- Update: AAD/O365 2FA project & Expand MFA project [time boxing this to 15m max]
  - Conditional Access design/operations (includes CHG expectations)
  - Azure MFA remember me settings to match emerging Duo remember me
  - Per-user opt-in & per-org requirement, with UW requirement following later in year
  - Both Shib & AAD likely to share same opt-in group, but still need to work out how to handle exceptions
  - Likely to prevent MFA requests to Shib IdP at ADFS from AAD relying party (to prevent "double" MFA logons)
  - Timing still unclear, but as you know we have some users already in place, so timing is about being ready at scale
- Discuss: MS recommendation to remove user consent [time boxing this to 15m max]
  - Current status: no change has been made. Acknowledgement that we should consider adding additional conditions to monitor/alert.
  - Is there broad agreement that removing user consent is too disruptive w/o better rationale?
  - What additional conditions might we alert on? And/or what additional review practices should we implement?
- Discuss: Azure AD Strategy on a Page [time boxing this to 20m max]
- Discuss: Enable hybrid AAD join & Office ProPlus device licensing [time boxing this to 15m 10m max]
  - Some very limited exploration of hybrid join happening today.
  - Would like agreement that we can expand exploration as broadly as all MWS computers, to explore the impacts in a semi-well-understood environment before we consider flipping to a default where all NETID-joined computers are hybrid joined.
  - Hybrid join is needed for Office ProPlus device licensing, and also enables a variety of security controls and scenarios
- Update: AMC SSO conversations [time boxing this to 5m max]
  - Draft report written by UWM staff presented to Slayton/Cris; unclear what will happen next
  - Solutions require significant resourcing and/or strategy shift from UWM
- Update: Hybrid Cloud for AD joined: ExpressRoute hub vnet project to get resourcing [time boxing this to 5m max]
- Input on backlog & future discussion topics