Entra ID application identity availability

January 6, 2017

What and when

On Wednesday, January 11, UW-IT will change its approach to Entra ID application identities to make them significantly easier for users to obtain and use. This change also provides:

  • Mitigation of risks that may arise when applications integrate with UW confidential data
  • New capabilities you may wish to leverage

What you need to do

Nothing—this notice is to make you aware that UW-IT’s Entra ID service design is changing fundamentally, and that it provides new capabilities that may interest you.

More information on the changes

Monitoring and mitigation by UW-IT: Initially, we will monitor for applications that require tenant admin permissions to approve. Examples of these kinds of permissions are described under Admin permissions for Microsoft Graph API in our Entra ID Application Identities wiki page. We will disable any application identity discovered to have “risky permissions” that hasn’t otherwise been explicitly approved via a risk evaluation or acceptance by the appropriate data steward.
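The monitoring step above, as an added example that is not UW-IT's own tooling: it takes the Microsoft Graph appRoleAssignments of service principals (application permissions, which only a tenant admin can grant), resolves each to a permission name, and reports grants that are on a risky list but have no recorded steward approval. The app role IDs, principals, risky set and approval record are all constructed sample values.

```python
# Added example (not UW-IT's tooling): triage Microsoft Graph application
# permissions held by service principals. Application permissions (app roles)
# can only be granted by a tenant admin, so each one is an admin-consent grant.
from typing import Dict, Iterable, List, Set

# Constructed sample of the Graph service principal's 'appRoles' list; the
# IDs are placeholders that merely link assignments to permission names.
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Mail.Read"},
]

# Assumed: permissions the data steward treats as risky for confidential data.
RISKY_PERMISSIONS: Set[str] = {"Directory.ReadWrite.All", "Mail.Read"}

# Constructed sample in the shape Graph returns from
# GET /servicePrincipals/{id}/appRoleAssignments (one record per grant).
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-payroll", "appRoleId": "00000000-0000-0000-0000-000000000002",
     "resourceDisplayName": "Microsoft Graph"},
    {"principalId": "sp-mailbot", "appRoleId": "00000000-0000-0000-0000-000000000003",
     "resourceDisplayName": "Microsoft Graph"},
    {"principalId": "sp-report", "appRoleId": "00000000-0000-0000-0000-000000000001",
     "resourceDisplayName": "Microsoft Graph"},
]

# Assumed: grants already accepted by a data steward after risk evaluation.
STEWARD_APPROVED: Dict[str, Set[str]] = {"sp-payroll": {"Directory.ReadWrite.All"}}


def unapproved_risky_grants(assignments: Iterable[dict], app_roles: Iterable[dict],
                            risky: Set[str], approved: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return principalId -> sorted risky Graph permissions lacking approval.
    Grants on other resources, or with unresolvable role IDs, are skipped."""
    role_name = {r["id"]: r["value"] for r in app_roles}
    findings: Dict[str, Set[str]] = {}
    for a in assignments:
        if a.get("resourceDisplayName") != "Microsoft Graph":
            continue
        name = role_name.get(a["appRoleId"])
        if name is None or name not in risky:
            continue
        if name in approved.get(a["principalId"], set()):
            continue  # explicitly accepted by the steward; not a disable candidate
        findings.setdefault(a["principalId"], set()).add(name)
    return {sp: sorted(names) for sp, names in findings.items()}
```

Each principal the function returns is a candidate for the disable step described above; the approval record is what keeps steward-accepted grants out of that list.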

New capabilities for Entra ID application identities:

  • Users can self-integrate some third-party cloud-based apps, resulting in UW NetID-based authentication.
  • Users can consent to allow or deny an Entra ID application to access their data in other Entra ID applications.
  • Developers can self-provision identities for their application, so that it is integrated with UW NetID-based authentication; developers also can ask users to consent to access other Entra ID applications.

New capabilities to be available in the future:

  • Business stakeholders can request that UW-IT monitor for and block applications that require a specific set of permissions because of concerns about confidential data related to those permissions.
  • Business stakeholders can find which application permissions a given user has consented to, in order to meet regulatory or audit needs.

We will let you know when you can take advantage of these forthcoming capabilities.

Details on IT Connect:

Questions about this change or Azure Active Directory can be directed to help@uw.edu.

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT