SSO & MFA Deployment

11 Logins Replaced with One: SSO and MFA Across 8 Retail Locations in 6 Weeks

A multi-location retail chain with 200+ employees was managing 11 separate login systems, shared POS terminal credentials, and no MFA anywhere. garrisonOne deployed Microsoft Entra ID as the identity platform, connected all systems via SSO, rolled out MFA chain-wide, and resolved an outstanding PCI flag from their payment processor.

  • 8 store locations unified under one identity platform
  • 70% drop in password reset IT tickets
  • 11 → 1: system logins replaced by SSO
  • Zero shared POS credentials remaining
The challenge

Eight locations, 11 separate logins, shared POS terminals, and a PCI flag on the table

The chain had grown from a single flagship store to eight locations over seven years. Every system added along the way came with its own login: scheduling, inventory, POS, payroll, email, shift management, and more. Staff were managing up to 11 separate usernames and passwords, and password resets were consuming nearly eight hours of IT time every week across the organisation.

POS terminals were the most urgent issue. Staff shared terminal credentials rather than logging in individually, a practice the payment processor flagged during a routine PCI review. High turnover made the problem worse: when staff left, there was no reliable process to revoke access, and shared credentials meant there was no way to know who had used a terminal or when. The operations director needed a fix that would survive the pace of a retail environment.

  • 11 separate system logins per staff member: scheduling, POS, inventory, payroll, and more, each with its own credentials managed separately
  • Shared POS terminal credentials: POS logins shared across shift staff, with no individual accountability for payment system access
  • No MFA on any system: email, payroll, and back-office systems protected by password alone, with zero second-factor enforcement
  • Unreliable offboarding under high staff turnover: no automated deprovisioning, so departed staff regularly retained system access for weeks after leaving
  • ~8 hours/week on password resets: IT fielding constant reset requests across 8 locations, a significant operational overhead
  • PCI flag from payment processor: shared POS credentials flagged during a routine review, with resolution required before the next audit cycle

Our findings

What the identity and application mapping uncovered

Before designing the SSO architecture, garrisonOne mapped every application in use across all eight locations, cataloguing each system's login method, user count, SSO compatibility, and current offboarding status.

  • 11 separate applications with individual login credentials across the chain
  • ~8 hours of IT time consumed weekly by password reset requests across 8 locations
  • 0 applications with MFA enforced: no second-factor protection anywhere
  • Delayed offboarding: access revoked days to weeks after departure, not on the last day

Seven of the eleven applications supported SAML or OIDC-based SSO; three required API-based user management integrations, and one legacy scheduling tool needed a workaround via shared account provisioning. Mapping this upfront shaped the rollout sequence and prevented delays mid-deployment.


What we did

A four-phase SSO and MFA deployment across 8 locations

Rolled out store by store to keep operations running; each location went live without affecting the others during the transition.

Microsoft Entra ID was selected as the identity platform based on existing M365 licensing, SSO compatibility with the majority of existing applications, and native integration with the POS system's identity provider.
Phase 1: Application Mapping & Identity Audit
Inventoried all 11 applications in use across the chain, documenting SSO compatibility, current auth methods, user counts per location, and offboarding workflows. Identified seven SAML/OIDC-compatible apps, three requiring API integration, and one requiring a provisioning workaround. Reviewed all current user accounts and flagged stale access from departed staff.

Phase 2: Identity Platform Setup (Microsoft Entra ID)
Configured Microsoft Entra ID as the central identity platform. Set up user accounts, role groups, and location-based access policies for all 200+ staff. Established automated provisioning and deprovisioning rules: new accounts created from HR data, and departures triggering immediate revocation across all connected systems.

Phase 3: SSO & MFA Rollout, Store by Store
Connected all 11 applications to Entra ID SSO, rolled out MFA via Microsoft Authenticator, and trained staff at each location during a single half-day visit. Stores were migrated sequentially, with each location fully live before the next began. On-site support at each store during cutover ensured zero shift disruption. MFA was deployed in report-only mode first, then enforced after two weeks of monitoring.

Phase 4: POS Individual Logins & Offboarding Automation
Worked with the POS vendor to configure individual employee logins on all POS terminals, eliminating shared credentials entirely. Configured automated offboarding: an HR system departure trigger revokes access to all 11 applications within minutes. Delivered PCI documentation evidencing individual accountability on payment systems for submission to the payment processor.
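The two automation pieces described in Phases 3 and 4 (an MFA Conditional Access policy that starts in report-only mode and is later enforced, and an offboarding routine an HR departure trigger can call) look roughly like the following in the Microsoft Graph PowerShell SDK. This is an added illustration, not garrisonOne's deployment code or the chain's actual configuration; the store group ID, policy names and the departing user's UPN are placeholders, and the caller is assumed to hold the listed Graph scopes.

```powershell
# Added example, not garrisonOne's scripts. Assumes the Microsoft Graph PowerShell SDK
# is installed and the signed-in admin has the scopes below. All IDs and names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.ReadWrite.All", "Group.ReadWrite.All"

# --- Phase 3: MFA in report-only mode first, enforced after the monitoring window ---
function New-StoreMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $StoreGroupId,   # Entra group holding one store's staff (placeholder)
        [Parameter(Mandatory)] [string] $DisplayName
    )
    $policy = @{
        displayName   = $DisplayName
        # Report-only: every sign-in is evaluated and logged, but nothing is blocked yet.
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeGroups = @($StoreGroupId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }
    return New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

function Enable-StoreMfaPolicy {
    param([Parameter(Mandatory)] [string] $PolicyId)
    # Flip the same policy to enforced once the report-only sign-in logs show no
    # unexpected failures (the case study used a two-week window).
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -State "enabled"
}

# --- Phase 4: offboarding routine invoked by the HR departure trigger ---
function Invoke-Offboarding {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    # 1. Block new sign-ins to every SSO-connected application.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    # 2. Invalidate refresh tokens so sessions already open stop working too.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    # 3. Strip the group memberships that grant application and POS access.
    foreach ($member in Get-MgUserMemberOf -UserId $user.Id) {
        if ($member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
            Remove-MgGroupMemberByRef -GroupId $member.Id -DirectoryObjectId $user.Id
        }
    }
    Write-Output "Offboarded $($user.UserPrincipalName) at $(Get-Date -Format o)"
}

# Example usage with placeholder values:
# $p = New-StoreMfaPolicy -StoreGroupId "<store-01-group-object-id>" -DisplayName "MFA - Store 01"
# Enable-StoreMfaPolicy -PolicyId $p.Id          # after the report-only monitoring window
# Invoke-Offboarding -UserPrincipalName "departing.user@example.com"
```

Two design points worth noting: disabling the account alone does not end sessions that already hold a refresh token, which is why the revocation step follows it, and a production Conditional Access policy normally excludes the tenant's emergency-access accounts so an MFA outage cannot lock administrators out.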

Key deliverables

  • Microsoft Entra ID identity platform: configured for all 200+ staff across 8 locations with role-based access groups
  • SSO configuration for all 11 applications: 7 via SAML/OIDC, 3 via API provisioning integration
  • MFA deployment across all staff: Microsoft Authenticator with per-store onboarding sessions and a 2-week report-only period
  • Individual POS terminal logins across all 8 locations: shared credentials eliminated with full access audit trail
  • Automated offboarding workflow: HR departure trigger revokes access to all connected systems within minutes
  • PCI documentation package: individual POS accountability evidence submitted to payment processor for PCI flag resolution

Outcomes

One login, zero shared POS credentials, and 70% fewer IT tickets

The impact was visible within days of each location going live. Password reset requests dropped immediately; by the time the eighth store was complete, IT ticket volume had fallen by 70%. Offboarding became instant. The PCI flag was resolved within two weeks of the POS login migration.

  • PCI flag from payment processor resolved: individual POS credentials deployed, and the payment processor confirmed the PCI requirement satisfied.
  • 1 login for all 11 systems across every location: staff authenticate once, and SSO handles the rest across every connected application.
  • Zero shared POS credentials remaining: every terminal now requires an individual login, giving full access accountability on all payment systems.
  • Instant offboarding across all systems: an HR departure triggers immediate revocation, with no manual steps and no access delays after the last day.
  • MFA on all 11 systems at all 8 locations: 200+ staff enrolled with no shift disruption, and MFA enforced across the entire estate.

"Our staff went from juggling 11 passwords to just one. The first week after rollout, I didn't get a single password reset call. That alone was worth it. Clearing the PCI flag was the cherry on top."

IT Manager, Multi-Location Retail Chain

Give your team one login, and your IT team their time back

Get a free 30-minute consultation with a garrisonOne SSO specialist: we'll map your applications and outline a rollout plan that works around your operations.
