This document is provided “as-is”. Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
You may copy and use this document for your internal, reference purposes.
Intended Audience
Demo Prerequisites
For this demo, you will need a Microsoft 365 Enterprise Demo Content tenant from
https://cdx.transform.microsoft.com .
This demo also has the following prerequisites:
A Windows PC or virtual machine running Windows 10 or above
A mobile device configured with the Microsoft Authenticator app
In addition, you will need to configure the tenant and client devices before you begin the demo. See the Demo
Setup Guide for details on how to set up the environments for this demo.
Your demo tenant is pre-provisioned with content and settings that you can use as-is. However, some
settings need to be manually configured by you. Please make sure to review and execute the scenario-specific
pre-demo setup steps specified at the beginning of each demo against your tenant, prior to your
first demo.
Demo Personas
The recommended demo personas to use for performing demos in this guide, unless otherwise stated, are:
Administrator scenarios: admin@<tenant>.onmicrosoft.com
End user scenarios (Hero User): Isaiah Langer, IsaiahL@<tenant>.onmicrosoft.com
The default password for both users can be found on your tenant information card at
https://cdx.transform.microsoft.com.
Secure Authentication
In the modern workplace, the end user’s needs can easily be at odds with the requirements an IT department
faces. Deana runs a lean team in IT and is tasked with modernizing Contoso’s identity and access management
solution, all while reducing support costs. Not only is Contoso experiencing a hiring surge to support their latest
product, but Deana is also dealing with an explosion in the number of apps employees use every day to do their
jobs.
For Isaiah, as a new member of the Sales team, the ability to interact with teammates across groups and even
outside the company is important. He must work seamlessly across a wide array of apps, both external and
internal. The question is whether he can do all of this securely and easily, and still be empowered to make good
decisions for Contoso on his own.
Pre-Demo Steps
Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix section.
1. Prepare a browser session for user experience:
a. In Microsoft Edge, launch a new InPrivate browsing session.
b. Navigate to the Access Panel Apps portal (https://myapps.microsoft.com) and log in as
IsaiahL@<tenant>.onmicrosoft.com.
NOTE: If you have previously signed in to the site as IsaiahL@<tenant>.onmicrosoft.com, clear all browser
history, including cache, cookies, and saved passwords.
Conditional Access
Conditional Access provides the control and protection you need to keep your corporate data secure, while
giving your people an experience that allows them to do their best work from any device. With Conditional
Access, you can define policies that provide contextual controls at the user, location, device, and app levels. You
can allow or block access or challenge users with multi-factor authentication, device enrollment, or a password
change. Plus, machine learning-based identity protection, which leverages billions of signals daily, detects
suspicious behavior and applies risk-based conditional access that protects your applications and critical
company data in real time.
With Conditional Access by Microsoft, you get the control you need to ensure your corporate data is secure,
while your people roam freely between apps and devices, accessing your data in the cloud and on-premises.
Pre-Demo Steps
Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix section.
1. Prepare an Azure Portal session for the administrator experience:
a. In Edge, launch a new browser session.
b. Log in to the Azure Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
c. In the left-hand navigation, click Azure Active Directory.
2. Prepare a SharePoint admin center session for the administrator experience:
a. In the Edge browser, create a new tab.
b. Log in to the SharePoint admin center (https://<TENANT>-admin.sharepoint.com) as
admin@<tenant>.onmicrosoft.com.
c. In the left-hand navigation, click Access Control.
3. Prepare an Office Portal session for the end user experience:
a. Launch Edge browser in InPrivate mode.
b. Log in to the Office portal (https://portal.office.com) as meganb@<tenant>.onmicrosoft.com.
Perform these steps after each demo presentation to ensure re-usability of this demo environment:
1. In the Azure portal (https://portal.azure.com), disable the Baseline policy: Require MFA for admins.
Pre-Demo Steps
Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix section.
1. Prepare a browser session for administrator experience:
a. Launch Edge dev browser with a profile for the Admin persona.
b. Log in to the Azure Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
2. Prepare a browser session for user experience:
a. Launch the Microsoft Edge dev browser with a profile for the User persona, or use an InPrivate session.
b. Log in to Outlook (https://outlook.office365.com/) as IsaiahL@<tenant>.onmicrosoft.com.
c. Open a new browser tab, and then navigate to the Access Panel Apps portal
(https://myapps.microsoft.com).
