NOTE: This is a copy of the original document. This copy is intended for those outside the Microsoft Infrastructure service team to reference.
Status: Production (prior version of this document)
The existing version of this document will become production on 1/11/2017.
This document describes a request fulfillment process for handling MI requests for Azure AD applications with risky permissions. Its purpose is to:
- Enable business use
- Show due care for integration with UW confidential data
The following parties are involved in this process, listed by name, role, and responsibilities.

| Party | Role | Responsibilities |
|---|---|---|
| Requestor | | Submit the request for the Azure AD application with sufficient information needed by approvers. |
| MI Support | | Support the requestor through this process. |
| MI Engineering | | Configure/create the application if the request is approved. |
| AAD App Risk Scoring Team | | For approvals, assess the application as fit for use, identifying potential/necessary mitigations so that applications are fit for use. |
| AAD App Risk Review Team | Reviewer/Consultant | On a periodic basis, review applications for risk. On an as-needed basis, provide consulting on application risks and suggested mitigations. |
| MI Service Manager | Approver | For basic approvals, approve the application as fit for use. For extended approvals, take the risk assessment and ensure any necessary mitigation is applied to the application before approving it for use. |
The MI Support role is filled by the service team members.
The MI Engineering role is filled by the service team engineers.
The AAD App Risk Scoring team is:
- Eric Kool-Brown
- Shawn Drew
- Jonathan Pass
- Roland Lai
The AAD App Risk Review Team is filled by a representative from the Attorney General's Office, Office of the CISO, and Risk Management.
The MI Service Manager role is filled by the service manager or their designated alternate during leave.
- Applicant submits the MI Azure AD Application Request Form, resulting in a new UW Connect record.
  - The UW Connect record is assigned to CI=Azure AD, Assignment Group=Microsoft Infrastructure.
  - MI Support reviews the customer's request for required information:
    - Verify the Type of AAD application is provided.
    - Verify the Access to other AAD applications being requested is described sufficiently that we know what the client is requesting.
    - Verify the Business Need is described.
    - Verify the Data Use & Exposure is described.
    - Coordinate with the Customer to ensure all required information is available for approvers.
    - If necessary, add the application in the dogfood tenant to determine any unclear information and/or clarify with the customer anything missing or unclear.
    - When the required information is provided, set expectations with the Customer: the request is now moving on to the approval stage.
- MI Support passes the baton to a member of the AAD App Risk Scoring Team:
  - MI Support creates an RTASK assigned to a member of the AAD App Risk Scoring Team. The description should clearly say "we have a risky AAD app which needs analysis for approval".
  - The RTASK owner on the AAD App Risk Scoring Team notifies the team about the need to review the app.
  - The AAD App Risk Scoring Team reviews the details provided, does whatever activities are needed, and renders a decision. That decision may include conditional approval pending mitigations. NOTE: If there is a clear service manager/owner, system manager/owner, or data custodian representing the AAD application permission that the requested risky AAD app needs, then that individual can/should be approached to make a risk acceptance decision. In that case, no decision is needed from the App Risk Scoring Team, and in step #4 we open a routine change which does not need CAB approval. For example, if application Q wanted Directory.Read.All, the MI service manager could make the decision. If application J wanted OneDrive.SpecialAdminPermission (there is no such thing), the MSCA service manager could make the decision.
  - The RTASK owner documents the decision, the rationale behind it, and any suggested mitigations for historical review.
  - The RTASK owner communicates the decision. If discussion is needed, the RTASK owner coordinates and facilitates the mitigation discussion.
  - The RTASK is marked complete.
- MI Support reviews the decision on whether to proceed with approval.
  - MI Service Manager discusses potential mitigations with the requestor to identify whether they are acceptable.
  - If the application has acceptable risk, it is approved.
- MI Service Manager sends the app approval to the AAD Change Advisory Board for an additional decision. NOTE: if in 2c the risk was accepted by a specific owner/manager/steward, then a routine change is opened and approved, and no decision by the CAB is needed.
  - AAD CAB supplies its own process for reviewing app approvals. Note
  - If approved, move on to #7.
  - If denied, the service manager reviews the concerns and may start over at a prior step or communicate the denial to the customer.
- Request owner coordinates access with MI Engineering.
  - Ask MI Engineering to add the requested AAD application.
  - MI Engineering adds the requested AAD application.
- MI Support updates the MI AAD Apps - Fulfilled Requests list (Azure AD Application - Fulfilled Requests):
  - Record the application that was authorized and the requestor.
  - Record the access granted.
  - Record the UW Connect record number tied to the request and approvals.
  - Record the status of the request.
  - Record the data exposure.
  - Record any required mitigations.
  - Record the approval date.
  - Record notes as needed.
- MI Support responds to the Customer: you're good to go.
- MI Support resolves the UW Connect record.