2017 April

April 21, 2017

Here’s our semi-annual newsletter update on recent happenings with the Microsoft Infrastructure.


==== New Capabilities and Improvements ====


* Self-service Entra ID application identities. On 2/15/2017, we enabled UW users to create and integrate Entra ID application identities. This provides an easy way for developers to integrate with UW identities, but also allows a variety of 3rd party applications to easily be integrated. Users are advised to carefully evaluate the risk of application integrations. This new capability also introduces the ability for users to individually consent to applications acting on their behalf with other applications. More info is available at https://itconnect.uw.edu/wares/msinf/aad/apps/.


* Preferred name data source. On 3/1/2017, we added the preferred name data source to existing data sources that result in the name commonly shown in a variety of locations like Exchange. This improvement means that all UW NetIDs now have a self-service method to update their Microsoft Infrastructure user name value, and significantly increased control of the resulting value. Via a customer survey 8 years ago, you indicated this was your top desired change for this service, and we have been advocating for this type of solution over that entire time period, so we are very pleased to be able to have implemented this. Detailed documentation about how your Microsoft Infrastructure user name value is chosen is at: https://itconnect.uw.edu/wares/msinf/design/arch/id-data-mapping/#name.


* Entra ID Connect. On 1/6/2017, we replaced our aging Entra ID Dirsync infrastructure with the latest Entra ID sync tool. This did not result in immediate new capabilities, but does set us up to take advantage of some new capabilities in the future.




* Microsoft Technology Community. Brian Smith has formed a new community for those active with Microsoft technologies, and the Microsoft Infrastructure service team are active participants. In fact, we’ve given a couple presentations on Microsoft Infrastructure capabilities there. We encourage you to consider joining this community. See https://itconnect.uw.edu/work/resources/ms-tech/ for how to join.


* Microsoft LAPS in the NETID domain. Many of you have asked for a solution to managing local admin passwords. We evaluated the need and possible solutions, and explored whether LAPS met UW security expectations or not. At the April meeting of the Microsoft Technology community (4/19 1:30-3p, Odegaard 220), Patrick Lavielle will present our findings and discuss our plans to provide a solution.


* Entra ID  monitoring. Eric Kool-Brown has built special tools for our service to identify Entra ID configurations which are risky in nature, so we are alerted and can take action. Part of this work included exploring the Entra ID Audit API (which is still in preview) and leveraging data from it. One of the user-visible aspects of this effort will be a tool we’ll release that allows you to find Entra ID app user consent details. More info will be provided when that tool is released.


==== What’s Next ====

Our objectives for the 6 months from April through October 2017 include:

* Support Managed Workstation migration into the NETID domain (~3300 computers)

* Identity a delegation and support model to release MBAM for Bitlocker recovery key support. We deployed MBAM in the last 6 months, but still need to find a way to delegate access before releasing it for use.

* ADFS modernization. We’re now 2 major versions behind and plan to jump ahead to ADFS 2016. We’ll work with existing customers to migrate, when ready.

* DC modernization. We need to upgrade all the NETID domain controllers to WS2016. 3 of the 5 DCs are also near end of life, so need to be replaced. Expect lots of communication about this.

* AD-CS stabilization. The issuing CA’s cert is very short-lived, which limits the lifetime of certs it issues and creates maintenance friction. We’ll be replacing the existing issuing CA cert with a longer term one. Expect communication on this planned change.

* Engage with UW MFA program to add future capabilities for Microsoft technologies

* Software deployment capability via central SCCM based service option

* Computer domain join refactor. Supporting the Managed Workstation adoption of the NETID domain, along with plans to move some MWS capabilities (like SCCM) to the Microsoft Infrastructure service, has given us a fresh opportunity to tweak the existing approach and add some new options. We’ll share more when these new options are ready, but know that the existing approach will continue to work as is.

* Release a ‘UW network’ Windows firewall GPO for re-use by delegated OU customers. This reference GPO will be maintained by us, and you’d be able to make a copy (and refresh your copy), without doing any of the work of building it or keeping current on what the existing definition of the UW network space is.


* Refactored identity data integration. This is a longer-running goal to replace our integration based on MIM and file-based data to an event-based architecture. This likely won’t come to fruition for a while, but we are investing in it. The upside for customers will be lower latency of identity data changes, more stability, and increased agility.

* Invest in mitigations to reduce risks from privilege escalation

Of the 13 objectives listed in the last MI news, here’s a review of how they turned out:

  • 7 were successfully completed: LAPS analysis, forms refactor, Entra ID monitoring, Entra ID Connect, RMS, self-svc Entra ID Apps, Preferred name
  • 5 were started and continue: MBAM, SCCM, reference firewall, ID agent refactor, Entra ID Audit API
  • 1 was started by dependent service, but hasn’t yet reached the point where we can start: MWS migration
  • 0 were not started


==== Trends ====

* Since September, MI has sustained growth: +6 delegated OUs (135 total), 0 trusts (51 total), +~1200 computers (16356 total), +63k users (900K total), +9k groups (113K total).

* MI support requests are up 48%. 432 MI support records resolved between 9/30/16 and 3/31/2017 (vs. 292 in prior period).

==== Your Feedback ====

Supporting your needs for MI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the MI service more valuable to you.

The MI service has a capability map publicly visible at https://itconnect.uw.edu/wares/msinf/design/capability-map/, which was just updated.

Many more details are available about the 6 month objectives listed above, and you are welcome to engage with us to find out more.

For broad discussion about the Microsoft Infrastructure, the mi-discuss@uw.edu mailing list is a great option.

You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

UW-IT, MI Service Manager