Perform these steps after each demo presentation to ensure re-usability of this demo environment:
1. On the Azure Portal (https://portal.azure.com), make Isaiah a permanent member of the Global
Administrator group:
a. In the left-hand navigation, click All services, and in the Search Everything search box, type
Identity, and then click Azure AD Privileged Identity Management.
b. Under Manage, click Azure AD roles.
c. Under ROLE, click the Global Administrator role.
d. In the Global Administrator - Members blade, click Isaiah Langer.
e. At the top, click Make Permanent.
Note: You may have to wait until Isaiah’s admin access expires.
Terms of Use
This demo shows how a Global Administrator can require users to accept the Terms of Use.
Note: Please ensure you have initialized the Privileged Identity Management experience in your demo tenant, as
detailed in the Appendix, before performing this demo.
Pre-Demo Steps
Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix section.
1. Prepare a browser session for administrator experience:
a. Launch Edge dev browser with a profile for the Admin persona.
b. Log in to the Azure Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
2. Prepare a browser session for user experience:
a. Launch Edge dev browser with a profile for the User persona.
b. Log in to Outlook (https://outlook.office365.com/) as IsaiahL@<tenant>.onmicrosoft.com.
c. Open another tab, and then navigate to the Access Panel Apps portal
(https://myapps.microsoft.com).
3. Prior to each demo, download the file toupdf.pdf for Terms of Use.
Perform these steps after each demo presentation to ensure re-usability of this demo environment:
1. On the Azure Portal (https://portal.azure.com), delete the Terms of Use, Contoso Terms of Use Policy:
a. In the left-hand navigation, click Azure Active Directory.
b. Under Security, click Conditional Access.
c. In the Conditional Access – Terms of use blade, under Manage, click Terms of use.
d. If the Contoso Terms of Use Policy is present, click it, and then click Delete terms, and then
click Yes.
2. On the Azure Portal (https://portal.azure.com), verify the conditional access policy, External User SaaS
Apps Terms of Use Policy is deleted:
a. In the left-hand navigation, click Azure Active Directory.
b. Under Security, click Conditional Access.
c. In the Conditional Access – Policies blade, verify the conditional access policy External User
SaaS Apps Terms of Use Policy is deleted.
Identity Governance
In the modern workplace, the end user’s needs can easily be at odds with the requirements an IT department
faces. Deana runs a lean team in IT and is tasked with modernizing Contoso’s identity and access management
solution, all while reducing support costs. Not only is Contoso experiencing a hiring surge to support their latest
product, Deana is dealing with an explosion in the number of apps employees are using every day to do their
jobs.
For Isaiah, as a new member of the Sales team, the ability to interact with teammates across groups and even
outside the company is important. He must work seamlessly across a wide array of apps, both internal and
external. The question is whether he can do all of this securely and easily, and still be empowered to make good
decisions for Contoso on his own.
Pre-Demo Steps
Should an Admin wish to create an access review from scratch, they may do this in the Identity Governance –
Access reviews blade. Admins can set the frequency, scope, and start date for the review to run. The access
review can be targeted to members of a group or to an application. Reviewers can be selected individually, or
the review can be assigned to group owners. Results of the access review can be auto-applied with or without
reviewer response. Once an access review is started it can take some time to complete, so reminders can be
sent to reviewers once the review is started and to admins when a review completes.
16. Under Manage, click Results.
17. Point out the User, Outcome, and Recommended Action columns.
18. Under Activity, click Audit logs.
19. Point out the details listed in the Audit log.
20. At the top, in the breadcrumbs, click Identity Governance – Access reviews.
21. Under Access reviews, click Access reviews.
22. Click + New access review.
23. In the Review name field, enter Salesforce Access Review Admin.
24. Click the Users to review drop-down list and select Assigned to an application.
25. Next to Scope select Everyone.
26. Click Select an application.
27. In the search box type Salesforce and click
Salesforce in the search results.
28. Click Select.
29. Under Select reviewers, click 0 users selected.
30. In the search box type Admin and click on MOD
Administrator in the search results.
31. Click Select.
32. Click Start.
NOTE: To show the new access review in the list, you may have to refresh the page.
Appendix: One Time Demo Environment Setup
Note: These activities need to be performed only once per your demo tenant, Microsoft 365 Enterprise Demo
Content with Windows Defender ATP with the Azure Advanced Threat Protection add-on. You may have
performed some of these steps against your environment in preparation for another demo, in which case you
may skip these steps.
