20170106: Azure Active Directory application identity availability
What and when
On Wednesday, January 11, UW-IT will change its approach to Azure Active Directory (AD) application identities to make them significantly easier for users to obtain and use. This change also provides:
- Mitigation of risks that can arise when applications integrate with UW confidential data
- New capabilities you may wish to leverage
What you need to do
Nothing—this notice is to make you aware that UW-IT’s Azure AD service design is changing fundamentally, and that it provides new capabilities that may interest you.
More information on the changes
Monitoring and mitigation by UW-IT: Initially, we will monitor for applications that request permissions only a tenant admin can approve. Examples of these kinds of permissions are described under Admin permissions for Azure AD Graph API in our Azure AD Application Identities wiki page. We will disable any application identity discovered to have “risky permissions” that has not been explicitly approved via a risk evaluation or acceptance by the appropriate data steward.
New capabilities for Azure AD application identities:
- Users can self-integrate some third-party cloud-based apps, resulting in UW NetID-based authentication.
- Users can consent to allow or deny an Azure AD-based application to access their data in other Azure AD-based applications.
- Developers can self-provision identities for their application, so that it is integrated with UW NetID-based authentication; developers also can ask users to consent to access other Azure AD-based applications.
New capabilities to be available in the future:
- Business stakeholders can request that UW-IT monitor for and block applications that require a specific set of permissions because of concerns about confidential data related to those permissions.
- Business stakeholders can find which application permissions a given user has consented to, in order to meet regulatory or audit needs.
We will let you know when you can take advantage of these forthcoming capabilities.
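As an added illustration (not UW-IT's code) of the two checks this notice describes, the monitoring for admin-consent permissions and the per-user consent lookup: it assumes constructed records shaped like Azure AD oauth2PermissionGrants and app-role assignments, with placeholder ids and a short, assumed admin-consent scope list.

```python
from dataclasses import dataclass, field

# Assumption: a short list of Azure AD Graph delegated scopes that need admin
# consent; the authoritative list is the wiki page the notice cites.
ADMIN_CONSENT_SCOPES = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All"}

@dataclass
class Grant:
    principal: str   # consenting user id, or "AllPrincipals" for admin consent
    scopes: str      # space-separated delegated scopes, as in oauth2PermissionGrants

@dataclass
class AppIdentity:
    app_id: str
    display_name: str
    grants: list = field(default_factory=list)     # delegated (on-behalf-of-user) grants
    app_roles: list = field(default_factory=list)  # application (app-only) permissions

def risky_permissions(app):
    """Permissions only a tenant admin can approve: every app-only role,
    plus delegated scopes on the admin-consent list."""
    risky = set(app.app_roles)
    for g in app.grants:
        risky.update(s for s in g.scopes.split() if s in ADMIN_CONSENT_SCOPES)
    return risky

def identities_to_disable(apps, approved):
    """App ids with risky permissions and no data-steward approval on record."""
    return sorted(a.app_id for a in apps
                  if risky_permissions(a) and a.app_id not in approved)

def consents_for_user(apps, user_id):
    """Display name -> scopes this user, or an admin on behalf of all users, consented to."""
    out = {}
    for a in apps:
        scopes = {s for g in a.grants if g.principal in (user_id, "AllPrincipals")
                  for s in g.scopes.split()}
        if scopes:
            out[a.display_name] = sorted(scopes)
    return out

# Constructed sample records with placeholder ids (not real UW identities).
SAMPLE_APPS = [
    AppIdentity("app-1", "Calendar helper", grants=[Grant("user-42", "User.Read Calendars.Read")]),
    AppIdentity("app-2", "Directory sync", grants=[Grant("AllPrincipals", "Directory.ReadWrite.All")],
                app_roles=["Directory.Read.All"]),
    AppIdentity("app-3", "Reporting tool", app_roles=["Directory.Read.All"]),
]
APPROVED = {"app-3"}  # explicitly approved by a data steward
```

Running `identities_to_disable(SAMPLE_APPS, APPROVED)` yields only app-2, since app-3's app-only role is on the approval list.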
Details on IT Connect:
- How a user might self-integrate a third-party application via Azure AD
- How user consent works
- How a developer might add an Azure AD identity
Questions about this change or Azure Active Directory can be directed to firstname.lastname@example.org.
Microsoft Infrastructure Service Manager