Summary agenda:


-Updates on past topics & items of interest (10-15m)


-Discussion topics (50m)

  1. Enable PHS sync option - Brian
    1. Provides business continuity option
    2. Enables Microsoft signaling of known pwned accounts
    3. Required for Azure AD Domain Services
    4. May be chosen architecture via MFA project. We may be able to demo this configuration (on a per user basis) after enabling this.
  2. AAD role approval practices - Brian
    1. https://wiki.cac.washington.edu/x/BJAzBQ

      Notes on where we left this: 
      -Scott raises concern about Compliance Administrator not having a more stringent recommended account type like tadm. Brian explains that Compliance Administrator has a scope limited to Office 365 apps, with something close to read permissions, so it has the same recommendation as the O365 roles. Brian extends compromise to include Compliance Administrator in higher security account grouping.
  3. AAD-only groups or Cloud only Exchange Distribution Lists or template for briefing - Scott and Nathan


-Input on backlog & possible future discussion topic input (5m)


Discussion Notes:

On CISO/Medicine O365 log requirements, I believe Becky et al. described what needs were met through the recent meeting, and no pressing unmet needs remain?

On CHG0037717 (passwd hash sync), when we discussed which CAB mgr would approve the CHG, I recall saying "go for it" and Scott was going to approve it.

On our MI page describing high-level activities, I said I'd update the category descriptions to align with simpler current, next, future designations.

On AAD-only security groups, distribution lists, and O365 groups, Scott said he can't do business analysis, but we offered to discuss it as a topic at a future meeting.