Important: Please note the following prerequisites for this setup task:
To properly demonstrate any classification-based policies you will need to ensure that the tenant you are
using is configured with Azure Information Protection templates for classifying corporate data.
To properly demonstrate “Protect on Download” functionality, you will need to configure a third-party
SaaS app that supports session control (such as Salesforce) integrated with SAML-based single sign-on
with your demo tenant.
For an application to appear on the proxy apps page in Cloud App Security, a user who has been assigned
access to the SaaS app to which the proxy policy applies must have previously signed in to the app
in question (e.g. Salesforce) with SSO.
In order to configure Inspection settings in a policy, Azure Information Protection must be configured to
automatically scan new files for Azure Information Protection classification labels and content inspection
warnings.
1. Log in to the Microsoft Cloud App Security Portal (https://portal.cloudappsecurity.com) using Edge or
Edge Dev, as your demo tenant’s Global Administrator.
2. In the upper right corner, click the settings menu, and then click Settings.
4. Under Azure Information Protection settings, click Automatically scan new files for Azure
Information Protection classification labels and content inspection warnings.
6. On the Pick an account window, click your demo tenant’s Global Administrator.
7. On the Permissions requested Accept for your organization window, click Accept.
8. Click Save.
Note: The Welcome to Salesforce email used to verify your account could be in the Other tab.
5. Provide a password for Salesforce.
6. Pick a security question and answer it.
7. Click Change Password.
Note: You’ll be directed to the Salesforce Home page. Keep this Salesforce administration tab open.
8. Classic UI: In the left navigation pane, expand Domain Management, then click My Domain.
Lightning UI: In the left navigation pane, under SETTINGS, expand Company Settings, then click My Domain.
Note: You can verify you are using the Lightning UI if lightning.force is included in the URL to Salesforce.
9. Under Choose Your Domain Name, type your tenant name in the textbox (e.g. m365x123456).
10. Click Check Availability.
11. When availability has been verified, click Register Domain.
Note: Please wait 10 - 15 minutes before proceeding to the next step. The custom domain name you just
registered requires some time to take effect.
12. In the left navigation, click My Domain again to refresh the page. The domain follows the pattern:
https://{TENANT}-dev-ed.my.salesforce.com.
13. Click Log in. If prompted to Navigate to this page, click Open.
14. If prompted to register your mobile phone, click I Don’t Want to Register My Phone.
15. If prompted, log in with your Salesforce administrator user ID (admin@<Tenant>.onmicrosoft.com) and password.
Note: The My Domain page will reload, and the URL for this page will be updated to the custom domain name
containing your tenant name, https://<TENANT>-dev-ed.my.salesforce.com.
16. In the SETTINGS > My Domain section, click Deploy to Users.
17. Click OK.
18. If the Classic Salesforce UI is displayed, in the upper right corner, click Switch to Lightning Experience.
Enable automatic account provisioning
1. In a new browser tab, browse to the Azure Management Portal (https://portal.azure.com).
2. If necessary, log in as the tenant’s Global Admin user, admin@<Tenant>.onmicrosoft.com.
3. In the left-hand navigation menu, click Azure Active Directory, then under Manage, click Enterprise
Applications.
4. From All applications, click Salesforce.
5. Under Manage, click Users and groups.
6. Click + Add user.
7. Click Users and groups.
8. On the Users and groups blade, in the Search by name or email address box, type MOD, click
admin@<Tenant>.onmicrosoft.com in the Users list, and then click Select.
9. Click Select Role, and then click System Administrator.
10. Click Select.
11. Click Assign.
12. On the Salesforce – Users and groups blade, click the check box for sg-Sales and Marketing, and then
click Edit.
13. Click Select Role, and then click Chatter Free User.
14. Click Select.
15. Click Assign.
Enable automatic account provisioning
1. On the Salesforce blade, under Manage, click Provisioning.
2. In the Provisioning Mode drop-down list, click Automatic.
3. Under Admin Credentials, type the Salesforce administrator user name (admin@<Tenant>.onmicrosoft.com)
and the password used for accessing Salesforce.
