Child pages
  • 2018-12-10 azuread-govteam mtg
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Current »


Note: extra 15m from empty CAB meeting agenda

Summary agenda:

  • Updates (10m)

  • Discussion topics (55m)

  • Input on backlog & Future discussion topic input (5m)


-Updates on past topics & items of interest (10m)


-Discussion topics (55m)

  1. Review final implementation plans for Inactive Users

    2018/12/10it-servicechange notification - internal to UW-IT
    2018/12/12UW-IT service center apprised
    2018/12/13compdirs, mi-announce, techsupport, MI oucontacts notification
    2018/12/14Non-person account owner/admins notification (based on analysis now)
    Waiting periodProvides folks time to get accounts in exclusion group
    2019/1/9mi-announce, techsupport reminder notification
    2019/1/9Disable: 8 years inactivity (Implementation starts here)
    2019/1/30Disable: 4 years inactivity
    2019/2/20Disable: 1 year inactivity (We're to the "new" normal operations here)


    1. Analysis/Proposal: (nothing new here)

    2. Inactive User Design: (summarizes key bits)
    3. Ensure account is active: (defines what is active, how to check, & how to get exception)
    4. Re-enable my account:

    Draft Notification: Inactive users (Dec 2018) - Draft

  2. Appropriate account types for Azure AD roles

    A strawman proposal is available at:

    Review and discuss whether this proposal is acceptable to move forward as part of a CHG.

    Notes on where we left this: 
    1. Brian introduces draft proposal for review on appropriate account types.
    2. App developer role – Lots of discussion of app developer role. Brian notes that our current configuration is in alignment with the proposed wide-open acccount type for that role.
    3. Scott raises concern about Compliance Administrator not have a more stringent recommended account type like tadm. Brian explains that Compliance Administrator has a scope limited to Office 365 apps, with something close to read permissions, so has same account type recommendation as the roles for the O365 roles.
    4. We run out of time so everyone is encouraged to review this doc, and raise questions or issues. Email the mailing list or add comments to the wiki page.
    5. Guest Inviter
      1. What's the current status of guest user access? To inform discussion, it'd help to know our current design.
      2. What's the current authorization policy for inviting guests? e.g. only current quarter art majors (uw_major_art) are authorized to invite guests.
      3. What accountability do we want in the guest user access process? i.e. personal vs shared accounts
      4. Do we need to enable non-person accounts?
      5. Would use of this role ever require 2FA, either because 2FA is assigned directly to use of this role; or because 2FA is applied more widely such that use of this role requires 2FA


-Input on backlog & possible future discussion topic input (5m)

  • MI activities - high level summary is high-level summary of current, planned and possible future investments, given resourcing & priority
  • Possible future discussion topic list:
    • Azure AD join/hybrid join/InTune
    • Enable Password Hash Sync (for possible business continuity & to enable Microsoft signaling of known pwned accounts)
    • Azure AD Conditional Access management (this is likely to grow & there is huge potential to break things)
    • AAD token lifetime review compared to other UW tokens


Discussion Notes:


  • No labels