User Authentication & Access Management with Microsoft Entra ID

Washington County Public Schools admin building

Abstract

Data Networks collaborated with Washington County Public Schools to streamline user authentication and access management in the cloud, enhancing cybersecurity resilience. Through the migration to Microsoft Azure Active Directory (Entra ID) with multi-factor authentication, WCPS achieved centralized identity management, minimizing support issues and strengthening data security.

The challenge

Washington County Public Schools (“WCPS”) is a public school district in western Maryland with district offices in Hagerstown. The district has 46 schools and a staff of more than 3,700 employees who educate and support more than 24,400 students.

WCPS had licensed 11 applications from ten vendors for daily staff and student use, including Microsoft 365, Google Workspace, and several classroom learning applications. The school district’s Technology team had implemented effective user authentication features and practices in each of these applications. Depending on the application, however, one of three different authentication platforms was in use: Microsoft Azure Active Directory (Entra ID), on-premises Microsoft Active Directory, or Google.

There was another problem, too. According to Joseph Allen, WCPS’ Executive Director of Technology, “Our school district carries cybersecurity insurance. Multi-factor authentication (MFA) is a policy requirement. But we didn’t have MFA, so we weren’t meeting our cybersecurity insurance requirements, and our staff and student data were more vulnerable to attacks. WCPS had made two prior attempts at implementing cloud-based user authentication and MFA. Those projects were unsuccessful mainly due to unsatisfactory change management and training. We needed to get it correct this time.”

WCPS was already using Microsoft authentication technology for the most part. So, Allen sought a local technology partner that could assist his team in consolidating all user authentication into Azure Active Directory (Entra ID) with MFA and advise how to smoothly transition users to the new solution. WCPS chose Data Networks for the project because “they clearly demonstrated their experience and proficiency with Microsoft authentication technology as well as an ability to serve as our trusted advisor,” says Allen.

The solution

Data Networks begins all cloud IAM conversion projects with an assessment of the customer’s current environment. At WCPS, with multiple external applications in use and no single consistent access convention, it was clear that improvement was needed. This was the case not only from the standpoint of end users, but also for WCPS system administrators. If a school district staff member or student reported a login failure, it was often difficult for a system admin to pinpoint the root cause, because the failure could sit in any of three identity platforms.

For example, WCPS subscribed to Google Workspace for email communications, file storage, and other key functions. When a Google Workspace instance uses native Google authentication, it is relatively easy to troubleshoot, locate, and fix the source of a user access issue. But when a non-Google authentication platform is used in conjunction with Google Workspace (as WCPS did with on-premises Active Directory), resolving the problem becomes more difficult and time consuming for a system admin.

The existing Google Workspace authentication via Active Directory added further complexity: Google has no application programming interface (API) integration with on-premises Active Directory, so user identity data was synchronized automatically every 45 minutes by a separate sync program. If a school district system administrator reset a user’s password in Google Workspace, he or she also had to remember to reset it separately in Active Directory at the same time; otherwise the next synchronization would overwrite the new password with the old one.

“Streamlining was our consensus goal for the project,” said Todd Rechen, Data Networks’ Senior Microsoft Engineer. “There were two significant tasks for us to complete. First, we needed to help the WCPS Technology team redirect all applications to Azure Active Directory (Entra ID) as a single identity platform to enable school staff and student users with a true single set of credentials for all application access. Second, we needed to assist them in getting Microsoft Authenticator in place as the integrated MFA solution to sufficiently secure the technology and get WCPS in compliance with its cybersecurity insurance policy.”

With that goal and those tasks in mind, Data Networks engineers designed a solution architecture and helped WCPS Technology team members create a solid plan to complete the initiative. The school district already used Azure Active Directory (Entra ID) authentication for some of its external applications, so Data Networks recommended the project team continue to leverage this tenant for all applications. Data Networks engineers advised and worked with the WCPS Technology team to plan the migration of the on-premises Active Directory and Google identities to the cloud. Google Workspace, which had used native Google sign-in, was to be redirected to Azure Active Directory (Entra ID) for authentication. The on-premises Active Directory identities were to be brought into the cloud through the Azure Active Directory Connect synchronization utility (now Microsoft Entra Connect), which the WCPS Technology team already had in place. Data Networks engineers recommended some improvements to its configuration, and the execution of the moves to Azure Active Directory (Entra ID) began.

Mission accomplished

Data Networks engineers actively participated in the first few migrations and rollouts to allow the WCPS team to become completely comfortable with the process. Then WCPS staff took the lead on the remainder, with Data Networks providing support and advisory services.

School district offices were completed first over the summer break, followed by all the schools during the early part of the following school year. At each school, the project team had to migrate the identity data to Azure Active Directory (Entra ID), spot check user application access and Authenticator MFA for accuracy, and conduct training and support for staff as quickly as possible to minimize classroom disruption. One to two schools were completed per day on average.

Danielle Kelley, WCPS’ Information Technology (IT) Manager of Business Services and Cybersecurity, says, “Data Networks engineers were smart and helpful for us with the assessment during the early stages at the school district offices and then as advisors during the school rollouts. Their Azure Active Directory (Entra ID) knowledge was strong. They recommended and convinced us to do some things we hadn’t quite considered that made the finished solution exceed our expectations, such as guiding us to implement Microsoft’s MyApps portal to converge users’ applications into a single web location, and writing scripts to assign individual users to their correct Azure Active Directory Dynamic Groups which help simplify ongoing maintenance of user access permissions. Data Networks engineers also created Microsoft Authenticator MFA training guides for us, which we tailored and continue to use as a basis for teaching all our users how to complete our specific MFA process.”
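One practical detail behind the “scripts to assign individual users to their correct Dynamic Groups” mentioned above: Entra ID dynamic groups do not take direct member assignments. Each group carries a membership rule that Entra evaluates against user attributes, so a script of this kind really maintains the attributes the rules key on and makes sure a correctly written rule exists for each group. The following PowerShell is an added illustration of that pattern; it is not Data Networks’ or WCPS’ script. It assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), an account granted User.ReadWrite.All and Group.ReadWrite.All, and a hypothetical roster CSV with UPN, School and Role columns. The choice of department and jobTitle as the rule attributes, the school and role values, and the group naming scheme are assumptions for the example.

```powershell
# Added example, not the project's own code. Assumes the Microsoft Graph PowerShell SDK
# and delegated scopes User.ReadWrite.All and Group.ReadWrite.All.
# Roster layout (hypothetical), e.g. roster.csv:
#   UPN,School,Role
#   jdoe@example.org,Example Elementary,Staff
#   asmith@example.org,Example Elementary,Student
param(
    [string]$RosterPath = ".\roster.csv",
    [switch]$DryRun          # report intended changes without writing to the tenant
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"

$roster = Import-Csv -Path $RosterPath

# 1. Stamp each user with the attributes the membership rules key on.
#    These attributes are effectively a security boundary: whoever can write them
#    controls group (and therefore application) access, so only this controlled
#    process or the directory sync should ever set them.
foreach ($row in $roster) {
    $user = Get-MgUser -UserId $row.UPN -Property Id, UserPrincipalName, Department, JobTitle `
                       -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "Not found in Entra ID: $($row.UPN)"
        continue
    }
    # Skip users that are already correct so the script is safe to re-run.
    if ($user.Department -eq $row.School -and $user.JobTitle -eq $row.Role) { continue }

    Write-Host "Updating $($row.UPN): Department='$($row.School)' JobTitle='$($row.Role)'"
    if (-not $DryRun) {
        Update-MgUser -UserId $user.Id -Department $row.School -JobTitle $row.Role
    }
}

# 2. Ensure one dynamic security group exists per school and role, and that its
#    rule still matches what step 1 writes (detects drift from manual edits in the portal).
$schools = $roster | Select-Object -ExpandProperty School -Unique
foreach ($school in $schools) {
    foreach ($role in @("Staff", "Student")) {
        $name = "$school - $role"
        # Membership rule syntax: string literals in double quotes, clauses joined with 'and'.
        $rule = "(user.department -eq `"$school`") and (user.jobTitle -eq `"$role`")"

        # OData filter uses single quotes; escape any apostrophe in the school name.
        $filterName = $name -replace "'", "''"
        $existing = Get-MgGroup -Filter "displayName eq '$filterName'" `
                                -Property Id, DisplayName, MembershipRule |
                    Select-Object -First 1

        if ($existing) {
            if ($existing.MembershipRule -ne $rule) {
                Write-Host "Rule drift on '$name'; resetting to expected rule"
                if (-not $DryRun) { Update-MgGroup -GroupId $existing.Id -MembershipRule $rule }
            }
            continue
        }

        Write-Host "Creating dynamic group '$name'"
        if (-not $DryRun) {
            New-MgGroup -DisplayName $name `
                        -MailEnabled:$false `
                        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
                        -SecurityEnabled `
                        -GroupTypes @("DynamicMembership") `
                        -MembershipRule $rule `
                        -MembershipRuleProcessingState "On" | Out-Null
        }
    }
}
```

Run it first with -DryRun and review the reported changes before writing to the tenant. Entra evaluates dynamic membership asynchronously, so a user will not appear in the group the instant the attribute is written; check Get-MgGroupMember a few minutes later rather than immediately. Because the rule attributes decide access, restrict who can edit department and jobTitle (through Entra Connect attribute flow or an administrative unit) to the same small set of people who can run this script.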

The project results are encouraging to say the least. WCPS staff are pleased that each now needs only one Microsoft user account and one set of credentials to get their work done. The WCPS Technology team’s system administrators no longer maintain authentication in multiple places. When a user joins, changes roles within, or leaves the school district, the system administrator only needs to add, modify, or disable that user’s identity in a single source.

As Allen puts it, “With the Azure Active Directory (Entra ID) and MFA integrated solution operational throughout WCPS now, we have no overwhelming user access support issues. Our user community has accepted MFA, even with it adding some steps and time to their authentication process. Most importantly, our data is more secure today than it was, and our vulnerability has been minimized. I have my capable Technology team and Data Networks engineers to thank for that.”
