local administrator account name*>. - - - For Windows 8 or Windows 10: - - In the **Windows Security** dialog box, select **More choices**, and then select **Use a different account**. In **User name**, enter **DC1\\**<*local administrator account name*>. - -4. In **Password**, enter the password of the local administrator account, and then select **OK**. - -5. When prompted, select **Yes**. - -Next, add an extra data disk as a new volume with the drive letter F: with this command at an administrator-level Windows PowerShell command prompt on DC1. - -```powershell -Get-Disk | Where PartitionStyle -eq "RAW" | Initialize-Disk -PartitionStyle MBR -PassThru | New-Partition -AssignDriveLetter -UseMaximumSize | Format-Volume -FileSystem NTFS -NewFileSystemLabel "WSAD Data" -``` --Next, configure DC1 as a domain controller and DNS server for the **testlab.**\<*your public domain*> domain. Specify your public domain name, remove the angle brackets, and then run these commands at an administrator-level Windows PowerShell command prompt on DC1. - -```powershell -$yourDomain="<your public domain>" -Install-WindowsFeature AD-Domain-Services -IncludeManagementTools -Install-ADDSForest -DomainName testlab.$yourDomain -DatabasePath "F:\NTDS" -SysvolPath "F:\SYSVOL" -LogPath "F:\Logs" -``` -You will need to specify a safe mode administrator password. Store this password in a secure location. - -Note that these commands can take a few minutes to complete. - -After DC1 restarts, reconnect to the DC1 virtual machine. - -1. 
In the [Azure portal](https://portal.azure.com), select **Resource Groups** > <*your resource group name*> > **DC1** > **Connect**. - -2. Run the DC1.rdp file that is downloaded, and then select **Connect**. - -3. In **Windows Security**, select **Use another account**. In **User name**, enter **TESTLAB\\**<*local administrator account name*>. - -4. In the **Password** box, enter the password of the local administrator account, and then select **OK**. - -5. When prompted, select **Yes**. - -Next, create a user account in Active Directory that will be used when signing in to TESTLAB domain member computers. Run this command at an administrator-level Windows PowerShell command prompt. - -```powershell -New-ADUser -SamAccountName User1 -AccountPassword (read-host "Set user password" -assecurestring) -name "User1" -enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false -``` --Note that this command prompts you to supply the User1 account password. This account will be used for remote desktop connections for all TESTLAB domain member computers, so choose a strong password. Record the User1 account password and store it in a secured location. - -Next, configure the new User1 account as a domain, enterprise, and schema administrator. Run this command at the administrator-level Windows PowerShell command prompt. - -```powershell -$yourDomain="<your public domain>" -$domainName = "testlab."+$yourDomain -$userName="user1@" + $domainName -$userSID=(New-Object System.Security.Principal.NTAccount($userName)).Translate([System.Security.Principal.SecurityIdentifier]).Value -$groupNames=@("Domain Admins","Enterprise Admins","Schema Admins") -ForEach ($name in $groupNames) {Add-ADPrincipalGroupMembership -Identity $userSID -MemberOf (Get-ADGroup -Identity $name).SID.Value} -``` --Close the Remote Desktop session with DC1 and then reconnect using the TESTLAB\\User1 account. 
- -Next, to allow traffic for the Ping tool, run this command at an administrator-level Windows PowerShell command prompt. - -```powershell -Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -enabled True -``` --Your current configuration looks like this: - -![Step 1 of the simulated enterprise base configuration.](../media/simulated-ent-base-configuration-microsoft-365-enterprise/Phase1.png) - -#### Step 2: Configure APP1 --In this step, you create and configure APP1, which is an application server that initially provides web and file sharing services. --To create an Azure Virtual Machine for APP1, fill in the name of your resource group and run these commands at the command prompt on your local computer. - -```powershell -$rgName="<resource group name>" -$locName=(Get-AzResourceGroup -Name $rgName).Location -$vnet=Get-AzVirtualNetwork -Name TestLab -ResourceGroupName $rgName -$pip=New-AzPublicIpAddress -Name APP1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic -$nic=New-AzNetworkInterface -Name APP1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -$vm=New-AzVMConfig -VMName APP1 -VMSize Standard_A2_V2 -$cred=Get-Credential -Message "Type the name and password of the local administrator account for APP1." -$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName APP1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name "APP1-OS" -DiskSizeInGB 128 -CreateOption FromImage -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm -``` --Next, connect to the APP1 virtual machine using the APP1 local administrator account name and password, and then open a Windows PowerShell command prompt. 
- -To check name resolution and network communication between APP1 and DC1, run the **ping dc1.testlab.**\<*your public domain name*> command and verify that there are four replies. - -Next, join the APP1 virtual machine to the TESTLAB domain with these commands at the Windows PowerShell prompt. - -```powershell -$yourDomain="<your public domain name>" -Add-Computer -DomainName ("testlab." + $yourDomain) -Restart-Computer -``` --Note that after you run the **Add-Computer** command, you must supply the TESTLAB\\User1 domain account credentials. - -After APP1 restarts, connect to it using the TESTLAB\\User1 account, and then open an administrator-level Windows PowerShell command prompt. - -Next, make APP1 a web server with this command at an administrator-level Windows PowerShell command prompt on APP1. - -```powershell -Install-WindowsFeature Web-WebServer -IncludeManagementTools -``` --Next, create a shared folder and a text file within the folder on APP1 with these PowerShell commands. - -```powershell -New-Item -path c:\files -type directory -Write-Output "This is a shared file." | out-file c:\files\example.txt -New-SmbShare -name files -path c:\files -changeaccess TESTLAB\User1 -``` --Your current configuration looks like this: - -![Step 2 of the simulated enterprise base configuration.](../media/simulated-ent-base-configuration-microsoft-365-enterprise/Phase2.png) - -#### Step 3: Configure CLIENT1 --In this step, you create and configure CLIENT1, which acts as a typical laptop, tablet, or desktop computer on the intranet. --> [!NOTE] -> The following command set creates CLIENT1 running Windows Server 2016 Datacenter, which can be done for all types of Azure subscriptions. If you have a Visual Studio-based Azure subscription, you can create CLIENT1 running Windows 10 with the [Azure portal](https://portal.azure.com). 
- -To create an Azure Virtual Machine for CLIENT1, fill in the name of your resource group and run these commands at the command prompt on your local computer. - -```powershell -$rgName="<resource group name>" -$locName=(Get-AzResourceGroup -Name $rgName).Location -$vnet=Get-AzVirtualNetwork -Name TestLab -ResourceGroupName $rgName -$pip=New-AzPublicIpAddress -Name CLIENT1-PIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic -$nic=New-AzNetworkInterface -Name CLIENT1-NIC -ResourceGroupName $rgName -Location $locName -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -$vm=New-AzVMConfig -VMName CLIENT1 -VMSize Standard_A2_V2 -$cred=Get-Credential -Message "Type the name and password of the local administrator account for CLIENT1." -$vm=Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName CLIENT1 -Credential $cred -ProvisionVMAgent -EnableAutoUpdate -$vm=Set-AzVMSourceImage -VM $vm -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version "latest" -$vm=Add-AzVMNetworkInterface -VM $vm -Id $nic.Id -$vm=Set-AzVMOSDisk -VM $vm -Name "CLIENT1-OS" -DiskSizeInGB 128 -CreateOption FromImage -New-AzVM -ResourceGroupName $rgName -Location $locName -VM $vm -``` --Next, connect to the CLIENT1 virtual machine using the CLIENT1 local administrator account name and password, and then open an administrator-level Windows PowerShell command prompt. - -To check name resolution and network communication between CLIENT1 and DC1, run the **ping dc1.testlab.**\<*your public domain name*> command at a Windows PowerShell command prompt and verify that there are four replies. - -Next, join the CLIENT1 virtual machine to the TESTLAB domain with these commands at the Windows PowerShell prompt. - -```powershell -$yourDomain="<your public domain name>" -Add-Computer -DomainName ("testlab." 
+ $yourDomain) -Restart-Computer -``` --Note that you must supply your TESTLAB\\User1 domain account credentials after running the **Add-Computer** command. - -After CLIENT1 restarts, connect to it using the TESTLAB\\User1 account name and password, and then open an administrator-level Windows PowerShell command prompt. - -Next, verify that you can access web and file share resources on APP1 from CLIENT1. - -1. In Server Manager, in the tree pane, select **Local Server**. - -2. In **Properties for CLIENT1**, select **On** next to **IE Enhanced Security Configuration**. - -3. In **Internet Explorer Enhanced Security Configuration**, select **Off** for **Administrators** and **Users**, and then select **OK**. - -4. From the Start screen, select **Internet Explorer**, and then select **OK**. - -5. In the address bar, enter **http<span>://</span>app1.testlab.**\<*your public domain name*>**/**, and then press **Enter**. You should see the default Internet Information Services web page for APP1. - -6. On the desktop taskbar, select the File Explorer icon. - -7. In the address bar, enter **\\\\app1\\Files**, and then press **Enter**. You should see a folder window with the contents of the Files shared folder. - -8. In the **Files** shared folder window, double-click the **Example.txt** file. You should see the contents of the Example.txt file. - -9. Close the **example.txt - Notepad** and the **Files** shared folder windows. - -Your current configuration looks like this: - -![Step 3 of the simulated enterprise base configuration.](../media/simulated-ent-base-configuration-microsoft-365-enterprise/Phase3.png) --## Phase 2: Create your Microsoft 365 E5 subscription --In this phase, you create a new Microsoft 365 E5 subscription that uses a new Microsoft Entra tenant, one that is separate from your production subscription. 
You can do this in two ways: --- Use a trial subscription of Microsoft 365 E5.-- The Microsoft 365 E5 trial subscription is 30 days, which can be easily extended to 60 days. When the trial subscription expires, you must either convert it to a paid subscription or create a new trial subscription. Creating new trial subscriptions means you will leave your configuration, which could include complex scenarios, behind. --- Use a separate production subscription of Microsoft 365 E5 with a small number of licenses.-- This is an additional cost, but ensures that you have a working test environment that doesn't expire; in it, you can try features, configurations, and scenarios. You can use the same test environment over the long term for proofs of concept, demonstration to peers and management, and application development and testing. This is the recommended method. --### Sign up for an Office 365 E5 trial subscription --From the Azure portal, connect to CLIENT1 with the CORP\User1 account. --To create a new Office 365 E5 trial subscription, perform the instructions in [Phase 1](lightweight-base-configuration-microsoft-365-enterprise.md#phase-1-create-your-microsoft-365-e5-subscription) of the lightweight base configuration Test Lab Guide. --To configure your new Office 365 E5 trial subscription, perform the instructions in [Phase 2](lightweight-base-configuration-microsoft-365-enterprise.md#phase-2-configure-your-office-365-trial-subscription) of the lightweight base configuration Test Lab Guide. --#### Using an Office 365 E5 test environment --If you need only an Office 365 test environment, you do not need to read the rest of this article. --For additional Test Lab Guides that apply to both Microsoft 365 and Office 365, see [Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md). 
--### Add a Microsoft 365 E5 trial subscription --To add a Microsoft 365 E5 trial subscription and configure your users accounts with licenses, perform the instructions in [Phase 3](lightweight-base-configuration-microsoft-365-enterprise.md#phase-3-add-a-microsoft-365-e5-trial-subscription) of the lightweight base configuration Test Lab Guide. -- -## Results --Your test environment now has: - -- Microsoft 365 E5 trial subscription.-- All your appropriate user accounts are enabled to use Microsoft 365 E5.-- A simulated and simplified intranet.- -Your final configuration looks like this: - -![Phase 2 of the simulated enterprise base configuration.](../media/simulated-ent-base-configuration-microsoft-365-enterprise/Phase4.png) - -You are now ready to experiment with additional features of [Microsoft 365 for enterprise](https://www.microsoft.com/microsoft-365/enterprise). - -## Next steps --Explore these additional sets of Test Lab Guides: - -- [Identity](m365-enterprise-test-lab-guides.md#identity)-- [Mobile device management](m365-enterprise-test-lab-guides.md#mobile-device-management)-- [Information protection](m365-enterprise-test-lab-guides.md#information-protection)--## See also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
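Review bot: this hunk deletes the whole simulated-enterprise base configuration article (every line is `-`), yet the DC1/APP1/CLIENT1 intranet it builds is what the password-hash-sync guide it links to and the seamless-SSO guide removed just below describe as their starting point. Add a redirect entry for the removed path, remove or re-home the images under `../media/simulated-ent-base-configuration-microsoft-365-enterprise/` (Phase3.png, Phase4.png) that this article referenced, and confirm that the `#phase-1`, `#phase-2` and `#phase-3` anchors into lightweight-base-configuration-microsoft-365-enterprise.md still resolve from whichever guides remain. Two defects in the deleted text should not travel with any content that gets moved elsewhere: step 5 of the verification list points the browser at `app1.testab.<domain>` (missing the `l` in testlab), and the trial sign-up section tells the reader to connect to CLIENT1 as `CORP\User1` although the lab domain is `TESTLAB` everywhere else in the procedure.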
enterprise | Single Sign On M365 Ent Test Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/single-sign-on-m365-ent-test-environment.md | - Title: "Microsoft Entra seamless single sign-on for your Microsoft 365 test environment"-- NOCSH--- Previously updated : 11/21/2019----- scotvorg-- M365-identity-device-management-- Strat_O365_Enterprise--- TLGS-- Ent_TLGs -description: "Summary: Configure and test Microsoft Entra seamless single sign-on for your Microsoft 365 test environment." ---# Microsoft Entra seamless single sign-on for your Microsoft 365 test environment --*This Test Lab Guide can be used for both Microsoft 365 for enterprise and Office 365 Enterprise test environments.* --Microsoft Entra seamless single sign-on (Seamless SSO) automatically signs in users when they are on their PCs or devices that are connected to their organization network. Microsoft Entra seamless SSO provides users with easy access to cloud-based applications without needing any additional on-premises components. --This article describes how to configure your Microsoft 365 test environment for Microsoft Entra seamless SSO. --Setting up Microsoft Entra seamless SSO involves two phases: -- [Phase 1: Configure password hash synchronization for your Microsoft 365 test environment](#phase-1-configure-password-hash-synchronization-for-your-microsoft-365-test-environment)-- [Phase 2: Configure Microsoft Entra Connect on APP1 for Microsoft Entra seamless SSO](#phase-2-configure-azure-ad-connect-on-app1-for-azure-ad-seamless-sso)- -![Test Lab Guides for the Microsoft cloud.](../media/m365-enterprise-test-lab-guides/cloud-tlg-icon.png) - -> [!TIP] -> For a visual map to all the articles in the Microsoft 365 for enterprise Test Lab Guide stack, go to [Microsoft 365 for enterprise Test Lab Guide Stack](https://download.microsoft.com/download/5/e/4/5e43a139-09c5-4700-b846-e468444bc557/Microsoft365EnterpriseTLGStack.pdf). 
- -## Phase 1: Configure password hash synchronization for your Microsoft 365 test environment --Follow the instructions in [password hash synchronization for Microsoft 365](password-hash-sync-m365-ent-test-environment.md). --Your resulting configuration looks like this: - -![The simulated enterprise with password hash synchronization test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase1.png) - -This configuration consists of: - -- A Microsoft 365 E5 trial or paid subscription.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network.-- Microsoft Entra Connect runs on APP1 to periodically synchronize the TESTLAB Active Directory Domain Services (AD DS) domain to the Microsoft Entra tenant of your Microsoft 365 subscription.--<a name='phase-2-configure-azure-ad-connect-on-app1-for-azure-ad-seamless-sso'></a> --## Phase 2: Configure Microsoft Entra Connect on APP1 for Microsoft Entra seamless SSO --In this phase, configure Microsoft Entra Connect on APP1 for Microsoft Entra seamless SSO, and then verify that it works. --<a name='configure-azure-ad-connect-on-app1'></a> --### Configure Microsoft Entra Connect on APP1 --1. From the [Azure portal](https://portal.azure.com), sign in with your global administrator account, and then connect to APP1 with the TESTLAB\User1 account. --2. From the APP1 desktop, run Microsoft Entra Connect. --3. On the **Welcome page**, select **Configure**. --4. On the **Additional tasks** page, select **Change user sign-in**, and then select **Next**. --5. On the **Connect to Microsoft Entra ID** page, enter your global administrator account credentials, and then select **Next**. --6. On the **User sign-in** page, select **Enable single sign-on**, and then select **Next**. --7. On the **Enable single sign-on** page, select **Enter credentials**. --8. 
In the **Windows Security** dialog box, enter **user1** and the password of the user1 account, select **OK**, and then select **Next**. --9. On the **Ready to Configure** page, select **Configure**. --10. On the **Configuration complete** page, select **Exit**. --11. From the Azure portal, in the left pane, select **Microsoft Entra ID** > **Microsoft Entra Connect**. Verify that the **Seamless single sign-on** feature appears as **Enabled**. --Next, test the ability to sign in to your subscription with the <strong>user1@testlab.</strong>\<*your public domain*> user name of the User1 account. --1. From Internet Explorer on APP1, select the settings icon, and then select **Internet Options**. - -2. In **Internet Options**, select the **Security** tab. --3. Select **Local intranet**, and then select **Sites**. --4. In **Local intranet**, select **Advanced**. --5. In **Add this website to the zone**, enter **https<span>://</span>autologon.microsoftazuread-sso.com**, select **Add** > **Close** > **OK** > **OK**. --6. Sign out, and then sign in again, this time specifying a different account. --7. When prompted to sign in, specify <strong>user1@testlab.</strong>\<*your public domain*> name, and then select **Next**. You should successfully sign in as User1 without being prompted for a password. This proves that Microsoft Entra seamless SSO is working. --Notice that although User1 has domain administrator permissions for the TESTLAB AD DS domain, it is not a global administrator for Microsoft Entra ID. Therefore, you will not see the **Admin** icon as an option. 
--Here is your resulting configuration: --![The simulated enterprise with pass-through authentication test environment.](../media/pass-through-auth-m365-ent-test-environment/Phase1.png) --This configuration consists of: --- A Microsoft 365 E5 trial or paid subscriptions with the DNS domain testlab.\<*your domain name*> registered.-- A simplified organization intranet connected to the internet, consisting of the DC1, APP1, and CLIENT1 virtual machines on a subnet of an Azure virtual network.-- Microsoft Entra Connect runs on APP1 to synchronize the list of accounts and groups from the Microsoft Entra tenant of your Microsoft 365 subscription to the TESTLAB AD DS domain.-- Microsoft Entra seamless SSO is enabled so that computers on the simulated intranet can sign in to Microsoft 365 cloud resources without specifying a user account password.--## Next step --Explore additional [identity](m365-enterprise-test-lab-guides.md#identity) features and capabilities in your test environment. --## See also --[Microsoft 365 for enterprise Test Lab Guides](m365-enterprise-test-lab-guides.md) --[Microsoft 365 for enterprise overview](microsoft-365-overview.md) --[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/) |
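Review bot: this hunk removes the seamless-SSO test-lab guide outright, including the one client-side prerequisite the sign-in test depends on: adding `https://autologon.microsoftazuread-sso.com` to the browser's Local intranet zone (steps 1 to 5 under the sign-in test). If the identity set at m365-enterprise-test-lab-guides.md#identity and the TLG stack PDF still list this guide, update them and add a redirect for the removed path. If any of the content is reinstated later, two errors in the deleted text should be corrected first: the final "This configuration consists of" bullet states the sync direction backwards (Microsoft Entra Connect synchronizes the TESTLAB AD DS domain to the Microsoft Entra tenant, as the Phase 1 bullet says, not the tenant to AD DS), and both diagrams reuse the pass-through-auth Phase1.png, so the "resulting configuration" image never showed seamless SSO.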
security | Configure Network Connections Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md | search.appverid: met150 - Microsoft Defender Antivirus **Platforms**+ - Windows -To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists connections that must be allowed for using the firewall rules. It also provides instructions for validating your connection. Configuring your protection properly will ensure you receive the best value from your cloud-delivered protection services. +To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists connections that must be allowed for using the firewall rules. It also provides instructions for validating your connection. Configuring your protection properly ensures you receive the best value from your cloud-delivered protection services. > [!IMPORTANT] > This article contains information about configuring network connections only for Microsoft Defender Antivirus. If you are using Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus), see [Configure device proxy and Internet connectivity settings for Defender for Endpoint](configure-proxy-internet.md). 
Make sure that there are no firewall or network filtering rules denying access t |Service and description|URL| ||| |Microsoft Defender Antivirus cloud-delivered protection service is referred to as Microsoft Active Protection Service (MAPS).<br/> Microsoft Defender Antivirus uses the MAPS service to provide cloud-delivered protection.|`*.wdcp.microsoft.com` <br/>`*.wdcpalt.microsoft.com`<br/>`*.wd.microsoft.com` |-|Microsoft Update Service (MU) and Windows Update Service (WU)<br/>These services will allow security intelligence and product updates.|`*.update.microsoft.com`<br/>`*.delivery.mp.microsoft.com`<br/>`*.windowsupdate.com` <br/>`ctldl.windowsupdate.com`<br/><br/>For more information, see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update).| +|Microsoft Update Service (MU) and Windows Update Service (WU)<br/>These services allow security intelligence and product updates.|`*.update.microsoft.com`<br/>`*.delivery.mp.microsoft.com`<br/>`*.windowsupdate.com` <br/>`ctldl.windowsupdate.com`<br/><br/>For more information, see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update).| |Security intelligence updates Alternate Download Location (ADL)<br/>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, if the installed Security intelligence is out of date (Seven or more days behind).|`*.download.microsoft.com`<br/>`*.download.windowsupdate.com` (Port 80 is required)<br/>`go.microsoft.com` (Port 80 is required)<br/>`https://www.microsoft.com/security/encyclopedia/adlpackages.aspx` <br/>`https://definitionupdates.microsoft.com/download/DefinitionUpdates/`<br/>`https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| |Malware submission storage<br/>This is an upload location for files submitted to Microsoft via the Submission form or automatic sample 
submission.|`ussus1eastprod.blob.core.windows.net`<br/>`ussus2eastprod.blob.core.windows.net`<br/>`ussus3eastprod.blob.core.windows.net`<br/>`ussus4eastprod.blob.core.windows.net`<br/>`wsus1eastprod.blob.core.windows.net`<br/>`wsus2eastprod.blob.core.windows.net`<br/>`ussus1westprod.blob.core.windows.net`<br/>`ussus2westprod.blob.core.windows.net`<br/>`ussus3westprod.blob.core.windows.net`<br/>`ussus4westprod.blob.core.windows.net`<br/>`wsus1westprod.blob.core.windows.net`<br/>`wsus2westprod.blob.core.windows.net`<br/>`usseu1northprod.blob.core.windows.net`<br/>`wseu1northprod.blob.core.windows.net`<br/>`usseu1westprod.blob.core.windows.net`<br/>`wseu1westprod.blob.core.windows.net`<br/>`ussuk1southprod.blob.core.windows.net`<br/>`wsuk1southprod.blob.core.windows.net`<br/>`ussuk1westprod.blob.core.windows.net`<br/>`wsuk1westprod.blob.core.windows.net`| |Certificate Revocation List (CRL)<br/>Windows use this list while creating the SSL connection to MAPS for updating the CRL.|`http://www.microsoft.com/pkiops/crl/`<br/>`http://www.microsoft.com/pkiops/certs`<br/>`http://crl.microsoft.com/pki/crl/products`<br/>`http://www.microsoft.com/pki/certs`| Use the following argument with the Microsoft Defender Antivirus command-line ut For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md). 
-### Attempt to download a fake malware file from Microsoft +Use the tables below to see error messages you might encounter along with information on the root cause and possible solutions: ++|Error messages|Root cause| +|:|:|:| +|Start Time: <Day_of_the_week> MM DD YYYY HH:MM:SS <br/> MpEnsureProcessMitigationPolicy: hr = 0x1 <br/> ValidateMapsConnection<br/>ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80070006 httpcore=451)<br/> MpCmdRun.exe: hr = 0x80070006**<br/><br/> ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80072F8F httpcore=451)<br/>MpCmdRun.exe: hr = 0x80072F8F <br/><br/> ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80072EFE httpcore=451)<br/> MpCmdRun.exe: hr = 0x80072EFE| The root cause of these error messages is that the device doesn't have its system-wide WinHttp proxy configured. If you donΓÇÖt set the system-wide WinHttp proxy, then the operating system isn't aware of the proxy and canΓÇÖt fetch the CRL (the operating system does this, not Defender for Endpoint), which means that TLS connections to URLs like `http://cp.wd.microsoft.com/` will not fully succeed. 
You'll see successful (response 200) connections to the endpoints but the MAPS connections would still fail.| ++|Solution|Description| +|:|:| +|Solution (Preferred) | Configure the system-wide WinHttp proxy that allows the CRL check.| +|Solution (Preferred 2) | - [Setup Redirect the Microsoft Automatic Update URL for a disconnected environment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> - [Configure a server that has access to the Internet to retrieve the CTL files](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> - [Redirect the Microsoft Automatic Update URL for a disconnected environment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN) <br/> <br/> _Usefule references:_ <br/> - Go to **Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings** > **Select the Network Retrieval tab** > **Select Define these policy settings** > **Select to clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.** <br/> - [Certificate Revocation List (CRL) Verification - an Application Choice](https://social.technet.microsoft.com/wiki/contents/articles/964.certificate-revocation-list-crl-verification-an-application-choice.aspx) <br/> - [https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows](https://support.microsoft.com/help/931125/how-to-get-a-root-certificate-update-for-windows) <br/> - [https://technet.microsoft.com/library/dn265983(v=ws.11).aspx](https://technet.microsoft.com/library/dn265983(v=ws.11).aspx) <br/> - [/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element](/dotnet/framework/configure-apps/file-schema/runtime/generatepublisherevidence-element) - 
[https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/](https://blogs.msdn.microsoft.com/amolravande/2008/07/20/improving-application-start-up-time-generatepublisherevidence-setting-in-machine-config/)| +|Work-around solution (Alternative) <br/> _Not best practice since you'll no longer check for revoked certificates or certificate pinning_.| Disable CRL check only for SPYNET. <br/> Configuring this registry SSLOption disables CRL check only for SPYNET reporting. It wonΓÇÖt impact other services.<br/><br/> To to this: <br/> Go to **HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet** > set SSLOptions (dword) to 0 (hex). <br/> - 0 ΓÇô disable pinning and revocation checks <br/> - 1 ΓÇô disable pinning <br/> - 2 ΓÇô disable revocation checks only <br/> - 3 ΓÇô enable revocation checks and pinning (default)| -You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud. Visit [https://aka.ms/ioavtest1](https://aka.ms/ioavtest1) to download the file. +## Attempt to download a fake malware file from Microsoft ++You can download a [sample file](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection) that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud. > [!NOTE] > The downloaded file is not exactly malware. It's a fake file designed to test if you're properly connected to the cloud. A similar message occurs if you're using Internet Explorer: :::image type="content" source="../../media/wdav-bafs-ie.png" alt-text="The Microsoft Defender Antivirus notification that malware was found" lightbox="../../media/wdav-bafs-ie.png"::: -#### View the fake malware detection in your Windows Security app +### View the fake malware detection in your Windows Security app 1. 
On your task bar, select the Shield icon, open the **Windows Security** app. Or, search the **Start** for *Security*. -2. Select **Virus & threat protection**, and then select **Protection history**. +1. Select **Virus & threat protection**, and then select **Protection history**. -1. 3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. +1. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. > [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). A similar message occurs if you're using Internet Explorer: > [!TIP] > If you're looking for Antivirus related information for other platforms, see:-> +> > - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)-> +> > - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)-> +> > - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)-> +> > - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)-> +> > - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)-> +> > - [Configure Defender for Endpoint on Android features](android-configure.md)-> +> > - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) ## See also A similar message occurs if you're using Internet Explorer: - [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](use-group-policy-microsoft-defender-antivirus.md) - [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) - [!INCLUDE [Microsoft Defender 
for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
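Review bot: the new error-message table is malformed and will not render as a table: the header declares two columns (`|Error messages|Root cause|`) but the alignment row declares three (`|:|:|:|`). The same cell carries an unmatched `**` after `MpCmdRun.exe: hr = 0x80070006`, and the apostrophes and dash came through as `ΓÇÖ` / `ΓÇô` (UTF-8 curly quotes decoded as CP437) in `donΓÇÖt`, `canΓÇÖt` and the SSLOptions value list; save the file as UTF-8 and use plain `'`. Two wording fixes in the root-cause text: it says the failed CRL fetch means "TLS connections to URLs like `http://cp.wd.microsoft.com/` will not fully succeed", but the connection that needs the revocation check is the HTTPS one, so write `https://cp.wd.microsoft.com/` (the CRL itself is fetched over plain HTTP from the `crl.microsoft.com` and `www.microsoft.com/pkiops` URLs in the CRL row above); and it says "the operating system does this, not Defender for Endpoint" in an article whose IMPORTANT block restricts it to Microsoft Defender Antivirus, so name the right product.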
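Review bot: the work-around row tells the reader to set `SSLOptions` to `0`, but by the value list in the same cell `0` disables both certificate pinning and revocation checks, while the row's own heading is "Disable CRL check only for SPYNET". For the stated problem (CRL unreachable through the proxy) the least-privilege setting is `2`, "disable revocation checks only"; recommend `2` and mention `0` only if pinning is also failing. Because the key sits under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet`, a value written by hand is reverted at the next policy refresh when the key is managed by Group Policy or MDM, so say to set it through the same management channel. In the "Preferred 2" row the first and third bullets link to the same dn265983 page under two different titles (keep one), and the instruction to clear "Automatically update certificates in the Microsoft Root Certificate Program" is filed under "Useful references" although it is a configuration step that stops root-store updates and deserves its own caveat. Typos: `Usefule`, `To to this`, and two rows both labelled "Preferred" should be renamed or ordered.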
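Review bot: the "Attempt to download a fake malware file" hunk replaces the direct `https://aka.ms/ioavtest1` download with a link to the cloud-delivered-protection demonstration page, but the sentence still reads "You can download a sample file" and the NOTE that follows still says "The downloaded file is not exactly malware"; readers who click now land on a page, not a file. Reword to "follow the steps on the demonstration page to download a sample file", or keep the direct download link alongside the demonstration link. The promotion of the heading from `###` to `##` moves this section out from under "Validate connections" into the article's top level; fine if intended, but the subsequent "View the fake malware detection" heading then needs to stay one level below it, which the `####` to `###` change does.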
security | Linux Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md | This article is updated frequently to let you know what's new in the latest rele - [What's new in Defender for Endpoint on macOS](mac-whatsnew.md) - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) +<details> +<summary> March-2024 (Build: 101.24012.0001 | Release version: 30.124012.0001.0)</summary> ++## March-2024 Build: 101.24012.0001 | Release version: 30.124012.0001.0 ++ Released: **March 12,2024**<br/> + Published: **March 12,2024**<br/> + Build: **101.24012.0001**<br/> + Release version: **30.124012.0001.0**<br/> + Engine version: **1.1.23110.4**<br/> + Signature version: **1.403.87.0**<br/> ++**What's new** +There are multiple fixes and new changes in this release: ++- Updated default engine version to `1.1.23110.4`, and default signatures version to `1.403.87.0`. +- Stability and performance improvements. +- Bug fixes. +</details> + <details> <summary> February-2024 (Build: 101.23122.0002 | Release version: 30.123122.0002.0)</summary> |
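Review bot: in the new March-2024 entry, "March 12,2024" is missing the space after the comma in both the Released and Published lines. Otherwise the block follows the February entry's pattern (summary, heading, version fields), and the engine and signature versions named in the first bullet match the header fields.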
security | Mac Device Control Jamf | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md | Before you get started with Removable Storage Access Control, you must confirm y ### Step 1: Create policy JSON -Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here is the demo file: [mdatp-devicecontrol/deny_removable_media_except_kingston.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/examples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main - microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json). +Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON, here is the demo file: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/samples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema so your policy format is correct: [https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json](https://github.com/microsoft/mdatp-devicecontrol/blob/main/macOS/policy/device_control_policy_schema.json). See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups. |
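Review bot: the repaired links now use the raw GitHub URL as the link text, so each URL appears twice on the line; keep descriptive text (the earlier "deny_removable_media_except_kingston.json at main - microsoft/mdatp-devicecontrol" form) with the new target path. While touching this sentence, fix the run-on: "Now, you have 'groups' and 'rules' and 'settings', combine 'settings' and 'groups' and rules into one JSON" reads better as "Now that you have groups, rules, and settings, combine them into one JSON policy; here is a sample: ...". The schema-validation sentence is the part that protects the reader (an invalid policy is the usual reason a deny rule never takes effect), so consider stating what the agent does with a policy that fails validation rather than only telling the reader to validate.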
security | Mac Support Perf Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf-overview.md | + + Title: Overview for how to troubleshoot performance issues for Microsoft Defender for Endpoint on macOS +description: Troubleshoot performance issues overview for Microsoft Defender for Endpoint on macOS ++++ Last updated : 03/01/2024+++++# Overview for how to troubleshoot performance issues for Microsoft Defender for Endpoint on macOS ++**Applies to:** ++- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) ++This article provides general guidelines to identify performance issues related to Microsoft Defender for Endpoint on macOS. See [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](mac-support-perf.md) for more specific guidance. ++Depending on the applications that you're running and your device characteristics, you might experience suboptimal performance when running Microsoft Defender for Endpoint on macOS. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender for Endpoint on macOS. ++> [!CAUTION] +> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on MacOS is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can configure Microsoft Defender Antivirus to run in **[Passive mode](/microsoft-365/security/defender-endpoint/mac-preferences)**. 
After you configure Passive mode, you can use Defender for Endpoint on Mac EDR functionality. ++> [!WARNING] +> Before starting, make sure that other security products are not currently running on the device. Multiple security products might conflict and impact system performance. ++> [!TIP] +> If you're running other third-party security products, make sure that the Microsoft Defender for Endpoint on macOS processes and paths are excluded from that 3rd party security product and that security product is excluded from Microsoft Defender for Endpoint on macOS. ++When troubleshooting performance issues for Microsoft Defender for Endpoint on macOS, you should review the **Activity Monitor** to see which of the three (3) processes is leading the high cpu utilization ++|Daemon name|Component|Troubleshooting guide| +| -- | -- |-- | +|wdavdaemon| Core (privileged)|Open a [Microsoft support case](/microsoft-365/security/defender-endpoint/contact-support).| +|wdavdaemon_unpriviliged| Antimalware (AV, EPP)|Review [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-perf).| +|wdavdaemon_enterprise| Endpoint Detection and Response (EDR)|Open a [Microsoft support case](/microsoft-365/security/defender-endpoint/contact-support).| ++Additionally, gather [Defender for Endpoint Client Analyzer](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux) files while the issue occurs. This will be used by the support team to investigate the issue. + |
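Review bot: the daemon table spells the antimalware process `wdavdaemon_unpriviliged`, while the adjacent "Core (privileged)" cell has the correct spelling of the word; verify the process name against Activity Monitor before this ships, because readers will search for it verbatim (the same spelling appears in the mac-support-perf change below). Smaller points: "MacOS" in the caution should be "macOS" as used elsewhere in the article; "leading the high cpu utilization" lacks a period and should read "CPU"; "three (3) processes" can be "three processes"; and the "Applies to" list orders Plan 1 after the macOS link while the sibling mac-support-perf article lists Plan 2 then Plan 1, so pick one order. The caution's advice to run Defender Antivirus in passive mode when another endpoint product must stay installed is the security-relevant statement here; its link text says "Passive mode" but points at the whole mac-preferences page, so link to the passive-mode section of that page.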
security | Mac Support Perf | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md | Last updated 12/18/2020 **Applies to:** +- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md) - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) + > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) Depending on the applications that you're running and your device characteristic **Applies to:** -- Only performance issues related to AV+- Only performance issues related to AV (wdavdaemon_unpriviliged) Real-time protection (RTP) is a feature of Defender for Endpoint on macOS that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. The following steps can be used to troubleshoot and mitigate these issues: 3. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint on Mac. - > [!NOTE] - > This feature is available in version 100.90.70 or newer. - This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. 
If you're using a different update channel, this feature can be enabled from the command line: -- ```bash - mdatp config real-time-protection-statistics --value enabled - ``` -- This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: -- ```bash - mdatp health --field real_time_protection_enabled - ``` -- Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it: -- ```bash - mdatp config real-time-protection --value enabled - ``` -- ```output - Configuration property updated - ``` -- To collect current statistics, run: -- ```bash - mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json - ``` -- > [!NOTE] - > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. - The output of this command will show all processes and their associated scan activity. --4. On your Mac system, download the sample Python parser high_cpu_parser.py using the command: -- ```bash - curl -O https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py - ``` -- The output of this command should be similar to the following: -- ```Output - --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft. - mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py - Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx - Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected. - HTTP request sent, awaiting response... 200 OK - Length: 1020 [text/plain] - Saving to: 'high_cpu_parser.py' - 100%[===========================================>] 1,020 --.-K/s in - 0s - ``` --5. 
Next, type the following commands: -- ```bash - chmod +x high_cpu_parser.py - ``` -- ```bash - cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log - ``` -- The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is the process name, and the last column is the number of scanned files, sorted by impact. -- For example, the output of the command will be something like the below: -- ```output - ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 - 27432 None 76703 - 73467 actool 1249 - 73914 xcodebuild 1081 - 73873 bash 1050 - 27475 None 836 - 1 launchd 407 - 73468 ibtool 344 - 549 telemetryd_v1 325 - 4764 None 228 - 125 CrashPlanService 164 - ``` +> [!NOTE] +> This feature is available in version 100.90.70 or newer. +> This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line: - To improve the performance of Defender for Endpoint on Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on macOS](mac-exclusions.md). +> [!TIP] +> If you have [Tamper Protection in block mode](/microsoft-365/security/defender-endpoint/tamperprotection-macos), you need to use [Troubleshooting mode](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode) to capture real-time-protection-statistics. Otherwise, you will get null results. + +```bash +mdatp config real-time-protection-statistics --value enabled + ``` - > [!NOTE] - > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. 
Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. - > -6. Configure Microsoft Defender for Endpoint on macOS with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: - See [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md) for details. +```bash +mdatp health --field real_time_protection_enabled +``` -## Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer +Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it: -**Applies to:** -- Performance issues of all available Defender for Endpoint components such as AV and EDR+```bash +mdatp config real-time-protection --value enabled +``` -The Microsoft Defender for Endpoint Client Analyzer (MDECA) can collect traces, logs, and diagnostic information in order to troubleshoot performance issues on [onboarded devices](/microsoft-365/security/defender-endpoint/onboard-configure) on macOS. +```output +Configuration property updated +``` -> [!NOTE] -> -> - The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). 
-> - As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming that the issue still persists before investigating further. + To collect current statistics, run: -To run the client analyzer for troubleshooting performance issues, see [Run the client analyzer on macOS and Linux](run-analyzer-macos-linux.md). +```bash +mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json +``` > [!NOTE]-> In case after following the above steps, the performance problem persists, please contact customer support for further instructions and mitigation. --## See also --- [Investigate agent health issues](health-status.md)+> Using **--output json** (note the double dash) ensures that the output format is ready for parsing. +The output of this command will show all processes and their associated scan activity. |
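Review bot: the added "Applies to" line spells the daemon as `wdavdaemon_unpriviliged`, which looks like a typo for the unprivileged worker process name; readers will grep process lists for this string, so check it against the actual process name before it ships. In the same region, the closing fence after `+mdatp config real-time-protection-statistics --value enabled` is indented by one space (`+ ```) while its opening `+```bash` is not, which some renderers treat as a non-matching fence; align it with the other fences in the hunk. Finally, the new NOTE and TIP about version 100.90.70 and Tamper Protection are placed before the `mdatp config` command but the sentence "If you're using a different update channel, this feature can be enabled from the command line:" no longer has the command directly beneath it on the rendered page, so consider moving the TIP below the command.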
security | Mac Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md | For more information on Microsoft Defender for Endpoint on other operating syste - [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md) - [What's new in Microsoft Defender for Endpoint on iOS](ios-whatsnew.md) -**Built-in Scheduled Scan for macOS** (Public Preview) +**Built-in Scheduled Scan for macOS** (preview) Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS is now available in Public Preview. To learn more, see [How to schedule scans with Microsoft Defender for Endpoint on macOS](mac-schedule-scan.md). -**Troubleshooting mode for macOS** (Public Preview) +**Troubleshooting mode for macOS** (preview) Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. Troubleshooting mode for macOS is now available in Public Preview. To learn more, see [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](mac-troubleshoot-mode.md). Apple fixed an issue on macOS [Ventura upgrade](<https://developer.apple.com/doc Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **macOS Deprecation**--> [!NOTE] -> Microsoft Defender for Endpoint no longer supports these macOS as Apple ended support for: -> - Big Sur (11) in December 2023. +Microsoft Defender for Endpoint no longer supports Big Sur (11) ### Jan-2024 (Build: 101.23122.0005 | Release version: 20.123122.5.0) Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release.  
Engine version: **1.1.19900.2**<br/>  Signature version: **1.381.2029.0**<br/> + Build: **101.96.85**<br/> + Release version: **20.122112.19413.0**<br/> + Engine version: **1.1.19900.2**<br/> + Signature version: **1.381.2029.0**<br/> ++ Build: **101.96.85**<br/> + Release version: **20.122112.19413.0**<br/> + Engine version: **1.1.19900.2**<br/> + Signature version: **1.381.2029.0**<br/> ++ Build: **101.96.85**<br/> + Release version: **20.122112.19413.0**<br/> + Engine version: **1.1.19900.2**<br/> + Signature version: **1.381.2029.0**<br/> ++ Build: **101.96.85**<br/> + Release version: **20.122112.19413.0**<br/> + Engine version: **1.1.19900.2**<br/> + Signature version: **1.381.2029.0**<br/> ++ Build: **101.96.85**<br/> + Release version: **20.122112.19413.0**<br/> + Engine version: **1.1.19900.2**<br/> + Signature version: **1.381.2029.0**<br/> + **What's new** - Bug and performance fixes Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. </details> + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
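Review bot: the added block `+ Build: **101.96.85**<br/>` through `+ Signature version: **1.381.2029.0**<br/>` is repeated five times verbatim in this hunk, and the same engine and signature versions already appear in the unchanged context just above it; this looks like a paste error, so keep a single copy of the build/release/engine/signature block (or drop it if the existing lines already cover it) before merging.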
security | Microsoft Defender Endpoint Linux | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md | Last updated 11/29/2023 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) -This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux. +This article describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux. > [!CAUTION] > Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine). In general you need to take the following steps: - Ubuntu 16.04 LTS or higher LTS - Debian 9 - 12 - SUSE Linux Enterprise Server 12 or higher+ - SUSE Linux Enterprise Server 15 or higher - Oracle Linux 7.2 or higher - Oracle Linux 8.x - Oracle Linux 9.x High I/O workloads from certain applications can experience performance issues w ## Resources -- For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md).+- For more information about logging, uninstalling, or other articles, see [Resources](linux-resources.md). ## Related articles |
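Review bot: the rewording in the Resources bullet, `+- For more information about logging, uninstalling, or other articles, see [Resources](linux-resources.md).`, reads oddly because "logging" and "uninstalling" are tasks, not articles; "or other tasks" (or simply "and more") would fit the sentence better than mechanically swapping "topics" for "articles".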
security | Non Windows | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md | With Microsoft Defender for Endpoint, customers benefit from a unified view of a ## Microsoft Defender for Endpoint on macOS -Microsoft Defender for Endpoint on macOS offers antivirus, endpoint detection and response (EDR), and vulnerability management capabilities for the three latest released versions of macOS. Customers can deploy and manage the solution through Microsoft Intune and Jamf. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft Defender for Endpoint on Mac updates. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS). +Microsoft Defender for Endpoint on macOS offers antivirus, endpoint detection and response (EDR), and vulnerability management capabilities for the three latest released versions of macOS. Customers can deploy and manage the solution through Microsoft Intune and Jamf. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft Defender for Endpoint on Mac updates. Security Management for Microsoft Defender for Endpoint is now supported on MacOS endpoints. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS). For more details on how to get started, visit the Defender for Endpoint on macOS [documentation](microsoft-defender-endpoint-mac.md). 
-> [!NOTE] -> The following capabilities are not currently supported on macOS endpoints: -> -> - Security Management for Microsoft Defender for Endpoint - ## Microsoft Defender for Endpoint on Linux -Microsoft Defender for Endpoint on Linux offers preventative antivirus (AV), endpoint detection and response (EDR), and vulnerability management capabilities for Linux servers. This includes a full command line experience to configure and manage the agent, initiate scans, and manage threats. We support recent versions of the six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or using your existing Linux configuration management tool. For information about the key features and benefits, read our +Microsoft Defender for Endpoint on Linux offers preventative antivirus (AV), endpoint detection and response (EDR), and vulnerability management capabilities for Linux servers. This includes a full command line experience to configure and manage the agent, initiate scans, and manage threats. We support recent versions of the six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or using your existing Linux configuration management tool. Security Management for Microsoft Defender for Endpoint is now supported on Linux. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux). For more details on how to get started, visit the Microsoft Defender for Endpoint on Linux [documentation](microsoft-defender-endpoint-linux.md). 
> [!NOTE]-> The following capabilities are not currently supported on Linux endpoints: -> -> - Data loss prevention -> - Security Management for Microsoft Defender for Endpoint -+> The following capabilities are not currently supported on Linux endpoints:> - Data loss prevention ## Microsoft Defender for Endpoint on Android Microsoft Defender for Endpoint on Android is our mobile threat defense solution for devices running Android 6.0 and higher. Both Android Enterprise (Work Profile) and Device Administrator modes are supported. On Android, we offer web protection, which includes anti-phishing, blocking of unsafe connections, and setting of custom indicators. The solution scans for malware and potentially unwanted applications (PUA) and offers additional breach prevention capabilities through integration with Microsoft Intune and Conditional Access. For information about the key features and benefits, read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android). |
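Review bot: the rewritten note `+> The following capabilities are not currently supported on Linux endpoints:> - Data loss prevention` collapses the intro sentence and the list item onto one line, so the `> - ` list marker will render as literal text inside the sentence; keep the list item on its own line under the `> [!NOTE]` block, as the removed lines had it. Dropping only the "Security Management" bullet should not require re-flowing the remaining one.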
security | Troubleshoot Np | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md | ms.localizationpriority: medium audience: ITPro -+ Last updated 02/16/2024 [!INCLUDE [Microsoft Defender XDR rebranding](../../includes/microsoft-defender.md)] **Applies to:**-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business?branch=main) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) > [!TIP] > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink) There are four steps to troubleshooting these problems: Network protection works on devices with the following conditions: > [!div class="checklist"]-> -> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. +> > - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. > - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you're using a non-Microsoft antivirus solution](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). 
> - [Real-time protection](/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) is enabled.+> - [Behavior Monitoring](/microsoft-365/security/defender-endpoint/behavior-monitor) is enabled. > - [Cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) is enabled.+> - [Cloud Protection network connectivity](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) is functional. > - Audit mode isn't enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). ## Use audit mode -You can enable network protection in audit mode and then visit a website that's designed to demo the feature. All website connections are allowed by network protection but an event is logged to indicate any connection that would be blocked if network protection were enabled. +You can enable network protection in audit mode and then visit a website designed to demo the feature. All website connections are allowed by network protection but an event is logged to indicate any connection that would be blocked if network protection were enabled. 1. Set network protection to **Audit mode**. The current exclusion options are: 3. Excluding an entire process. For more information, see [Microsoft Defender Antivirus exclusions](configure-exclusions-microsoft-defender-antivirus.md). +## Network Performance issues ++In certain circumstances, a network protections component might contribute to slow network connections to Domain Controllers and/or Exchange servers. You might also notice Event ID 5783 NETLOGON errors. ++To attempt to solve these issues, change Network Protection from ‘block mode’ to either ‘[audit mode](troubleshoot-np.md)’ or 'disabled'. 
If your network issues are fixed, follow the next steps to find out which component in Network Protection is contributing to the behavior.  ++Disable the following components in order and test your network connectivity performance after disabling each one: ++ 1. [Disable Datagram Processing on Windows Server](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable Network Protection Perf Telemetry](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable FTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable SSH parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable RDP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable HTTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable SMTP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable DNS over TCP parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable DNS parsing ](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable inbound connection filtering](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) + 1. [Disable TLS parsing](/powershell/module/defender/set-mppreference?view=windowsserver2022-ps&preserve-view=true) ++If your network performance issues persist after following these troubleshooting steps, then they're probably not related to network protection and you should look for other causes of your network performance issues. 
+ ## Collect diagnostic data for file submissions When you report a problem with network protection, you're asked to collect and submit diagnostic data for Microsoft support and engineering teams to help troubleshoot issues. |
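Review bot: the new "Network Performance issues" section walks the reader through disabling eleven network protection components in order but never tells them to re-enable the ones that did not resolve the problem, so a reader who follows the list as written ends up with TLS, DNS and inbound connection filtering switched off; add a closing step to turn each component back on (and return network protection to block mode) once the contributing component is found. Every step also links to the same generic Set-MpPreference page without naming the parameter it toggles; stating the parameter per step would remove the guesswork. Smaller points in the same hunk: "a network protections component" should be "a network protection component"; the audit mode link in `'[audit mode](troubleshoot-np.md)'` points at this very article rather than its "Use audit mode" section; the curly quotes around 'block mode' should be straight quotes like the rest of the page; `[Disable DNS parsing ]` has a stray space in the link text; and the checklist line `+> > - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.` nests a second blockquote marker, so it should stay `> - Endpoints ...` on its own line after the bare `>` as in the removed lines.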
security | Whats New In Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md | For more information on Microsoft Defender for Endpoint on specific operating sy **Attack Surface Reduction (ASR) Rules** Two new ASR rules are now in public preview: -- Block rebooting machine in Safe Mode (preview): This rule prevents the execution of commands to restart machines in Safe Mode.-- Block use of copied or impersonated system tools (preview): This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.+- [Block rebooting machine in Safe Mode (preview)](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-rebooting-machine-in-safe-mode-preview): This rule prevents the execution of commands to restart machines in Safe Mode. +- [Block use of copied or impersonated system tools (preview)](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-use-of-copied-or-impersonated-system-tools-preview): This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. ## January 2024 |
security | Attack Simulation Training Payloads | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md | To see payloads that have been archived (the **Status** value is **Archive**), u Select one of the available URL values: - - <https://www.mcsharepoint.com> - - <https://www.attemplate.com> - - <https://www.doctricant.com> - - <https://www.mesharepoint.com> - - <https://www.officence.com> - - <https://www.officenced.com> - - <https://www.officences.com> - - <https://www.officentry.com> - - <https://www.officested.com> - - <https://www.prizegives.com> - - <https://www.prizemons.com> - - <https://www.prizewel.com> - - <https://www.prizewings.com> - - <https://www.shareholds.com> - - <https://www.sharepointen.com> - - <https://www.sharepointin.com> - - <https://www.sharepointle.com> - - <https://www.sharesbyte.com> - - <https://www.sharession.com> - - <https://www.sharestion.com> - - <https://www.templateau.com> - - <https://www.templatent.com> - - <https://www.templatern.com> - - <https://www.windocyte.com> + | | | | + |||| + |<https://www.attemplate.com>|<https://www.exportants.it>|<https://www.resetts.it>| + |<https://www.bankmenia.com>|<https://www.exportants.org>|<https://www.resetts.org>| + |<https://www.bankmenia.de>|<https://www.financerta.com>|<https://www.salarytoolint.com>| + |<https://www.bankmenia.es>|<https://www.financerta.de>|<https://www.salarytoolint.net>| + |<https://www.bankmenia.fr>|<https://www.financerta.es>|<https://www.securembly.com>| + |<https://www.bankmenia.it>|<https://www.financerta.fr>|<https://www.securembly.de>| + |<https://www.bankmenia.org>|<https://www.financerta.it>|<https://www.securembly.es>| + |<https://www.banknown.de>|<https://www.financerta.org>|<https://www.securembly.fr>| + |<https://www.banknown.es>|<https://www.financerts.com>|<https://www.securembly.it>| + 
|<https://www.banknown.fr>|<https://www.financerts.de>|<https://www.securembly.org>| + |<https://www.banknown.it>|<https://www.financerts.es>|<https://www.securetta.de>| + |<https://www.banknown.org>|<https://www.financerts.fr>|<https://www.securetta.es>| + |<https://www.browsersch.com>|<https://www.financerts.it>|<https://www.securetta.fr>| + |<https://www.browsersch.de>|<https://www.financerts.org>|<https://www.securetta.it>| + |<https://www.browsersch.es>|<https://www.hardwarecheck.net>|<https://www.shareholds.com>| + |<https://www.browsersch.fr>|<https://www.hrsupportint.com>|<https://www.sharepointen.com>| + |<https://www.browsersch.it>|<https://www.mcsharepoint.com>|<https://www.sharepointin.com>| + |<https://www.browsersch.org>|<https://www.mesharepoint.com>|<https://www.sharepointle.com>| + |<https://www.docdeliveryapp.com>|<https://www.officence.com>|<https://www.sharesbyte.com>| + |<https://www.docdeliveryapp.net>|<https://www.officenced.com>|<https://www.sharession.com>| + |<https://www.docstoreinternal.com>|<https://www.officences.com>|<https://www.sharestion.com>| + |<https://www.docstoreinternal.net>|<https://www.officentry.com>|<https://www.supportin.de>| + |<https://www.doctorican.de>|<https://www.officested.com>|<https://www.supportin.es>| + |<https://www.doctorican.es>|<https://www.passwordle.de>|<https://www.supportin.fr>| + |<https://www.doctorican.fr>|<https://www.passwordle.fr>|<https://www.supportin.it>| + |<https://www.doctorican.it>|<https://www.passwordle.it>|<https://www.supportres.de>| + |<https://www.doctorican.org>|<https://www.passwordle.org>|<https://www.supportres.es>| + |<https://www.doctrical.com>|<https://www.payrolltooling.com>|<https://www.supportres.fr>| + |<https://www.doctrical.de>|<https://www.payrolltooling.net>|<https://www.supportres.it>| + |<https://www.doctrical.es>|<https://www.prizeably.com>|<https://www.supportres.org>| + |<https://www.doctrical.fr>|<https://www.prizeably.de>|<https://www.techidal.com>| + 
|<https://www.doctrical.it>|<https://www.prizeably.es>|<https://www.techidal.de>| + |<https://www.doctrical.org>|<https://www.prizeably.fr>|<https://www.techidal.fr>| + |<https://www.doctricant.com>|<https://www.prizeably.it>|<https://www.techidal.it>| + |<https://www.doctrings.com>|<https://www.prizeably.org>|<https://www.techniel.de>| + |<https://www.doctrings.de>|<https://www.prizegiveaway.net>|<https://www.techniel.es>| + |<https://www.doctrings.es>|<https://www.prizegives.com>|<https://www.techniel.fr>| + |<https://www.doctrings.fr>|<https://www.prizemons.com>|<https://www.techniel.it>| + |<https://www.doctrings.it>|<https://www.prizesforall.com>|<https://www.templateau.com>| + |<https://www.doctrings.org>|<https://www.prizewel.com>|<https://www.templatent.com>| + |<https://www.exportants.com>|<https://www.prizewings.com>|<https://www.templatern.com>| + |<https://www.exportants.de>|<https://www.resetts.de>|<https://www.windocyte.com>| + |<https://www.exportants.es>|<https://www.resetts.es>|| + |<https://www.exportants.fr>|<https://www.resetts.fr>|| > [!NOTE] > A URL reputation service might identify one or more of these URLs as unsafe. Check the availability of the URL in your supported web browsers before you use the URL in a simulation. For more information, see [Phishing simulation URLs blocked by Google Safe Browsing](attack-simulation-training-faq.md#phishing-simulation-urls-blocked-by-google-safe-browsing). |
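Review bot: the table that replaces the bulleted URL list opens with `+ | | | |` followed by `+ ||||`, but a Markdown table needs a delimiter row with at least one dash per column (for example `|---|---|---|`) directly under the header row; as written the block will not render as a table and the URLs will appear as a run of pipe-separated text. Either add the dash row or give the three columns real headers so the header row is not empty.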
security | Attack Simulation Training Simulations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulations.md | All actions on existing simulations start on the **Simulations** tab. To get the > - Remove columns from the view. > - Zoom out in your web browser. +### Copy simulations ++You can copy an existing simulation and modify it to suit your needs. This will save you time and effort when creating new simulations based on previous ones. ++You can copy any simulation that you created and that's available in the **Simulations** tab, regardless of the **Status** value. You can then modify the copy. For example, change the simulation name, description, technique, payload, target users, etc. ++- We don't recommend copying **Failed** simulations, because the reasons for failure could recur in the duplicated simulation. +- When you copy a simulation, the most recent version of the content in the original simulation is used in the new copy. For example, the payload, landing page, and end-user notifications. If any content is deleted, you're prompted to select the respective content again. +- The latest target and excluded users at the time of simulation launch will be used when groups are added from the search bar - **Search for users or groups**. The target and excluded users will remain unchanged in the following scenarios: + - when the user list was imported as a CSV. + - when users were added from the search bar. + - When users were added for different categories: All users, Suggested user groups, User tags, City, Country, Department, Title. +- If the scheduled simulation launch time in the original simulation is in the future, it's copied as is. For launch times in the past, the value **Launch this simulation as soon as I'm done** is selected. ++To copy a simulation, follow these steps: ++1. Select the **Simulations** tab and find the simulation that you want to copy. +2. 
Select the checkbox next to the simulation name, and then select :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy simulation**. +3. The simulation configuration wizard opens with all the original settings and a simulation name containing the suffix **_Copy**. +4. Review and modify the simulation configuration as needed. Select **Submit** to launch it or **Save and close** to review it later. If you select **Cancel**, the copied simulation isn't saved. + ### Cancel simulations You can cancel simulations with the **Status** value **In progress** or **Scheduled**. |
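Review bot: the target-user bullet in the new "Copy simulations" section contradicts itself: it says the latest target and excluded users "will be used when groups are added from the search bar" and then lists "when users were added from the search bar" among the cases where the target and excluded users "will remain unchanged"; clarify whether the distinction is groups versus individual users, and say so explicitly. In the same list the sub-bullets switch between "when" and "When", and the sentence "For example, change the simulation name, description, technique, payload, target users, etc." would be tighter without the trailing "etc.".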
syntex | Apply A Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/apply-a-model.md | |
syntex | Content Assembly Conditional Sections | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-assembly-conditional-sections.md | |
syntex | Content Assembly Modern Template | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-assembly-modern-template.md | |
syntex | Create A Content Center | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/create-a-content-center.md | description: Learn how to create a content center in Microsoft Syntex. <sup>**Applies to:**   ✓ All custom models   |   ✓ All prebuilt models</sup> -</br> +<!</br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4CPSF] -</br> +</br>> To create and manage enterprise models, you first need a content center. The content center is the model creation interface and also contains information about which document libraries published models have been applied to. |
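Review bot: the added lines `+<!</br>` and `+</br>>` around the `[!VIDEO ...]` embed look like an attempt to comment the video out, but `<!` and `>` are not a complete HTML comment (`<!--` and `-->` are), so the video may still render and the stray `<!` and `>` will show up as text; check the rendered page and either complete the comment delimiters or remove the video block outright. The same pattern appears in the document-understanding-overview, form-processing-overview and model-types-overview changes in this batch.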
syntex | Create Syntex Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/create-syntex-model.md | |
syntex | Delete A Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/delete-a-model.md | |
syntex | Document Understanding Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/document-understanding-overview.md | description: Learn about the unstructured document processing model in Microsoft > [!NOTE] > Through June 2024, you can try out unstructured document processing and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md). -</br> +<!</br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4CSu7] -</br> +</br>> Use the unstructured document processing model ([teaching method](create-syntex-model.md#train-a-custom-model)) to automatically classify files and extract information. It works best for unstructured documents, such as letters or contracts. |
syntex | Form Processing Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/form-processing-overview.md | description: Learn how to use AI Builder to create structured or freeform docume > [!NOTE] > Through June 2024, you can try out structured and freeform document processing and other selected Syntex services at no cost if you have [pay-as-you-go billing](syntex-azure-billing.md) set up. For information and limitations, see [Try out Microsoft Syntex and explore its services](promo-syntex.md). -</br> +<!</br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RW15YNo] -</br> +</br>> Use the structured document processing model ([layout method](create-syntex-model.md#train-a-custom-model)) to automatically identify field and table values. It works best for structured or semi-structured documents, such as forms and invoices. |
syntex | Import Term Set Skos | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/import-term-set-skos.md | Title: Import a term set using a SKOS-based format Previously updated : 05/14/2023 Last updated : 03/11/2024 audience: admin |
syntex | Leverage Term Store Taxonomy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/leverage-term-store-taxonomy.md | |
syntex | Manage Library Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/manage-library-settings.md | |
syntex | Model Types Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/model-types-overview.md | description: Learn about custom models and prebuilt models in Microsoft Syntex. <sup>**Applies to:**   ✓ All custom models   |   ✓ All prebuilt models</sup> -</br> +<!</br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4GJXS] -</br> +</br>> Content understanding in Microsoft Syntex starts with document processing models. Document processing models let you identify and classify documents that are uploaded to SharePoint document libraries, and then to extract the information you need from each file. When applied to a SharePoint document library, the model is associated with a co Syntex uses [custom models](#custom-models) and [prebuilt models](#prebuilt-models). -![Diagram showing the types of Syntex custom and prebuilt models.](../media/content-understanding/syntex-model-types-diagram-2.png) +![Diagram showing the types of Syntex custom and prebuilt models.](../media/content-understanding/syntex-model-types-diagram-3.png) Models can be either *enterprise models*, which are created in a [content center](create-a-content-center.md), or *local models*, which are created on your [local SharePoint site](create-local-model.md). |
syntex | Prebuilt Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/prebuilt-overview.md | |
syntex | Scenario Document Compliance | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/scenario-document-compliance.md | |
syntex | Scenario Find Content Details | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/scenario-find-content-details.md | description: Learn how to use Microsoft Syntex to find content details in docume :::row::: :::column span=""::: - Use Syntex to centralize, organize, and retrieve content to make the specific details easier to discover. + Use Microsoft Syntex to centralize, organize, and retrieve content to make the specific details easier to discover. Features used: - Document processing models The legal team of a retail manufacturer is looking for a solution to centralize, The team has been using Microsoft Outlook to manage legal content, but is having difficulty with team visibility, search, and content decentralized through mailboxes. -The team decides to use Microsoft Syntex as the solution. First, set up a SharePoint document library where you want to store the legal content. Then copy the content of the email messages and attachments to the document library. Finally, use Syntex to extract information and metadata from email messages as well as the attachments to help organize content. +The team decides to use Microsoft Syntex as the solution. First, set up a SharePoint document library where you want to store the legal content. Then copy the content of the email messages and attachments to the document library. Finally, use Microsoft Syntex to extract information and metadata from email messages as well as the attachments to help organize content. The legal team is now able to easily manage and search the patent filings and intellectual property documents. |
syntex | Scenario Generate Documents Bulk | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/scenario-generate-documents-bulk.md | |
syntex | Scenario Generate Routine Documents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/scenario-generate-routine-documents.md | To implement a Microsoft Syntex solution: 3. Go to the document library and create a modern template using an existing report. Create fields for the values that are entered by the frontline workers. Associate the fields with the columns of the SharePoint list you previously set up. -4. Now create a Power Automate flow using the action “Generate document using Syntex” and use the trigger “When a list item is created.” This action ensures that whenever a new entry is added by a frontline worker to the list, a new report is generated. +4. Now create a Power Automate flow using the action “Generate document using Microsoft Syntex” and use the trigger “When a list item is created.” This action ensures that whenever a new entry is added by a frontline worker to the list, a new report is generated. 5. Using Microsoft Forms, you can create a form for frontline workers to enter values in the list or expose the list itself for them to add values. |
syntex | Scenario Handle Incoming Documents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/scenario-handle-incoming-documents.md | description: Learn how to use Microsoft Syntex to manage various incoming busine :::row::: :::column span=""::: - Use Syntex to manage and process incoming business documents, such as insurance forms, business verifications, and rental contracts. + Use Microsoft Syntex to manage and process incoming business documents, such as insurance forms, business verifications, and rental contracts. Features used: - Document processing models AI-based automation significantly reduces the time needed to process these forms ## Rental contract management -Most landlords use a standard rental agreement with their tenants. Once a new tenant completes the agreement and sends it to the landlord, the agreement is placed in a SharePoint library where Syntex extracts the key information. +Most owners use a standard rental agreement with their tenants. Once a new tenant completes the agreement and sends it to the landlord, the agreement is placed in a SharePoint library where Microsoft Syntex extracts the key information. During the life of the contract, certain events can occur that require correspondence to be sent to the tenant such as late rental notices, grievances, and eviction notices. Correspondence for these events also uses standard templates that can use the information originally captured from the agreement. As part of annual verification of partners and vendors, W-9 forms and Certificat An improved process is required to do more with less. A Power Platform solution is created to extract attachments from incoming emails to save them to SharePoint. -Syntex models are then created to identify and extract information from CLIs and W-9 forms, such as name, type of coverage, amount of coverage, date. Extracted information can be used to populate other applications used during construction proposals. +Microsoft Syntex models are then created to identify and extract information from CLIs and W-9 forms, such as name, type of coverage, amount of coverage, date. Extracted information can be used to populate other applications used during construction proposals. <br> <br> |
syntex | Scenario Organize Repositories | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/scenario-organize-repositories.md | |
syntex | Syntex Azure Billing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-azure-billing.md | Title: Configure Microsoft Syntex for pay-as-you-go billing Previously updated : 05/15/2023 Last updated : 03/12/2024 audience: admin |
syntex | Syntex Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-overview.md | description: Learn about the capabilities, services, and features in Microsoft S # Overview of Microsoft Syntex -</br> +<!</br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RW15yuU] -</br> +</br>> Microsoft Syntex is a content understanding, processing, and compliance service that uses intelligent document processing, content artificial intelligence (AI), and advanced machine learning to automatically and thoughtfully find, organize, and classify documents in your SharePoint libraries, Microsoft Teams, OneDrive for Business, and Exchange. |
syntex | Train Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/train-model.md | |
syntex | Video Library | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/video-library.md | |