A request fulfillment process for handling UWWI handling MI Azure AD application requests.
Submit the request for Azure AD application with sufficient information needed by approvers.
UWWI MI Support
Support the requestor through this process.
UWWI MI Engineering
Configure/create application if the request is approved.
AAD App Risk Scoring Team
For extended approvals, assess application as fit for use, identifying potential/necessary mitigations so applications are fit for use
|AAD App Risk Review Team||Reviewer/Consultant||On a periodic basis, review application risk scores. On an as needed basis, provide consulting on application risk scoring and suggested mitigations.|
|UWWI MI Service Manager||Approver||For basic approvals, approve application as fit for use. For extended approvals, taking risk assessment and ensuring any necessary mitigation is applied to applications before approving application for use.|
The UWWI MI Support role is filled by the service team members.
The UWWI MI Engineering role is filled by the service team engineers.
The AAD App Risk Review Team is filled by a representative from the Attorney General's Office, Office of the CISO, and Risk Management.
The UWWI MI Service manager is filled by the service manager or their designated alternate during leave.
Basic requests include the following:
Extended requests include the following:
- Applicant submits UWWI MI Azure AD Application Request Form resulting in a new UW Connect record. Or they initiate some future AAD app request workflow, hopefully also resulting in a new UW Connect record.
- The UW Connect record is assigned to CI=UW Windows Infrastructure, Assignment Group=UW Windows Infrastructure.
- UWWI MI Support reviews the customer's request for required information:
- Verify the Type of AAD application is provided.
- Verify the Access to other AAD applications being requested is described sufficiently that we know what the client is requesting.
- Verify that if there are Terms of Service, a URL to them is provided.
- Verify the Business Need is described.
- Verify the Data Use & Exposure is described.
- Coordinate with Customer to ensure all required information is available for approvers.
- If necessary, add application in dogfood tenant to determine any unclear information and/or clarify with the customer anything missing or unclear.
- When required information is provided, coordinate expectations with Customer: you're now moving on to the approval stage.
- Based on Type of AAD application and Access to other AAD applications being requested determine which kind of approval is needed: Basic or Extended. Basic approval is fulfilled by UWWI MI Service Manager. Extended approval is fulfilled by the AAD App Approval team.
- If required, UWWI MI Support coordinates approval from UWWI MI Service Manager.
- UWWI MI Support creates a RTASK assigned to UWWI MI Service Manager.
- UWWI MI Service Manager documents simple application scores based on supplied information.
- UWWI MI Service Manager indicates approval decision to UWWI MI Support.
- If required, UWWI MI Support coordinates approval from the AAD App Risk Scoring Team. Assign request to UWWI MI Service Manager.
- UWWI MI Support creates a RTASK assigned to AAD App Risk Scoring Team. <details of what is in that RTASK to be decided and added here>
- RTask owner on AAD App Risk Scoring Team creates an entry for the app at https://sharepoint.washington.edu/uwtech/CollabApps/ERMMSCloud/default.aspx.
- RTask owner on AAD App Risk Scoring Team asks team to review app and submit scores.
- RTask owner on AAD App Risk Scoring Team tallies scores and computes average score.
- RTask owner on AAD App Risk Scoring Team determines if team needs to discuss mitigations. If discussion is needed, coordinate and facilitate mitigation discussion.
- RTask owner on AAD App Risk Scoring Team documents average score and any suggested mitigations for historical review.
- Via the RTASK, the RTask owner on AAD App Risk Scoring Team indicates score and suggested mitigations to UWWI MI Service Manager and marks the RTASK complete.
- UWWI MI Service Manager reviews risk scores and any suggested mitigations then makes a decision on whether to proceed with approval
- UWWI MI Service Manager discusses potential mitigations with requestor to identify if they are acceptable.
- If an application has acceptable risk it is approved
- UWWI MI Service Manager send app approval to AAD Change Advisory Board for additional decision.
AAD CAB supplies its own process for reviewing app approvals
- If approved, move on to #7.
- If denied, service manager reviews concerns and may start over at a prior step or communicate denial to customer.
- Request owner coordinates access with UWWI MI Engineering.
- Ask UWWI MI Engineering to add requested AAD application.
- UWWI MI Engineering adds requested AAD application.
- UWWI MI Support updates UWWI updates MI AAD Apps - Fulfilled Requests <need link here>
- Record the Application that was authorized and the requestor.
- Record the access granted.
- Record the UW Connect record number tied to the request and approvals.
- Record the status of the request.
- Record the data exposure.
- Record any required mitigations
- Record the approval date.
- Record notes as needed.
- UWWI MI Support responds to Customer: You're good to go.
- UWWI MI Support resolves UW Connect record.