IT Project Implementation Guide

Implementation Project Plan

12/5/2024 1
Agenda

• Design Work & Planning
• Installation & Configurations
• Pilot & Full Deployment
• Go Live
• Monitoring
• UAT
• Team Structure
• Engineer contacts
• Adoption training

Design Work & Planning
Requirements Gathering

• Existing Identity Infrastructure:
  • What directory services are currently in use (e.g., on-prem Active Directory, LDAP)?
  • Are there hybrid configurations with Azure AD already in place?
• Applications and Services:
  • Inventory of applications requiring integration (on-prem, SaaS, or custom applications).
  • Compatibility requirements for legacy applications.
• Authentication Mechanisms:
  • Current methods (e.g., passwords, smart cards).
  • Plans to adopt passwordless or biometric authentication.
• User Base:
  • Number of users, locations, and types (employees, contractors, external users).
  • Any special groups requiring unique policies.
• Access Control:
  • Define access requirements for roles and groups.
  • Are there existing role-based access control (RBAC) policies to migrate?
• Guest Access:
  • Need for external collaboration (e.g., with partners, vendors).

Design Work & Planning
Requirements Gathering

• Multi-Factor Authentication (MFA):
  • Which methods should be enabled (e.g., SMS, phone call, app-based)?
  • Are there specific Conditional Access policies to enforce MFA?
• Conditional Access:
  • Define policies for location, device, and application access.
• Threat Protection:
  • Are Identity Protection and risk-based Conditional Access required?
  • Plans to monitor for risky sign-ins or compromised accounts.
• Managed Devices:
  • Are devices enrolled in Endpoint Manager (Intune) or other MDM solutions?
  • Requirements for device compliance policies.
• Bring Your Own Device (BYOD):
  • Policies for unregistered or personal devices accessing resources.
• Third-Party Identity Providers:
  • Are there existing SAML, OAuth, or OpenID Connect integrations?
• Cloud and On-Prem Services:
  • Integration with existing workloads like Microsoft 365, Teams, SharePoint, or other SaaS applications.
  • Requirements for hybrid identity synchronization via Azure AD Connect.

Design Work & Planning
Requirements Gathering

• Audit and Monitoring:
  • Logging and reporting requirements for sign-in and audit logs.
• Regulatory Requirements:
  • Compliance with industry standards (e.g., SOX, ISO 27001).
• Lifecycle Management:
  • Policies for user onboarding, role changes, and deprovisioning.
• Access Permissions for the Implementation work:
  • VPN Access
  • Server Access
  • User credentials
• Server Requirements:
  • Entra connector
  • Application Proxy

Design Work & Planning
Documentation

• Deployment Checklist
• Requirements Documentation
• Architecture and Design
• Deployment and Configuration
• Security and Compliance
• Administrator Documentation
• End-User Training Materials
• Troubleshooting Guides
• Optimization Documentation

Design Work & Planning
Develop project plan

• Tasks
• Dependencies
• Deliverables
• Responsibility
• Risks
• Timeline

• KBSL will provide a Project Manager to drive the project
• These project tasks will be finalized after completing the requirements gathering workshop and agreeing on the UAT use cases.

Installation & Configurations
Assessment and Planning

• Evaluate Current IAM Infrastructure
• Inventory Applications and Services (Cloud & On-Premises)
• Assess Compliance and Security Needs
• Evaluate User Groups and Roles
• Analyze Network and Connectivity
• Review Current Authentication Policies

Installation & Configurations
Installation

• Install Azure AD Connect
• Synchronize Directories
• Verify Hybrid Identity Setup
• Enable Single Sign-On (SSO)
• Enable Multi-Factor Authentication (MFA)
• Set Conditional Access Policies
• Register Applications in Microsoft Entra
• Assign Access Permissions
• Provision Users and Groups
• Assign Licenses
• Test User Access
• Enable Identity Protection
• Enable Privileged Identity Management (PIM)
• Enable Logging and Auditing

Installation & Configurations
Configure Multi-Factor Authentication

• Licensing Requirements
  • Microsoft Entra Free (with security defaults)
  • Microsoft Entra P1 or P2
  • Microsoft 365 Business Premium
• Access to Azure Portal
• Enable Security Defaults (only where Conditional Access will not be used: security defaults must be turned off before Conditional Access policies can be enabled)
• Set MFA Verification Methods
  • Microsoft Authenticator app
  • SMS
  • Voice calls
  • FIDO2 security keys
• Configure Trusted IPs
• User-Specific MFA
• Group-Based MFA
• Configure Conditional Access for MFA
• Test MFA Configuration

Installation & Configurations
Application Integration

• Microsoft Entra ID can be integrated with many applications, including SAP R/3, SAP S/4HANA, and those using standards such as OpenID Connect, SAML, SCIM, SQL, LDAP, SOAP, and REST
• Through these standards, you can use Microsoft Entra ID with many popular SaaS applications and on-premises applications, including applications that your organization developed
• Microsoft Entra ID has a gallery that contains thousands of enterprise applications that are already pre-integrated
• KBSL will onboard 5 applications in the implementation stage; these can be cloud or on-premises
• KBSL will deploy the Application Proxy and connector; the Bank will provide the required hardware & software resources

Installation & Configurations
Deploy User Policies

• Identify user groups (e.g., admins, general users, external collaborators) for MFA enforcement.
• Decide on supported authentication methods.
• Ensure users are familiar with MFA and have access to required devices (e.g., smartphones for the Authenticator app).
• Enforce basic MFA for all users:
  • Users or Groups: Select users, groups, or roles (e.g., "All Users" or "Admins")
  • Cloud Apps: Apply the policy to All Cloud Apps or specific apps
• Inform users about the deployment and share setup guides (e.g., installing the Microsoft Authenticator app).
• Direct users to complete enrollment via https://aka.ms/mfasetup.
• Users can set up their preferred verification methods (e.g., Authenticator app, phone number).
• Have a subset of users test MFA to ensure policies are working as intended.
• Use the Sign-ins log in the Azure portal to review MFA usage and identify failed attempts.
• Adjust Conditional Access policies based on feedback or audit findings.
• Provide support for users facing setup challenges or verification failures.
• Periodically review Conditional Access policies to maintain compliance and security standards.

Pilot & Full Deployment
Deploy Test Applications & Users

• In the pilot run we will integrate 2 applications (5 in full deployment), one cloud and one on-premises, and carry out functional testing.
• Select a small, representative group of 5 users (50 in full deployment), e.g., IT staff, security team, or a specific department.
• Include different user types, such as administrators, remote users, and external collaborators.
• Create test accounts to simulate user scenarios without affecting production accounts.
• Test the functionality of MFA (e.g., various authentication methods).
• Measure the impact on user productivity and workflows.
• Validate security policies like Conditional Access and application integration.
• Success criteria:
  • 95% successful MFA adoption rate among pilot users.
  • No critical business disruption during the pilot.
  • Positive feedback from at least 80% of pilot participants.
• Evaluate performance against the success criteria.
• Identify and document any gaps or challenges.
• Align the project plan & timeline.

Pilot & Full Deployment
Security Validation

• Confirm that only allowed MFA methods (e.g., Authenticator App, SMS, phone call, FIDO2 keys) are available for user setup.
• Test that users can only register with approved devices and credentials.
• Verify that MFA enrollment can only occur after users authenticate with their primary credentials.
• Ensure that user account recovery processes are secure and compliant with organizational policies.
• Validate that MFA registration data (e.g., phone numbers, app keys) is encrypted at rest and in transit.
• Validate that MFA is triggered based on defined Conditional Access rules:
  • User group assignment
  • Application access
  • Risk levels (e.g., medium or high sign-in risks)
  • Geographic location and IP address restrictions
• Test that trusted IP addresses or user groups excluded from MFA policies are correctly bypassing MFA.
• Validate how MFA behaves during session persistence (e.g., "Remember MFA for X days" policies).
• Validate Authentication Attempts:
  • Lockout Mechanisms: validate lockout policies for repeated failed MFA attempts to prevent brute-force attacks.
  • Stolen Credentials Simulation: attempt to log in with stolen primary credentials and verify MFA prevents unauthorized access.
  • Geo-Blocking: validate that users attempting to sign in from restricted regions are blocked as per policy.
  • Role-Based Access: test MFA enforcement for privileged accounts (e.g., admins) versus standard user accounts.
• Verify that all authentication attempts, including MFA successes and failures, are recorded in the logs.
• Test that security alerts for abnormal MFA behavior are generated and routed to appropriate administrators.
• Exclude Test Users

Go Live
Pre-Cutover Preparation

• Finalize Policies
  • Review and refine Conditional Access policies based on pilot findings.
  • Ensure policies cover all user groups, applications, and risk scenarios.
• User Readiness
  • Confirm all users are informed and trained on the MFA process.
  • Distribute guides and resources for setup.
• Test Backup Mechanisms
  • Validate account recovery processes, including alternative authentication methods.
• Verify Infrastructure
  • Confirm that authentication infrastructure (e.g., Microsoft Authenticator, network configurations) is operational.
  • Ensure necessary licenses are provisioned for all users.
• Set Communication Plan
  • Schedule and send final notifications with the cutover date, time, and support contact details.

Go Live
Cutover Execution

• Enable MFA Organization-Wide for the agreed applications & users
  • Update policies to include all user groups and applications.
• Monitor in Real Time
  • Monitor for sign-in issues, unusual patterns, or increased help desk calls.
• Provide Real-Time Support
  • Have a dedicated team available to assist users during the cutover period.

Go Live
Post-Cutover Validation

• Confirm MFA Enforcement:
  • Verify that all users are prompted for MFA during sign-in attempts.
  • Ensure MFA is enforced for high-risk sign-ins and critical applications.
• Audit Sign-In Activity:
  • Review logs for failed MFA attempts and investigate anomalies.
  • Ensure compliance with Conditional Access policies.
• Gather User Feedback:
  • Survey users to understand their experience with the cutover.
  • Address any usability or technical challenges reported.

Monitoring
Monitor & Report the Functions

• Monitor User Authentication Activity
  • Review Sign-In Logs: successful and failed authentication attempts
• Analyze MFA Usage Trends
  • Identify the percentage of users successfully using MFA
  • Review the most frequently used authentication methods (e.g., Microsoft Authenticator, SMS)
• Monitor Risky Sign-Ins
  • High-risk user accounts
  • Sign-ins flagged for unusual locations, impossible travel, or unfamiliar IP addresses
• Validate Policy Enforcement
  • Verify that all policies are applied correctly, especially for high-risk scenarios.
  • Test policies for specific groups or applications to ensure MFA triggers as expected.
• Security Incident Monitoring
  • Set Up Alerts: configure notifications for suspicious activity or policy violations
• Performance and Scalability Monitoring
  • Authentication Response Times
  • Service Health
• Audit and Compliance Checks
• Continuous Improvements

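Added example, not the project's or Microsoft's code: a small reviewer for an exported sign-in log that scores the pilot criterion (95% MFA adoption among pilot users) and lists failed MFA attempts, risky sign-ins and sign-ins where Conditional Access was not applied, as the Deploy User Policies, Pilot and Monitoring slides call for. The records are constructed in the shape of Microsoft Graph signIn entries; the pilot user names, app names and the non-zero error code value are assumed sample values.

```python
# Constructed sample in the shape of Microsoft Graph signIn records (only the fields read
# below). Pilot UPNs, app names and the non-zero errorCode are assumed sample values.
PILOT_USERS = {f"pilot{i}@example.com" for i in range(1, 6)}
SAMPLE_SIGNINS = [
    {"userPrincipalName": "pilot1@example.com", "appDisplayName": "SharePoint Online", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication", "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "pilot2@example.com", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication", "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "pilot3@example.com", "appDisplayName": "SAP S/4HANA", "status": {"errorCode": 500121},
     "authenticationRequirement": "multiFactorAuthentication", "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "pilot3@example.com", "appDisplayName": "SAP S/4HANA", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication", "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "pilot4@example.com", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication", "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "pilot5@example.com", "appDisplayName": "SharePoint Online", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication", "riskLevelDuringSignIn": "medium", "conditionalAccessStatus": "success"},
]

def review_signins(records, pilot_users=PILOT_USERS, target=0.95):
    """Score a sign-in export against the pilot criterion and the monitoring checks."""
    adopted = set()                      # users with at least one successful MFA sign-in
    failed_mfa, risky, ca_not_applied = [], [], []
    for r in records:
        upn, code = r["userPrincipalName"], r["status"]["errorCode"]
        mfa_required = r["authenticationRequirement"] == "multiFactorAuthentication"
        if mfa_required and code == 0:
            adopted.add(upn)
        elif mfa_required:               # MFA was demanded and the sign-in did not complete
            failed_mfa.append((upn, r["appDisplayName"], code))
        if r["riskLevelDuringSignIn"] in ("medium", "high"):
            risky.append((upn, r["riskLevelDuringSignIn"]))
        if r["conditionalAccessStatus"] == "notApplied":
            ca_not_applied.append(upn)   # trusted-IP/exclusion bypass, or a policy gap to check
    rate = len(adopted & pilot_users) / len(pilot_users)
    return {"adoption_rate": rate, "meets_target": rate >= target,
            "not_adopted": sorted(pilot_users - adopted), "failed_mfa": failed_mfa,
            "risky_signins": risky, "ca_not_applied": ca_not_applied}
```

On the constructed sample only four of five pilot users complete MFA, so the 95% criterion is not met and pilot4 (single-factor, Conditional Access not applied) is the account to follow up.
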
UAT
Confirm Functionality

• User Enrollment Test Cases
  • MFA registration for new users
  • Registration with different MFA methods
  • Invalid phone number during registration
• Authentication Test Cases
  • MFA prompt during login
  • Incorrect MFA code
  • Login from new device
  • Risk-based MFA enforcement
  • Locked out after multiple failed MFA attempts
• Conditional Access Test Cases
  • MFA for specific user groups
  • Exclusion of trusted IPs from MFA
  • MFA for high-risk sign-ins
  • MFA for specific applications
  • Exclusion policy validation
• Usability and Accessibility Test Cases
  • First-time MFA setup experience
  • User experience on mobile devices
  • Fallback method during authentication failure
• Logging and Monitoring Test Cases
  • Sign-in log accuracy
  • Risk detection logging
  • Policy change audit logging
• Backup and Recovery Test Cases
  • Recover access after losing a device
  • Account lockout recovery

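Added example, not the project's code: a simplified Conditional Access evaluator, modelled on the field layout of the Microsoft Graph conditionalAccessPolicy resource, to dry-run the Security Validation checks and the Conditional Access test cases above (group scoping, trusted-IP exclusion, high-risk sign-ins, app targeting, exclusion policy). The two policies, the group names and the sign-in records are constructed; Microsoft's real evaluation engine has more conditions than are modelled here.

```python
# Added example: two constructed policies in the Graph conditionalAccessPolicy layout.
# Group names ("admins", "break-glass") and the sign-in keys below are assumptions.
ALL = "All"
POLICIES = [
    {   # Baseline: MFA for everyone on every app, skipped from trusted named locations
        "displayName": "CA01 - Require MFA for all users", "state": "enabled",
        "conditions": {"users": {"includeGroups": [ALL], "excludeGroups": ["break-glass"]},
                       "applications": {"includeApplications": [ALL]},
                       "locations": {"excludeLocations": ["AllTrusted"]}, "signInRiskLevels": []},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Privileged accounts: block high-risk sign-ins even from trusted locations
        "displayName": "CA02 - Block high-risk admin sign-ins", "state": "enabled",
        "conditions": {"users": {"includeGroups": ["admins"], "excludeGroups": []},
                       "applications": {"includeApplications": [ALL]},
                       "locations": {"excludeLocations": []}, "signInRiskLevels": ["high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

def policy_applies(policy, s):
    """All configured conditions must match (sign-in keys: groups, app, trusted_ip, risk)."""
    c = policy["conditions"]
    groups, users = set(s["groups"]), c["users"]
    if ALL not in users["includeGroups"] and not groups & set(users["includeGroups"]):
        return False                                   # user not in scope
    if groups & set(users["excludeGroups"]):
        return False                                   # explicit exclusion wins
    apps = c["applications"]["includeApplications"]
    if ALL not in apps and s["app"] not in apps:
        return False                                   # app not targeted
    if s["trusted_ip"] and "AllTrusted" in c["locations"]["excludeLocations"]:
        return False                                   # trusted IP bypass
    risks = c["signInRiskLevels"]
    return not risks or s["risk"] in risks             # empty list = any risk level

def evaluate(sign_in, policies=POLICIES):
    """Combine every matching policy's controls; a block always beats a grant."""
    controls = set()
    for p in policies:
        if p["state"] == "enabled" and policy_applies(p, sign_in):
            controls.update(p["grantControls"]["builtInControls"])
    if "block" in controls:
        return "blocked"
    return "mfa required" if "mfa" in controls else "not applied"
```

Each UAT row above becomes one call to evaluate() with a constructed sign-in, so the expected outcome of a test case can be written down before it is run against the tenant.
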
Team Structure

• Project Director: Mr. Kagnroath Uk
• Project Manager: Mr. Sophorn Ros
• Technical Lead (KBSL): Mr. Phy Khuon
• Account Manager: Mr. Winu Peththawadu
• System Engineers: Mr. Mengsron Seng, Mr. Vuthy Lach, Mr. Lyhour Hout

Contact Engineer

Positron Contact List

Name                Email              Telephone          Project Role
Mr. Kagnroath Uk    [email protected]  (855) 95 555 175   Project Director
Mr. Sophorn Ros     [email protected]  (855) 10 360 222   Project Manager
Mr. Phy Khuon       [email protected]  (855) 10 496 222   Technical Lead
Mr. Mengsron Seng   [email protected]  (855) 70 756 225   Project Engineer
Mr. Lyhour Hout     [email protected]  (855) 93 932 014   Project Engineer
Mr. Vuthy Lach      [email protected]  (855) 93 932 014   Project Engineer

List of Adoptions to be Provided

# Program
1 Admin Training & Knowledge transfer
2 Administrator and implementation documents

Thank you