Entra ID application identities: risk mitigation
What is happening and when:
This notice is to make you aware that UW-IT’s Entra ID service design is changing fundamentally, providing risk mitigation processes as well as new capabilities.
On Wednesday, February 15, UW-IT will change its approach to Entra ID application identities to make them easier for users to obtain and use, while addressing potential risk to UW confidential data. The UW-IT Microsoft Infrastructure service will:
- Monitor for risks of integration with UW confidential data
- Disable any Entra ID application identity that presents risk to UW confidential data
Note that if you choose to add or consent to an Entra ID application provided by a third party, there is a risk that UW confidential data may intentionally or unintentionally be accessed, collected, or used by the third party. UW organizations are responsible for evaluating the risk and implementing controls for their unique technical deployments.
If you’ve evaluated the risk and decided to use a third-party application, then it should meet the UW data security and privacy goals for contracting with vendors. This may include the need for a Data Security and Privacy Agreement or a Business Associate Agreement. Additional responsibilities may be required by UW Medicine for use of Entra ID applications with protected health information.
If you’d like help analyzing third-party applications, adding an Entra ID application, or understanding the Entra ID change, please contact UW-IT at help@uw.edu.
Monitoring and mitigation by UW-IT:
We will monitor for applications that require tenant admin permissions to approve. Tenant admin permissions generally correspond to those permissions that cross a single user resource boundary, e.g., the ability to read all Skype user contacts and groups. More examples of these kinds of permissions are described under More Details on our Risky Entra ID application permissions page. We will disable any application identity discovered to have admin permissions that have not otherwise been explicitly approved via a risk evaluation or acceptance by the appropriate data steward.
We will not provide automatic mitigations for permissions that individual users grant to applications, but you can find out what permissions have been granted by a given user.
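As an added illustration of the two checks described above (this is not UW-IT's monitoring tooling), the following Microsoft Graph PowerShell script lists tenant-wide, admin-consented delegated permission grants, flags any that include a scope on a locally defined risky list, and then shows what a single user has consented to. The risky-scope list, the placeholder user name and the presence of the Microsoft.Graph module are assumptions.

```powershell
# Added example: audit delegated permission grants in an Entra ID tenant.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller has a reader role.
Connect-MgGraph -Scopes "Directory.Read.All", "DelegatedPermissionGrant.Read.All" -NoWelcome

# Assumption: scopes the data steward treats as crossing a single-user boundary.
$riskyScopes = @("Contacts.Read.All", "Mail.Read", "Files.Read.All", "Directory.Read.All")

$grants  = Get-MgOauth2PermissionGrant -All
$spCache = @{}
function Get-SpName($id) {
    # Resolve a service principal object id to its display name, caching lookups.
    if (-not $spCache.ContainsKey($id)) {
        $spCache[$id] = (Get-MgServicePrincipal -ServicePrincipalId $id).DisplayName
    }
    $spCache[$id]
}

# 1. Tenant-wide grants: ConsentType "AllPrincipals" means an admin consented on behalf of every user.
$tenantWide = foreach ($g in ($grants | Where-Object ConsentType -eq "AllPrincipals")) {
    $scopes = $g.Scope -split ' ' | Where-Object { $_ }
    [pscustomobject]@{
        Application = Get-SpName $g.ClientId
        Resource    = Get-SpName $g.ResourceId
        Scopes      = $scopes -join ' '
        Risky       = ($scopes | Where-Object { $riskyScopes -contains $_ }) -join ' '
    }
}
"Admin-consented grants containing a risky scope:"
$tenantWide | Where-Object Risky | Format-Table -AutoSize

# 2. Per-user grants: ConsentType "Principal" records the consenting user's object id.
$user = Get-MgUser -UserId "user@example.edu"   # placeholder UPN, replace with the user under review
"Permissions consented to by $($user.UserPrincipalName):"
$grants | Where-Object { $_.ConsentType -eq "Principal" -and $_.PrincipalId -eq $user.Id } |
    ForEach-Object {
        [pscustomobject]@{
            Application = Get-SpName $_.ClientId
            Resource    = Get-SpName $_.ResourceId
            Scopes      = $_.Scope
        }
    } | Format-Table -AutoSize
```

Application (app-only) permissions are recorded as app role assignments rather than OAuth2 grants, so a complete review of admin-approved access also needs Get-MgServicePrincipalAppRoleAssignment for each application's service principal.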
New capabilities for Entra ID application identities:
- Users can self-integrate some third party cloud-based apps, resulting in UW NetID based authentication.
- Users can consent to allow or deny an Entra ID application to access their data in other Entra ID based applications.
- Developers can self-provision identities for their application, so that it is integrated with UW NetID based authentication. Developers also can ask users to consent to access other Entra ID based applications.
- Business stakeholders can request that UW-IT monitor for and block applications that require a specific set of permissions because of concerns about confidential data related to those permissions.
- Business stakeholders can find which application permissions a given user has consented to, in order to meet regulatory or audit needs. Because business stakeholders may consider some individual consent decisions risky, this capability lets them see exactly which permissions a given user has granted.
Details on IT Connect:
- How a user might self-integrate a third-party application via Entra ID
- How user consent works
- How a developer might add an Entra ID identity
- How to request that UW-IT monitor for additional Entra ID application permissions
If you have questions about this change, please contact UW-IT via help@uw.edu.
Brian Arkills
Microsoft Infrastructure Service Manager
UW-IT