Sequentur Blog

Helping you stay ahead of IT challenges

Real-world IT knowledge from engineers solving problems every day.

Practical IT knowledge for businesses that can’t afford downtime

How to deploy a password manager across your business

Password,Management,,Password,Concept,Written,Post,It.

Choosing a password manager is the easy part. Getting forty people to actually use it is the part that fails.

Most password manager rollouts do not collapse dramatically. They fade. The tool gets purchased, an admin sets it up, an email goes out with a login link, and three months later half the company still autofills from Chrome, the sales team still shares the LinkedIn password in a group chat, and the vault contains eleven entries. Nothing broke. The project simply never landed, and the business is now paying for the illusion of credential security rather than the substance of it.

This guide covers deploying a password manager properly across a business of roughly 20 to 50 people: what to configure before anyone logs in, how to phase the rollout, how to handle the employees who resist, and how to deal with the passwords already sitting in everyone’s browser. It assumes you have already worked out why you need one and which one you are buying.

What a realistic timeline looks like

Vendors will tell you that you can deploy in an afternoon. You can, in the same sense that you can move house in an afternoon if you are willing to leave most of your belongings behind.

For a 20 to 50 person business, plan for four to six weeks from purchase to the point where the tool is genuinely in use and browser password saving is switched off. It is not four to six weeks of full-time work. It is a few hours a week, spaced out so that people have time to migrate their own credentials without it becoming a crisis.

PhaseDurationWhat happens
Pre-deployment configuration3 to 5 daysAdmin accounts, policy, vault structure, SSO, recovery testing
Pilot group1 to 2 weeks5 to 8 people across different roles, real daily use, friction gets found
Phased rollout2 to 3 weeksDepartment by department, with training at each step
Enforcement and cleanup1 weekBrowser saving disabled, old credentials purged, policy in force

The single biggest scheduling mistake is compressing this into one week and running the rollout during a busy period. The second biggest is letting it stretch past two months, at which point the pilot group has lost momentum and everyone else has concluded the project is optional.

Before anyone logs in

Everything in this section happens before a single regular employee receives an invitation. Skipping it is what produces a vault full of duplicate entries and no way to recover anything.

Set up administration properly

Create at least two administrator accounts. If exactly one person holds admin rights and that person leaves, gets locked out, or is unreachable, you have a serious problem that the vendor’s zero-knowledge architecture specifically prevents them from solving for you.

Admin accounts should be separate from those people’s daily-use accounts, and every one of them should have MFA enforced. Treat these as privileged credentials, because that is what they are: the keys to every key in the business.

Test the recovery process now, not later

This is the step everyone skips and everyone later wishes they had not.

Before rollout, deliberately simulate the disaster. Take a test account, lock it out, and walk through the account recovery or break-glass procedure exactly as you would in a real emergency. Time it. Note who has to approve what. Then write it down as a runbook and store that runbook somewhere that is not inside the password manager, because a recovery procedure locked inside the system you cannot access is not a recovery procedure.

Do this during a calm week. You do not want to be discovering how emergency access works while your bookkeeper is unreachable and payroll is due.

Plan the vault structure before you fill it

Vault structure is one of those decisions that costs nothing to get right at the start and is painful to change once 400 credentials are in the system.

Keep it simple and organizational, not personal. Structure shared vaults around functional groups rather than individuals: Finance, Marketing, IT Administration, Client Accounts. A credential belongs in a shared vault when more than one person legitimately needs it, and in a private vault when it belongs to one person’s identity.

Resist the temptation to create a vault per employee, per client, and per tool. Over-segmentation is the most common structural error. It produces a permissions matrix nobody understands, and when nobody understands the permissions, people work around them by sharing passwords the old way.

Do not migrate everything. This is the moment to audit rather than to copy. Many credentials in a typical business belong to services nobody uses, former vendors, or accounts belonging to people who left two years ago. Moving them into the new system launders dead credentials into an environment that looks clean. Delete them, or at minimum park them somewhere clearly marked for review.

