
Fresh Tenant Setup

These are the steps I typically take to set up a fresh M365 E5 tenant. This is not complete. I'm documenting this (finally) as I rebuild a new test tenant.

Azure AD

Azure AD Connect

Assuming you already have a Lab Domain Controller and Server for AAD Connect.

Install AAD Connect using Express Settings.

After it is finished, re-run and enable Hybrid Join


Enable Group Writeback

On the AzureAD Connect server, run the following commands to enable Group Writeback in Windows PowerShell

```powershell
Set-ADSyncScheduler -SyncCycleEnabled $false
Set-ADSyncAADCompanyFeature -GroupWritebackV2 $true
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial
```

Hybrid Cloud Trust

Create AzureAD Kerberos Server

```powershell
# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = "contoso.com"

# Enter a UPN of an Azure Active Directory global administrator
$userPrincipalName = "admin@contoso.com"

# Enter a domain administrator username and password.
$domainCred = Get-Credential

# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
# Open an interactive sign-in prompt with given username to access the Azure AD.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

# Verify server
Get-AzureADKerberosServer -Domain $domain -DomainCredential $domainCred -UserPrincipalName $userPrincipalName
```

```
Id                 : 17530
UserAccount        : CN=krbtgt_AzureAD,CN=Users,DC=contoso,DC=com
ComputerAccount    : CN=AzureADKerberos,OU=Domain Controllers,DC=contoso,DC=com
DisplayName        : krbtgt_17530
DomainDnsName      : contoso.com
KeyVersion         : 27591
KeyUpdatedOn       : 10/13/2022 9:23:43 PM
KeyUpdatedFrom     : CONTOSO-DC-01.contoso.com
CloudDisplayName   : krbtgt_17530
CloudDomainDnsName : contoso.com
CloudId            : 17530
CloudKeyVersion    : 27591
CloudKeyUpdatedOn  : 10/13/2022 9:23:43 PM
CloudTrustDisplay  :
```
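The krbtgt_AzureAD object above is a Kerberos trust key and should be checked and rotated like any other krbtgt secret. The following is an added example, not part of the original notes: it compares the on-premises and cloud copies of the object, reports the key age, and rotates the key when it is older than a threshold. The domain, UPN and 30-day threshold are placeholders you would replace with your own values.

```powershell
# Added example: health check and rotation for the Azure AD Kerberos Server key.
# Assumes the AzureADHybridAuthenticationManagement module is installed on this host.
Import-Module AzureADHybridAuthenticationManagement

$domain            = 'contoso.com'                  # placeholder on-prem domain
$userPrincipalName = 'admin@contoso.com'            # placeholder Entra admin UPN
$domainCred        = Get-Credential -Message 'Domain admin credential'
$maxKeyAgeDays     = 30                             # placeholder local policy choice

$krb = Get-AzureADKerberosServer -Domain $domain `
    -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

# The on-prem object and its cloud copy must agree on Id and KeyVersion.
# A mismatch means the last publish to Entra did not complete; sign-ins
# that rely on the cloud trust will fail until it is republished.
if ($krb.Id -ne $krb.CloudId -or $krb.KeyVersion -ne $krb.CloudKeyVersion) {
    Write-Warning ("Kerberos server objects out of sync: on-prem KeyVersion {0}, cloud KeyVersion {1}" -f `
        $krb.KeyVersion, $krb.CloudKeyVersion)
}

# KeyUpdatedOn is the last on-prem key generation; age it against the threshold.
$keyAge = (Get-Date) - [datetime]$krb.KeyUpdatedOn
Write-Host ("krbtgt_AzureAD key age: {0:N0} days (KeyVersion {1})" -f $keyAge.TotalDays, $krb.KeyVersion)

if ($keyAge.TotalDays -gt $maxKeyAgeDays) {
    # -RotateServerKey generates a new key in AD and republishes it to Entra,
    # the same path the initial Set-AzureADKerberosServer call used.
    Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName `
        -DomainCredential $domainCred -RotateServerKey
    Write-Host 'Key rotated and republished to Entra.'
}
```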

Entra

Authentication Settings

User Settings

  • Toggle Off
    • Users can register Applications
    • Show keep user signed in
  • Toggle On
    • Restrict non-admin users from creating tenants
    • Restrict access to Entra ID administration portal

User Feature Settings

  • Select All for Users can use preview features for My Apps

Device Settings

EntraID Local Admin Password Solution

Tip: LAPS docs

Enterprise State Roaming

Enable Enterprise State Roaming

Identity Protection

Multifactor authentication registration policy

  • Create an AAD group called Service Accounts, add the AzureAD Connect sync account
  • Enable the policy, targeting all users and excluding

Diagnostic Settings

Portal Docs

  • Enable all diagnostic settings to log to your Sentinel Log Analytics workspace

Global Secure Access

https://entra.microsoft.com/#view/Microsoft_Azure_Network_Access/Welcome.ReactView

Intune

Tenant Administration

Defender for Endpoint Connector

  • Enable compliance policy evaluation for all platforms
  • Enable app sync
  • Enable App protection policy evaluation

Devices

Enroll Devices

Windows Enrollment

Windows enrollment - Automatic Enrollment

Windows enrollment - Autopilot deployment Profiles

Create a new Autopilot deployment profile


iOS Enrollment

Configure the Apple MDM Push Certificate. Instructions: Get an Apple MDM Push certificate for Intune | Microsoft Learn

Enrollment Profile: configure an enrollment profile (Enrollment type profiles - Microsoft Intune admin center).

Create a profile that allows the user to choose the type of device (corporate vs. user), targeting all users.

Apple Configurator Profile Portal Docs

There are two options for an Apple Configurator profile: with user affinity and without. For testing, enrollment with User Affinity through the Company Portal app mimics how devices might be distributed to end users.

  1. Create a new Enrollment Profile. On the settings step, select:
     • User affinity: Enroll with User Affinity
     • Select where users must authenticate: Company Portal
  2. Export the profile you just created and copy the URL.
  3. Create a CSV file with the serial numbers of the iPads you wish to enroll (format: Serial number,device details).
  4. Upload the CSV file in the portal under Devices and assign the profile you just created.
  5. In Apple Configurator, choose Settings -> Servers. Click + to add a server and enter the URL you copied in step 2.
  6. Connect a device and, at the main screen, click Prepare. Leave the default options unchanged.
  7. Choose the Intune MDM server defined in step 5.
  8. Skip Apple Business Manager sign-in if prompted. At the Organization screen, select a previous org or create a new one; this is what is shown in the Settings app in iOS.
  9. Choose to generate a new supervision identity or reuse an existing one.
  10. Choose which steps to display in the Setup Assistant, then click Prepare to start the process.

Android Enrollment

Instructions: Android device enrollment guide for Microsoft Intune | Microsoft Learn

Managed Google Play Account Linking

Apps

Windows

Add app -> Microsoft 365 Apps for Windows 10 and Later. Assign to all devices.


iOS

Portal Docs

Defender for Endpoint on iOS

Endpoint security

Endpoint detection and response

Create a new policy targeting Windows 10, Windows 11, and Windows Server. Target all devices.

Security Baselines

Create a new Microsoft Defender for Endpoint Baseline policy and target all devices.


Account Protection

After enabling LAPS in Entra, create a Windows LAPS profile and apply it to all devices.

M365 Defender

Email & collaboration

Policies & Rules -> Threat Policies -> Preset Security Configurations

Enable the Standard Protection preset policies for both Exchange Online and Microsoft 365 apps.

MDCA

In the Defender Portal, go to Settings -> Cloud Apps

System

Preview Features
  • Toggle Enable
IP address Ranges
  • If you have IP ranges as Trusted Named Locations in EID, add them as Custom IP Address Ranges in MDCA with the category of Corporate

Cloud Discovery

Defender for Endpoint
  • Enforce App Access with Defender for Endpoint
User Enrichment
  • Enable User Enrichment

Information Protection

Microsoft Information Protection
  • Enable automatically scan new files
  • Enable scanning of protected files. You'll need to go through the OAuth grant process.
Files
  • Enable file monitoring

App governance

Service Status
  • Turn on app governance

Connected Apps

App Connectors
  • Hit Connect an app, choose Microsoft 365 from the list, and select all options.

SIEM Agents

  • Add the Azure Sentinel integration

MDE

In the Defender Portal, go to Settings -> Endpoints

Advanced Features

Set the advanced features as captured in the mde_advanced_features screenshot (not reproduced here).

Defender for Identity (MDI)

General

In the Defender Portal, go to Settings -> Identities

Sensors

Click +Add Sensor, download the installer, and copy the Access key.

Install the sensor on all DCs in AD. Enter the access key when prompted by the installer.

After installing, configure the Active Directory requirements listed below.

AD Configuration

  • Configure Event Collection via GPO
  • Configure the Group Managed Service Account (gMSA)
    • On the first DC:
      • Create the root KDS key:
        ```powershell
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
        ```
      • Purge Kerberos tickets:
        ```powershell
        klist purge -li 0x3e7
        ```
      • Create the gMSA:
        ```powershell
        New-ADServiceAccount accountname -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers" -DNSHostName accountname.domain.contoso.com
        ```
      • Install the gMSA on the DC:
        ```powershell
        Install-ADServiceAccount -Identity 'accountname'
        ```
    • On the other DCs, purge Kerberos tickets and install the service account
    • Add the gMSA in the portal (Adding a gMSA account)
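The gMSA steps above are repeated by hand on every DC, and a typo in any of them leaves a sensor that cannot retrieve its password. The following is an added example, not part of the original notes: it performs the same sequence once from a single admin host, creates a KDS root key only if the domain has none, restricts password retrieval to the Domain Controllers group, and validates the account on every DC. The gMSA name mdiSvc01 is a placeholder; the script assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example: create the MDI sensor gMSA once and install/verify it on every DC.
# Assumes the ActiveDirectory module on this host and PowerShell remoting to the DCs.
Import-Module ActiveDirectory

$gmsaName  = 'mdiSvc01'                    # placeholder gMSA name (sAMAccountName without the trailing $)
$domainDns = (Get-ADDomain).DNSRoot        # e.g. contoso.com

# Create a KDS root key only if the domain has none; extra keys are not needed.
# Backdating EffectiveTime by 10 hours skips the replication wait and is only
# acceptable in a lab with a single DC site.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Create the gMSA if it does not exist. Only domain controllers may retrieve
# its managed password, which is exactly what the MDI sensor service needs,
# so a compromised member server cannot obtain it.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
        -KerberosEncryptionType AES256
}

# On every DC: purge the SYSTEM account's (LUID 0x3e7) Kerberos tickets so the
# DC picks up its new group membership, install the gMSA, then validate it.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ArgumentList $gmsaName -ScriptBlock {
    param($name)
    klist purge -li 0x3e7 | Out-Null
    Install-ADServiceAccount -Identity $name
    [pscustomobject]@{
        DC     = $env:COMPUTERNAME
        gMSAOk = (Test-ADServiceAccount -Identity $name)   # $true when the DC can retrieve the password
    }
} | Format-Table -AutoSize
```

Any DC reporting gMSAOk = False will fail sensor installation with the access key until the account is installed correctly on that host.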

Microsoft Purview

Sensitivity Labels

Enable labeling for Protected content & PDFs

With the SharePoint Module in PowerShell 5

```powershell
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com/'
Set-SPOTenant -EnableAIPIntegration $true
Set-SPOTenant -EnableSensitivityLabelforPDF $true
```

Enable Labeling for Containers

In a fresh tenant, there will not be any EntraID group settings configured, so those need to be created. After that, you can enable the label sync.

With the AzureADPreview module in Windows PowerShell (PS5)

```powershell
Connect-AzureAD
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
$setting = $Template.CreateDirectorySetting()
$setting["EnableMIPLabels"] = "True"
New-AzureADDirectorySetting -DirectorySetting $setting
```

Then, with the ExchangeOnlineManagement module in PS5/PS7+

```powershell
Connect-IPPSSession
Execute-AzureAdLabelSync
```

Enable co-authoring for Encrypted Files

This can be done in the portal, or via PowerShell.

With the ExchangeOnlineManagement module in PS5/PS7+

```powershell
Connect-IPPSSession
Set-PolicyConfig -EnableLabelCoauth:$true
```

DLP

Endpoint DLP

Settings

Portal Docs

In Settings, change the following:
  • Advanced classification scanning and protection: On

MIP Scanner

Portal Docs

Prerequisites
  • Service account in AD, excluded from MFA registration and CAs
  • SQL server for the scanner, as well as a Windows server

Deployment
  1. Create a Scanner Cluster
  2. Create a Content Scan Job. Be sure to disable any of the auto options; this will just be for scanning.