2. Azure Identity Management:
Multi-Factor Authentication (MFA)
Project Summary
• To improve account security and protect against phishing attacks, the Information and Innovation Office will be implementing Multi-Factor Authentication (MFA). MFA requires multiple forms of identity verification to secure the organization against security breaches in the event a user’s County login credentials are stolen or compromised. When logging in remotely, users will be required to complete an additional authentication step via a smart phone app or a phone call to verify their identity.
• Enable Multi-Factor Authentication for all County Users accessing Applications and Services Remotely
• Phase 1: Outlook, Teams, SharePoint, OneDrive
• Phase 2: VPN, VDI, other County provided applications which may support MFA
Pilot Groups
• Server Team
• Security Team
• ITSS Division of IT Department – Server Team, Network Team, Desktop Support Team, Technical Support Desk Team
• IT Department – Everyone else in IT Department
• Communications
Project Schedule
• Configure and Enable MFA in environment, create Conditional Access and MFA Policies and Groups in Azure – Completed: 2/2020
• Enable MFA for Server Team to allow testing – Completed: 2/2020 11/2020
• Enable MFA for ITSS and Security Team to allow testing – Completed: 2/2021 4/2021
• In-Person Support / Training Workshops for Desktop Support and Technical Support Desk Teams – Completed: 4/2021
• Enable MFA for IT Department to provide final testing – Completed: 5/2021
• Enable MFA for Departmental Directors and key staff: Scheduled for September 2021
• Enable MFA County-Wide in a Department by Department Rollout beginning in September 2021 October 2021
• Phase 2 Apps will be enabled for MFA as the infrastructure dependencies are resolved – Late CY 2021
3. Azure Identity Management:
Multi-Factor Authentication (MFA)
Communications Plan
• Email Templates and MFA User Guides have been developed
• Meetings and Coordination with SDM’s will be held prior to Departmental Deployment
• Communications and User Guides will be sent to end users, Department by Department, on a rolling basis
• MFA Guides will be posted on COIN
• Videos to assist with setup
• MFA User Guides are targeted specifically to Apple or Android users depending on the type of device
• A phone-only callback option guide is also available for users without smart phones
Authentication Methods
• Remote Access will be granted via the following second forms of authentication:
  • Smart Phone based authentication app (Microsoft Authenticator App)
  • Phone Callback
VIP Handling
• IT will schedule setup and assist with configuration with each of the Commissioner’s offices in person
• Each District’s Commissioner and their aides will be configured at the same time, so all District staff can be done in a single visit
• The County Administrator and ACA’s will be configured in person
• In person assistance will be given to individual Department Directors, if requested
• The Desktop Support Team will provide in person support
4. Azure Identity Management:
Multi-Factor Authentication (MFA)
End User Experience
• Register user account with Microsoft MFA Service (open 1-3 weeks)
  • Technology Announcement Email: one week before MFA Registration begins
  • Scheduled Change Notification Email: The day before Registration begins, morning of, and every 3 days until registration period ends
  • User registers with the MFA Service by following step by step instructions in user guide
  • The Apple and Android email client is no longer supported. End users must transition to the Microsoft Outlook App
    • Note - Enable Save Contacts in Outlook App
  • User may contact Technical Service Desk with questions or issues
  • User must register with the MFA Service during the registration period or they will not be able to access applications remotely after MFA has been enabled for their department
• MFA enabled for Department
  • Scheduled Change Notification Email: The three days prior to MFA being enabled, warning users that they will not be able to log in unless MFA registration has been completed
  • Users will be prompted for MFA when accessing applications remotely
  • Users will be prompted on their phone or receive a phone call to approve the login
5. [Timeline chart, April through September: ITSS Deployment and Testing; IIO Deployment and Testing; County-Wide Departmental Deployment]
Planning and Initial Configuration – January 2020 to April 2020
• Identify requirements
• Meet with Stakeholders to define project goals, requirements and timelines
• Configure Azure Tenant for MFA
• Configure Conditional Access Policies and Create Azure AD Groups for MFA Testing Pilot Group
• Enable MFA for select ITSS Architects, Engineers and Security Team Staff
IIO Deployment and Testing – May 2021
• Deploy to the remainder of the IIO Department
• Deploy to Departmental Technical Liaisons
• Thoroughly Test
• Refine communications and user guides if necessary, based on feedback from users
Finalizing Deployment Configuration – May 2020 to October 2020
• Refine Requirements
• Refine and fine tune MFA Configuration and Settings in Azure Tenant
• Project put on Hold due to COVID-19
• Continue testing for initial pilot group while project On Hold
Departmental Deployments – September 2021
• Send initial Communications to Individual Departments a week before MFA Registration Opens
• Send series of Communications to Individual Departments during MFA Registration Period
• Support Departmental Users during MFA Registration Period
• Enable Individual Departments on a rolling schedule
• Enroll all support Vendor Accounts
Deployment to ITSS – November 2020 to April 2021
• Resume Project
• Finalize MFA Deployment Settings
• Create Azure AD Group for Production MFA Deployment
• Create and approve MFA User Guides
• Create and approve Communications email templates
• Enable MFA for all remaining ITSS Employees and IIO Security Team
• Train Desktop Support and Technical Support Desk staff to support end users
VIP MFA Registration – September 2021
• Coordinate with each Commissioner District and staff to Register and Enable MFA in person
• Coordinate with the County Administrator, ACA’s and other 26th Floor staff to Register and Enable MFA in person
• Department Directors and other identified VIP’s can be handled in-person based on guidance from Management or upon request
7. County-Wide Deployment Schedule
• May: IT Department Testing
• Phase 1 (September 1 – September 15): Directors and Senior-Level Departmental Staff
• Phase 1 (September 1 – September 15): Extension Services, Arts Council, Guardian Ad Litem, Economic Development, Childrens Board, Fleet, Pet Resources, Code Enforcement, Medical Examiner, Parks and Recreation, Conservation and Environmental Lands Management, Compliance Communities and Conservation, Soil and Water Conservation, Affordable Housing, Management and Budget, Procurement Services, Human Resources, Risk Management, County Attorney
• Phase 2 (September 13 – September 27): Library Services, BOCC, Operations and Legislative Affairs, Government Relations & Strategic Services, Independent Performance Auditor, County Administrator, Facilities Services, Development Services, Head Start, Childrens Services, Aging Services, Sunshine Line, Social Services, Health Care Services, Veterans Services, Homeless Services, THHI, Emergency Management, 911 Agency, Emergency Dispatch, Fire Rescue, Public Works, Public Utilities