Configure policy before invitations go out

Set your requirements at the tenant level so they apply from the first login rather than being retrofitted later: minimum master password strength, mandatory MFA on the vault, restrictions on exporting or sharing credentials outside the organization, and session timeout behavior.

These settings should mirror what your written cybersecurity policy says. If the policy document and the tool disagree, the tool wins in practice and the document becomes fiction. Configuring policy first also means employees encounter the rules as simply how the system works, rather than as restrictions imposed on them later, which is a meaningfully different psychological experience.

Integrate SSO, if you have it

If you run an identity provider such as Microsoft Entra ID, connect it now rather than after rollout. Migrating people from standalone vault logins to SSO afterward means asking everyone to change how they authenticate a second time, and every additional disruption costs you adoption.

Verify that offboarding actually cascades. Disable a test user in your identity provider and confirm the vault access disappears. That linkage is much of the reason to bother with SSO, and it is worth confirming rather than assuming. If you already run conditional access, extend those policies to cover the password manager.

Run a pilot before the rollout

Pick five to eight people and give them two weeks of real use before anyone else sees the tool.

Choose the pilot group deliberately. You want one person from each major department, at least one who is enthusiastic about the change, and, importantly, at least one who is skeptical. The skeptic is the most valuable person in the group. Enthusiasts will route around friction without mentioning it. Skeptics will tell you precisely where the tool is annoying, and that friction is what determines whether the wider rollout succeeds.

Have the pilot group do the real thing: migrate their actual credentials, use the browser extension and mobile app daily, share something through a team vault, and try to break the workflow. Collect what they hit. Some of it will be configuration you can fix, some will be training material you need to write, and some will be genuine product friction you need an answer for before forty people encounter it at once.

The pilot also produces something more useful than a list of bugs. It produces advocates. When the rollout reaches the marketing department, the fact that their own colleague has been using it for two weeks and says it is fine carries more weight than anything the IT contact or an outside consultant says.

Roll out in phases

Go department by department, one at a time, roughly a week apart. Do not send a company-wide invitation email. A company-wide invitation email produces a company-wide pile of support requests on the same afternoon, which is how a rollout acquires a reputation for being a mess in the first week and never recovers it.

For each department, the sequence is the same. Run a short live session, thirty minutes is plenty. Show the actual tool, not slides. Cover exactly three things: how to log in and set up MFA, how to save and autofill a credential, and how to reach a shared vault. Everything else can wait.

Then have people migrate their own credentials during that session, with someone available to help. This matters more than it appears to. If employees leave the session without having moved a single password, most of them will never start. Twenty minutes of guided migration, in the room, converts a task people intend to do into a task they have begun.

Set a clear deadline for that department to finish migrating, typically a week, and be explicit that browser password saving will be disabled afterward. People need to know the old path is closing, or they will keep walking down it.

Handling the employees who resist

Some resistance is inevitable, and it usually is not really about the password manager. It is about someone being asked to change a workflow that, from their perspective, has never caused a problem.

Take the objections seriously, because they are mostly reasonable on their face.

“My passwords are fine.” They are usually not, and this is the one case where evidence beats argument. Most business password managers include credential health reporting that will show reused passwords and credentials found in known breaches. Show the person their own results privately, never in a group setting. Being told your passwords are weak is embarrassing, and embarrassment produces entrenchment. Being quietly shown that a password you use in three places appeared in a breach produces action.

“This will slow me down.” For the first week, honestly, it will. After that it is faster than typing passwords from memory or resetting the ones you forgot. Say this plainly. Do not promise that the transition is seamless, because the person will discover within a day that it is not, and then they will discount everything else you told them.

“I do not trust putting all my passwords in one place.” This is the most intellectually serious objection and it deserves a real answer rather than reassurance. The concentration is real. The alternative, however, is not that the passwords are safely distributed. The alternative is that they are reused across dozens of sites, stored in a browser profile synced to a personal account, and written in a notebook. A zero-knowledge vault with MFA is a substantially harder target than any of those, and the risk it concentrates is a risk that was already spread everywhere in a much less defensible form.

