Information technology tools and resources at the UW
20170209: Azure Active Directory application identities: risk mitigation
What is happening and when:
This notice is to make you aware that UW-IT’s Azure AD service design is changing fundamentally, providing risk mitigation processes as well as new capabilities.
On Wednesday, February 15, UW-IT will change its approach to Azure Active Directory (AD) application identities to make them easier for users to obtain and use, while addressing potential risk to UW confidential data. The UW-IT Microsoft Infrastructure service will:
- Monitor for risks of integration with UW confidential data
- Disable any Azure AD application identity that presents risk to UW confidential data
Note that if you choose to add or consent to an Azure AD application provided by a third party, there is a risk that UW confidential data may intentionally or unintentionally be accessed, collected, or used by the third party. UW organizations are responsible for evaluating the risk and implementing controls for their unique technical deployments.
If you’ve evaluated the risk and decided to use a third party application, then it should meet the UW data security and privacy goals for contracting with vendors. This may include the need for a Data Security and Privacy Agreement or a Business Associate Agreement. Additional responsibilities may be required by UW Medicine for use of Azure AD applications with protected health information.
If you’d like help analyzing third party applications, adding an Azure AD application, or understanding the Azure AD change, please contact UW-IT at email@example.com.
Monitoring and mitigation by UW-IT: We will monitor for applications that require tenant admin permissions to approve. Tenant admin permissions generally correspond to those permissions that cross a single user resource boundary, e.g., the ability to read all Skype user contacts and groups. More examples of these kinds of permissions are described under More Details on our Risky Azure AD application permissions page. We will disable any application identity discovered to have admin permissions that have not otherwise been explicitly approved via a risk evaluation or acceptance by the appropriate data steward.
We will not provide automatic mitigations for permissions that individual users grant to applications, but you can find out what permissions have been granted by a given user.
New capabilities for Azure AD application identities:
- Users can self-integrate some third party cloud-based apps, resulting in UW NetID based authentication.
- Users can consent to allow or deny an Azure AD-based application to access their data in other Azure AD based applications.
- Developers can self-provision identities for their application, so that it is integrated with UW NetID based authentication. Developers also can ask users to consent to access other Azure AD based applications.
- Business stakeholders can request that UW-IT monitor for and block applications that require a specific set of permissions because of concerns about confidential data related to those permissions.
- Business stakeholders can find which application permissions a given user has consented to, in order to meet regulatory or audit needs. Business stakeholders may consider actions taken by individuals risky, and this capability provides the ability to find out what permissions have been granted by a given user.
Details on IT Connect:
- How a user might self-integrate a 3rd party application via Azure AD
- How user consent works
- How a developer might add an Azure AD identity
- How to request that UW-IT monitor for additional Azure AD application permissions
If you have questions about this change, please contact UW-IT via firstname.lastname@example.org.
Microsoft Infrastructure Service Manager