Systems involved
| System | Role |
|---|---|
| BambooHR / Workday | Authoritative employee list, department, manager. |
| Microsoft Entra ID | Where MFA is enforced. |
| Conditional Access | The policy controlling which accounts and apps require MFA. |
| Gmail / Outlook | Pre-rollout, mid-rollout, and reminder emails to users. |
| Microsoft Teams #it-support | Helpdesk channel for the rollout week. |
| ConnectWise PSA | Project tracking for the rollout phases. |
| Power BI / Looker | Compliance dashboard for the customer CIO. |
Walkthrough
Build the canonical user list
Copilot reads BambooHR for active employees, reads Entra ID for active accounts, and reconciles the two into one master list with department, manager, account status, and current MFA enrolment state.
Classify exceptions
Service accounts, shared mailboxes, on-leave users, and break-glass accounts get tagged. Copilot flags 14 exceptions that need explicit policy carve-outs and writes them into a Markdown table for the customer to sign off.
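The reconciliation and exception tagging described in the two steps above, as an added example. This is not Studio's or Copilot's own code: it works on constructed HR and Entra records with made-up field names (a real BambooHR export and a Graph `/users` query would be mapped into this shape first), and the `svc-` prefix and `BREAK_GLASS` set are assumptions standing in for whatever group or attribute the tenant actually uses. The same master list yields the holdout list the later chase step needs.

```python
"""Reconcile an HR employee export with Entra ID accounts into one master
list, and classify the accounts that need Conditional Access carve-outs.

Added example; not Studio's or Copilot's own code. Record shapes and
account names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample HR export (BambooHR is authoritative for these fields).
HR_EMPLOYEES = [
    {"email": "alice@example.test", "department": "IT", "manager": "dana@example.test", "status": "active"},
    {"email": "bob@example.test", "department": "Sales", "manager": "erin@example.test", "status": "active"},
    {"email": "carol@example.test", "department": "Finance", "manager": "erin@example.test", "status": "leave"},
    {"email": "grace@example.test", "department": "Sales", "manager": "erin@example.test", "status": "active"},
]

# Constructed sample of Entra accounts with their current MFA enrolment state.
ENTRA_ACCOUNTS = [
    {"upn": "alice@example.test", "enabled": True, "mfa_registered": True, "kind": "user"},
    {"upn": "bob@example.test", "enabled": True, "mfa_registered": False, "kind": "user"},
    {"upn": "carol@example.test", "enabled": True, "mfa_registered": False, "kind": "user"},
    {"upn": "svc-backup@example.test", "enabled": True, "mfa_registered": False, "kind": "user"},
    {"upn": "shared-ap@example.test", "enabled": True, "mfa_registered": False, "kind": "shared_mailbox"},
    {"upn": "breakglass-1@example.test", "enabled": True, "mfa_registered": False, "kind": "user"},
    {"upn": "frank@example.test", "enabled": True, "mfa_registered": False, "kind": "user"},  # no HR record
]

# Hypothetical: the emergency-access accounts the customer has already signed off.
BREAK_GLASS = {"breakglass-1@example.test"}


@dataclass
class MasterRow:
    upn: str
    department: Optional[str]
    manager: Optional[str]
    in_hr: bool
    hr_status: Optional[str]
    account_enabled: bool
    mfa_registered: bool
    exception: Optional[str] = None  # None means "in scope for the MFA policy"


def classify_exception(upn, hr, acct):
    """Return the carve-out reason, or None if the account is in scope."""
    if upn in BREAK_GLASS:
        return "break-glass"
    if acct["kind"] == "shared_mailbox":
        return "shared-mailbox"
    if upn.startswith("svc-"):  # naming convention assumed; a real tenant would use a group or attribute
        return "service-account"
    if hr is not None and hr["status"] == "leave":
        return "on-leave"
    if hr is None:
        return "orphaned-no-hr-record"  # needs an owner decision, not a silent carve-out
    return None


def reconcile(hr_rows, entra_rows):
    """Join Entra accounts to HR by email and tag each row; also return active
    employees HR knows about who have no account at all."""
    hr_by_email = {r["email"].lower(): r for r in hr_rows}
    master = []
    for acct in entra_rows:
        upn = acct["upn"].lower()
        hr = hr_by_email.get(upn)
        master.append(MasterRow(
            upn=upn,
            department=hr["department"] if hr else None,
            manager=hr["manager"] if hr else None,
            in_hr=hr is not None,
            hr_status=hr["status"] if hr else None,
            account_enabled=acct["enabled"],
            mfa_registered=acct["mfa_registered"],
            exception=classify_exception(upn, hr, acct),
        ))
    seen = {m.upn for m in master}
    missing = [e for e in hr_by_email if e not in seen and hr_by_email[e]["status"] == "active"]
    return master, missing


def exceptions_table(master):
    """Markdown table of carve-outs for the customer to sign off."""
    lines = ["| Account | Reason | Department |", "|---|---|---|"]
    for m in master:
        if m.exception:
            lines.append(f"| {m.upn} | {m.exception} | {m.department or '-'} |")
    return "\n".join(lines)


def not_enrolled(master):
    """In-scope accounts with no MFA method registered: the chase list."""
    return [m for m in master if m.exception is None and not m.mfa_registered]


if __name__ == "__main__":
    master, missing = reconcile(HR_EMPLOYEES, ENTRA_ACCOUNTS)
    print(exceptions_table(master))
    print("holdouts:", [(m.upn, m.manager) for m in not_enrolled(master)])
    print("active in HR but no account:", missing)
```

The orphaned row (an enabled account with no HR record) is deliberately an exception rather than silently in scope or out of scope: it is the case the Excel join tends to lose, and it needs a named owner before the policy is enforced.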
Stage the Conditional Access policy
Through the Graph connector, draft the policy: scope by group, require MFA for all cloud apps, exclude break-glass group, exclude service principals. Copilot shows the draft policy as a JSON artifact for review before push.
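The draft-then-review step above, as an added example that is not the Graph connector's own code. It builds the policy body in the shape of the Graph `conditionalAccessPolicy` resource (the body a `POST /identity/conditionalAccess/policies` call would carry) and lints it before anyone pushes it; the two group object ids are placeholders. One caveat the page's wording glosses over: a user-scoped policy's user condition cannot exclude service principals, which Graph models separately under workload identity policies, so the safe default here is simply not to bring them into scope.

```python
"""Draft a Conditional Access policy body for Microsoft Graph and
sanity-check it before it is pushed.

Added example; not Studio's or Copilot's connector code. Field names follow
the Graph conditionalAccessPolicy resource; the group ids are placeholders.
"""
import json

# Placeholder object ids: substitute the real group ids from the tenant.
ROLLOUT_GROUP_ID = "00000000-0000-0000-0000-00000000000a"      # e.g. the IT-phase pilot group
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-00000000000b"  # the emergency-access group


def draft_policy(name, include_group_ids, exclude_group_ids, report_only=True):
    """Scope by group, require MFA for all cloud apps, exclude break-glass."""
    return {
        "displayName": name,
        # Report-only first; flip to "enabled" only after the sign-in log review.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeGroups": list(include_group_ids),
                "excludeGroups": list(exclude_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["mfa"],
        },
    }


def lint_policy(policy, break_glass_group_id):
    """Return a list of problems; an empty list means the draft is safe to push."""
    problems = []
    users = policy["conditions"]["users"]
    if break_glass_group_id not in users.get("excludeGroups", []):
        problems.append("break-glass group is not excluded: a bad policy could lock every admin out")
    if "All" in users.get("includeUsers", []) and not users.get("excludeGroups"):
        problems.append("policy targets all users with no exclusions")
    if not users.get("includeGroups") and not users.get("includeUsers"):
        problems.append("policy has no user scope and would apply to nobody")
    if policy["state"] == "enabled" and "mfa" in policy["grantControls"]["builtInControls"]:
        problems.append("enforced MFA policy: confirm the report-only window was reviewed first")
    if policy["conditions"]["applications"].get("includeApplications") != ["All"]:
        problems.append("not all cloud apps are covered")
    return problems


def render_for_review(policy):
    """The JSON artifact a reviewer sees before the push."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    p = draft_policy("MFA rollout - phase 1 IT", [ROLLOUT_GROUP_ID], [BREAK_GLASS_GROUP_ID])
    print(render_for_review(p))
    print("lint:", lint_policy(p, BREAK_GLASS_GROUP_ID) or "clean")
```

The lint runs on the artifact, not on the tenant, so the break-glass check fails before anything is written; the "enforced" finding is intentionally a reminder rather than an error, since the same function is reused for the enforcement flip at the end of each phase.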
Communicate phase one
Pull the IT department first. Copilot sends a personalized email through Gmail: why, when, what to do, link to the enrolment guide, escalation contact. Each user gets the right manager copied.
Apply policy in report-only mode
The CA policy goes live in report-only mode for the IT phase. Copilot pulls the sign-in logs after 24 hours, finds the legacy OAuth client one user is on, and flags it for remediation before enforcement.
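The 24-hour sign-in log review, as an added example rather than Copilot's own logic. It walks sign-in records in the shape of the Graph `signIn` resource, keeps only the ones where the report-only policy would have failed or interrupted the sign-in, and splits them into legacy-authentication clients (which cannot complete an MFA challenge and must be fixed before enforcement) and users who would merely have been prompted. The records and the policy display name are constructed.

```python
"""Triage the report-only window: which sign-ins would the MFA policy have
blocked or interrupted, and which of those are legacy clients that cannot
do MFA at all?

Added example, not Copilot's connector logic. Field names follow the Graph
signIn resource; the records and policy name below are constructed.
"""
from collections import defaultdict

POLICY_NAME = "MFA rollout - phase 1 IT"  # assumed display name of the report-only policy

# Client app types that cannot present an MFA challenge (legacy authentication).
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP",
    "Authenticated SMTP", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Offline Address Book",
}

# Constructed sample of one day's sign-ins, trimmed to the fields used here.
SIGN_INS = [
    {"userPrincipalName": "alice@example.test", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "bob@example.test", "clientAppUsed": "Other clients",
     "appDisplayName": "Office 365 Exchange Online",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "carol@example.test", "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Teams",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyInterrupted"}]},
    {"userPrincipalName": "dana@example.test", "clientAppUsed": "Browser",
     "appDisplayName": "Azure Portal",
     "appliedConditionalAccessPolicies": [{"displayName": "Some other policy", "result": "success"}]},
]


def policy_result(record, policy_name):
    """Result of the named policy for one sign-in, or None if it was not evaluated."""
    for applied in record.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name:
            return applied.get("result")
    return None


def triage(records, policy_name):
    """Split affected sign-ins into legacy-client remediation and plain MFA prompts."""
    legacy = defaultdict(set)      # upn -> {(clientAppUsed, appDisplayName)}
    would_be_prompted = set()      # users a modern client would simply challenge
    for r in records:
        if policy_result(r, policy_name) not in {"reportOnlyFailure", "reportOnlyInterrupted"}:
            continue
        upn = r["userPrincipalName"]
        if r.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            legacy[upn].add((r["clientAppUsed"], r.get("appDisplayName", "")))
        else:
            would_be_prompted.add(upn)
    return {u: sorted(v) for u, v in legacy.items()}, sorted(would_be_prompted)


def enforcement_blockers(records, policy_name):
    """Users who would be cut off the moment the policy is enforced."""
    legacy, _ = triage(records, policy_name)
    return sorted(legacy)


if __name__ == "__main__":
    legacy, prompted = triage(SIGN_INS, POLICY_NAME)
    for upn, clients in legacy.items():
        print(f"remediate before enforcement: {upn} -> {clients}")
    print("would be prompted for MFA:", prompted)
```

The "would be prompted" bucket is cross-checked against the enrolment state from the master list: a prompted user who has not enrolled is a reminder-email case, while a legacy client is a ticket, because no reminder will make an IMAP login pass MFA.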
Open the helpdesk channel
Copilot opens a #it-support Teams channel for the rollout week, posts the FAQ and the enrolment guide, and pins them. Helpdesk tickets that mention MFA get a canned first response with the guide link.
Roll forward by department
Phase by phase — Sales, Engineering, Operations, Finance — Copilot repeats the email, the report-only window, the legacy-app fix, and the enforcement flip. After each phase the enrolment dashboard updates.
Chase the non-enrollees
Three days before the deadline, Copilot finds every account not enrolled, drafts a personalized reminder through their manager, and updates the PSA with each holdout’s status.
Where Studio earns its keep
- The user list is reconciled across BambooHR and Entra in one query, not exported and joined in Excel.
- The phased communication uses the same source of truth all the way through, so no one gets emailed twice or skipped.
- Report-only mode catches legacy OAuth issues before users start calling the helpdesk angry.
- The compliance report writes itself from the policy state, the enrolment data, and the exception sign-off — not pulled together at midnight before the audit.
Related
Connectors and MCP
Microsoft Graph, BambooHR, Gmail, and Teams as Copilot tools.
Procedures
Promote this rollout into a procedure for the next customer.