Update: AAD/O365 2FA MFA project & Expand MFA 2FA project [time boxing this to 15m max]
- Conditional Access design/operations; for MFA? (includes CHG expectations)
- Azure MFA remember me settings to match emerging Duo remember me
- Per-user opt-in & per-org requirement, with UW requirement following UW Identity Provider (IdP) remember me
- Early adoption period for individuals and organizations to always use 2FA; required to always use 2FA later in year
- Both Shib UW IdP & AAD likely to share the same opt-in group or coordinate implementation groups, but still need to work out how to handle exceptions
- Likely to prevent MFA requests to Shib UW IdP at ADFS from AAD relying party (to prevent "double" MFA logons; count=1K users?)
- Timing still unclear, but as you know we have some users already in place (count<=100), so timing is about being ready at scale
- Discuss: MS recommendation to remove user consent [time boxing this to 15m max]
- Current status: no change has been made.
- Acknowledgement that we should consider adding additional conditions to monitor/alert.
- Is there broad agreement that removing user consent is too disruptive w/o better rationale?
- What additional conditions might we alert on? And/or what additional review practices should we implement?
- Discuss: Azure AD Strategy on a Page [time boxing this to 20m max]
- Topic relates to AAD govteam purpose: to help guide AAD design and implementation; to explore and evaluate proposed designs
- Topic relates to ITI division's resourcing practices; help staff who take on too many current commitments/initiatives related to AAD strategy
- Goal of one-pager is to create a living strategy document for service design changes; linking initiatives to business needs and outcomes
- One-pager document helps decide, communicate, and align resources with current, planned, and future initiatives
- One-pager document also enables communication across teams, with customers, and with vendors/suppliers
- What does the AAD govteam want to communicate through the AAD Strategy on a Page?
- Some needs/outcomes come from Microsoft
- Some needs/outcomes come from MI/MSCA service teams
- Some needs/outcomes come from AAD customers
- Some needs/outcomes come from AAD end users
- Does every new need immediately become a current initiative?
- Examples throughout this agenda, e.g.: consent topic, "MS recommendation", "we should", "broad agreement", "might we alert?", "should we implement?"; now, planned, future?
- Discuss: Enable hybrid AAD join & Office ProPlus device licensing [time boxing this to 10m max]
- Some very limited exploration of hybrid join happening today.
- Would like agreement that we can expand exploration as broadly as all MWS computers, to explore the impacts in a reasonably well-understood environment before we consider flipping to a default where all NETID-joined computers are hybrid joined.
- Hybrid join is needed for Office ProPlus device licensing, and also enables a variety of security controls and scenarios
- Update: AMC SSO conversations [time boxing this to 5m max]
- Draft report written by UWM staff presented to Slayton/Cris; unclear what will happen next
- Solutions require significant resourcing and/or strategy shift from UWM
- Update: Hybrid Cloud for AD joined: ExpressRoute hub VNet project to get resourcing [time boxing this to 5m max]
- Input on backlog & Future discussion topic input