Silent non-adoption. The hardest case is not the vocal objector but the person who agrees in the meeting and then changes nothing. This is why enforcement exists, and why deadlines have to be real. The admin console will tell you who has logged in and how many credentials they have stored. Use it. A quiet conversation in week two is far better than discovering in month six that a third of the company never onboarded.

The consistent principle here is that adoption is a management problem wearing a technical costume. The tool cannot make anyone use it. Visible leadership use, a real deadline, and a manager who follows up will accomplish more than any feature.

Dealing with browser-saved passwords

This is the step most rollouts leave undone, and leaving it undone quietly negates much of the project.

If Chrome still offers to autofill everything, employees will keep using Chrome to autofill everything, because it is right there and it requires nothing of them. Worse, you now have credentials living in two places, which is strictly less secure than either one alone: the vault is incomplete, and the browser copies are stale, unmanaged, and invisible to you.

Work through it in order. Have employees export their browser-saved credentials and import them into the vault during the migration session, since every major password manager provides an importer for this. Then have them delete the saved passwords from the browser and, critically, turn off the browser’s offer to save new ones. Verify it rather than trusting it, because the setting frequently survives as enabled on a second profile or a personal device.

Then remove the choice. Disable browser password saving through policy rather than instruction. If you manage devices with Microsoft Intune or Group Policy, you can enforce this centrally across Chrome and Edge, which is the only approach that reliably holds. An instruction that people should stop saving passwords in the browser will be followed for about a week.

Sequence this carefully. Disable browser saving after a department has migrated, never before. Doing it first locks people out of credentials they have not moved yet, generates a support queue, and hands every skeptic a story about how the new system broke their day.

Browser-saved passwords are a large enough topic that they deserve separate treatment, particularly around the malware that specifically harvests them, and a later article in this series covers that ground.

After the rollout

A password manager is not a project that finishes. Three things need to persist.

Offboarding has to include the vault. When someone leaves, revoking their vault access and rotating any shared credentials they could see becomes part of the standard offboarding checklist. This is one of the main reasons the business bought the tool, and it only pays off if the process actually runs every time.

Someone has to read the credential health report. Monthly is a reasonable cadence. Reused and breached passwords accumulate quietly, particularly around new hires and newly adopted SaaS tools. The report is only valuable if a specific person owns it.

New hires start in the vault on day one. Their first exposure to how the company handles credentials should be the password manager, not a colleague sending them a shared login over chat because that is faster. Whatever a new employee experiences in their first week becomes their default for years.

Common mistakes

Rolling out to everyone at once. Produces a support pile-up and a first impression of chaos. Phase it.

Skipping the pilot. You will find the friction either way. The only question is whether you find it with six people or with fifty.

Leaving browser password saving enabled. Credentials end up in two places, the vault is never authoritative, and the security benefit largely evaporates.

Migrating everything without auditing. Dead credentials and former vendors get carried into a system that now looks clean and is not.

Never testing recovery. Discovered during an emergency, which is the worst possible moment to learn how it works.

Treating it as an IT project rather than a business change. IT can configure the tool. Only management can make using it non-optional.

Deadlines with no follow-through. If the migration deadline passes and nothing happens, everyone correctly concludes the deadline was decorative, and the next one will be ignored too.

Getting it right is mostly about sequencing

There is nothing conceptually hard in this process. The steps are ordinary and the tools do most of the work. What separates a rollout that lands from one that fades is order and follow-through: configure and test recovery before anyone logs in, pilot before you scale, migrate before you enforce, and enforce before you declare it finished.

Do that and within six weeks the business genuinely runs on unique, strong, managed credentials. Skip the sequencing and you will own an expensive subscription, a half-full vault, and the same passwords in the same browsers as before.

How Sequentur can help

If you want help planning or running a password manager rollout, or you have one that stalled halfway and needs restarting, schedule a call and we will work through it with you.

Get the Best IT Support

Schedule a 15-minute call to see if we’re the right partner for your success.

Invalid Email
Invalid Number
Please check the captcha to verify you are not a robot.
Testimonials

What Our Clients Say

Here is why you are going to love working with Sequentur

Need help?

FAQs About Our Managed IT Services