
Azure Active Directory

Security and Governance


Demo Guide

Updated: July 29, 2019

This document is provided “as-is”. Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
You may copy and use this document for your internal, reference purposes.

© 2019 Microsoft. All rights reserved.


Contents
Demo Overview: Azure AD Security and Governance ..... 3
  Intended Audience ..... 3
Demo Prerequisites ..... 3
  One-Time Demo Environment Setup ..... 3
  Demo Personas ..... 3
Secure Authentication ..... 5
  Pre-Demo Steps ..... 5
Conditional Access ..... 6
  Pre-Demo Steps ..... 6
  Demo Reset Steps ..... 10
Mitigate Admin Risk with Privileged Identity Management ..... 10
  Pre-Demo Steps ..... 10
  Demo Reset Steps ..... 12
Terms of Use ..... 13
  Pre-Demo Steps ..... 13
  Demo Reset Steps ..... 15
Identity Governance ..... 16
  Pre-Demo Steps ..... 16
Appendix: One Time Demo Environment Setup ..... 20
  Configure Sharing control and Data Loss Prevention ..... 21
  Configure Salesforce Integration with Azure AD ..... 21
  Initialize Azure AD Privileged Identity Management (PIM) ..... 25
  Enable Access Reviews ..... 26
  Configure BrowserStack SaaS Application with Azure AD ..... 26
  Add Isaiah to ssg-Contoso bug Bashers ..... 27
  Setup MFA for Isaiah ..... 28
  Setup Sales and Marketing Access Package ..... 28
Demo Overview: Azure Active Directory (Azure AD) Security and Governance
As employees bring their personal devices to work and adopt readily available software-as-a-service (SaaS)
applications, maintaining control over their applications across corporate datacenters and public cloud
platforms has become a significant challenge.
Microsoft has proven experience in identity and access management through Windows Server Active Directory
and Microsoft Identity Manager. Now we have extended our offerings to provide you with a powerful set of
cloud-based identity and access management solutions on Azure Active Directory.
Manage and control access to corporate resources
Azure Active Directory can help IT protect access to critical applications and resources across the corporate
datacenter and into the cloud. Azure Active Directory controls access in three ways: by enabling customers to use a
variety of secure authentication methods such as passwordless authentication; by letting them set conditional
access policies based on a user's login context; and by helping them mitigate potential security issues by
monitoring suspicious activity through advanced security reporting, auditing and alerting.

Intended Audience

IT Pros, Business Decision Makers

Demo Prerequisites
For this demo, you will need a Microsoft 365 Enterprise Demo Content tenant from
https://cdx.transform.microsoft.com.
This demo also has the following prerequisites:
• A Windows PC or virtual machine running Windows 10 or above
• A mobile device configured with the Microsoft Authenticator app
In addition, you will need to configure the tenant and client devices before you begin the demo. See the Demo
Setup Guide for details on how to set up the environments for this demo.

One-Time Demo Environment Setup

Your demo tenant is pre-provisioned with content and settings that you can use as-is. However, some
settings need to be manually configured by you. Before your first demo, review and execute against your
tenant the scenario-specific pre-demo setup steps specified at the beginning of each demo.
Demo Personas

The recommended demo personas to use for performing demos in this guide, unless otherwise stated, are:
• Administrator scenarios: admin@<tenant>.onmicrosoft.com
• End user scenarios (Hero User): Isaiah Langer, IsaiahL@<tenant>.onmicrosoft.com
The default password for both users can be found on your tenant information card at
https://cdx.transform.microsoft.com.
Secure Authentication
In the modern workplace, the end user’s needs can easily be at odds with the requirements an IT department
faces. Deana runs a lean team in IT and is tasked with modernizing Contoso’s identity and access management
solution, all while reducing support costs. Not only is Contoso experiencing a hiring surge to support their latest
product, but Deana is also dealing with an explosion in the number of apps employees use every day to do their
jobs.
For Isaiah, as a new member of the Sales team, the ability to interact with teammates across groups and even
outside the company is important. He must work seamlessly across a wide array of apps, both external and
internal. The question is whether he can do all of this securely and easily, and still be empowered to make good
decisions for Contoso on his own.

Pre-Demo Steps

Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix section.
1. Prepare a browser session for user experience:
a. In Microsoft Edge, launch a new InPrivate browsing session.
b. Navigate to the Access Panel Apps portal (https://myapps.microsoft.com) and log in as
IsaiahL@<tenant>.onmicrosoft.com.
NOTE: If you have previously signed in to the site as IsaiahL@<tenant>.onmicrosoft.com, clear all browser
history, including cache, cookies, passwords, etc.

Speaker Script and Click Steps

Windows Hello

Speaker Script:
On his first day at Contoso, Isaiah got a new laptop for his new role, but he's dreading locking and unlocking his
device a dozen times a day. Luckily, Contoso has an identity solution that doesn't even need a password to log
in—Windows Hello for Business.

Windows Hello uses your face, fingerprint, or a PIN tied to the device to log you in to your machine and
connected applications. For Windows 10 machines assigned to a single user, this is the best way to go
passwordless.

Once signed in, Isaiah doesn't just have access to the desktop and files, but he is signed in to all of his
enterprise applications, thanks to the integrated single sign-on between his Windows login and his Azure AD
user account.

And just like that, he's ready to get started.

Click Steps:
1. Unlock the demo PC using Windows Hello.
2. Open the Start menu.
3. Click the Settings icon.
4. Click Accounts.
5. Click Sign-in options.
6. Indicate the Fingerprint and Face Recognition options.

Log in to an App with Microsoft Authenticator

Speaker Script:
While most of Contoso's applications are enabled for one-click access, other applications, like BrowserStack,
require very high security. IT needs to know that no one but Isaiah is accessing this, so he gets prompted to
confirm that it is really him via authentication using his phone.

The Microsoft Authenticator app on his mobile device was previously configured for passwordless
authentication for his work account.

This is a very secure method of authentication because:
• He's authenticating with something he owns (his personal mobile device) and something he has (his
biometrics)

Isaiah doesn't have to use a password in this entire process.

Click Steps:
1. On the Access Portal (https://myapps.microsoft.com), click the BrowserStack app.
2. On your mobile device, in the Microsoft Authenticator app, respond to the request.
3. Note that Isaiah is automatically logged in to the BrowserStack App using the shared account set up by the
administrator.
4. Close the BrowserStack app browser tab to return to the Access Panel.

Conditional Access
Conditional Access provides the control and protection you need to keep your corporate data secure, while
giving your people an experience that allows them to do their best work from any device. With Conditional
Access, you can define policies that provide contextual controls at the user, location, device, and app levels. You
can allow or block access or challenge users with multi-factor authentication, device enrollment, or a password
change. Plus, machine learning-based identity protection, which leverages billions of signals daily, detects
suspicious behavior and applies risk-based conditional access that protects your applications and critical
company data in real time.
With Conditional Access by Microsoft, you get the control you need to ensure your corporate data is secure,
while your people roam freely between apps and devices, accessing your data in the cloud and on-premises.

Pre-Demo Steps

Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix section.
1. Prepare an Azure Portal session for the administrator experience:
a. In Edge, launch a new browser session.
b. Log in to the Azure Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
c. In the left hand navigation click Azure Active Directory.
2. Prepare a SharePoint admin center session for the administrator experience:
a. In the Edge browser, create a new tab.
b. Log in to the SharePoint admin center (https://<TENANT>-admin.sharepoint.com) as
admin@<tenant>.onmicrosoft.com.
c. In the left-hand navigation, click Access Control.
3. Prepare an Office Portal session for the end user experience:
a. Launch Edge browser in InPrivate mode.
b. Log in to the Office portal (https://portal.office.com) as meganb@<tenant>.onmicrosoft.com.

Speaker Script and Click Steps

Enable baseline policy

Speaker Script:
Requiring MFA for admins is an easy way to protect your privileged administrators. These users often have
access to the most important resources a company has, so requiring MFA for your administrators is a critical
policy to enforce to ensure your environment is secure.

Require MFA for admins protects the administrator roles below:
1. Global administrator
2. SharePoint administrator
3. Exchange administrator
4. Conditional access administrator
5. Security administrator
6. Helpdesk administrator/Password administrator
7. Billing administrator
8. User administrator

Click Steps:
1. Start in the Azure Active Directory blade (i.e. Contoso – Overview).
2. Under Security, click Identity Secure Score.
3. Point out:
• Your Identity Secure Score
• Current Score/Maximum Score
• Improvement Actions
4. Under Improvement Actions, click Require MFA for Azure AD privileged roles.
5. Review the details of the action, and then click Get Started.
a. You should be redirected to the Conditional Access – Policies blade.
6. On the Conditional Access – Policies blade, click Baseline policy: Require MFA for admins.
7. On the Baseline policy: Require MFA for admins blade, review details, and then click Use policy
immediately.
8. Click Save.
9. If you are prompted to sign in again, sign in as admin@<tenant>.onmicrosoft.com, including answering the
Approval notification on the device where you set up the Authenticator App.

Control access on unmanaged devices for SharePoint Access

Speaker Script:
Deana's CTO is adamant about higher security on SharePoint due to the sensitive nature of the documents
stored there. No one should be able to access that site from unmanaged devices. So, Deana ensures that these
security requirements are set for SharePoint, and publishes that policy.

Deana first enables the Access Control Policy for Unmanaged Devices in the SharePoint admin center. This will
auto-generate the Conditional Access Policy in Azure Active Directory for fine tuning and further control.

In Azure Active Directory, Deana adds mobile apps and desktop clients to the devices that must be managed in
order to access SharePoint.

Once this policy is enabled, users will no longer be able to access SharePoint from browsers that are not
managed by Azure Active Directory.

Click Steps:
1. Switch to the SharePoint admin center tab (<TENANT>-admin.sharepoint.com).
2. In the left-hand navigation, under Policies, click Access Control.
3. Click Unmanaged devices.
4. In the Unmanaged devices pane, click Block access.
5. Click Save.
6. Switch to the Azure Portal tab.
7. Click Azure Active Directory.
8. Under Security, click Conditional Access.
9. Select the policy [SharePoint admin center]Use app-enforced Restrictions for browser access.
10. Click Conditions.
11. Click Client apps (preview).
12. Verify Browser is selected.
13. Click Mobile apps and desktop clients.
14. Click Other clients.
15. In the Client apps (preview) pane, click Done.
16. In the Conditions pane, click Done.
17. Under Access controls, click Session.
18. In the Session pane, verify Use app enforced restrictions is checked.
19. Click Select.
20. Under Enable policy, click On.
21. Click Save.
22. Wait a couple of minutes for the policy to take effect.
23. Switch to the browser with the Office Portal, logged in as Megan.
24. Click SharePoint.
25. Review the Access Denied message.

Block legacy authentication to Azure AD

Speaker Script:
Legacy authentication protocols (ex: IMAP, SMTP, POP3) are normally used by mail clients to authenticate.
Legacy protocols do NOT support MFA. Even if you have an MFA policy for your tenant, a bad actor can
authenticate using one of these legacy protocols and bypass MFA.

Today, the majority of all compromising sign-in attempts come from legacy authentication. What better way to
get protected than blocking these sign-in attempts altogether!

To make it easier for you to block all sign-in requests made by legacy protocols, we recommend enabling the
baseline policy that does just that. In fact, Security Basics, a new feature of Azure AD, will be applying these
Baseline policies to all new tenants by default.

Click Steps:
1. In the left-hand navigation, click Azure Active Directory.
2. Under Security, click Conditional Access.
3. Under POLICY NAME, click Baseline policy: Block legacy authentication (Preview).
4. Review the settings for the policy.
5. Click X to close the Baseline policy: Block legacy authentication (Preview) blade.
6. Point out the Baseline policies that should be included in all tenants, the "Security Basics".

Configure a user risk remediation policy

Speaker Script:
A great way to keep users secure while empowering employee productivity is by setting up automated
remediation policies for any risky users.

First, you'll want to understand your security posture. Reviewing your Identity Secure Score is a great way to
see how many of your users represent low, medium, or high risk. Based on the user risk, you can automatically
set risk remediation policies—like requiring a password change when the user risk is medium or higher.

With so many users being flagged as risky, a policy requiring them to change their password on next logon is a
good idea. That way, Deana can be sure any identities that were leaked are now protected by new passwords.

Click Steps:
7. In the left-hand navigation, click Azure Active Directory.
8. Under Security, click Overview (Preview).
9. Halfway down the Overview (Preview) blade, click Configure user risk policy.
10. Create a new policy as follows:
• Click Users:
i. Click Select individuals and groups.
ii. Click Select users.
iii. Search for and click sg-Sales and Marketing.
iv. Click Select.
v. Click Done.
• Click Conditions.
i. Click User Risk.
ii. Click Medium and above.
iii. Click Select.
iv. Click Done.
• Under Controls, click Access.
i. Make sure Allow access and Require password change are selected.
ii. Click Select.
11. Verify Enforce Policy is set to Off, and then click Save.
12. Click the X to close the blade.
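The four policies configured above interact at sign-in time: any block wins, and otherwise every required control must be satisfied. The following Python model of those decisions is an added example, not part of the guide or of Azure AD itself; the sign-in events, user names and the legacy client-app values beyond those named in the guide are constructed, and the SharePoint policy is modelled as a plain block because the demo chooses Block access in the SharePoint admin center.

```python
"""Simplified model of the Conditional Access policies set up in this demo.

All sign-in events below are constructed for illustration; the field names
follow Azure AD sign-in log columns (clientAppUsed, user risk level) but the
values are not captured data.
"""
from dataclasses import dataclass, field

# Administrator roles protected by "Baseline policy: Require MFA for admins",
# as listed in the guide (Helpdesk/Password administrator counted as two names).
ADMIN_ROLES = {
    "Global administrator", "SharePoint administrator", "Exchange administrator",
    "Conditional access administrator", "Security administrator",
    "Helpdesk administrator", "Password administrator",
    "Billing administrator", "User administrator",
}

# clientAppUsed values that use legacy authentication and therefore cannot
# complete an MFA challenge: the protocols named in the guide plus the
# "Other clients" bucket that sign-in logs use for other legacy clients.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
SALES_GROUP = "sg-Sales and Marketing"   # group targeted by the user risk policy


@dataclass
class SignIn:
    user: str
    app: str                  # cloud app being accessed
    client_app: str           # clientAppUsed, e.g. "Browser", "IMAP4"
    device_managed: bool      # True if the device is managed by Azure AD
    mfa_satisfied: bool       # True if MFA was already completed this session
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    user_risk: str = "none"   # none / low / medium / high


def evaluate(event: SignIn, enforce_user_risk: bool = False):
    """Return (policy name, outcome) pairs for every policy that applies.

    Outcomes: "block", "grant", a control the user must satisfy
    ("require_mfa", "require_password_change"), or "report_only" when the
    user risk policy is saved with Enforce Policy set to Off, as in the demo.
    """
    hits = []
    # Baseline policy: Block legacy authentication. A legacy protocol cannot
    # be challenged for MFA, so the only safe control is to block it.
    if event.client_app in LEGACY_CLIENT_APPS:
        hits.append(("Baseline policy: Block legacy authentication", "block"))
    # SharePoint admin center "Block access" for unmanaged devices, surfaced
    # in Azure AD as the app-enforced restrictions policy. The demo extends
    # it to browser, mobile/desktop and other clients, so every client type
    # on an unmanaged device is caught.
    if event.app == "SharePoint Online" and not event.device_managed:
        hits.append(("[SharePoint admin center] Use app-enforced Restrictions",
                     "block"))
    # Baseline policy: Require MFA for admins.
    if event.roles & ADMIN_ROLES:
        hits.append(("Baseline policy: Require MFA for admins",
                     "grant" if event.mfa_satisfied else "require_mfa"))
    # User risk policy: sg-Sales and Marketing, medium and above, password change.
    if (SALES_GROUP in event.groups
            and RISK_LEVELS[event.user_risk] >= RISK_LEVELS["medium"]):
        hits.append(("User risk policy",
                     "require_password_change" if enforce_user_risk
                     else "report_only"))
    return hits


def decision(event: SignIn, enforce_user_risk: bool = False) -> str:
    """Combine outcomes the way Conditional Access does: any block wins,
    otherwise every required control must be satisfied."""
    outcomes = {o for _, o in evaluate(event, enforce_user_risk)}
    if "block" in outcomes:
        return "blocked"
    required = sorted(o for o in outcomes if o.startswith("require_"))
    return "interrupted: " + ", ".join(required) if required else "allowed"


def legacy_auth_users(events):
    """Accounts that still sign in over legacy protocols. Run this over real
    sign-in logs before enabling the block policy so service accounts and
    old mail clients are migrated rather than silently cut off."""
    return sorted({e.user for e in events if e.client_app in LEGACY_CLIENT_APPS})


# Constructed sign-in events mirroring the demo's personas and steps.
SAMPLE_SIGNINS = [
    SignIn("IsaiahL", "Salesforce", "Browser", True, True,
           groups={SALES_GROUP}, user_risk="low"),
    SignIn("MeganB", "SharePoint Online", "Browser", False, False),
    SignIn("admin", "Azure portal", "Browser", True, False,
           roles={"Global administrator"}),
    SignIn("svc-scanner", "Exchange Online", "IMAP4", False, False),
    SignIn("sales-user", "Office 365", "Browser", True, True,
           groups={SALES_GROUP}, user_risk="high"),
]

if __name__ == "__main__":
    for e in SAMPLE_SIGNINS:
        print(f"{e.user:12} {e.app:18} -> {decision(e)}")
    print("Legacy auth still in use by:", legacy_auth_users(SAMPLE_SIGNINS))
```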

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:
1. In the Azure portal (https://portal.azure.com), disable the Baseline policy: Require MFA for admins.

Mitigate Admin Risk with Privileged Identity Management


With Azure AD Privileged Identity Management, you can manage, control, and monitor access within your
organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or
Microsoft Intune. This demo shows how a Global Administrator can grant a super user elevated access for a
limited period.
Note: Please ensure you’ve initialized the Privileged Identity Management experience in your demo tenant, as
detailed in the “Demo environment setup and configuration” document before performing this demo.

Pre-Demo Steps

Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix section.
1. Prepare a browser session for administrator experience:
a. Launch Edge dev browser with a profile for the Admin persona.
b. Log in to the Azure Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
2. Prepare a browser session for user experience:
a. Launch the Microsoft Edge dev browser with a profile for the User persona or use an InPrivate session.
b. Log in to Outlook (https://outlook.office365.com/) as IsaiahL@<tenant>.onmicrosoft.com.
c. Open a new browser tab, and then navigate to the Access Panel Apps portal
(https://myapps.microsoft.com).

Speaker Script and Click Steps

Configure admin eligibility

Speaker Script:
The Azure AD Privileged Identity Management console in the Azure Portal provides important information such
as:
• Alerts that point out opportunities to improve security.
• The number of users who are assigned to each privileged role.
• The number of eligible and permanent admins.
• Ongoing access reviews.

Contoso has several permanent Global Admins. They have full access and control over the directory and the
Office 365 tenant all the time. This means that Contoso is continually open to malicious attacks.

With Privileged Identity Management Contoso can decide who should have permanent access and who should
just have temporary access when required.

Isaiah does not need permanent admin access, so the admin sets him to eligible. Eligible admins are users that
need privileged access now and then, but not every day. The role is inactive until Isaiah needs access, then he
completes an activation process and becomes an active admin for a predetermined amount of time.

The admin can also configure the details of the admin's access, including how long it lasts, and if any
notification or additional authentication is needed. Note that for certain high privileged roles, MFA is always
required.

Click Steps:
1. Switch to the Azure Portal InPrivate tab (https://portal.azure.com).
2. In the left-hand navigation, click All services, and in the Search Everything search box, type Identity and
then click Azure AD Privileged Identity Management.
3. Under Manage, click Azure AD Roles.
4. Under Manage, click Roles.
5. Point to ROLE and DESCRIPTION.
6. Under ROLE, click the Global Administrator role.
7. In the Global Administrator - Members blade, click Isaiah Langer.
8. At the top, click Make eligible.
9. Click X to close the Isaiah Langer blade.
10. Click X to close the Global Administrator - Members blade.
11. Under Manage, click Settings.
12. Click Roles.
13. Click Global Administrator.
14. Move the Maximum Activation duration slider to the left, to 0.5 hours.
15. Set email Notifications to Enable.
16. At the top, click Save.

Activate admin eligibility

Speaker Script:
When Isaiah needs higher privileges for a specific task, he can go into Privileged Identity Management in the
Azure portal and request activation for the access role. Any type of admin can use Azure AD Privileged Identity
Management to activate.

First, Isaiah is prompted to verify his identity using Multi-Factor Authentication.

Isaiah can now activate the request. Role activation is customizable. In the PIM settings, Isaiah can determine
the length of the activation and provide a business justification.

Isaiah is auto-approved for the requested access with an expiration time for that permission.

Using Azure AD Privileged Identity Management, the admin can track changes in privileged role assignments
and role activation history.

The admin can see Isaiah just requested access as a Global Administrator. This information can be critical for
auditing and forensic investigations.

Click Steps:
1. Switch to the browser with IsaiahL signed in and open the tab https://outlook.office365.com/ to view Isaiah
Langer's email.
2. Open the email from Microsoft Azure for Activating Global Administrator.
3. Click the Activate role link in the email.
a. If you see a Welcome to Microsoft Azure prompt, click Maybe later.
b. If you are not taken to the Privileged Identity Management blade, click the redirect to PIM notification at
the top.
c. Under Tasks, click My roles.
4. On the line for Global Administrator, click Activate.
5. On the Global Administrator blade, click Verify your identity before proceeding.
6. Click Verify my identity.
Note: If Isaiah Langer has not yet been set up for MFA, you will be prompted to set up phone verification.
Complete the setup by following the instructions to register your phone for MFA.
7. Respond to the phone verification.
8. You will be returned to the Privileged Identity Management blade.
9. Under Tasks, click My roles.
10. On the line for Global Administrator, click Activate.
11. At the top of the blade, click Activate.
12. In the Reason for role activation text box, type Year end financials.
13. Click Activate.
14. Click X twice to close the Activation status and Activation blades.
15. Refresh the browser, and on the Global Administrator blade, point to Expiration.
a. After the refresh the status might not update; wait about 2 minutes and it will. Depending on service
status this might not populate for some time. If it does not after a browser refresh, move on to the next
step.
16. Switch back to the Azure portal logged in as admin@<Tenant>.onmicrosoft.com.
17. Click the X to close the Roles blade.
18. Under Activity, click Directory roles audit history.
19. In the audit history list, under the Reasoning column, indicate the business justification.
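The audit history step above is where an admin verifies that activations were justified, MFA-verified and time-bound, and the role list is where permanent Global Administrators stand out. The Python checks below are an added example, not code from the guide or from Azure AD: the record layouts are simplified, the accounts other than admin and IsaiahL are constructed, and the 0.5-hour limit is the value set in the click steps.

```python
"""Audit checks over Privileged Identity Management role data.

Constructed example of the questions an admin answers from the PIM role list
and the Directory roles audit history shown in this demo: who still holds
Global Administrator permanently, and whether each activation carried a
justification, an MFA verification and a duration within the configured
maximum. The data is constructed; this is not the Azure AD audit log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The demo sets Maximum Activation duration for Global Administrator to 0.5 hours.
MAX_ACTIVATION = timedelta(hours=0.5)
ROLE = "Global Administrator"


@dataclass
class RoleAssignment:
    user: str
    role: str
    assignment: str          # "permanent" or "eligible"


@dataclass
class Activation:
    user: str
    role: str
    activated_at: datetime
    expires_at: datetime
    reason: str              # the Reasoning column in the audit history
    mfa_verified: bool       # identity verified with MFA before activation


def permanent_admins(assignments, role=ROLE):
    """Standing members of the role. Each one is a continual exposure, which is
    why the demo converts Isaiah from permanent to eligible."""
    return sorted(a.user for a in assignments
                  if a.role == role and a.assignment == "permanent")


def activation_findings(activations, role=ROLE):
    """Return (user, finding) pairs for activations that break the demo's PIM
    settings: empty justification, no MFA, or longer than MAX_ACTIVATION."""
    findings = []
    for act in activations:
        if act.role != role:
            continue
        if not act.reason.strip():
            findings.append((act.user, "missing business justification"))
        if not act.mfa_verified:
            findings.append((act.user, "activated without MFA verification"))
        if act.expires_at - act.activated_at > MAX_ACTIVATION:
            findings.append((act.user, "activation longer than maximum duration"))
    return findings


# Constructed data: the demo tenant after Isaiah is made eligible and
# activates the role with the justification typed in the click steps.
ASSIGNMENTS = [
    RoleAssignment("admin", ROLE, "permanent"),
    RoleAssignment("IsaiahL", ROLE, "eligible"),
    RoleAssignment("contractor-admin", ROLE, "eligible"),   # constructed account
]

ACTIVATIONS = [
    Activation("IsaiahL", ROLE,
               datetime(2019, 7, 29, 9, 0), datetime(2019, 7, 29, 9, 30),
               "Year end financials", True),
    # Constructed counter-example: an 8-hour activation with no justification
    # and no MFA, the pattern the audit history should make visible.
    Activation("contractor-admin", ROLE,
               datetime(2019, 7, 29, 10, 0), datetime(2019, 7, 29, 18, 0),
               "", False),
]

if __name__ == "__main__":
    print("Permanent Global Administrators:", permanent_admins(ASSIGNMENTS))
    for user, finding in activation_findings(ACTIVATIONS):
        print(f"{user}: {finding}")
```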

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:
1. On the Azure Portal (https://portal.azure.com), make Isaiah a permanent member of the Global
Administrator group:
a. In the left-hand navigation, click All services, and in the Search Everything search box, type
Identity, and then click Azure AD Privileged Identity Management.
b. Under Manage, click Azure AD roles.
c. Under ROLE, click the Global Administrator role.
d. In the Global Administrator - Members blade, click Isaiah Langer.
e. At the top, click Make Permanent.
Note: You may have to wait until Isaiah’s admin access expires.

Terms of Use
This demo shows how a Global Administrator can require users to accept the Terms of Use.
Note: Please ensure you've initialized the Privileged Identity Management experience in your demo tenant, as
detailed in the Appendix, before performing this demo.

Pre-Demo Steps

Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix section.
1. Prepare a browser session for administrator experience:
a. Launch Edge dev browser with a profile for the Admin persona.
b. Log in to the Azure Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
2. Prepare a browser session for user experience:
a. Launch Edge dev browser with a profile for the User persona.
b. Log in to Outlook (https://outlook.office365.com/) as IsaiahL@<tenant>.onmicrosoft.com.
c. Open another tab, and then navigate to the Access Panel Apps portal
(https://myapps.microsoft.com).
3. Prior to each demo, download the file toupdf.pdf for Terms of Use.

Speaker Script and Click Steps

Configure Terms of Use

Speaker Script:
Azure AD Terms of Use provides a simple method that organizations can use to present information to end
users. This presentation ensures users see relevant disclaimers for legal or compliance requirements.

Azure AD Terms of use uses the PDF format to present content. The PDF file can be any content, such as an
existing contract document, allowing you to collect end-user agreements during user sign-in.

When the option Create conditional access policy later is selected, the terms of use will appear in the grant
control list when creating a conditional access policy.

Click Steps:
1. Switch to the Azure Portal InPrivate tab (https://portal.azure.com).
2. In the left-hand navigation, click Azure Active Directory.
3. Under Security, click Conditional Access.
4. In the Conditional Access – Policies blade, under Manage, click Terms of use.
5. Click +New terms.
6. In the Name field, enter Contoso Terms of Use Policy.
7. In the Display Name field, enter Contoso Terms of Use.
8. Next to Terms of use document, click the folder icon.
9. Browse to the toupdf.pdf document downloaded and select it.
10. In the Select default language drop-down list, select English.
11. For Require users to expand the terms of use, select On.
12. Under Conditional access, on the Policy templates drop-down, click Create conditional access policy
later.
13. Click Create.
14. On the Conditional access blade, click Policies.
15. On the Conditional Access - Policies blade, click +New policy.
16. In the Name field, enter External User Saas Apps Terms of Use Policy.
17. Create a new policy as follows:
• Under Assignments, click Users and groups.
i. Click Select users and groups.
ii. Check Users and groups.
iii. Click Select.
iv. Search for and click sg-Sales and Marketing.
v. Click Select.
vi. Click Done.
• Under Assignments, click Cloud apps or actions.
i. Click Select apps.
ii. Click Select.
iii. Click Salesforce.
iv. Click Select.
v. Click Done.
• Under Access controls, click Grant.
i. Click Grant access.
ii. Check Contoso Terms of Use Policy.
iii. Click Select.
• Under Enable policy, click On.
18. Click Create.

Accept Terms of Use

Speaker Script:
An external user's Terms of Use policy can be verified via the newly enhanced Conditional Access feature. This
custom control enables verification of a complete set of terms of use to manage users and group access.

When a company policy changes or new compliance rules are to be enforced, Conditional Access for Terms of
Use easily manages the changes for all users, in a systematic and targeted way.

Click Steps:
19. Switch to the Access Panel Apps portal browser session (https://myapps.microsoft.com).
20. Click Salesforce.
21. On the Contoso terms of use page, click Accept.
22. Notice that you get a warning that reading of the Terms of Use is required.
23. Click the arrow to expand the Terms of Use.
24. Click Accept.
25. Close all browser windows.

View acceptance report for Terms of Use

Speaker Script:
The Terms of use blade shows a count of the users who have accepted and declined. These counts and who
accepted/declined are stored for the life of the Terms of use.

Click Steps:
26. Switch to the Azure Portal InPrivate tab (https://portal.azure.com).
27. In the left-hand navigation, click Azure Active Directory.
28. Under Security, click Conditional Access.
29. In the Conditional Access – Policies blade, under Manage, click Terms of use.
30. Click Contoso Terms of Use Policy to view details.
31. On the Contoso Terms of Use Policy row, under Accepted, click the number.
32. On the Terms of use consents blade, review the status of the users.

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:
1. On the Azure Portal (https://portal.azure.com), delete the Terms of Use, Contoso Terms of Use Policy:
a. In the left-hand navigation, click Azure Active Directory.
b. Under Security, click Conditional Access.
c. In the Conditional Access – Policies blade, under Manage, click Terms of use.
d. If the Contoso Terms of Use Policy is present, click it, and then click Delete terms, and then
click Yes.
2. On the Azure Portal (https://portal.azure.com), verify the conditional access policy, External User SaaS
Apps Terms of Use Policy is deleted:
a. In the left-hand navigation, click Azure Active Directory.
b. Under Security, click Conditional Access.
c. In the Conditional Access – Policies blade, verify the conditional access policy External User
SaaS Apps Terms of Use Policy is deleted.

Identity Governance
In the modern workplace, the end user's needs can easily be at odds with the requirements an IT department
faces. Deana runs a lean team in IT and is tasked with modernizing Contoso's identity and access management
solution, all while reducing support costs. Not only is Contoso experiencing a hiring surge to support its latest
product, but Deana is also dealing with an explosion in the number of apps employees use every day to do their
jobs.
For Isaiah, as a new member of the Sales team, the ability to interact with teammates across groups and even
outside the company is important. He must work seamlessly across a wide array of apps, both internal and
external. The question is whether he can do all of this securely and easily, and still be empowered to make good
decisions for Contoso on his own.

Pre-Demo Steps

Prior to each demo, complete the following:


1. In a separate InPrivate browser session, navigate to https://portal.azure.com and log in as
admin@<TENANT>.onmicrosoft.com with the tenant password from your tenant card found on
https://cdx.transform.microsoft.com.
2. Search for and click Identity Governance.

Speaker Script Click Steps


Entitlements and access

Speaker Script:
Identity is the center of security. More than ever before, employees, customers and partners share information across devices, locations, and a world of apps. Today, the power of the cloud is leveraged to ensure identities and access to information and apps are seamless and secure.
Let's look at a specific example of how identity improves both security and productivity: Identity governance.
Identity Governance allows Deana to manage, monitor and audit the end-to-end identity and access management lifecycle.
When users request access to resources, governance policies ensure access is granted easily, securely and in line with your security and compliance requirements.
Let me show you how an admin can grant resource access to a partner company using this capability.
The admin for Adatum Corporation wants to enable a business partner inside Contoso to collaborate with their Sales and Marketing team. With the new Azure AD Identity Governance feature, he creates an entitlement.
Entitlements are the cornerstone of governance, and allow the Administrator to group the users, resources and policies needed to grant access.
For this demo, the Adatum Administrator has already created a set of entitlements for his organization. Let's look at the Sales and Marketing entitlement that will enable employees from Contoso, a partner organization, to collaborate with Adatum.
First, resources must be specified and associated with the entitlement. Here, 2 apps, 1 user group and 1 SharePoint site are listed. More resources can be added here, as necessary.

Click Steps:
1. Start in the Azure portal on the Identity Governance blade.
2. Under Entitlement management (Preview), click Access packages.
3. In the Access packages list, click Sales and Marketing.
4. Under Manage, click Policies, and review the policies listed.
5. Click Initial Policy.
6. On the Policy details pane, click Edit.
7. On the Edit policy blade, under Users who can request access, click For users not in your directory.
8. Click +Add directories.
9. On the Select directories pane, search for adatum.com.
10. Click Add.
11. Click Select.
12. Review the following options:
 Request
 Expiration
 Enable Policy
13. Click Update.
14. Under Manage, click Resource roles.
15. Point out:
a. SharePoint site line
b. The two application lines
c. The Security Group line

Access reviews to manage group membership

Speaker Script:
There are quite a few ways to control application access in Azure AD. A lot of organizations use groups in AD or Azure AD to control access. Users can also request application access. And now, the new Office 365 groups feature allows more users across your organization to create their own groups and pick who they want in those groups.
Of course, over time, group memberships and application access assignments can get stale: people change jobs or no longer need access to a particular application. Maybe a guest who was given access isn't affiliated with their original organization any longer. This staleness can cause a problem for protecting business-sensitive assets or applications subject to compliance. To avoid access getting out of hand, organizations can now schedule access reviews to make sure only the users they want to have access to their assets and applications are able to.
An access review asks users to recertify (or "attest") to access rights to an app or membership in a group. You can ask users to review their own rights or select reviewers to review everyone in a group, or everyone currently assigned access to an app. You can also ask the group owners to review. And finally, for those organizations that have other processes in place to manage employee access, you can scope the review to include only guest members or guests who have access.

Click Steps:
1. Search for and click Identity Governance.
2. Under Access reviews, click Access reviews.
3. Under the Control Name field, click Salesforce Access Review.
4. On the Overview blade, review the settings for the review.
a. Owner
b. App
c. Scope
d. Review status
e. Recurrence

Speaker Script:
There are two ways users' access can be reviewed: by group membership or by application access.
The access review is configured to run for a time to allow the reviewers to review and respond. Reviewers will receive an email notification that an access review needs their response.
To review the results, the reviewers can click on the link in the email or access the results via https://myapps.microsoft.com.
For a user that has not signed in during the last 30 days, the recommendation is Deny. This can be overridden if desired, but the reviewer must then supply a reason.
In one click, all the Access Review recommendations can be accepted.
When the review period ends, or if the review is manually stopped, the results can then be applied.
Admins can see the results of an access review through Azure Identity Governance at any time once the access review is created. In the Results pane they can see the list of users, the outcome, the recommended action, the reason, and the reviewer for each entry of the access review. Should changes be made to the access review settings, the Admin can use the Audit logs to review them.
Should an Admin wish to create an access review from scratch, they may do this in the Identity Governance – Access reviews blade. Admins can set the frequency, scope, and start date for the review to run. The access review can be targeted to members of a group or to an application. Reviewers can be selected individually or the review can be given to group owners. Results of the access review can be auto-applied with or without reviewer response. Once an access review is started it can take some time to complete, so reminders can be sent to reviewers once the review is started and to admins when a review completes.

Click Steps:
5. Open a new browser tab and navigate to https://myapps.microsoft.com.
6. Sign in as admin@<Tenant>.onmicrosoft.com.
7. Click on the Access reviews tile.
8. Click Begin review.
9. Click a user.
10. Click Approve.
11. Indicate that the Reason field becomes required.
12. Click Cancel.
13. At the bottom of the page, click the Accept recommendations button.
14. Review the information in the Salesforce Access Review and then click Cancel to abort any changes.
15. Switch back to the Azure portal tab with the Salesforce Access review open.
16. Under Manage click Results.
17. Point out the User, Outcome, and Recommended Action columns.
18. Under Activity click Audit logs.
19. Point out the details listed in the Audit log.
20. At the top in the breadcrumbs, click Identity Governance – Access reviews.
21. Under Access reviews, click Access reviews.
22. Click + New access review.
23. In the Review name field, enter Salesforce Access Review Admin.
24. Click the Users to review drop down list and select Assigned to an application.
25. Next to Scope select Everyone.
26. Click Select an application.
27. In the search box type Salesforce and click Salesforce in the search results.
28. Click Select.
29. Under Select reviewers, click 0 users selected.
30. In the search box type Admin and click on MOD Administrator in the search results.
31. Click Select.
32. Click Start.
NOTE: to show the new access review in the list you may have to refresh the page.
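The recommendation and bulk-accept behaviour described in the speaker script above (Deny for users with no recent sign-in, Accept recommendations in one click, a required Reason when a reviewer overrides), reproduced as an added example. This is illustrative code written for this guide, not Azure AD's own implementation or an export from the demo tenant: the 30-day inactivity threshold is Azure AD's documented "not signed in recently" rule, the assignment records below are constructed, and the UPNs other than isaiahl are placeholders.

```python
"""Access review recommendation and bulk-accept logic, as an added example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Azure AD recommends Deny when a user has no sign-in within the last 30 days.
INACTIVITY_WINDOW = timedelta(days=30)


@dataclass
class Assignment:
    """One user assigned to the application under review."""
    user_principal_name: str
    last_sign_in: Optional[datetime]  # None: no sign-in to the app on record


@dataclass
class Decision:
    """One row of the review's Results pane."""
    user_principal_name: str
    recommendation: str  # "Approve" or "Deny"
    outcome: str         # what the reviewer recorded
    justification: str
    reviewer: str


def recommend(assignment: Assignment, now: datetime) -> str:
    """Deny when the user has not signed in inside the inactivity window."""
    if assignment.last_sign_in is None:
        return "Deny"
    if now - assignment.last_sign_in > INACTIVITY_WINDOW:
        return "Deny"
    return "Approve"


def accept_recommendations(
    assignments: List[Assignment],
    now: datetime,
    reviewer: str,
    overrides: Optional[Dict[str, Tuple[str, str]]] = None,
) -> List[Decision]:
    """Mirror the 'Accept recommendations' button: record every recommendation
    as the outcome, except where the reviewer overrides it with an explicit
    (outcome, justification). Overriding against the recommendation without a
    justification is rejected, as the portal's required Reason field would."""
    overrides = overrides or {}
    decisions = []
    for a in assignments:
        rec = recommend(a, now)
        if a.user_principal_name in overrides:
            outcome, why = overrides[a.user_principal_name]
            if outcome != rec and not why.strip():
                raise ValueError(
                    f"a reason is required to override the recommendation for {a.user_principal_name}"
                )
        else:
            outcome, why = rec, "Accepted recommendation"
        decisions.append(Decision(a.user_principal_name, rec, outcome, why, reviewer))
    return decisions


def users_to_remove(decisions: List[Decision]) -> List[str]:
    """Assignments that applying the results would remove from the application."""
    return [d.user_principal_name for d in decisions if d.outcome == "Deny"]


# Constructed sample data, not exported from a tenant. NOW is the guide's revision date.
NOW = datetime(2019, 7, 29, tzinfo=timezone.utc)
SAMPLE_ASSIGNMENTS = [
    Assignment("isaiahl@contoso.onmicrosoft.com", NOW - timedelta(days=2)),
    Assignment("deanab@contoso.onmicrosoft.com", NOW - timedelta(days=45)),   # placeholder UPN
    Assignment("guest_adatum.com#EXT#@contoso.onmicrosoft.com", None),        # placeholder guest
]

if __name__ == "__main__":
    results = accept_recommendations(
        SAMPLE_ASSIGNMENTS, NOW, reviewer="MOD Administrator",
        overrides={"deanab@contoso.onmicrosoft.com": ("Approve", "On leave, returns in August")},
    )
    for d in results:
        print(f"{d.user_principal_name}: recommended {d.recommendation}, outcome {d.outcome} ({d.justification})")
    print("would be removed on apply:", users_to_remove(results))
```

The guest with no sign-in on record is recommended for denial just like the stale member, which is exactly the case the speaker script calls out; running the block shows one override (with its reason) and the remaining removals that applying the results would perform.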
Appendix: One Time Demo Environment Setup
Note: These activities need to be performed only once per your demo tenant, Microsoft 365 Enterprise Demo
Content with Windows Defender ATP with the Azure Advanced Threat Protection add-on. You may have
performed some of these steps against your environment in preparation for another demo, in which case you
may skip these steps.
Important: Please note the following pre-requisite for this setup task:
 To properly demonstrate any classification-based policies you will need to ensure that the tenant you are
using is configured with Azure Information Protection templates for classifying corporate data.
 To properly demonstrate “Protect on Download” functionality, you will need to configure a third-party
SaaS app that supports session control (such as Salesforce) integrated with SAML-based single sign-on
with your demo tenant.
 For an application to appear on the proxy apps page in Cloud App Security, a user who is targeted by the
access policy for that SaaS app must have previously signed in to the app in question (i.e. Salesforce)
with SSO.

Configure Sharing control and Data Loss Prevention

In order to configure Inspection settings in a policy, Azure Information Protection must be configured to
automatically scan new files for Azure Information Protection classification labels and content inspection
warnings.
1. Log in to the Microsoft Cloud App Security Portal (https://portal.cloudappsecurity.com) using Edge or
Edge Dev, as your demo tenant’s Global Administrator.

2. In the upper right corner, click the settings menu, and then click Settings.

3. Under Information Protection, click Azure Information Protection.

4. Under Azure Information Protection settings, click Automatically scan new files for Azure
Information Protection classification labels and content inspection warnings.

5. Under Inspect protected files, click Grant permission.

6. On the Pick an account window, click your demo tenant’s Global Administrator.

7. On the Permissions requested Accept for your organization window, click Accept.

8. Click Save.

Note: If you get an error try using a different browser.


9. Refresh the browser window to verify the updates.

Configure Salesforce Integration with Azure AD

Estimated Setup Time: 40 minutes


The Salesforce application is added to your demo Azure AD, but not yet configured for single sign-on (SSO).
Please follow the detailed guidance below to sign up for a Salesforce account for your demo tenant and
configure SSO with your tenant’s Azure AD.
Sign up for a Salesforce Developer Account
1. In a new, InPrivate Edge browser session, navigate to https://developer.salesforce.com/signup.
Complete the signup form as follows:
First Name: Contoso
Last Name: Admin
Email: admin@<Tenant>.onmicrosoft.com
Role: Administrator
Company: Contoso
Country/Postal Code: (as appropriate)
Username: admin@<Tenant>.onmicrosoft.com
2. Select the Master Subscription Agreement checkbox, then click Sign me up.
3. If necessary, click X to close the GDPR message.
4. When prompted to check email to confirm account:
a. Open a new browser tab and navigate to https://outlook.office365.com.
b. If necessary, sign in as admin@<Tenant>.onmicrosoft.com.
c. Locate the email from Salesforce, requesting account verification and click Verify Account. You’ll be
directed to Salesforce web site.

Note: The Welcome to Salesforce email used to verify your account, could be in the Other tab.
5. Provide a password for Salesforce.
6. Pick a security question and answer it.
7. Click Change Password.

Note: You’ll be directed to the Salesforce Home page. Keep this Salesforce administration tab open.
8. Classic UI: In the left navigation pane, expand Domain Management, then click My Domain.
Lightning UI: In the left navigation pane, under SETTINGS, expand Company Settings, then click My Domain.

Note: You can verify you are using the Lightning UI if lightning.force is included in the URL to Salesforce.
9. Under Choose Your Domain Name, type your tenant name in the textbox (e.g. m365x123456).
10. Click Check Availability.
11. When availability has been verified, click Register Domain.

Note: Please wait 10 - 15 minutes before proceeding to the next step. The custom domain name you just
registered requires some time to take effect.
12. In the left navigation, click My Domain again to refresh the page. The domain follows the pattern:
https://{TENANT}-dev-ed.my.salesforce.com.
13. Click Log in. If prompted to Navigate to this page, click Open.
14. If prompted to register your mobile phone, click I Don’t Want to Register My Phone.
15. If prompted, log in with your Salesforce administrator user ID (admin@<Tenant>.onmicrosoft.com) and password.

Note: The My Domain page will re-load, and the URL for this page will be updated to the custom domain name
containing your tenant name https://<TENANT>-dev-ed.my.salesforce.com.
16. In the SETTINGS > My Domain section, click Deploy to Users.
17. Click OK.
18. If the Classic Salesforce UI is displayed, in the upper right corner, click Switch to Lightning Experience.
Assign users and groups to Salesforce
1. In a new browser tab, browse to the Azure Management Portal (https://portal.azure.com).
2. If necessary, log in as the tenant’s Global Admin user, admin@<Tenant>.onmicrosoft.com.
3. In the left-hand navigation menu, click Azure Active Directory, then under Manage, click Enterprise
Applications.
4. From All applications, click Salesforce.
5. Under Manage, click Users and groups.
6. Click + Add user.
7. Click Users and groups.
8. On Users and groups blade, in the Search by name or email address, type MOD, and then click
admin@<Tenant>.onmicrosoft.com from the Users list, and then click Select.
9. Click Select Role, and then click System Administrator.
10. Click Select.
11. Click Assign.
12. On the Salesforce – Users and groups blade, click the check box for sg-Sales and Marketing, and then
click Edit.
13. Click Select Role, and then click Chatter Free User.
14. Click Select.
15. Click Assign.
Enable automatic account provisioning
1. On the Salesforce blade, under Manage, click Provisioning.
2. On the Provisioning Mode drop-down list, click Automatic.
3. Under Admin Credentials, type admin@<Tenant>.onmicrosoft.com and the password you set for the
Salesforce account.
4. Obtain a Secret Token as follows:
a. Switch to the Salesforce administration browser tab.
b. Click the user menu (user name at the top-right corner of the page), then click Settings.
c. In the left navigation, click Reset My Security Token.
d. Click Reset Security Token button.
e. Navigate back to the administrator's inbox, and then copy the security token.
Note: Resetting the security token invalidates the previous one; any other integration that used the old
token with this Salesforce account must be updated.
f. Switch back to the Azure portal, the Salesforce – Provisioning blade.
5. In the Secret Token textbox, paste in the security token string.
6. Click Test Connection.
Note: You should see a notification saying “Testing connection to Salesforce. The supplied credentials are
authorized to enable provisioning”.
7. Set Notification Email to admin@<Tenant>.onmicrosoft.com and check Send an email notification
when a failure occurs.
8. At the top of the Salesforce – Provisioning blade, click Save.
9. Under Settings, set the Provisioning Status to On.
10. At the top of the Salesforce – Provisioning blade, click Save to complete account provisioning settings.
Configure SSO for Azure AD
1. Under Manage, click Single sign-on.
2. On the Select a single sign-on method, click SAML to enable single sign-on.
3. In step 1 Basic SAML configuration, click the pen to edit the Sign on URL and Identifier:
o Identifier (Entity ID) (Required): https://{Tenant}-dev-ed.my.salesforce.com
o Sign-on URL (Required): https://{Tenant}-dev-ed.my.salesforce.com
Note: Verify that there is NO space after the URL https://{Tenant}-dev-ed.my.salesforce.com.
4. At the top of the Basic SAML Configuration pane, click Save. After the configuration is successfully
saved, click X to close the Basic SAML Configuration blade.
5. If you are prompted to Test single sign-on with Salesforce, click No, I’ll test it later.
6. In step 3 SAML Signing Certificate, on the Federation Metadata XML option, click Download. Save
this XML file to your local system, you will use it later in Salesforce.
Set up Salesforce for SSO
1. Switch to the Salesforce administration browser tab.
2. In the upper right-hand corner, click the configuration cog, and then click Setup.
3. Classic UI: In the left navigation pane, expand Security Controls, then click Single Sign-On Settings.
Lightning UI: In the left navigation pane, under SETTINGS, expand Identity, then click Single Sign-On Settings.

Note: You can verify you are using the Lightning UI if lightning.force is included in the URL to Salesforce.
4. Classic UI and Lightning UI: On the Federated Single Sign-on Using SAML section, click Edit, click SAML Enabled and
then click Save. On the Single Sign-on Settings section, click New from Metadata File to configure SAML sign-on settings.
5. Upload the Federation Metadata XML you downloaded from Azure portal.
6. Click Create.
7. On the SAML Single Sign-On Settings configuration page, make the following updates or verify the
information:
o Name: AzureSSO
o API Name: AzureSSO
o Entity ID: https://{Tenant}-dev-ed.my.salesforce.com
o SAML Identity Type: Assertion contains the User's Salesforce username
o Identity Provider Login URL: (copy/paste from the Configure sign-on blade in the Azure window,
e.g. https://login.microsoftonline.com/8511cd8b-2ab4-45c7-a8c2-13c5b961a134/saml2)
o Identity Provider Logout URL: (copy/paste from Azure window, e.g.
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 )
8. Click Save to apply your SAML single sign-on settings.
9. Classic UI: In the left navigation pane, expand Domain Management, then click My Domain.
Lightning UI: In the left navigation pane, under SETTINGS, expand Company Settings, then click My Domain.
10. Scroll down to the Authentication Configuration section, and click the Edit button, and then click
Open.
11. Under Authentication Service, uncheck Login Form, then select AzureSSO as the Authentication Service of
your SAML SSO configuration, and then click Save.
Note: Keep the Salesforce administration tab signed in until the SSO validation in the next section succeeds.
With Login Form unchecked, the My Domain login page no longer offers username/password sign-in, so a
mistake in the SAML settings is easiest to correct from a session that is already open.
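Step 7 above has you copy the Identity Provider Login URL and Logout URL by hand from the Azure portal, while step 5 uploads the Federation Metadata XML that already carries them. The following added example (not from the guide or from Microsoft or Salesforce) reads the values Salesforce's SAML Single Sign-On Settings page needs straight out of that metadata, and checks that a signing certificate is present. The metadata string is a constructed, abbreviated sample in the shape of Azure AD's federation metadata, reusing the example tenant GUID the guide shows; the certificate body is a placeholder, not a real X.509 certificate, so the thumbprint it prints is meaningless except as a demonstration of the computation.

```python
"""Pull the Salesforce SSO settings out of Azure AD federation metadata, as an added example."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate body so the sample parses; this is NOT a real certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder, not a certificate").decode()

# Constructed, abbreviated sample in the shape of Azure AD's federation metadata,
# using the example tenant ID the guide shows in step 7 above.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/8511cd8b-2ab4-45c7-a8c2-13c5b961a134/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/8511cd8b-2ab4-45c7-a8c2-13c5b961a134/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/8511cd8b-2ab4-45c7-a8c2-13c5b961a134/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/8511cd8b-2ab4-45c7-a8c2-13c5b961a134/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of a base64 DER certificate, the form the Azure portal displays."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def _location(idp: ET.Element, tag: str, binding: str) -> Optional[str]:
    """Location of the first <tag> endpoint that uses the given SAML binding."""
    for svc in idp.findall(f"md:{tag}", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def salesforce_sso_settings(metadata_xml: str) -> Dict[str, object]:
    """Map IdP metadata onto the fields of Salesforce's SAML Single Sign-On Settings page."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    certs = [
        c.text.strip()
        for c in idp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
        )
        if c.text
    ]
    if not certs:
        raise ValueError("no signing certificate: Salesforce cannot validate assertions")
    login = _location(idp, "SingleSignOnService", HTTP_REDIRECT)
    if login is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    return {
        "issuer": root.get("entityID"),
        "identity_provider_login_url": login,
        "identity_provider_logout_url": _location(idp, "SingleLogoutService", HTTP_REDIRECT),
        "signing_cert_thumbprints": [thumbprint(c) for c in certs],
        # Two signing certificates usually mean a rollover is in progress: upload
        # both, or sign-in breaks when the IdP switches to the new key.
        "rollover_in_progress": len(certs) > 1,
    }


if __name__ == "__main__":
    for key, value in salesforce_sso_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Comparing the thumbprint printed for the real metadata against the one shown on the SAML Signing Certificate pane in the Azure portal confirms that the file you are uploading to Salesforce is the one the tenant is actually signing with.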

Test Salesforce SSO


1. Switch back to the Azure portal, and on the Salesforce – SAML-based sign-on blade, under Manage, click Single sign-on.
2. In step 5, Test single sign-on with Salesforce, click Validate.
3. Click on Sign in as current user.
4. You will be redirected to the Salesforce homepage.

Initialize Azure AD Privileged Identity Management (PIM)

1. Launch an InPrivate Edge browser session.


2. Log in to the Azure Management Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
3. In the search box at the top of the Azure Portal, enter Identity governance, and click on Identity
Governance in the results.
4. Under Privileged Identity Management, click Azure AD roles.
5. On the Privileged Identity Management - Quick start blade, click Consent to PIM.
6. On the Privileged Identity Management - Consent to PIM blade, click Verify my identity.
7. Follow the prompts to set up and verify Multi-Factor Authentication (MFA) using phone verification.
8. Navigate back to the Privileged Identity Management – Consent to PIM blade.
9. On the Privileged Identity Management – Consent to PIM blade, click Consent, and then click Yes.
10. Under Manage, click Azure AD Roles.
a. NOTE: You may have to go back to the Identity Governance blade then return to the Privileged Identity
Management blade in order to refresh it.
11. On the Azure AD roles – Quick start blade, click AzureAD Roles, then click Activate your role.
12. On the Azure AD roles – Quick start blade, click You need to sign up Privileged Identity Management for
Azure AD roles to use this function. Click here to sign up.
13. On the Sign up for PIM pane, click Sign up, and then click Yes.
14. Click X to close the Sign up for PIM pane.

Enable Access Reviews


1. Launch an InPrivate Edge browser session.
2. Log in to the Azure Management Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
3. In the search box at the top of the Azure Portal, enter Identity governance, and click on Identity
Governance in the results.
4. Under Access reviews, click Onboard.
5. In the Onboard access reviews blade, click Onboard Now.
6. In the search box at the top of the Azure Portal, enter Identity governance, and click on Identity
Governance in the results.
7. Under Access reviews, click Access reviews.
8. Click + New access review.
9. In the Review name field, enter Salesforce Access Review.
10. Click the Users to review drop down list and select Assigned to an application.
11. Next to Scope select Everyone.
12. Click Select an application.
13. In the search box type Salesforce and click Salesforce in the search results.
14. Click Select.
15. Under Select reviewers, click 0 users selected.
16. In the search box type Admin and click on MOD Administrator in the search results.
17. Click Select.
18. Click Start.
19. Close the InPrivate browser windows.
20. Launch a new InPrivate Edge browser session.
21. Log in to https://myapps.microsoft.com as isaiahl@<tenant>.onmicrosoft.com.
22. Click the Salesforce tile.
23. Close the InPrivate browser window.

Configure BrowserStack SaaS Application with Azure AD 


Estimated Setup Time: 5 minutes 
You will be using the BrowserStack app to demonstrate Self-Service Group Management in MyApps. 
Sign up for a Demo BrowserStack Account 
You will need to sign up for a new BrowserStack account, if you don’t have a demo BrowserStack account
already. 
1. In a new InPrivate browser session, navigate to https://browserStack.com/users/sign_up. 
2. Complete the form with following information: 
 Full Name: Contoso Demo 
 Email: admin@<Tenant>.onmicrosoft.com 
 Password: (Example: Contoso1) 
3. Click to agree to BrowserStack’s terms of service and privacy policy. 
4. Click Sign me up, and then verify your sign up.

Confirm email address for BrowserStack account 


5. In a new browser tab, navigate to https://outlook.office365.com and log in
as admin@<Tenant>.onmicrosoft.com. 
6. Locate the email from BrowserStack, then click Confirm my account link on the email body. 
7. If prompted, log in as admin@<tenant>.onmicrosoft.com. 

Configure BrowserStack for Conditional Access with Azure AD 


8. In a new browser tab, browse to the Azure Management Portal (https://portal.azure.com). 
9. If necessary, log in as the tenant’s Global Admin user, admin@<Tenant>.onmicrosoft.com. 
10. In the left-hand navigation, click Azure Active Directory, then click Enterprise applications. 
Note: if BrowserStack isn’t in the list of applications, manually add BrowserStack from the Azure SaaS
applications gallery by clicking + New application. 
11. Under Security, click Conditional access. 
12. Click + New policy. 
13. Type a name for the new rule, e.g. Require two-factor authentication for BrowserStack. 
14. Complete the following settings: (the remaining settings can remain at their defaults) 
 Users and groups > Include > All users 
 Cloud apps or actions > Select apps / BrowserStack 
 Grant > Grant access > Require multi-factor authentication 
 Enable policy > On 
15. Click Create to save the policy settings. 
16. Click X to close the Conditional Access – Policies blade. 
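The Conditional Access policy built here for BrowserStack and the External User SaaS Apps Terms of Use Policy from the Accept Terms of Use demo are the same kind of object, so one added example covers both. It writes the two policies in the shape of Microsoft Graph's conditionalAccessPolicy resource and then answers, offline, the question a practitioner asks after clicking through the portal: which grant controls does an enforced policy actually impose on a given sign-in? This is illustrative code written for this guide, not Microsoft's, and it does not call Graph. The app and Terms of Use identifiers are placeholders, the guest scope of the Terms of Use policy is an assumption taken from its name (the steps visible in this guide show only its Cloud apps and Grant settings), and the third, report-only policy is constructed to show the most common reason an expected control is missing.

```python
"""The guide's Conditional Access policies in Graph's schema, plus an offline control check (added example)."""
from typing import Dict, List, Set

# Placeholder identifiers: in a tenant these are the enterprise apps' appId values and
# the Terms of Use agreement's id, read from the portal or from Graph.
SALESFORCE_APP_ID = "placeholder-salesforce-app-id"
BROWSERSTACK_APP_ID = "placeholder-browserstack-app-id"
CONTOSO_TOU_ID = "placeholder-contoso-terms-of-use-id"

# Guest scope below is an assumption based on the policy's name.
TERMS_OF_USE_POLICY = {
    "displayName": "External User SaaS Apps Terms of Use Policy",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["GuestsOrExternalUsers"]},
        "applications": {"includeApplications": [SALESFORCE_APP_ID]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": [], "termsOfUse": [CONTOSO_TOU_ID]},
}
BROWSERSTACK_MFA_POLICY = {
    "displayName": "Require two-factor authentication for BrowserStack",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [BROWSERSTACK_APP_ID]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
# Constructed: a policy left in report-only mode logs what it would do and enforces nothing.
REPORT_ONLY_POLICY = {
    "displayName": "Require MFA for Salesforce (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [SALESFORCE_APP_ID]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
POLICIES = [TERMS_OF_USE_POLICY, BROWSERSTACK_MFA_POLICY, REPORT_ONLY_POLICY]


def targets_app(policy: Dict, app_id: str) -> bool:
    """Cloud apps condition: included (or 'All') and not explicitly excluded."""
    apps = policy["conditions"]["applications"]
    included = apps.get("includeApplications", [])
    return ("All" in included or app_id in included) and app_id not in apps.get("excludeApplications", [])


def targets_user(policy: Dict, is_guest: bool) -> bool:
    """Users condition. Only the 'All' and 'GuestsOrExternalUsers' selectors are modelled;
    policies scoped by user or group object ID would need directory lookups."""
    included = policy["conditions"]["users"].get("includeUsers", [])
    return "All" in included or (is_guest and "GuestsOrExternalUsers" in included)


def required_controls(policies: List[Dict], app_id: str, is_guest: bool) -> Set[str]:
    """Grant controls that enforced policies impose on a sign-in to app_id by this user class.
    Terms of Use are reported as 'termsOfUse:<id>' beside built-in controls such as 'mfa'.
    Each policy's controls are treated as required, which is exact for the single-control
    policies above; a policy with several controls and operator OR needs only one of them."""
    controls: Set[str] = set()
    for p in policies:
        if p["state"] != "enabled":  # disabled and report-only policies enforce nothing
            continue
        if not (targets_app(p, app_id) and targets_user(p, is_guest)):
            continue
        grant = p.get("grantControls") or {}
        controls.update(grant.get("builtInControls", []))
        controls.update(f"termsOfUse:{t}" for t in grant.get("termsOfUse", []))
    return controls


def missing_controls(policies: List[Dict], app_id: str, is_guest: bool, expected: Set[str]) -> Set[str]:
    """Audit helper: the expected controls that no enforced policy delivers."""
    return expected - required_controls(policies, app_id, is_guest)


if __name__ == "__main__":
    print("guest -> Salesforce:", required_controls(POLICIES, SALESFORCE_APP_ID, True))
    print("member -> Salesforce:", required_controls(POLICIES, SALESFORCE_APP_ID, False))
    print("member -> BrowserStack:", required_controls(POLICIES, BROWSERSTACK_APP_ID, False))
    print("Salesforce MFA gap for members:", missing_controls(POLICIES, SALESFORCE_APP_ID, False, {"mfa"}))
```

The last line of output is the point: the report-only policy makes MFA for Salesforce look configured in the portal list, yet a member signing in to Salesforce is not challenged, which is why the Enable policy > On step in this section matters and why a control audit should key on the policy state rather than on the policy's presence.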

Configure SSO for BrowserStack 
17. Under Manage, click All applications. 
18. Click BrowserStack. 
19. Under Manage, click Single sign-on. 
20. Click Password-based, and then click Save. 
21. Under Manage, click Users and groups, and then on the left-hand side of the row, click the check box
for ssg-Contoso bug Bashers. 
22. Click Update Credentials. 
23. Type in the BrowserStack account you configured earlier (email and password) in the text box, then
click Save.
24. Click X to close the Update Credentials blade. 

Add Isaiah to ssg-Contoso bug Bashers


1. Launch an InPrivate Edge browser session.
2. Log in to the Azure Management Portal (https://portal.azure.com) as
admin@<tenant>.onmicrosoft.com.

3. Click Azure Active Directory.


4. Click Groups.
5. Search for and click ssg-Contoso Bug Bashers.
6. Click Members.
7. Click +Add members.
8. Search for and click Isaiah Langer.
9. Click Select.
10. Once Isaiah is added to the member list, close the browser window.

Setup MFA for Isaiah


1. Launch an InPrivate Edge browser session and clear all browser history (including passwords, cache, and
cookies).
2. Log in to the MyApps Portal (https://myapps.microsoft.com) as isaiahl@<tenant>.onmicrosoft.com.
3. Click the BrowserStack icon.

Note: You may be prompted to install a browser extension. Do so then return to the MyApps Portal and
click BrowserStack.
4. Follow the prompts to set up the Mobile app authenticator.
5. After setup is complete, close the browser.

Setup Sales and Marketing Access Package


1. Launch an InPrivate Edge browser session.
2. Log in to the Azure Management Portal (https://portal.azure.com) as admin@<tenant>.onmicrosoft.com.
3. Search for and click Identity Governance.
4. Under Entitlement management (Preview) click Access packages.
5. Click +New access package.
6. In the Name field enter: Sales and Marketing.
7. In the Description field enter: Access for Sales and Marketing users and guests.
8. Click Next: Resource roles.
9. Click +Groups.
10. Search for and click sg-Sales and Marketing.
11. Click Select.
12. Under Role change the drop down to Member.
13. Click +Applications.
14. Click Box.
15. Click Salesforce.
16. Click Select.
17. On the Salesforce line, under Role, change *No role selected to Chatter Free User.
18. On the Box line, under Role, change *No role selected to User.
19. Click +SharePoint sites.
20. Scroll to and click Sales and Marketing.
21. Click Select.
22. On the SharePoint Site line, under Role, change *No role selected to Sales and Marketing Members.
23. Click Next: Policy
24. Under Users who can request access, click None (administrator direct assignments only).
25. Under Enable policy click Yes.
26. Click Next: Review + Create.
27. Click Create.
28. On the Sales and Marketing blade, under Manage, click Policies.
29. Click +Add policy.
30. Name: Initial Policy
31. Description: Policy for Sales and Marketing
32. Under Users who can request access, click None (administrator direct assignments only).
33. Enable policy: Yes
34. Click Create.
35. Close all browser windows.
