Contributed by: April Mardock | Originally published on May 27, 2019 (OpsecEdu Blog)


Several different districts have asked me how my large district deployed multifactor authentication (MFA) to all staff.

The short summary is:

  • We don’t MFA prompt when on district property or when using district laptops.
  • We worked with our unions in advance and created exception workflows
  • We started with our high risk phishing targets (school board, principals, etc)
  • Then we deployed other groups in waves – substitutes, secondary schools, and finally everyone.

The good news is that most staff understand the need – anyone who uses online banking these days is getting used to MFA prompts.  They may not like them, but they understand the function and the need.  Additionally, the o365 MFA system can use voice instead of texting, so a regular home land line works – no smartphone or text/data service fees are required, although most users prefer smartphone MFA prompts.

There are two primary parts to the MFA deployment plan – how you onboard the staff; and how and when you prompt for MFA.  Of course, prompting for o365 MFA requires some back end configuration – details can be found here.

The following is a workflow my district used for when to prompt with the MFA challenge:

MFA Conditional Access

And here is the workflow for how we did the actual MFA on-boarding:

MFA Notifications

  1. We used a distribution list to send MFA enrollment requests out via email.
  2. We tracked enrollment of end users.
  3. If a user didn’t enroll, we sent reminder emails for 30 days. If at the end of 30 days they are not enrolled, we put them in a cloud-access block group.
  4. We created a reset process for users who wanted another opportunity to enroll after the initial 30 day window expired.
  5. We created an MFA bypass group for special manager-justified exceptions.

Credits: James Rigert and April Mardock