Deploying MFA for staff in a K12 environment

Several districts have asked me how my large district deployed MFA (multi-factor authentication) to all staff.

The short summary is:

  • We don’t prompt for MFA when staff are on district property or using district laptops.
  • We worked with our unions in advance and created exception workflows.
  • We started with our high-risk phishing targets (school board, principals, etc.).
  • Then we deployed other groups in waves – substitutes, secondary schools, and finally everyone.

The good news is that most staff understand the need – anyone who uses online banking these days is getting used to MFA prompts. They may not like them, but they understand the function and the need. Additionally, the O365 MFA system can use voice calls instead of texting, so a regular home landline works – no smartphone or text/data service fees are required, although most users prefer smartphone MFA prompts.

There are two primary parts to the MFA deployment plan: how you onboard staff, and how and when you prompt for MFA. Of course, prompting for O365 MFA requires some back-end configuration – details can be found here:

The following is a workflow my district used for when to prompt with the MFA challenge.

MFA Conditional Access


And here is the workflow for how we did the actual MFA onboarding.

MFA Notifications

  1. We used a distribution list to send MFA enrollment requests out via email.
  2. We tracked enrollment of end users.
  3. If a user didn’t enroll, we sent reminder emails for 30 days. If they were still not enrolled at the end of the 30 days, we put them in a cloud-access block group.
  4. We created a reset process for users who wanted another opportunity to enroll after the initial 30-day window expired.
  5. We created an MFA bypass group for special manager-justified exceptions.
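
The five onboarding steps above can be expressed as a daily reconciliation job. The sketch below is an added example, not the district's own tooling: it calls no Microsoft 365 API, the account names and dates are constructed, and it assumes that a reset restarts a fresh 30-day window and that blocking starts on day 31.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=30)  # enrollment window from step 3

@dataclass
class Staff:
    upn: str                          # constructed sample identifiers only
    invited: date                     # step 1: enrollment email sent
    enrolled: bool = False            # step 2: tracked enrollment state
    bypass: bool = False              # step 5: manager-justified exception
    reset_on: Optional[date] = None   # step 4: reset restarts the window (assumed)

def action_for(s: Staff, today: date) -> str:
    """Classify one user as 'exempt', 'done', 'remind' or 'block'."""
    if s.bypass:
        return "exempt"
    if s.enrolled:
        return "done"
    start = max(s.invited, s.reset_on) if s.reset_on else s.invited
    # Assumption: day 30 still gets a reminder; the block starts on day 31.
    return "remind" if today - start <= WINDOW else "block"

def plan(roster: list[Staff], today: date, block_group: set[str]) -> dict:
    """Reconcile the cloud-access block group and list who needs a reminder."""
    should_block = {s.upn for s in roster if action_for(s, today) == "block"}
    return {
        "remind": sorted(s.upn for s in roster if action_for(s, today) == "remind"),
        "add_to_block": sorted(should_block - block_group),
        "remove_from_block": sorted(block_group - should_block),
    }

# Constructed roster for illustration; not real accounts.
TODAY = date(2024, 3, 1)
ROSTER = [
    Staff("principal@example.org", date(2024, 1, 10), enrolled=True),
    Staff("sub1@example.org", date(2024, 2, 15)),
    Staff("teacher1@example.org", date(2024, 1, 10)),
    Staff("teacher2@example.org", date(2024, 1, 10), reset_on=date(2024, 2, 20)),
    Staff("coach@example.org", date(2024, 1, 10), bypass=True),
    Staff("late@example.org", date(2024, 1, 10), enrolled=True),
]

if __name__ == "__main__":
    print(plan(ROSTER, TODAY, block_group={"teacher2@example.org", "late@example.org"}))
```

Computing the block group as a difference against current membership means users who enroll late or go through the reset process are removed from the block automatically on the next run.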


James Rigert and April Mardock
