The solution
Data Networks begins all cloud IAM conversion projects with an assessment of the customer’s current environment. At WCPS, with multiple external applications in use without a single consistent access convention, it was clear that improvement was needed. This was the case not only from the standpoint of end users, but also for WCPS system administrators. If a school district staff member or student reported a log in failure, it was often difficult for a system admin to pinpoint the root cause of the problem.
For example, WCPS subscribed to Google Workspace for email communications, file storage, and other key functions. When a Google Workspace instance uses native Google authentication, it is relatively easy to troubleshoot, locate, and fix the source of a user access issue. But when leveraging a non-Google authentication platform in conjunction with Google Workspace (like WCPS does with on-premises Active Directory), resolving the problem becomes more difficult and time consuming for a system admin.
The existing Google Workspace authentication via Active Directory had additional complexity: Google does not have an application programming interface (API) integration for on-premises Active Directory. Instead, synchronization of user identity data was performed automatically every 45 minutes via an applet program. So, if a school district system administrator reset a user’s password in Google Workspace, he or she also needed to remember to reset it simultaneously and separately in Active Directory to keep the synchronization from overwriting the new password with the old one.
“Streamlining was our consensus goal for the project, said Todd Rechen, Data Networks’ Senior Microsoft Engineer. “There were two significant tasks for us to complete. First, we needed to help the WCPS Technology team redirect all applications to Azure Active Directory (Entra ID) as a single identity platform to enable school staff and student users with a true single set of credentials for all application access. Second, we needed to assist them in getting Microsoft Authenticator in place as the integrated MFA solution to sufficiently secure the technology and get WCPS in compliance with its cybersecurity insurance policy.”
With that goal and those tasks in mind, Data Networks engineers designed a solution architecture and helped WCPS Technology team members create a solid plan to complete the initiative. The school district already used Azure Active Directory (Entra ID) authentication for some of its external applications, so Data Networks recommended the project team continue to leverage this tenant for all applications. Data Networks engineers advised and worked with the WCPS Technology team to plan the migration of the on-premises Active Directory and Google security to the cloud. The existing native Google security was to be redirected to Azure Active Directory (Entra ID) automatically for authentication. The plan to upload the existing on-premises Active Directory application security was based on automation using the Azure Active Directory Connect utility, which the WCPS Technology team already had in place. Data Networks engineers recommended some improvements to its configuration, and the execution of the moves to Azure Active Directory (Entra ID) began.
Mission accomplished
Data Networks engineers actively participated in the first few migrations and rollouts to allow the WCPS team to become completely comfortable with the process. Then WCPS staff took the lead on the remainder, with Data Networks providing support and advisory services.
School district offices were completed first over the summer break, followed by all the schools during the early part of the following school year. At each school, the project team had to migrate the security data to Azure Active Directory (Entra ID), spot check user application access and Authenticator MFA for accuracy, and conduct training and support for staff as quickly as possible to minimize classroom disruption. One to two schools were completed per day on average.
Danielle Kelley, WCPS’ Information Technology (IT) Manager of Business Services and Cybersecurity, says, “Data Networks engineers were smart and helpful for us with the assessment during the early stages at the school district offices and then as advisors during the school rollouts. Their Azure Active Directory (Entra ID) knowledge was strong. They recommended and convinced us to do some things we hadn’t quite considered that made the finished solution exceed our expectations, such as guiding us to implement Microsoft’s MyApps portal to converge users’ applications into a single web location, and writing scripts to assign individual users to their correct Azure Active Directory Dynamic Groups which help simplify ongoing maintenance of user access permissions. Data Networks engineers also created Microsoft Authenticator MFA training guides for us, which we tailored and continue to use as a basis for teaching all our users how to complete our specific MFA process.”
The project results are encouraging to say the least. WCPS staff are pleased now that each only requires one Microsoft user account and one set of access credentials to get their work done. The WCPS Technology team’s system administrators are no longer concerned with maintaining authentication in multiple places. When a user arrives at, changes roles within, or departs from the school district, the system administrator merely needs to add, modify, or disable user identity at a single source.
As Allen puts it, “With the Azure Active Directory (Entra ID) and MFA integrated solution operational throughout WCPS now, we have no overwhelming user access support issues. Our user community has accepted MFA, even with it adding some steps and time to their authentication process. Most importantly, our data is more secure today than it was, and our vulnerability has been minimized. I have my capable Technology team and Data Networks engineers to thank for that.”