Exercise 3 Configure Identity Protection PDF
The lab steps that are performed in the Microsoft Admin Center (MAC) can be completed in a web browser in the
provided virtual machine, or in a web browser on your computer.
The administrative accounts used in Microsoft 365 Business include elevated privileges and make valuable targets for
hackers and cyber criminals. Admins should have a separate user account for regular, non-administrative use.
Tasks
Sign into the Microsoft 365 Admin Center
1. Begin at the Microsoft Admin Center portal, located at the following URL: https://admin.microsoft.com/.
2. Sign in as [email protected] with password +xYO)r1j^ob$
3. On the User Management tile click Add User.
4. Enter MSP for First name and Admin for Last name.
5. Enter mspadmin for username.
6. Check the box for Send password in email upon completion and click Next.
7. Select an appropriate geography under Select Location, select the radio button next to Create user without product license (not recommended), and click Next.
8. On the Optional settings page, click the chevron next to Roles, unselect User (no administrator access), then select Global administrator and click Next.
9. On the You're almost done - review and finish adding page, click Finish adding.
10. Review the summary page, then click Close.
Be sure admin accounts are also set up for multi-factor authentication. Before using admin accounts, close out all
unrelated browser sessions and apps, including personal email accounts. After completing admin tasks, be sure to log
out of the browser session.
Admins should always have MFA configured. Conditional Access is the recommended method for enabling MFA in Microsoft 365 Business.
Tasks
1. Begin at the Microsoft Admin Center portal.
immprod-guide-web.azurewebsites.net/8642a986-2893-4da3-a7bd-8bae28fe7732/06379723-b73f-42cb-9ecc-1b54664811c1?experienceId=experienc… 1/3
11/26/2019 Virtual Guide
2. Click on Azure Active Directory in the left-hand navigation under Admin Centers. This will open a new browser tab for the Azure Active Directory admin center at the following URL: https://aad.portal.azure.com
3. In the Azure Active Directory admin center click Azure Active Directory in the left-hand navigation.
Note: If your view is different, look for Security toward the top of the left-hand navigation menu and click it. Conditional Access will show under the Protect heading.
4. Under Enable Policy select the radio button next to Use policy immediately and then click Save.
As a best practice, roll out MFA to users in a controlled manner, balancing productivity and security. Ensure the users know how to enroll in and use MFA. Conditional Access is the recommended method for enabling MFA in Microsoft 365 Business.
Carefully review each configuration policy before releasing it to avoid undesirable results. In this context, you should pay special attention to assignments affecting complete sets such as all users / groups / cloud apps. As a safety precaution, we will exclude the dedicated admin account from the policies created below. This ensures that there is at least one account available to log in and correct a mistake that locks the admins out.
Tasks
1. Begin at the Microsoft Admin Center portal.
2. Click on Azure Active Directory in the left-hand navigation under Admin Centers. This will open a new browser tab for the Azure Active Directory admin center at the following URL: https://aad.portal.azure.com
3. In the Azure Active Directory admin center click Azure Active Directory in the left-hand navigation.
4. Click Conditional Access under the Security heading near the top of the left menu.
5. Click +New Policy at the top of the Conditional Access - Policies pane.
6. In the Name field type Require MFA for Marketing Users.
7. Under Assignments click Users and groups, then under Include select the radio button next to Select users and groups.
8. Check the box next to Users and groups, then click Select below it.
9. In the select dialog, type marketing, select the Marketing group, and click Select at the bottom of the blade.
10. Click Exclude on the Users and groups blade, then click the check box next to Users and groups, then click Select Excluded Users.
11. In the Select excluded users blade, enter mspadmin in the Select dialog box and select your dedicated admin account.
12. Ensure the dedicated admin account shows under Selected members and press the blue Select button at the bottom of the blade.
13. At the bottom of the Users and groups blade press Done.
14. Select Cloud apps or actions, select the radio button next to Select apps under Include, then click Select.
15. Under Applications type Office 365 and select both Office 365 Exchange Online and Office 365 SharePoint Online.
16. Under Applications type Teams and select Microsoft Teams.
17. Verify that under Selected the page shows Microsoft Teams and 2 more, then click the blue Select button.
18. Verify that the correct three apps show on the Cloud apps or actions pane, then click Done.
19. Under Access Controls click Grant, leave the radio button selected to the left of Grant, then click the check box next to Require multi-factor authentication.
20. Click the blue Select button at the bottom of the Grant blade.
21. Select On under Enable this policy, then select Create.
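The policy assembled in the steps above, written out as the Microsoft Graph conditionalAccessPolicy body it corresponds to, together with a check for the lockout rule stated earlier (the dedicated admin account must be excluded). This is an added example, not part of the lab guide: the group and user object IDs are placeholders, the three application IDs are the well-known first-party IDs for Exchange Online, SharePoint Online and Teams, and the lockout checks are this example's own heuristics.

```python
"""Added example, not from the lab guide: the 'Require MFA for Marketing Users'
policy as a Graph API body, plus a check that it cannot lock every admin out."""

MARKETING_GROUP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder, not a real ID
MSPADMIN_USER_ID = "22222222-2222-2222-2222-222222222222"    # placeholder, not a real ID

# Well-known first-party application IDs selected in the guide's cloud apps step.
OFFICE_365_APPS = {
    "00000002-0000-0ff1-ce00-000000000000": "Office 365 Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "Office 365 SharePoint Online",
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe": "Microsoft Teams",
}


def build_marketing_mfa_policy(group_id: str, break_glass_user_id: str) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return {
        "displayName": "Require MFA for Marketing Users",
        "state": "enabled",  # the guide's 'Enable this policy: On'
        "conditions": {
            "users": {
                "includeGroups": [group_id],              # the Marketing group
                "excludeUsers": [break_glass_user_id],    # keep one admin able to sign in
            },
            "applications": {"includeApplications": list(OFFICE_365_APPS)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lockout_risks(policy: dict, break_glass_user_ids: set) -> list:
    """Findings for a policy that could leave no admin able to sign in (heuristic)."""
    findings = []
    if policy.get("state") != "enabled":
        return findings  # disabled or report-only policies block nobody
    users = policy.get("conditions", {}).get("users", {})
    apps = policy.get("conditions", {}).get("applications", {})
    excluded = set(users.get("excludeUsers", []))
    if not break_glass_user_ids & excluded:
        findings.append("no dedicated admin account is excluded")
    if "All" in users.get("includeUsers", []) and not excluded:
        findings.append("targets all users with no exclusions")
    if "All" in apps.get("includeApplications", []) and not excluded:
        findings.append("targets all cloud apps with no user exclusions")
    if policy.get("grantControls", {}).get("builtInControls") == ["block"]:
        findings.append("grant control is block: verify scope before enabling")
    return findings
```

Run `lockout_risks` over every policy returned by GET /identity/conditionalAccess/policies before flipping a policy to enabled; an empty list for the marketing policy confirms the exclusion from step 11 survived.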
As a best practice use the authenticator app instead of SMS text messages. Voice may not be available in trial tenants.
Tasks
1. Install the Microsoft Authenticator app on an Android or iOS device you will use for MFA from the app store on your device. If you already have the Microsoft Authenticator app, wait a minute or two for the baseline policy you created to take effect.
2. Open a new browser tab and sign into the Azure Portal located at the following URL: https://portal.azure.com.
3. With MFA enabled via baseline policy, you should receive an authentication dialog with More information required and Your organization needs more information to keep your account secure.
4. Click the blue Next button.
5. On the Additional Security Verification page select mobile app under Step 1: How should we contact you?
6. Select Receive notifications for verification and click Set up.
7. In the authenticator app on your device, click + (top left of your device screen) to add an account and choose Work or school account.
8. Scan the QR barcode image displayed in the configure mobile app dialog in the browser. Once the authenticator app displays a 6-digit code for this account, click Next.
9. After the service has checked to make sure the authenticator app has been configured for notifications and verification codes, click Next.
10. The service will attempt to reach you on your Mobile App device. Watch for the notification in the authenticator app and respond by pressing Approve in the app.
11. When verification succeeds, click Done.