The Vendor is required to assess, configure, and implement Microsoft’s identity and access management (IAM) solution in support of the County’s identity lifecycle management.
- This includes the use of Microsoft Entra ID and access management capabilities such as IAM, single sign-on (SSO), identity services, and any related Microsoft solution necessary to meet the requirements outlined in this solicitation.
- Okta also provides authentication services, including multi-factor authentication (MFA), and serves as the identity provider for approximately four hundred (400) third-party applications using SAML 2.0. Application access and authorization across the environment are largely managed through Active Directory security groups, which are used to control access to both on-premises and cloud-based applications.
- Workday functions as the authoritative system of record for onboarding, offboarding, and transferring County employees between departments.
- There is limited automation between Workday and downstream systems, with Okta acting to facilitate selective lifecycle events for employees.
- The County operates a hybrid identity model, with on-premises Active Directory synchronized to Azure Active Directory (Microsoft Entra ID). This synchronization is currently configured primarily to support authentication to Microsoft 365 and a limited number of cloud-based platforms.
- Assess Active Directory and Entra ID Sync
• Validate readiness for IAM automation and SSO replacement.
• Analyze AD settings and configurations for best practice and secure design.
• Evaluate domain, OU structure, role-based access control (RBAC)/delegation, security group strategy.
• Identify and remove stale objects and lifecycle inconsistencies.
• Ensure the identity ecosystem (Entra/AD) is configured to support IAM and is in alignment with best practice synchronization designs.
• Identify misconfiguration, risks, and remediation needs.
- Replace current SSO
• Ensure all currently integrated applications are migrated to Entra SSO with minimal service interruptions.
• Ensure all user presentation and authentication processes are migrated to Entra SSO with minimal service interruptions or user interaction.
• Manage and coordinate all communications to minimize impact to system access.
- Implement IAM automation
• Automate workforce onboarding, offboarding, transfers, and system/resource access change assignments.
• System should support county employee and contractor/vendor lifecycles.
• Perform process discovery as needed to automate workflow approvals to ensure timely completion based on user-requested Workday or ServiceNow effective dates for onboarding/offboarding and transfers.
• Implement or replace existing systems as needed to streamline IAM integrations and leverage existing investments in Microsoft licensing to reduce costs on third party platforms performing same or similar functions.
- Integrate IAM with Workday and ServiceNow
• Workday -> IAM for employee lifecycle management.
• ServiceNow -> IAM for contractors/vendors on/offboarding and application access changes (all workforce members).
- Automate application provisioning
• Assign basic application access to new or transferred users, determined by department and/or position classification.
• Automate necessary workflow approval notifications as needed when onboarding/offboarding or transferring employees, contractors or vendors.
• Automate workflow routing of required approvals for application access or elevated rights requests.
• Provide a platform/portal to easily request and automate user system access changes to access new systems, remove access from systems, or modify approved authorization levels from integrated applications. This may also require the platform to open, process, and close a ServiceNow ticket request to retain request records in the current service request platform.
- Strengthening compliance & governance
• Provide additional protections to maintain least privilege access based on data/application owner (approver) authorized levels.
• Enforce contractor account expiration dates with an automated option to extend, with requisite approvals and authorizations.
- Provide documentation, training, and transition to operations
• Operational runbooks.
• Architecture diagrams.
• Knowledge transfer sessions.
• Create knowledge base articles, and other material, or training engagements designed to fully transfer support knowledge to county workforce members.
- Goals:
• Integrate IAM into the county computing ecosystem to automate on/off board and employee transfers.
• Evaluate data accuracy, consistency, and integrity within the AD domain and forest environments.
• Resolve any functional Active Directory synchronization issues that might hinder or overcomplicate the objectives identified in this solicitation.
• Leverage all current county Microsoft licensing levels whenever possible.
• Provide an IAM portal that facilitates user access changes and is integrated with pre-defined authorizations and approvals as needed on a case-by-case basis.
• Provide a methodology by which stakeholders will have visibility into the progress of their requests for on/offboarding, transfers, and application changes.
• Provide a phased system and function delivery approach that is both adaptive and agile to minimize user and system access disruptions and to allow the county to adjust implementation strategy as needed.
• Educate and train current support personnel on the IAM and SSO administrative tasks required to sustain the proposed platform and related infrastructure.
• Provide sufficient documentation and educational materials so that the county can educate our workforce management resources, such as the departmental payroll resource coordinators (PRCs), on how to effectively utilize any implemented IAM or SSO platforms, portals, or other services included in the respondent's solution.