4. Obtain a Secret Token as follows:
a. Switch to the Salesforce administration browser tab.
b. Click the user menu (user name at the top-right corner of the page), then click Settings.
c. In the left navigation, click Reset My Security Token.
d. Click the Reset Security Token button.
e. Navigate back to the administrator’s inbox, and then copy the security token.
f. Switch back to the Salesforce – Provisioning blade in the Azure portal.
5. In the Secret Token textbox, paste in the security token string.
6. Click Test Connection.
Note: You should see a notification saying “Testing connection to Salesforce. The supplied credentials are
authorized to enable provisioning”.
7. Set Notification Email to admin@<Tenant>.onmicrosoft.com and check Send an email notification
when a failure occurs.
8. At the top of the Salesforce – Provisioning blade, click Save.
9. Under Settings, set the Provisioning Status to On.
10. At the top of the Salesforce – Provisioning blade, click Save to complete account provisioning settings.
Configure SSO for Azure AD
1. Under Manage, click Single sign-on.
2. On the Select a single sign-on method, click SAML to enable single sign-on.
3. In step 1, Basic SAML Configuration, click the pencil icon to edit the Sign-on URL and Identifier:
o Identifier (Entity ID) (Required): https://{Tenant}-dev-ed.my.salesforce.com
o Sign-on URL (Required): https://{Tenant}-dev-ed.my.salesforce.com
Note: Verify that there is NO space after the URL https://{Tenant}-dev-ed.my.salesforce.com.
4. At the top of the Basic SAML Configuration pane, click Save. After the configuration is successfully
saved, click X to close the Basic SAML Configuration blade.
5. If you are prompted to Test single sign-on with Salesforce, click No, I’ll test it later.
6. In step 3, SAML Signing Certificate, on the Federation Metadata XML option, click Download. Save
this XML file to your local system; you will use it later in Salesforce.
Set up Salesforce for SSO
1. Switch to the Salesforce administration browser tab.
2. In the upper right-hand corner, click the configuration cog, and then click Setup.
3. Classic UI: In the left navigation pane, expand Security Controls, then click Single Sign-On Settings.
Lightning UI: In the left navigation pane, under SETTINGS, expand Identity, then click Single Sign-On Settings.
Note: You can verify you are using the Lightning UI if lightning.force is included in the URL to Salesforce.
4. Classic UI: On the Federated Single Sign-on Using SAML section, click Edit, click SAML Enabled and then click
Save. On the Single Sign-on Settings section, click New from Metadata File to configure SAML sign-on settings.
Lightning UI: On the Federated Single Sign-on Using SAML section, click Edit, click SAML Enabled and then click
Save. On the Single Sign-on Settings section, click New from Metadata File to configure SAML sign-on settings.
5. Upload the Federation Metadata XML you downloaded from Azure portal.
6. Click Create.
7. On the SAML Single Sign-On Settings configuration page, make the following updates or verify the
information:
o Name: AzureSSO
o API Name: AzureSSO
o Entity ID: https://{Tenant}-dev-ed.my.salesforce.com
o SAML Identity Type: Assertion contains the User's Salesforce username
o Identity Provider Login URL: (copy/paste from the Configure sign-on blade in the Azure window,
e.g. https://login.microsoftonline.com/8511cd8b-2ab4-45c7-a8c2-13c5b961a134/saml2)
o Identity Provider Logout URL: (copy/paste from Azure window, e.g.
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 )
8. Click Save to apply your SAML single sign-on settings.
9. Classic UI: In the left navigation pane, expand Domain Management, then click My Domain.
Lightning UI: In the left navigation pane, under SETTINGS, expand Company Settings, then click My Domain.
10. Scroll down to the Authentication Configuration section, click the Edit button, and then click
Open.
11. Under Authentication Service, uncheck Login Form, select AzureSSO (the Authentication Service of your
SAML SSO configuration), and then click Save.
Configure SSO for BrowserStack
17. Under Manage, click All applications.
18. Click BrowserStack.
19. Under Manage, click Single sign-on.
20. Click Password-based, and then click Save.
21. Under Manage, click Users and groups, and then on the left-hand side of the row, click the check box
for ssg-Contoso bug Bashers.
22. Click Update Credentials.
23. Type in the BrowserStack account you configured earlier (email and password) in the text box, then
click Save.
24. Click X to close the Update Credentials blade.
Note: You may be prompted to install a browser extension. Do so, then return to the MyApps Portal and
click BrowserStack.
4. Follow the prompts to set up the Mobile app authenticator.
5. After setup is complete, close the browser.