---
name: mfa-rollout-planner
description: Produce a phased MFA deployment plan for an SMB across Microsoft 365, Google Workspace, and SSO-connected apps, with break-glass procedures, legacy-auth disablement, comms pack, and fallback handling.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, Identity Admins, MSP Consultants, IT Security Leads, CISOs of SMBs
output_format: Formatted Markdown MFA rollout plan with current-state audit, method matrix, phased rollout, break-glass procedure, Conditional Access policies, comms pack, and rollback plan.
license: MIT
last-reviewed: 2026-04
---

# MFA Rollout Planner

A Claude Code skill for IT managers rolling out multi-factor authentication across an SMB without locking out the CEO, breaking the CFO's inbox, or getting called at 7am because the shared mailbox stopped working.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/mfa-rollout-planner`. Describe your environment in plain English. Answer the clarifying questions and receive a finished rollout plan.

## When to use this

- Your insurer, client, or auditor has asked for MFA on all staff accounts and you need a defensible plan by end of month.
- You've enabled MFA for a few people already and it's gone wrong enough times that you need a proper phased approach.
- You're preparing for Cyber Essentials Plus, SOC 2, or an SRA/FCA client-audit response and MFA coverage is the weakest control.
- You have legacy auth still in use (POP/IMAP, older Outlook, line-of-business apps) and want a safe way to get off it.
- You want a break-glass procedure documented **before** you turn enforcement on, not after someone gets locked out.

## What you'll get

A single Markdown document containing:

- A **current-state audit** of identity providers, legacy auth usage, app inventory, and existing MFA coverage
- A **method matrix** showing which authentication method is assigned to which user role and why
- A **break-glass procedure** with named break-glass accounts, storage, and test cadence
- A **phased rollout plan** (exec pilot → IT/security team → department waves → enforcement)
- A **Conditional Access policy set** specifying named policies, scope, exclusions, and fallback
- A **legacy-auth disablement plan** tied to app-by-app dependency mapping
- A **comms pack** (pre-launch, launch week, enforcement week, FAQ, helpdesk scripts)
- A **rollback & exception handling** flow for users who legitimately can't enrol
- A **success metrics** table with weekly targets

## Clarifying questions I will ask you

Before producing the plan, I will ask:

1. **What is your identity provider?** (Entra ID / M365, Google Workspace, Okta, JumpCloud, Active Directory only, mixed)
2. **How many users total, and how many are "high-risk"?** (execs, finance, HR, admins, partner/director-level)
3. **What is the state of MFA right now?** (not enabled, security defaults on, per-user MFA legacy, Conditional Access, mixed)
4. **Are any mailboxes shared, delegated, or using legacy auth?** (POP/IMAP, older Outlook, Apple Mail, line-of-business apps polling mailboxes)
5. **What apps are in scope?** (M365 only, M365 + N SaaS apps via SSO, VPN/remote access, on-prem apps, line-of-business software)
6. **Preferred authentication method for the majority?** (authenticator app, phishing-resistant passkey / FIDO2 / hardware key, SMS only if nothing else)
7. **Do you have existing break-glass accounts?** (yes, documented, tested; yes, exist but not tested; no)
8. **Are there users who genuinely cannot use a smartphone?** (field staff, elderly directors, regulated roles without personal devices) — and how many?
9. **Regulatory or contractual driver?** (Cyber Essentials Plus, SOC 2, SRA, FCA, client contract, cyber-insurance renewal)
10. **What's your target enforcement date?** (date, or "flexible but by Q<N>")
11. **What's your tolerance for user friction?** (zero — staged over 3 months; moderate — 6 weeks; high — rip the plaster, enforce in 2 weeks)
12. **Do you have a helpdesk / someone who will handle enrolment support?** (yes, internal; yes, external MSP; no — you are the helpdesk)

If any of these are unknown, I will flag the gap in the plan and add a pre-rollout discovery task rather than guessing.

## Output template

```markdown
# MFA Rollout Plan — <org name>

## 1. Executive Summary
- **Scope:** <N> users across <N> apps
- **Primary driver:** <regulator / insurer / Cyber Essentials / audit>
- **Chosen primary method:** <authenticator app / passkey / hardware key>
- **Enforcement date:** <date>
- **Largest risk:** <typically legacy-auth shared mailbox or a director's iPad>
- **Break-glass accounts:** <N> named, tested on <date>

## 2. Current-State Audit
| Area | Current state | Gap | Action |
|---|---|---|---|
| Identity provider | | | |
| MFA enforcement | | | |
| Legacy auth (POP/IMAP/basic) enabled | | | |
| Per-user MFA (legacy) in use | | | |
| Security defaults on | | | |
| Conditional Access policies | | | |
| App inventory (SSO vs standalone) | | | |
| Break-glass accounts exist | | | |
| Authenticator app enrolled users | | | |
| Hardware-key population | | | |

## 3. Method Matrix (who gets what)
| Role group | Primary method | Fallback | Reason |
|---|---|---|---|
| Directors / Partners | Passkey (platform) + Authenticator app | Authenticator app | Frequent travel, high-value targets |
| Finance / Payroll | Hardware key (FIDO2) | Authenticator app | Targeted fraud risk |
| General staff | Authenticator app | SMS to company mobile only | Lowest friction |
| Field staff without smartphone | Hardware key (FIDO2) | Temporary Access Pass | No personal device available |
| Shared mailbox / service account | No interactive MFA — app password with Conditional Access restriction | n/a | Legacy integration |
| Break-glass account | Hardware key in safe | Second hardware key in separate safe | Last-resort admin access |

## 4. Break-Glass Procedure
- **Accounts created:** <N>, named <break-glass-1@…>, <break-glass-2@…>
- **Credentials stored:** <location — e.g. sealed envelope, safe, password manager with director-only access>
- **Hardware keys stored:** <location — physically separated from credentials>
- **Excluded from:** all Conditional Access policies, geo-block, risky-sign-in policies
- **Monitoring:** alert on any sign-in (Sentinel / Defender / Google alert rule)
- **Test cadence:** signed-off test every <N> months by <role>
- **Who can use:** named individuals — <list>. No others.

## 5. Phased Rollout
| Phase | Week | Cohort | Activities | Exit criteria |
|---|---|---|---|---|
| 0. Prep | -3 to 0 | IT admins only | Break-glass setup + test, CA policy authoring, legacy-auth audit | Break-glass tested, all legacy-auth documented |
| 1. IT team pilot | 1 | IT + security team (<N>) | Enrol, enforce, validate all apps | Zero unresolved auth failures |
| 2. Leadership pilot | 2-3 | Directors / partners (<N>) | White-glove enrolment, 1:1 support | 100% enrolled, 0 lockouts |
| 3. Wave 1 | 4-5 | High-risk depts (finance, HR, IT-adjacent) | Self-serve with helpdesk on call | ≥ 95% enrolled before wave 2 |
| 4. Wave 2 | 6-7 | Remaining staff | Self-serve + enrolment drop-in sessions | ≥ 95% enrolled before enforcement |
| 5. Enforcement | 8 | All | Conditional Access moves from "report" to "block" | 100% MFA or documented exception |
| 6. Legacy auth kill | 9-10 | All accounts | Block legacy protocols at tenant level | Zero legacy-auth sign-ins in audit for 7 days |

## 6. Conditional Access Policies (named)
Each policy documented as: **name · assignment · grant/block · exclusions · report-only duration**.

1. **CA-001 — Require MFA for all users**
   - Assignment: All users
   - Grant: require MFA
   - Exclusions: break-glass accounts
   - Pilot: report-only for 7 days, then enforce
2. **CA-002 — Block legacy authentication**
   - Assignment: All users
   - Condition: client apps = exchange active sync, other clients (legacy)
   - Grant: block
   - Exclusions: named service-account group
3. **CA-003 — Require compliant or hybrid-joined device for admin roles**
   - Assignment: admin-role group
   - Grant: require device compliance OR hybrid Azure AD join
   - Exclusions: break-glass
4. **CA-004 — Geo-block for unexpected countries**
   - Assignment: All users
   - Condition: locations = outside <allowed list>
   - Grant: block
   - Exclusions: break-glass + travelling-exec group (with expiry)
5. **CA-005 — Session lifetime**
   - Assignment: All users
   - Session control: sign-in frequency <N> days; persistent browser session off for shared devices
6. **CA-006 — High-risk sign-in blocked**
   - Assignment: All users
   - Condition: sign-in risk = high
   - Grant: block + require password change

## 7. Legacy Authentication Disablement
| Protocol / app | Currently used by | Replacement | Kill date |
|---|---|---|---|
| POP3 | | Modern Outlook / Web (not IMAP, which is also being disabled) | |
| IMAP | | Modern Outlook / Web | |
| Older Outlook (pre-2016 build) | | Outlook 365 upgrade | |
| Apple Mail on iOS < 14 | | Outlook for iOS | |
| Scanners / MFPs sending SMTP-auth email | | SMTP relay or app password with scoped restriction | |
| Line-of-business app A | | OAuth integration / app password | |
| Line-of-business app B | | OAuth integration / vendor engagement | |

Any item without a replacement by <enforcement-date> = documented exception with compensating control.

## 8. Communications Pack
### Pre-launch email (T-14 days)
> Subject: Multi-factor authentication is coming — what it means for you
> ...

### Enrolment step-by-step (per method)
- Authenticator app on a phone
- Passkey on laptop / phone
- Hardware key

### FAQ (top 10)
1. **Will this work if I have no signal?** ...
2. **What if I lose my phone?** ...
3. **Do I need to do this for my personal accounts?** ...
4. **What if I don't have a work phone?** ...
5. **Why are we doing this?** ...
6. ...

### Helpdesk runbook
- Tier 1 scripts for the 5 most common enrolment problems
- How to issue a Temporary Access Pass
- Escalation matrix
- When to create an exception (and when to refuse one)

## 9. Exception Handling
Any user who cannot enrol has one of three paths:
1. **Issue a hardware key and enrol face-to-face** (default for directors without smartphone)
2. **Temporary Access Pass** (24-72 hour expiring code for recovery scenarios)
3. **Documented exception** with compensating control (signed by IT + department head, reviewed quarterly, target end-state date)

Exception register:

| User | Reason | Compensating control | Review date | Target removal |
|---|---|---|---|---|
| | | | | |

## 10. Rollback Triggers
- **> <N>% of users locked out on enforcement day:** pause enforcement, switch CA to report-only, investigate, re-communicate.
- **Break-glass account sign-in alerted:** investigate immediately. If unauthorised, rotate break-glass credentials.
- **Regulator / client query mid-rollout:** keep rollout active; respond in writing; escalate to leadership.

## 11. Success Metrics
| Metric | Baseline | Week 4 target | Week 8 (enforcement) target |
|---|---|---|---|
| Users enrolled in MFA | | ≥ 60% | 100% (or exception documented) |
| Legacy-auth sign-ins (30-day count) | | ↓ 80% | 0 |
| Helpdesk tickets related to MFA | n/a | ≤ <N> / week | ≤ <N> / week (declining) |
| Break-glass account sign-ins | 0 | 0 | 0 |
| Documented exceptions | 0 | ≤ <N> | ≤ <N> with dated removal plans |

## 12. Decisions Needed From Leadership
- [ ] Budget approval for hardware keys (<N> × £<cost>)
- [ ] Agreement on enforcement date — is it immovable?
- [ ] Named break-glass-authorised individuals
- [ ] Exception-approval authority (who can sign)
- [ ] Communications tone (firm / supportive / technical)

## 13. Out of Scope (Flagged)
- Passwordless rollout (can follow MFA as phase 2)
- Privileged Access Management / PIM
- Device compliance beyond basic (see separate Zero Trust plan)
- User provisioning / HR integration
```
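
The section 6 policy set is written as names and assignments; the Graph API body that actually creates each policy is where a typo can lock out the tenant. The following Python is an added example (not part of the skill or its output template) that builds Microsoft Graph `conditionalAccessPolicy` request bodies for the section 6 policies that map directly onto Graph fields, defaults every policy to report-only, and appends the break-glass group to every exclusion list so that section 4's "excluded from all Conditional Access policies" is enforced mechanically. The group IDs are constructed placeholders; CA-004 (needs named-location IDs) and CA-005 (session controls only) are left out, and CA-006 is built as block-only because Graph does not allow `block` to be combined with other grant controls.

```python
"""Build Microsoft Graph conditionalAccessPolicy request bodies for the named
policies in section 6, defaulting every policy to report-only with the
break-glass group excluded, and pre-flight the set before it is sent to
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

The group object IDs are constructed placeholders; a real tenant supplies
the GUIDs of its own groups.
"""
import copy
import json

# Constructed placeholder group IDs (replace with the tenant's real group GUIDs).
BREAK_GLASS_GROUP = "PLACEHOLDER-break-glass-group-id"
SERVICE_ACCOUNT_GROUP = "PLACEHOLDER-service-account-group-id"
ADMIN_ROLE_GROUP = "PLACEHOLDER-admin-role-group-id"

# Graph 'state' values for a policy.
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"

# Graph clientAppTypes values covered by CA-002's "legacy" condition.
LEGACY_CLIENT_APPS = ["exchangeActiveSync", "other"]
# clientAppTypes values that reach modern, MFA-capable clients.
MODERN_CLIENT_APPS = {"all", "browser", "mobileAppsAndDesktopClients"}


def build_policy(name, grant_controls, *, include_groups=(), exclude_groups=(),
                 client_app_types=("all",), sign_in_risk_levels=()):
    """Return a Graph-shaped policy body in report-only state.

    The break-glass group is always appended to excludeGroups, so section 4's
    'excluded from all Conditional Access policies' holds for every policy
    built here without anyone having to remember to tick a box.
    """
    users = {"excludeGroups": sorted(set(exclude_groups) | {BREAK_GLASS_GROUP})}
    if include_groups:
        users["includeGroups"] = list(include_groups)
    else:
        users["includeUsers"] = ["All"]
    body = {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(client_app_types),
        },
        "grantControls": {"operator": "OR", "builtInControls": list(grant_controls)},
    }
    if sign_in_risk_levels:
        body["conditions"]["signInRiskLevels"] = list(sign_in_risk_levels)
    return body


def section6_policy_set():
    """The section 6 policies that map directly onto Graph fields.

    CA-004 needs named-location IDs and CA-005 is a sessionControls-only
    policy, so both are left out of this subset.
    """
    return [
        build_policy("CA-001 - Require MFA for all users", ["mfa"]),
        build_policy("CA-002 - Block legacy authentication", ["block"],
                     client_app_types=LEGACY_CLIENT_APPS,
                     exclude_groups=[SERVICE_ACCOUNT_GROUP]),
        build_policy("CA-003 - Require compliant or hybrid-joined device for admin roles",
                     ["compliantDevice", "domainJoinedDevice"],
                     include_groups=[ADMIN_ROLE_GROUP]),
        build_policy("CA-006 - High-risk sign-in blocked", ["block"],
                     sign_in_risk_levels=["high"]),
    ]


def check_policy_set(policies):
    """Pre-flight checks; an empty list means nothing obviously lock-out-shaped."""
    findings = []
    for p in policies:
        cond = p["conditions"]
        name = p["displayName"]
        if BREAK_GLASS_GROUP not in cond["users"].get("excludeGroups", []):
            findings.append(f"{name}: break-glass group is not excluded")
        controls = set(p.get("grantControls", {}).get("builtInControls", []))
        if "block" in controls and len(controls) > 1:
            findings.append(f"{name}: 'block' cannot be combined with other grant controls")
        # A block that is not narrowed by risk level or location, and that
        # reaches modern client types, would block every sign-in in scope.
        narrowed = cond.get("signInRiskLevels") or cond.get("locations")
        if "block" in controls and not narrowed and set(cond["clientAppTypes"]) & MODERN_CLIENT_APPS:
            findings.append(f"{name}: unconditional block would reach modern clients for everyone")
    return findings


def promote(policy, days_in_report_only):
    """Copy a policy into the enforced state once its 7-day report-only pilot is complete."""
    if days_in_report_only < 7:
        raise ValueError("section 6 requires 7 days in report-only before enforcement")
    enforced = copy.deepcopy(policy)
    enforced["state"] = ENFORCED
    return enforced


if __name__ == "__main__":
    policies = section6_policy_set()
    print(json.dumps(policies, indent=2))
    print("findings:", check_policy_set(policies) or "none")
```

Run `check_policy_set()` on the whole set before the first POST, and again after any edit in the portal that is exported back to JSON; `promote()` is the only path to `state: enabled`, which keeps the 7-day report-only rule from being skipped under deadline pressure.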

## Example invocation

**User:** "We're 45 staff on M365 Business Premium. Security defaults are on for some users, per-user MFA for others. Two partners still use IMAP on their iPads. Cyber insurance is asking us to prove MFA coverage by end of Q2. No break-glass accounts documented."

**What the skill will do:**
1. Ask the 12 clarifying questions, probing hard on the two IMAP-on-iPad users (they are the single biggest lockout risk) and the cyber-insurance deadline (which sets the enforcement date).
2. Produce the complete plan with:
   - A readiness audit flagging "no break-glass accounts" as a stop-the-rollout issue
   - A method matrix putting the two partners on hardware keys + Outlook for iOS (not IMAP)
   - A 10-week phased rollout ending with enforcement by the insurance deadline
   - Six named Conditional Access policies with a 7-day report-only pilot before each enforcement
   - A legacy-auth kill date tied to the insurance evidence submission
3. Flag that the partners' iPads need a dedicated 1-to-1 white-glove session in week 2, not self-serve enrolment.

## Notes for the requester

- **Set up break-glass accounts before you do anything else.** Two of them. Hardware keys. Stored in separate physical locations. Test them before you create the first Conditional Access policy. This is the rule you will thank me for the day something goes wrong.
- **Report-only mode is your friend.** Every policy gets 7 days in report-only before enforcement. You will be amazed what breaks that you didn't expect — a legacy scanner, a shared mailbox, a line-of-business app that connects once a week.
- **Legacy auth is the reason most rollouts fail.** If you skip section 7, you will have users enrolled in MFA but still signing in via IMAP without MFA challenge, defeating the whole purpose.
- **Don't grant Director-level exceptions "because they complained".** An exception without a compensating control and a dated target for removal is just a permanent weakness.
- **Good looks like:** enforcement day passes with fewer than 5 helpdesk tickets, zero break-glass usage, zero successful legacy-auth sign-ins in the 30 days after cut-over, and a signed evidence pack you can hand to your insurer or auditor.
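
The notes above (legacy auth defeating MFA, and "zero successful legacy-auth sign-ins in the 30 days after cut-over") are checked against Entra sign-in logs, as are the section 7 "currently used by" column, the phase 6 exit criterion and the section 4 break-glass alert. The following Python is an added example (not part of the skill or its output) that runs those checks over sign-in records in the JSON shape returned by the Graph `signIns` resource, restricted to the fields used here. The sample records and the `example.com` identities are constructed; the `clientAppUsed` values are the ones Entra reports for legacy authentication.

```python
"""Triage Microsoft Entra sign-in log records for the checks this plan relies on:
which identities still use legacy protocols (section 7), whether legacy-auth
sign-ins have reached zero (sections 5 and 11), who still signs in without an
MFA challenge (section 11), and whether a break-glass account has been used
(section 4). The sample data below is constructed, not real tenant data.
"""
from collections import defaultdict
from datetime import datetime

# clientAppUsed values that Entra reports for legacy (basic) authentication.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
}

# Constructed break-glass identities (section 4 names them break-glass-1/2@...).
BREAK_GLASS_UPNS = {"break-glass-1@example.com", "break-glass-2@example.com"}


def _rec(when, upn, client, auth_req, error_code=0):
    """Helper to construct a sign-in record with the subset of Graph fields used here."""
    return {"createdDateTime": when, "userPrincipalName": upn, "clientAppUsed": client,
            "appDisplayName": "Office 365 Exchange Online",
            "authenticationRequirement": auth_req, "status": {"errorCode": error_code}}


# Constructed sample: two partners on IMAP (the example invocation's scenario),
# a scanner on SMTP AUTH, staff on modern clients, one failed password, one
# break-glass sign-in. errorCode 0 is a successful sign-in.
SAMPLE_SIGNINS = [
    _rec("2026-03-28T07:55:02+00:00", "partner1@example.com", "IMAP4", "singleFactorAuthentication"),
    _rec("2026-04-01T08:02:11+00:00", "partner1@example.com", "IMAP4", "singleFactorAuthentication"),
    _rec("2026-04-02T06:40:19+00:00", "partner2@example.com", "IMAP4", "singleFactorAuthentication"),
    _rec("2026-04-02T09:15:00+00:00", "scanner@example.com", "Authenticated SMTP", "singleFactorAuthentication"),
    _rec("2026-04-02T09:31:44+00:00", "finance1@example.com", "Browser", "multiFactorAuthentication"),
    _rec("2026-04-03T08:10:05+00:00", "staff1@example.com", "Mobile Apps and Desktop clients", "singleFactorAuthentication"),
    _rec("2026-04-03T08:12:30+00:00", "staff2@example.com", "Browser", "singleFactorAuthentication", 50126),
    _rec("2026-04-03T11:47:58+00:00", "break-glass-1@example.com", "Browser", "multiFactorAuthentication"),
]


def _succeeded(record):
    return record.get("status", {}).get("errorCode") == 0


def is_legacy(record):
    """True when the sign-in used a protocol that cannot complete an MFA challenge."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def legacy_auth_inventory(records):
    """Map each legacy protocol to the identities seen using it (section 7 'Currently used by')."""
    users = defaultdict(set)
    for r in records:
        if is_legacy(r):
            users[r["clientAppUsed"]].add(r["userPrincipalName"])
    return {proto: sorted(upns) for proto, upns in sorted(users.items())}


def legacy_signins_since(records, since_iso):
    """Count successful legacy-auth sign-ins at or after since_iso (ISO 8601 with offset).

    The phase 6 exit criterion is that this returns 0 for a 7-day window.
    """
    since = datetime.fromisoformat(since_iso)
    return sum(1 for r in records
               if is_legacy(r) and _succeeded(r)
               and datetime.fromisoformat(r["createdDateTime"]) >= since)


def users_without_mfa_challenge(records):
    """Identities with a successful sign-in satisfied by a single factor.

    After enforcement this list should be empty; anyone still on it is
    signing in without an MFA challenge, whatever their enrolment status.
    """
    return sorted({r["userPrincipalName"] for r in records
                   if _succeeded(r)
                   and r.get("authenticationRequirement") == "singleFactorAuthentication"})


def break_glass_signins(records, break_glass_upns):
    """Every sign-in attempt by a break-glass account, successful or not.

    Section 4 alerts on any sign-in; the section 11 target is zero.
    """
    watched = {u.lower() for u in break_glass_upns}
    return [r for r in records if r["userPrincipalName"].lower() in watched]


if __name__ == "__main__":
    print("legacy inventory:", legacy_auth_inventory(SAMPLE_SIGNINS))
    print("legacy sign-ins since 2026-04-01:",
          legacy_signins_since(SAMPLE_SIGNINS, "2026-04-01T00:00:00+00:00"))
    print("single-factor successes:", users_without_mfa_challenge(SAMPLE_SIGNINS))
    for r in break_glass_signins(SAMPLE_SIGNINS, BREAK_GLASS_UPNS):
        print("ALERT break-glass sign-in:", r["userPrincipalName"], r["createdDateTime"])
```

Exported sign-in logs from the Entra portal or `GET /auditLogs/signIns` carry the same field names, so the functions above run unchanged over real records; the inventory fills section 7, the since-count and single-factor list feed the section 11 weekly row, and a non-empty break-glass list is a section 10 rollback trigger.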

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
