
2020/05/11

Agenda:

  • Update:

    • AAD/O365 MFA project & Expand 2FA project [time boxing this to 10m max]

      • Conditional Access design/operations - includes CHG expectation: If policy involves 'all users' or 'all device platforms' or results in 'block access', open a CHG record
      • Plan to shift all AAD admins linked to UW NetIDs from Azure MFA to Duo; timing unclear but new accounts getting Duo
      • Early adoption period for individuals and organizations to always use 2FA; required to always use 2FA at a later point
      • UW IdP & AAD will share implementation groups, but both may have other 2FA policies (e.g. AAD has two for admins)
      • Duo 2FA requests to UW IdP from ADFS are ignored to prevent "double" Duo
      • Exit: Timing for general opt-in is unclear; other AAD Duo 2FA policies ready for business
    • Autopilot/Intune project [time boxing this to 10m max]
      • AADJ access to move to all M365 A3 users
      • Hybrid join to be enabled in AAD Connect (each delegated OU will also need GPO)
      • Autopilot will have only 1 provisioning package:
        • use hybrid join, leveraging the existing Managed Windows VPN
        • do minimal set of config/installation (likely office proplus user)
        • Require a "claiming process" for delegated OU customers to manage the computers
      • Initial release will have no Intune features beyond autopilot; no delegation required
      • Autopilot enrollment process unclear
      • Future enhancement: AAD groups for AADJ devices needed; probably will use AAD-only groups delegated to owners with manual mgmt
      • Exit question: OK delegating decisions in this area to the project team?
  • Discuss: Failed CHG0037805 Exchange Enable all Azure AD-only licensing (lic_) groups [time boxing this to 15m max]
    • Review use cases prompting this CHG. Scott?
      • used as parameters in Exchange transport rules and policies (expressed at time of CHG creation)
    • Options:
      • a) recreate all lic_ groups using Exchange Online
      • b) create parallel/mirror groups with same membership, but using Exchange Online to create
      • c) identify which lic_ groups actually need exchange-enable and only do a) or b) for those groups
  • Discuss: Azure AD group strategy [time boxing this to 15m max]
    • Problems:
      1. 50K member limit via sync
      2. UW Groups doesn't have all relevant AAD object types, e.g. external users, service principals, & devices
      3. Sync latency (1-60m) doesn't meet all needs
      4. Office 365 groups have no UW Groups integration
      5. Office 365 groups and AAD-only groups require manual creation (but ownership allows delegation of mgmt)
      6. UW Group sync to AAD via AD presents major data model issues
      7. AAD only groups aren't in UW Groups
      8. Member privacy for AAD security missing; exists for Office 365 groups
        • No course groups, several other very important groups missing
      9. A few use cases where nested groups don't work
      10. AAD-only groups can't be exchange enabled after the fact
    • Summary of problems: existing design/approach is not meeting the overall need, there are a lot of workarounds, and customers are confused
    • Solution toolbox:
      • a. UW Groups integration directly with AAD (UW Groups event listener to AAD)
      • b. AAD integration with UW Groups (syncing AAD-only groups back to UW groups for visibility only)
      • c. UW Groups expands membership types to include missing AAD objects (and reconcile)
      • d. Expand use of AAD-only groups; build more automation to reduce support costs
      • e. Standardize AAD-only groups practices; e.g. they are all exchange-enabled
      • f. Map all member-privacy groups to Office 365 member private groups
      • g. Turn off Azure AD Connect sync for AD groups
      • h. Populate more AAD data to enable more use of Azure AD dynamic groups
      • i. 
  • Discuss: Azure AD Strategy on a Page [time boxing this to 20m max]
    • Topic relates to AAD govteam purpose: to help guide AAD design and implementation; to explore and evaluate proposed designs
    • Topic relates to ITI division's resourcing practices; help staff who take on too many current commitments/initiatives related to AAD strategy
    • Goal of one-pager is to create a living strategy document for service design changes; linking initiatives to business needs and outcomes
    • One-pager document helps decide, communicate, and align resources with current, planned, and future initiatives
    • One-pager document also enables communication across teams, with customers, and with vendors/suppliers
    • What does the AAD govteam want to communicate through the AAD Strategy on a Page?
      • Some needs/outcomes come from Microsoft
      • Some needs/outcomes come from MI/MSCA service teams
      • Some needs/outcomes come from AAD customers
      • Some needs/outcomes come from AAD end users
      • Does every new need immediately become a current initiative?
      • Examples throughout this agenda, e.g.: consent topic, "MS recommendation", "we should", "broad agreement", "might we alert?", "should we implement?"; now, planned, future?
  • Input on backlog & Future discussion topic input
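The Conditional Access CHG expectation above (open a CHG record when a policy involves 'all users', 'all device platforms', or results in 'block access') can be screened for in the tenant. This is an added example, not something from the meeting or the project team; it assumes the Microsoft.Graph PowerShell SDK and a signed-in account with Policy.Read.All.

```powershell
# Added example: list Conditional Access policies that meet the govteam's
# CHG-record criteria ('all users', 'all device platforms', or 'block access').
# Assumes the Microsoft.Graph PowerShell SDK and Policy.Read.All consent.
Connect-MgGraph -Scopes "Policy.Read.All"

function Get-CaPolicyChgTriggers {
    param([Parameter(Mandatory)] $Policy)
    $triggers = @()
    # Graph expresses "all users" as the literal value 'All' in includeUsers
    if ($Policy.Conditions.Users.IncludeUsers -contains 'All') {
        $triggers += 'all users'
    }
    # "all device platforms" is the literal value 'all' in includePlatforms
    if ($Policy.Conditions.Platforms.IncludePlatforms -contains 'all') {
        $triggers += 'all device platforms'
    }
    # a grant control of 'block' means the policy results in "block access"
    if ($Policy.GrantControls.BuiltInControls -contains 'block') {
        $triggers += 'block access'
    }
    return $triggers
}

# -All follows paging so every policy in the tenant is examined, including
# report-only and disabled ones, since enabling them later is also a change.
$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $hits = @(Get-CaPolicyChgTriggers -Policy $p)
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            DisplayName = $p.DisplayName
            State       = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
            ChgTriggers = ($hits -join ', ')
        }
    }
}
$report | Sort-Object DisplayName | Format-Table -AutoSize
```

Running this before and after a policy edit gives a quick diff of which policies fall under the CHG rule, independent of who made the change.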

-------------------

Possible future discussion topic list:

  • Azure AD Strategy on a Page
  • Azure AD join/hybrid join/Intune
  • Azure AD Conditional Access management (this is likely to grow & there is huge potential to break things)
  • AAD token lifetime review compared to other UW tokens
  • Hybrid Cloud update
  • Current service design
  • Vendor mgmt: what are our top 10 requests for Microsoft?
  • Azure AD service catalog entry review
  • Token revocation
  • External user - what's new & current status

-------------------

Discussion Notes:

Autopilot: Brian to submit list of planned changes & expected impacts to Nathan & Scott

CHG0037805: Try out transition approach for A5 group, then if works, transition the others. Transition approach:

  1. create new lic_ group in EO
  2. assign license to new lic_ group
  3. update subscription code to add user for given license to both old group & new group
  4. wait for relative stability, i.e. both groups have same membership
  5. remove old lic_ group from subscription code
  6. unassign license from old lic_ group
  7. transition complete
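Step 4 of the transition (wait until both lic_ groups have the same membership) is the gate before the old group is dropped from the subscription code. The check below is an added example, not the team's subscription code; it assumes the Microsoft.Graph PowerShell SDK with Group.Read.All, and the two group display names are placeholders.

```powershell
# Added example: verify step 4 of the lic_ group transition, i.e. that the old
# lic_ group and the new Exchange Online lic_ group have identical membership,
# before the old group is removed from the subscription code.
# Assumes the Microsoft.Graph PowerShell SDK; group names are placeholders.
Connect-MgGraph -Scopes "Group.Read.All"

function Get-LicGroupMemberIds {
    param([Parameter(Mandatory)][string]$DisplayName)
    $group = @(Get-MgGroup -Filter "displayName eq '$DisplayName'")
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$DisplayName', found $($group.Count)"
    }
    # -All follows Graph paging, so large license groups are fully enumerated
    return @(Get-MgGroupMember -GroupId $group[0].Id -All | ForEach-Object Id)
}

function Test-LicGroupParity {
    param([Parameter(Mandatory)][string]$OldGroup,
          [Parameter(Mandatory)][string]$NewGroup)
    $old = Get-LicGroupMemberIds -DisplayName $OldGroup
    $new = Get-LicGroupMemberIds -DisplayName $NewGroup
    $oldSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$old)
    $newSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$new)
    $onlyInOld = @($old | Where-Object { -not $newSet.Contains($_) })
    $onlyInNew = @($new | Where-Object { -not $oldSet.Contains($_) })
    [pscustomobject]@{
        OldCount  = $old.Count
        NewCount  = $new.Count
        OnlyInOld = $onlyInOld   # not yet added to the new group by the subscription code
        OnlyInNew = $onlyInNew   # should stay empty while both groups are written
        Stable    = ($onlyInOld.Count -eq 0 -and $onlyInNew.Count -eq 0)
    }
}

$result = Test-LicGroupParity -OldGroup 'lic_a5_PLACEHOLDER' -NewGroup 'lic_a5_eo_PLACEHOLDER'
$result | Format-List
if (-not $result.Stable) {
    Write-Warning "Membership differs; keep writing both groups and do not remove the old lic_ group yet."
}
```

Re-running until Stable is true, across a few sync cycles, is the "relative stability" the notes call for before step 5.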

AAD group strategy: Good lists of problems & solutions. Needs to be pulled into separate strategy doc & worked in.

AAD strategy on page: Wrestling with vendor vs UW goals & the right format. Agreement that transparency and currency (keeping it up to date) are important. Also agreement that this group should have input. AAD capability map & book of work shown as possible other formats which might be useful for this.

Attending: Nathan, Scott, Roland, Jonathan, Josh, Rupert, Becky, Brian
