mPass is already running in my environment; the next step is to wire it up to Microsoft Authenticator for multi-factor challenges and federate everything through Azure AD so users get true Single Sign-On across our corporate intranet. The end goal is a clean, one-click experience in Chrome and uninterrupted access for Outlook and other email clients. Scope of work • Connect mPass to Microsoft Authenticator and verify push, code, and fallback SMS flows. • Establish Azure AD as the identity provider, mapping existing user attributes and security groups so current permissions remain intact. • Configure seamless authentication for all internal web apps (IIS and Apache-based) under our intranet domain. • Confirm Chrome extension or browser settings force MFA only once per session while still honouring sign-out events. • Validate that desktop and mobile email clients (primarily Outlook) respect the same token and do not prompt twice. • Deliver clear rollback steps and an administrator guide for future domain additions. Acceptance criteria 1. A user browsing the intranet from Chrome receives a single Azure AD sign-in, is prompted by Microsoft Authenticator, and lands on the requested page with no extra prompts. 2. Subsequent navigation to other intranet sub-sites stays token-based without re-auth. 3. Outlook on Windows and iOS opens mail, calendar, and contacts without additional MFA after the first sign-in. 4. All activities are logged in both mPass and Azure AD with matching timestamps. 5. Documentation and configuration scripts are handed over in an editable format. Please base the work on best-practice security settings and keep downtime to a minimum during any cut-over.