Status: Draft (not proposed or accepted)
This page describes the AAD CAB, including the goals, roles, and operational processes used to manage changes to our enterprise Azure AD tenant (uwnetid.onmicrosoft.com).
- Enable business use
- Mitigate risks
- Provide excellent infrastructure via reliable service design
- Show due care for the impact of changes on services dependent on our enterprise Azure AD
These goals imply a variety of desired outcomes which we won't explicitly call out, e.g. communication with customers, roll-back plans, pursuing solutions that broadly meet business needs, etc.
The following parties are involved in this process, listed by name, role, and responsibilities.
| Name | Role | Responsibilities |
|---|---|---|
| Customer | Requestor | Submit a request for AAD change with sufficient information about business need. |
| UWWI Support | | Support the requestor through this process, at times suggesting or supplying technical detail and specifics the customer won't be able to supply. Guide requested change through the process to completion. |
| UWWI Engineering | Solution Designer, Implementer | As needed, design solutions which meet requests. Implement approved changes. |
| UWWI Service Manager | Approver (Gate #1), | Approve change to be submitted ... |
| Azure AD Governance team | Approver (Gate #2) | |
| AAD CAB | Approver (Gate #4) | |
The UWWI Support role is filled by the service team members.
The UWWI Engineering role is filled by the service team engineers.
The UWWI Service Manager role is filled by the service manager or their designated alternate during leave.
The AAD Governance team is defined separately at https://wiki.cac.washington.edu/x/9UtJB.
The AAD CAB is comprised of:
- UWWI Service Owner, which currently is Brad Greer
- MSCA Service Owner, which currently is Tom Lewis
Change Request Process
Standard Change Request vs. Expedited Change Request
Standard changes include the following:
Expedited changes include the following:
The UWWI service has a request for a change to:
- the enterprise Azure AD tenant design, including the following items
- namespace design or accepted domains,
- tenant-wide configuration settings,
- enable or disable a new Azure AD capability that Microsoft has released (depends on what the default state of the new capability is)
- change to provisioning or authentication integration design
- Azure services which can only be enabled or changed by a tenant global admin (e.g. Azure RMS, Intune, and many more)
- a one-time change or recurring change--outside existing service design--to some number of objects in our AAD
- implement significant management or operational practices (e.g. AAD app approval process or tenant global admin practices)
- a change to MSCA service design which may have impact on the Azure AD design (note: MSCA may have a separate change approval process, but a change that intersects with AAD design should also use this mechanism)