# MFA enforcement rollout to a 200-user customer

> Move a customer's 200 users from optional to enforced MFA — pull the user list, stage the conditional access policy, communicate by phase, watch enrolment rate, and close the compliance loop.

A customer's cyber insurance now requires enforced MFA on every account by month-end. The MSP runs the rollout: pull the live user list, classify by department and exception, stage the Conditional Access policy, communicate before each phase, watch enrolment progress, and produce the compliance report the insurer wants.

## Systems involved

| System                        | Role                                                        |
| ----------------------------- | ----------------------------------------------------------- |
| BambooHR / Workday            | Authoritative employee list, department, manager.           |
| Microsoft Entra ID            | Where MFA is enforced.                                      |
| Conditional Access            | The policy controlling which accounts and apps require MFA. |
| Gmail / Outlook               | Pre-rollout, mid-rollout, and reminder emails to users.     |
| Microsoft Teams `#it-support` | Helpdesk channel for the rollout week.                      |
| ConnectWise PSA               | Project tracking for the rollout phases.                    |
| Power BI / Looker             | Compliance dashboard for the customer CIO.                  |

## Walkthrough

<Steps>
  <Step title="Build the canonical user list">
    Copilot reads BambooHR for active employees, reads Entra ID for active accounts, and reconciles the two into one master list with department, manager, account status, and current MFA enrolment state.
  </Step>

  <Step title="Classify exceptions">
    Service accounts, shared mailboxes, on-leave users, and break-glass accounts get tagged. Copilot flags 14 exceptions that need explicit policy carve-outs and writes them into a Markdown table for the customer to sign off.
  </Step>

  <Step title="Stage the Conditional Access policy">
    Through the Graph connector, draft the policy: scope by group, require MFA for all cloud apps, exclude break-glass group, exclude service principals. Copilot shows the draft policy as a JSON artifact for review before push.
  </Step>

  <Step title="Communicate phase one">
    Pull the IT department first. Copilot sends a personalized email through Gmail: why, when, what to do, link to the enrolment guide, escalation contact. Each user gets the right manager copied.
  </Step>

  <Step title="Apply policy in report-only mode">
    The CA policy goes live in report-only mode for the IT phase. Copilot pulls the sign-in logs after 24 hours, finds the legacy OAuth client one user is on, and flags it for remediation before enforcement.
  </Step>

  <Step title="Open the helpdesk channel">
    Copilot opens a `#it-support` Teams channel for the rollout week, posts the FAQ and the enrolment guide, and pins them. Helpdesk tickets that mention MFA get a canned first response with the guide link.
  </Step>

  <Step title="Roll forward by department">
    Phase by phase — Sales, Engineering, Operations, Finance — Copilot repeats the email, the report-only window, the legacy-app fix, and the enforcement flip. After each phase the enrolment dashboard updates.
  </Step>

  <Step title="Chase the non-enrollees">
    Three days before the deadline, Copilot finds every account not enrolled, drafts a personalized reminder through their manager, and updates the PSA with each holdout's status.
  </Step>

  <Step title="Close the loop">
    Generate the compliance report: total users, enforced, exceptions, evidence of enrolment, evidence of policy state. PDF goes to the customer CIO and into the cyber-insurance evidence pack.
  </Step>
</Steps>
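The staging, guardrail and report-only steps above, as an added example (not Studio or Copilot code): the request body follows the Microsoft Graph `conditionalAccessPolicy` and `signIn` resource shapes, and the group object IDs, policy ID `P1` and sign-in records are constructed placeholders.

```python
# Added example, not Studio/Copilot code. Group IDs and sign-in records are constructed.
BREAK_GLASS_GROUP = "<break-glass-group-id>"           # placeholder object ID
EXCEPTIONS_GROUP = "<signed-off-exceptions-group-id>"  # service accounts, shared mailboxes, on-leave
REPORT_ONLY = "enabledForReportingButNotEnforced"      # Graph conditionalAccessPolicy state values
ENFORCED = "enabled"
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}  # other clientAppUsed values are legacy auth

def build_mfa_policy(phase, phase_group_id, enforce=False):
    """Body for POST /identity/conditionalAccess/policies: one phase group in scope,
    MFA for all cloud apps, break-glass and exceptions excluded, report-only by default."""
    return {
        "displayName": f"MFA rollout - {phase}",
        "state": ENFORCED if enforce else REPORT_ONLY,
        "conditions": {
            "users": {"includeGroups": [phase_group_id],
                      "excludeGroups": [BREAK_GLASS_GROUP, EXCEPTIONS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def preflight(policy):
    """Guardrails on the draft before push; an empty list means safe to push."""
    users = policy["conditions"]["users"]
    findings = []
    if BREAK_GLASS_GROUP not in users.get("excludeGroups", []):
        findings.append("break-glass group not excluded: tenant lockout risk")
    if "mfa" not in policy["grantControls"]["builtInControls"]:
        findings.append("grant control does not require MFA")
    return findings

def triage_report_only(signins, policy_id):
    """Who would have been blocked, and who is on a legacy client, per the report-only logs."""
    would_fail, legacy = set(), set()
    for s in signins:
        upn = s["userPrincipalName"]
        if s.get("clientAppUsed") not in MODERN_CLIENTS:
            legacy.add(upn)
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["id"] == policy_id and p["result"] == "reportOnlyFailure":
                would_fail.add(upn)
    return {"would_fail": sorted(would_fail), "legacy_clients": sorted(legacy)}

SAMPLE_SIGNINS = [  # constructed, in the shape of Graph's signIn resource
    {"userPrincipalName": "it-admin@example.com", "clientAppUsed": "Browser",
     "appliedConditionalAccessPolicies": [{"id": "P1", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "legacy-user@example.com", "clientAppUsed": "Other clients",
     "appliedConditionalAccessPolicies": [{"id": "P1", "result": "reportOnlyFailure"}]},
]
```

Run `preflight` on every draft and `triage_report_only` on the 24-hour report-only window; flip to `enforce=True` only when both return empty results for the phase.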

## Where Studio earns its keep

* The user list is reconciled across BambooHR and Entra in one query, not exported and joined in Excel.
* The phased communication uses the same source of truth all the way through, so no one gets emailed twice or skipped.
* Report-only mode catches legacy OAuth issues before users start calling the helpdesk angry.
* The compliance report writes itself from the policy state, the enrolment data, and the exception sign-off — not pulled together at midnight before the audit.

## Related

<CardGroup cols={2}>
  <Card title="Connectors and MCP" icon="plug" href="../../connectors-and-mcp" arrow="true" cta="Wire connectors">
    Microsoft Graph, BambooHR, Gmail, and Teams as Copilot tools.
  </Card>

  <Card title="Procedures" icon="workflow" href="../../procedures" arrow="true" cta="Standardize rollouts">
    Promote this rollout into a procedure for the next customer.
  </Card>
</CardGroup>
