Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


This working draft document collects objectives, requirements, and current proposals in a single collaborative document.

REQ2815414 is source.



Provisioning to AAD design proposals

A: Proposed near-term plan -


less work, same update latencies*


  1. the desired exchange-enabled group can include other exchange-enabled groups; i.e. it doesn't have to be flat.
  2. none of the groups above will exceed 50K direct members any time soon.
  3. TBD Azure Connect 50K limit is on direct membership, not effective membership.
  4. TBD All Clinical Shared UW NetIDs by definition and design are in Azure AD; any that aren't in AAD should be.
    1. Therefore, Azure AD is a copy of the system of record (Identity Registry)
    2. Therefore, we can use Identity Registry as the data source for maintaining a group of all Clinical Shared UW NetIDs
  5. * Once IAM releases real-time updates to uw_affiliation groups, update latencies will be equivalent to what they'd be with Subscriptions (plan B).

Here's a near-term plan, based on the requirements, constraints, and assumptions:

  1. MSCA - create a group in the groups service (e.g. u_msca_uwm-exchange-access)
  2. IAM - create Clinical shared UW NetID group
    1. e.g. TBD g_clinical-shared-uwnetids
    2. draft and review proposed design: Clinical shared UW NetID group design
    3. implement proposed design
  3. MSCA / UWM - confirm which of these groups are fit for purpose:
    1. 13: UW Medicine Workforce = uw_affiliation_uw-medicine-workforce
    2. 76: UWP Provider = uw_affiliation_uwp-provider
    3. 77: UWP Admin Staff = uw_affiliation_uwp-staff
    4. 80: UWPN Admin Staff = uw_affiliation_uwnc-staff (TBD? maybe?)
    5. 104: NWHMC Admin Staff = uw_affiliation_nwh-staff
    6. 105: NWHMC Provider = uw_affiliation_nwh-provider
    7. TBD and/or define any new memberships that are needed.
  4. IAM - obtains approval from each group data owner to share UWM group memberships with AAD and Exchange audiences
    1. IAM - remove viewer controls on approved groups
    2. IAM - exchange-enable approved groups
  5. MSCA - add other reference groups to the policy group, as desired
    1. Azure Connect - notice and does its thing per current service design
    2. MSCA - confirms everything looks as desired
  6. IAM - enable real-time updates to uw_affiliation groups
    1. April/May - complete design and testing
    2. April/May - draft, schedule, and approve change (RFC-0562)
    3. May - release to production

B: Alternative plan using Subscriptions - requires more work from IAM

Here's an alternative plan based on UW Subscriptions like is done to populate Azure AD licensing groups:.

Note: this plan will require Ken to develop code to , similar to that for AAD licensing groups, that talks to the Graph API.

  1. Who – task or step in plan
  2. Who – task or step in plan
  3. Who – task or step in plan
  4. Who – task or step in plan
  5. etc.