IT KORR Knowledge Center
MFA Rollout Checklist
A step-by-step checklist for rolling out multi-factor authentication without a support-desk avalanche.
Before Rollout
- Highest-value accounts (admins, finance, executives) identified for priority enrollment.
- Primary MFA method selected for general staff, with a documented fallback method.
- Legacy authentication protocols inventoried and a plan set for disabling them.
- Break-glass account(s) established and excluded from any Conditional Access policy in progress.
- Communication drafted and scheduled — sent before enforcement, not during.
During Rollout
- Administrative and high-value accounts enrolled first, on phishing-resistant methods where possible.
- Self-enrollment window provided to general staff before enforcement begins.
- Push-notification MFA configured with number-matching, if used.
- New Conditional Access policies tested in Report-only mode before enforcement.
- Support desk briefed on expected enrollment issues and the documented recovery process.
After Rollout
- MFA coverage confirmed at 100% of active accounts, with any exceptions explicitly documented.
- Legacy authentication protocols confirmed blocked.
- Lost-device / lockout recovery process tested at least once with a real (non-emergency) scenario.
- Coverage and method-strength reviewed on a recurring schedule, not just at initial rollout.
Related Resources
- Multi-Factor Authentication: Methods and Best Practices — /knowledge-center/cybersecurity/identity-access-management/mfa-guide
- Identity & MFA Readiness Assessment — /tools/identity-mfa-readiness-assessment