From 2-User Passkey Pilot to an Org-Wide Rollout (Microsoft 365 and Google Workspace)
You proved it works with a quick passkey pilot. Now make it stick across your organization—without breaking logins or drowning the help desk.
If you haven’t run the starter pilot yet, begin here: Goodbye Passwords: A 10-Minute, 2-User Passkey Pilot (Microsoft 365 + Google Workspace) 👉 https://www.stammtech.com/feed/goodbye-passwords-a-10-minute-2-user-passkey-pilot-microsoft-365-google-workspace/
Why “MFA On” Isn’t the Finish Line
Attackers adapted. MFA fatigue prompts, legacy IMAP/POP, and basic auth create side doors that a simple “MFA on” setting never closes. Winning looks like phishing-resistant sign-ins, healthy devices, and smart access rules, rolled out in a calm, staged way your team can actually live with.
Here’s the practical ladder we use with Milwaukee SMBs:
Passkeys → Number-match MFA → Device compliance → Conditional Access → Kill legacy auth (plus a little upfront governance so nothing catches fire)
Step 0: Governance You’ll Be Glad You Set First
A tiny bit of structure makes the rollout smoother.
- Break-glass account policy: dedicated name, long random passphrase in a sealed place, app-based MFA, tested monthly, monitored logins.
- Help-desk SOPs: lost device, new device, travel mode, and “can’t use passkey today.”
- Exception tracking: owner, business reason, expiry date, and review cadence.
Goal: reduce “just this once” bypasses that become permanent risk.
Step 1: Passkeys for Admins & Finance, Then Leadership
Keep momentum from your pilot and expand by role, not by department.
- Start with high-risk roles: global/admin roles, finance, payroll, banking.
- Prefer phishing-resistant methods: platform/synced passkeys for day-to-day; hardware-bound keys for higher assurance needs.
- Keep a short “fallback runway”: a 24-hour emergency window (Temporary Access Pass / backup codes) when moving a cohort.
Step 2: Number-Match MFA Everywhere Else (Retire SMS Where Possible)
Not everyone needs passkeys on day one. For the broader staff:
- Enforce number-match MFA (push with code confirmation).
- Turn off SMS where feasible; it’s better than nothing, but easier to phish.
- Teach the habit: “If you didn’t initiate it, deny and report.”
Outcome: fewer successful phish and fewer “approve taps”.
Step 3: Device Compliance (Only Healthy, Encrypted Devices Get In)
Identity isn’t just who you are; it’s also what you’re holding.
- Minimum OS version & patch level
- Full-disk encryption and screen-lock
- Endpoint protection on and current
- Block access from non-compliant or unknown devices
Translate for execs: “Only healthy, encrypted devices touch company data.”
Step 4: Conditional Access / Context-Aware Access
Make risky sign-ins fail quietly.
- Require phishing-resistant methods for high-risk apps (payroll, banking).
- Block/step-up by geo (impossible travel), device posture, and sign-in risk.
- Remove public admin endpoints; funnel admins through SSO.
You’ll see fewer weird prompts and fewer late-night “was that you?” messages.
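To make the Step 4 rules concrete, here is an added example (not code from the original post, and not Microsoft’s or Google’s policy syntax) that models how several Conditional Access style policies combine for one sign-in: every policy whose conditions match is applied, any matching “block” wins outright, and otherwise every grant requirement (compliant device, MFA, phishing-resistant MFA) must be satisfied. The policy set, app names, and sign-in contexts are constructed for illustration; the strength ordering password < number-match < passkey is an assumption that mirrors the ladder in this post.

```python
"""Evaluate constructed sign-in contexts against Step 4 style access rules.

Added illustration, not the post's own code and not a real IdP's policy engine.
It shows the combining logic only: block takes precedence over grant, and every
applicable grant control must be met before access is allowed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

SENSITIVE_APPS = {"payroll", "banking"}           # constructed app names
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}
# Assumed authentication strength ordering (password < number-match < passkey).
STRENGTH = {"password": 0, "number_match": 1, "passkey": 2}


@dataclass
class SignIn:
    user: str
    app: str
    client_app: str        # e.g. "Browser", "IMAP4"
    device_compliant: bool
    sign_in_risk: str      # "none", "medium" or "high"
    auth_method: str       # key of STRENGTH
    admin: bool = False


@dataclass
class Policy:
    name: str
    condition: Callable[[SignIn], bool]
    control: str  # "block", "require_mfa", "require_phishing_resistant", "require_compliant_device"


# Constructed policy set that mirrors Steps 2 to 5 of the post.
POLICIES = [
    Policy("Block legacy authentication", lambda s: s.client_app in LEGACY_CLIENTS, "block"),
    Policy("Block high-risk sign-ins", lambda s: s.sign_in_risk == "high", "block"),
    Policy("Require compliant device", lambda s: True, "require_compliant_device"),
    Policy("Phishing-resistant MFA for sensitive apps and admins",
           lambda s: s.app in SENSITIVE_APPS or s.admin, "require_phishing_resistant"),
    Policy("Step up on medium sign-in risk", lambda s: s.sign_in_risk == "medium", "require_mfa"),
    Policy("MFA for everyone", lambda s: True, "require_mfa"),
]


def evaluate(signin: SignIn, policies=POLICIES) -> Tuple[str, List[str]]:
    """Return (decision, policy names).

    decision is "block" (with the blocking policies), "not_satisfied" (with the
    grant controls the sign-in fails to meet) or "allow" (with all applied policies).
    """
    applied = [p for p in policies if p.condition(signin)]
    blocks = [p.name for p in applied if p.control == "block"]
    if blocks:
        return "block", blocks            # block always wins over grant
    unmet = []
    for p in applied:
        if p.control == "require_compliant_device" and not signin.device_compliant:
            unmet.append(p.name)
        elif p.control == "require_mfa" and STRENGTH[signin.auth_method] < 1:
            unmet.append(p.name)
        elif p.control == "require_phishing_resistant" and STRENGTH[signin.auth_method] < 2:
            unmet.append(p.name)
    if unmet:
        return "not_satisfied", unmet
    return "allow", [p.name for p in applied]


if __name__ == "__main__":
    samples = [
        SignIn("scanner", "mail", "Authenticated SMTP", False, "none", "password"),
        SignIn("finance1", "payroll", "Browser", True, "none", "number_match"),
        SignIn("finance1", "payroll", "Browser", True, "none", "passkey"),
        SignIn("staff1", "mail", "Browser", False, "none", "number_match"),
    ]
    for s in samples:
        print(s.user, s.app, "->", evaluate(s))
```

Reading the output in rollout order is the point: the scanner on Authenticated SMTP is blocked before any MFA question is asked (Step 5), the finance user with number-match MFA is stopped short of payroll until a passkey is bound (Step 1 and Step 4), and a non-compliant device fails regardless of how strong the factor was (Step 3).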
Step 5: Kill the Back Doors (Legacy IMAP/POP & Basic Auth)
Sunset safely in phases:
- Audit: shared mailboxes, service accounts, scanners/MFPs, niche tools.
- Replace: modern auth connectors or app passwords as a TEMPORARY bridge with an expiry.
- Decommission: shut off legacy protocols org-wide with documented exceptions and dates.
Legacy protocols are where successful phish often hide. Close them.
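The “Audit” step above, the Step 0 exception register and the “legacy-auth hits” KPI later in this post all rest on the same question: which accounts are still authenticating over legacy protocols, and is each one covered by a documented, unexpired exception? The following added example (not code from the original post) answers it over constructed sign-in records shaped like an Entra ID sign-in log export, using the `clientAppUsed` field to recognise IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync and “Other clients”. The account names, timestamps and register entries are constructed; the register format (owner, reason, expiry) is an assumption that follows the Step 0 list.

```python
"""Audit legacy-protocol sign-ins against an exception register.

Added example, not the post's own code. Input records are constructed JSON
lines in the shape of an Entra ID sign-in log export; the exception register
(owner, business reason, expiry) is an assumed shape that follows Step 0.
"""
import json
from collections import defaultdict
from datetime import date, datetime

# Values of clientAppUsed that indicate basic/legacy authentication.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}

# Constructed sample sign-in records, one JSON object per line.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2024-05-06T08:01:00Z", "userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-06T08:05:00Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-06T09:30:00Z", "userPrincipalName": "shared-ap@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-07T10:00:00Z", "userPrincipalName": "shared-ap@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-07T11:15:00Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
{"createdDateTime": "2024-05-07T11:20:00Z", "userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
"""

# Constructed Step 0 exception register keyed by account.
EXCEPTION_REGISTER = {
    "scanner@example.com": {"owner": "it-ops", "reason": "MFP scan-to-email", "expires": "2024-06-30"},
    "shared-ap@example.com": {"owner": "finance", "reason": "AP mailbox on old client", "expires": "2024-04-30"},
}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_hits(records):
    """Group legacy-protocol sign-ins by account.

    Returns {upn: {"count": n, "protocols": set, "last_seen": datetime}}.
    Failed attempts are counted too: a burst of failures on IMAP/POP is itself
    a signal worth watching, not just successful use.
    """
    hits = defaultdict(lambda: {"count": 0, "protocols": set(), "last_seen": None})
    for rec in records:
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        entry = hits[rec["userPrincipalName"]]
        entry["count"] += 1
        entry["protocols"].add(rec["clientAppUsed"])
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return dict(hits)


def classify(hits, register, today):
    """Sort each legacy-auth account into undocumented, expired_exception or covered."""
    result = {"undocumented": [], "expired_exception": [], "covered": []}
    for upn in sorted(hits):
        exc = register.get(upn)
        if exc is None:
            result["undocumented"].append(upn)
        elif date.fromisoformat(exc["expires"]) < today:
            result["expired_exception"].append(upn)
        else:
            result["covered"].append(upn)
    return result


def audit(log_text=SAMPLE_SIGNIN_LOG, register=EXCEPTION_REGISTER, today=date(2024, 5, 8)):
    """Run the audit; today defaults to a constructed date so the sample is reproducible."""
    hits = legacy_hits(parse_signins(log_text))
    return hits, classify(hits, register, today)


if __name__ == "__main__":
    hits, buckets = audit()
    for upn, info in hits.items():
        print(f"{upn}: {info['count']} legacy sign-in(s) via {sorted(info['protocols'])}, "
              f"last seen {info['last_seen']:%Y-%m-%d}")
    for bucket, upns in buckets.items():
        print(f"{bucket}: {upns}")
```

The three buckets map directly onto the phases above: “undocumented” accounts go into the audit list, “expired_exception” entries are the “just this once” bypasses Step 0 warns about and need an owner decision now, and “covered” accounts are the ones you can leave until their expiry date. The “legacy-auth hits” KPI is simply the total count across all three buckets, which should trend to zero as Week 5 lands.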
Step 6: Phased Enforcement & Comms (The Calm Rollout Plan)
A five-week approach that won’t wreck productivity:
- Week 1: Admins & finance on passkeys; number-match MFA org-wide.
- Week 2: Execs on passkeys; publish the help-desk SOP and “what changes” page.
- Week 3: Enforce device compliance (start with company-owned endpoints).
- Week 4: Conditional Access rules (step-up for sensitive apps; block legacy).
- Week 5: Disable IMAP/POP/basic auth for everyone but documented exceptions; set exception expiries.
Each week lead one change, one announcement, and one office-hours session.
Help-Desk SOP (Copy/Paste)
- Lost phone / new phone: verify identity, issue a Temporary Access Pass or backup code, re-bind MFA and passkeys, revoke the TAP.
- Travel: pre-enroll a second factor; have a temporary “travel access” group with a fixed end date.
- Can’t use passkey today: allow a one-day step-down to number-match MFA, then require re-binding the passkey tomorrow.
- Service accounts / scanners: migrate to modern auth; if impossible, document the exception with an expiry and owner.
What Success Looks Like in 30 Days (KPIs)
Track these in your admin/security dashboards:
- Passkey enrollment (admins/finance/execs): target >80% for each cohort
- Legacy-auth hits: trend to 0
- Risky sign-ins blocked: up at first (a good signal), then stabilizing
- MFA fatigue prompts: down significantly after number-match
- Help-desk identity tickets: small spike during Weeks 1–2, then quieter than baseline
If you can’t see these, we’ll help wire the right reports so you can.
Common Pitfalls (and Easy Fixes)
- Jumping to “enforce for everyone” on day one. You’re better off running a staged plan and keeping a 24-hour fallback for each cohort.
- Leaving public admin panels open “just for a week”. Make SSO the only front door.
- Forgetting printers/scanners! Catalog and migrate or document temporary exceptions.
- Never testing break-glass. Schedule a monthly login test with two people present.
Ready to Roll This Out, Calmly?
- If you’re at the pilot stage: start here - 10-Minute, 2-User Passkey Pilot: https://www.stammtech.com/feed/goodbye-passwords-a-10-minute-2-user-passkey-pilot-microsoft-365-google-workspace/
- If you’re ready for production: book a free 5-point DMARC/MFA posture check (48-hour readout). We’ll map your current state and give you a step-by-step plan.
We can also facilitate a 30-minute restore drill to prove your backups actually work, because identity and recoverability go hand-in-hand.