Child pages
  • 2018-12-10 azuread-govteam mtg

Note: extra 15m from empty CAB meeting agenda

Summary agenda:

  • Updates (10m)

  • Discussion topics (55m)

  • Input on backlog & Future discussion topic input (5m)



  1. Review final implementation plans for Inactive Users

    Date            Milestone
    2018/12/10      it-servicechange notification - internal to UW-IT
    2018/12/12      UW-IT service center apprised
    2018/12/13      compdirs, mi-announce, techsupport, MI oucontacts notification
    2018/12/14      Non-person account owner/admins notification (based on analysis now)
    Waiting period  Provides folks time to get accounts in exclusion group
    2019/1/9        mi-announce, techsupport reminder notification
    2019/1/9        Disable: 8 years inactivity (Implementation starts here)
    2019/1/30       Disable: 4 years inactivity
    2019/2/20       Disable: 1 year inactivity (We're to the "new" normal operations here)


    1. Analysis/Proposal: (nothing new here)

    2. Inactive User Design: (summarizes key bits)
    3. Ensure account is active: (defines what is active, how to check, & how to get exception)
    4. Re-enable my account:

    Draft Notification: Inactive users (Dec 2018) - Draft
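    The phased disable above (8 years, then 4, then 1, skipping anyone who has been placed in the exclusion group during the waiting period) can be run as one script parameterised by the phase threshold. The following is an added illustration, not UW-IT's implementation plan or code: it assumes an on-premises AD with the ActiveDirectory PowerShell module, a hypothetical exclusion group named 'inactive-exclusion', and a hypothetical search base; all three names are placeholders.

```powershell
# Added example (not the page's own code): one phase of the inactive-user disable.
# Run with -WhatIf first to see what would be disabled without changing anything.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Phase threshold from the schedule: 8 years, then 4 years, then 1 year.
    [Parameter(Mandatory)][ValidateSet(8, 4, 1)][int]$InactiveYears,
    # Hypothetical group name: members are never disabled by this script.
    [string]$ExclusionGroup = 'inactive-exclusion',
    # Hypothetical container holding the person accounts in scope.
    [string]$SearchBase = 'OU=People,DC=example,DC=edu'
)

# Exclusion group membership, resolved recursively so nested groups count, keyed by SID
# (SIDs are stable across renames; sAMAccountName is not).
$excluded = @{}
Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
    ForEach-Object { $excluded[$_.SID.Value] = $true }

# Search-ADAccount -AccountInactive evaluates the replicated lastLogonTimestamp, which can
# lag real logons by up to about 14 days. At thresholds of years that lag only makes the
# check more conservative: an account is never caught before it truly crosses the line.
$cutoff = New-TimeSpan -Days (365 * $InactiveYears)
$candidates = @(
    Search-ADAccount -AccountInactive -TimeSpan $cutoff -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled -and -not $excluded.ContainsKey($_.SID.Value) }
)

foreach ($acct in $candidates) {
    # ShouldProcess honours -WhatIf / -Confirm, so a dry run is the default safe path.
    if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Disable (inactive >= $InactiveYears years)")) {
        # Disable, do not delete: the re-enable process in the plan depends on the object surviving.
        Disable-ADAccount -Identity $acct.DistinguishedName
        # Leave an audit breadcrumb on the object so support staff can see why it was disabled.
        Set-ADUser -Identity $acct.DistinguishedName -Replace @{
            info = "Disabled $(Get-Date -Format s): inactive >= $InactiveYears years (inactive-user policy)"
        }
    }
}
"$($candidates.Count) account(s) at the $InactiveYears-year threshold"
```

    Run it as `.\Disable-InactivePhase.ps1 -InactiveYears 8 -WhatIf` on the first phase date, review the list, then rerun without -WhatIf; repeat with 4 and 1 on the later dates. Accounts that have never logged on carry no lastLogonTimestamp, so check separately how your directory reports those before relying on the cutoff alone.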

  2. Appropriate account types for Azure AD roles

    A strawman proposal is available at:

    Review and discuss whether this proposal is acceptable to move forward as part of a CHG.

    Notes on where we left this: 
    1. Brian introduces draft proposal for review on appropriate account types.
    2. App developer role – Lots of discussion of app developer role. Brian notes that our current configuration is in alignment with the proposed wide-open account type for that role.
    3. Scott raises concern about Compliance Administrator not having a more stringent recommended account type like tadm. Brian explains that Compliance Administrator has a scope limited to Office 365 apps, with something close to read permissions, so it has the same account type recommendation as the O365 roles.
    4. We run out of time so everyone is encouraged to review this doc, and raise questions or issues. Email the mailing list or add comments to the wiki page.
    5. Guest Inviter
      1. What's the current status of guest user access? To inform discussion, it'd help to know our current design.
      2. What's the current authorization policy for inviting guests? e.g. only current quarter art majors (uw_major_art) are authorized to invite guests.
      3. What accountability do we want in the guest user access process? i.e. personal vs shared accounts
      4. Do we need to enable non-person accounts?
      5. Would use of this role ever require 2FA, either because 2FA is assigned directly to use of this role; or because 2FA is applied more widely such that use of this role requires 2FA



Discussion Notes:

Scott asks if new operational practice on not deleting AAD guest users has customer documentation: No, not yet.

  1. No feedback of significance on Inactive Users
  2. Scott still feels Compliance Admin should be considered at a higher protection level; Brian is happy to shift unless someone objects – no one objected.

    Minor discussion about Lockbox Admin, but decided to leave it as is.

    Scott notes that some existing accounts may need exception; notes hybrid Exchange scenario where the user is leveraging the global admin role instead of the Exchange Service Admin role.

    General satisfaction with this proposal; Brian will submit as a CHG for CAB approval.

Attending: Roland, James, Scott, Josh, Jonathan, John, Brian