Implement AZURE Identity Management MultiFactor Authentication MFA Azure

Implement AZURE Identity Management Multi-Factor Authentication (MFA)

Azure Identity Management: Multi-Factor Authentication (MFA) Project Summary • To improve account security and protect against phishing attacks, the Information and Innovation Office will be implementing Multi-Factor Authentication (MFA). MFA requires multiple forms of identity verification to secure the organization against security breaches in the event a user’s County login credentials are stolen or compromised. When logging in remotely, users will be required to complete an additional authentication step via a smart phone app, or phone call to verify their identity • Enable Multi-Factor Authentication for all County Users accessing Applications and Services Remotely • Phase 1: Outlook, Teams, Share. Point, One. Drive • Phase 2: VPN, VDI, other County provided applications which may support MFA Pilot Groups • Server Team • Security Team • ITSS Division of IT Department – Server Team, Network Team, Desktop Support Team, Technical Support Desk Team • IT Department – Everyone else in IT Department • Communications Project Schedule • Configure and Enable MFA in environment, create Conditional Access and MFA Policies and Groups in Azure – Completed: 2/2020 • Enable MFA for Server Team to allow testing – Completed: 2/2020 11/2020 • Enable MFA for ITSS and Security Team to allow testing – Completed: 2/2021 4/2021 • In-Person Support / Training Workshops for Desktop Support and Technical Support Desk Teams – Completed: 4/2021 • Enable MFA for IT Department to provide final testing – Completed: 5/2021 • Enable MFA for Departmental Directors and key staff: Scheduled for September 2021 • Enable MFA County-Wide in a Department by Department Rollout beginning in September 2021 October 2021 • Phase 2 Apps will be enabled for MFA as the infrastructure dependencies are resolved – Late CY 2021

Azure Identity Management: Multi-Factor Authentication (MFA) Communications Plan • Email Templates and MFA User Guides have been developed • Meetings and Coordination with SDM’s will be held prior to Departmental Deployment • Communications and User Guides will be sent to end users, Department by Department, on a rolling basis • MFA Guides will be posted on COIN • Videos to assist with setup • MFA User Guides are targeted specifically to Apple or Android users depending on the type of device • A phone-only callback option guide is also available for users without smart phones Authentication Methods • Remote Access will be granted via the following second forms of authentication: • Smart Phone based authentication app (Microsoft Authenticator App) • Phone Callback VIP Handling • IT will schedule setup and assist with configuration with each of the Commissioner’s offices in person • Each District’s Commissioner and their aides will be configured at the same time, so all District staff can be done in a single visit • The County Administrator and ACA’s will be configured in person • In person assistance will be given to individual Department Directors, if requested • The Desktop Support Team will provide in person support

Azure Identity Management: Multi-Factor Authentication (MFA) End User Experience • Register user account with Microsoft MFA Service (open 1 -3 weeks) • Technology Announcement Email: one week before MFA Registration begins • Scheduled Change Notification Email: The day before Registration begins, morning of, and every 3 days until registration period ends • User registers with the MFA Service by following step by step instructions in user guide • The Apple and Android email client is no longer supported. End users must transition to the Microsoft Outlook App • Note - Enable Save Contacts in Outlook App • User may contact Technical Service Desk if questions or issues • User must register with the MFA Service during the registration period or they will not be able to access applications remotely after MFA has been enabled for their department • MFA enabled for Department • Scheduled Change Notification Email: The three days prior to MFA being enabled, warning users that they will not be able to log in unless MFA registration has been completed • Will be prompted to MFA when accessing applications remotely • Users will be prompted on their phone or receive a phone call to approve the login

Azure Identity Management: Multi-Factor Authentication (MFA) APR MAY JUN JUL ITSS Deployment and Testing IIO Deployment and Testing AUG SEPTEMBER Communications Deployment and Testing County – Wide Departmental Deployment Planning and Initial Configuration – January 2020 to April 2020 IIO Deployment and Testing – May 2021 Finalizing Deployment Configuration – May 2020 to October 2020 Departmental Deployments – September 2021 Deployment to ITSS – November 2020 to April 2021 VIP MFA Registration – September 2021 • • • • Identify requirements Meet with Stakeholders to define project goals, requirements and timelines Configure Azure Tenant for MFA Configure Conditional Access Policies and Create Azure AD Groups for MFA Testing Pilot Group Enable MFA for select ITSS Architects, Engineers and Security Team Staff Refine Requirements Refine and fine tune MFA Configuration and Settings in Azure Tenant Project put on Hold due to COVID-19 Continue testing for initial pilot group while project On Hold Resume Project Finalize MFA Deployment Settings Create Azure AD Group for Production MFA Deployment Create and approve MFA User Guides Create and approve Communications email templates Enable MFA for all remaining ITSS Employees and IIO Security Team Train Desktop Support and Technical Support Desk staff to support end users • • • Deploy to the remainder of the IIO Department Deploy to Departmental Technical Liaisons Thoroughly Test Refine communications and user guides if necessary, based on feedback from users Send initial Communications to Individual Departments a week before MFA Registration Opens Send series of Communications to Individual Departments during MFA Registration Period Support Departmental Users during MFA Registration Period Enable Individual Departments on a rolling schedule Enroll all support Vendor Accounts • Coordinate with each Commissioner District and staff to Register and Enable MFA in person • Coordinate with the County Administrator, ACA’s and other 26 th Floor staff to Register and Enable MFA in person • Department Directors and other identified VIP’s can be handled in-person based on guidance from Management or upon request

County-Wide Deployment Schedule September 2021 Week 2 Week 3 Week 4 Phase 1: Directors and Management Phase 1: County-Wide Deployment Vendors Phase 2: BOCC – County Administrator Phase 2: County-Wide Deployment

County-Wide Deployment Schedule May IT Department Testing Phase 1: September 1 – September 15 Directors and Senior-Level Departmental Staff Phase 1: September 1 – September 15 Extension Services, Arts Council, Guardian Ad Litem, Economic Development, Childrens Board, Fleet, Pet Resources, Code Enforcement, Medical Examiner, Parks and Recreation, Conservation and Environmental Lands Management, Compliance Communities and Conservation, Soil and Water Conservation, Affordable Housing, Management and Budget, Procurement Services, Human Resources, Risk Management, County Attorney Phase 2: September 13 – September 27 Library Services, BOCC, Operations and Legislative Affairs, Government Relations & Strategic Services, Independent Performance Auditor, County Administrator, Facilities Services, Development Services, Head Start, Childrens Services, Aging Services, Sunshine Line, Social Services, Health Care Services, Veterans Services, Homeless Services, THHI, Emergency Management, 911 Agency, Emergency Dispatch, Fire Rescue, Public Works, Public Utilities

Questions?