Our client, a global professional services firm, engaged us to help them implement multi-factor authentication (MFA) to increase email security. Because the organization had experienced phishing attacks—and due to a prior, failed attempt to implement MFA—this project carried an especially high profile.
Ultimately the focus of this project was deploying MFA for Exchange Online—but to get there required attention to several complex issues.
One major complication was the need to exclude domain-joined devices from MFA requirements, since the identity of users operating those devices has already been established through login to the device itself. By excluding domain-joined devices, users are spared unnecessary authentication steps. In this case, we needed to update the Active Directory system as a necessary precursor to the MFA deployment. Our client runs Active Directory on-premises, whereas MFA is run from the cloud. That’s a workable scenario, but only with the latest Active Directory version running locally. Therefore, we worked quickly with our client’s internal IT team and its outsourced IT infrastructure management service provider to establish the new Active Directory environment and cut over to it rapidly.
Another key requirement was deploying the hybrid Azure Active Directory join agent—software that enables older devices to authenticate to the cloud—across the organization’s Windows 7 devices. For this phase, we worked closely with our client’s application deployment team and accomplished a rapid rollout throughout the company.
A third complicating factor was the need to create and apply conditional-access policies to ensure users are presented with MFA requirements only when needed. For example, one policy allows the domain-joined Windows devices to skip MFA. Other policies require MFA for mobile devices using iOS or Android-native mail applications—but not the Outlook app available for mobile devices, as that app authenticates directly. Another policy requires MFA on Mac devices, unless the device itself is Intune-enrolled (meaning already authenticated at the device level with Microsoft’s cloud-based Intune service, which registers the device together with an associated user-provided cell phone number).
Finally, we needed to ensure that even domain-joined and Intune-enrolled devices require users to authenticate via MFA the first time they connect to Exchange.
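As an added illustration (not the firm's deployment scripts and not Microsoft's conditional-access engine), the Python model below encodes the four policy rules described above as one decision function, so that representative sign-ins can be checked for gaps before the real policies go live; the class and field names (SignIn, ExchangeMfaPolicy, client_app values) are assumptions made for this example.

```python
"""Constructed model of the Exchange Online conditional-access rules described above."""
from dataclasses import dataclass, field


@dataclass
class SignIn:
    """One sign-in attempt to Exchange Online (constructed fields, not Azure AD's schema)."""
    user: str
    platform: str                  # "windows", "macOS", "iOS" or "android"
    client_app: str                # "outlook", "native_mail" or "browser"
    domain_joined: bool = False    # hybrid Azure AD joined Windows device
    intune_enrolled: bool = False  # device enrolled in Intune


@dataclass
class ExchangeMfaPolicy:
    # Users who have already completed an MFA-backed first connection to Exchange.
    first_connection_done: set = field(default_factory=set)

    def requires_mfa(self, s: SignIn) -> bool:
        # Rule 4: every user proves MFA on the first Exchange connection,
        # even from a domain-joined or Intune-enrolled device.
        if s.user not in self.first_connection_done:
            return True
        # Rule 1: domain-joined Windows devices established identity at device login.
        if s.platform == "windows" and s.domain_joined:
            return False
        # Rule 3: Macs skip MFA only when the device itself is Intune-enrolled.
        if s.platform == "macOS":
            return not s.intune_enrolled
        # Rule 2: mobile native mail apps need MFA; the Outlook app authenticates directly.
        if s.platform in ("iOS", "android"):
            return s.client_app != "outlook"
        # Anything not matched by an explicit exemption (e.g. a non-joined Windows
        # device or a browser session) falls through to MFA rather than to "allow".
        return True

    def record_mfa_success(self, user: str) -> None:
        """Called after the user completes MFA; later sign-ins use the device exemptions."""
        self.first_connection_done.add(user)


if __name__ == "__main__":
    policy = ExchangeMfaPolicy()
    pc = SignIn("alice", "windows", "outlook", domain_joined=True)
    print("first connection from joined PC needs MFA:", policy.requires_mfa(pc))
    policy.record_mfa_success("alice")
    print("later connection from joined PC needs MFA:", policy.requires_mfa(pc))
    print("iOS native mail needs MFA:", policy.requires_mfa(SignIn("alice", "iOS", "native_mail")))
```

Because every unmatched path returns True, adding a new platform or client type cannot silently create an MFA bypass; only an explicit exemption can.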
Once all these factors were accommodated and addressed, we moved forward with actually rolling out MFA requirements at the user level, working through batches of several hundred users each day. Within a few weeks, thousands of users throughout the company were successfully enrolled.
On this project, the Concurrency team included a technical architect, a business analyst and a project manager. To best support a rapid organizational change, Concurrency also provided Organizational Change Management (OCM) support. To read more about those portions of the project, click here.