Microsoft Entra ID (formerly Azure Active Directory) and Microsoft 365 service policies at IU

Entra ID general operational policies

Microsoft Entra ID (formerly Azure Active Directory or AAD) provides a wide range of authentication services on all Indiana University campuses. Furthermore, Exchange Online, Microsoft OneDrive, Microsoft Teams, and other Microsoft cloud-based tools require users to be synchronized to or created in Entra ID.

UITS restricts departments or individuals from setting up tenants outside of the indiana.onmicrosoft.com tenant.

Entra ID general service policies

Entra ID service policies are bound by the University-wide IT policies.

Microsoft 365 licensing policies

Microsoft licenses allow users access to Office apps, such as Outlook, Word, and Excel. They also allow access to Microsoft services, such as SharePoint, OneDrive, Teams, Planner, Power BI, and more. At IU, Microsoft 365 licenses are available and assigned to students, faculty, and staff based on the user's affiliation with the university. Any directly assigned licenses (a license applied directly by the user) will be automatically removed to avoid conflicts with the currently assigned licenses.

If you have questions about Microsoft 365 licensing at IU, contact Tier 2.

Entra ID user accounts

Every student, faculty member, and staff member on all eight IU campuses is eligible for an Entra ID account. UITS creates a unique user account for each user on every IU campus via Active Directory, which is then replicated to Entra ID.

To ensure that unique usernames exist for all students, faculty, and staff, only accounts generated by UITS may be created directly in Entra ID; any Entra ID user accounts created outside of this process may be deleted or disabled without notice.

Requests for Azure-only departmental or service accounts also go through the UITS Support Center. Tier 2 Desktop, Server, and Mobility (DSM) can help with the request for Entra ID user, resource room, and/or service accounts. For requests, contact Tier 2.

Entra ID guest accounts

Guest account invites in Entra ID can be created through many of the Microsoft tools (Microsoft Teams, SharePoint, OneDrive, Planner, etc.) but can also be created directly in the Azure Portal.

UITS does not have an inactive guest account deletion policy. If a guest account needs to be removed, contact Tier 2.

Entra ID computer accounts

Computers that join Active Directory at IU are automatically hybrid-joined to Entra ID, which allows for some policies and settings to be managed from either interface.

Computers can also be joined directly to Entra ID without an ADS connection, and can be managed from the Azure Portal or Microsoft Intune. For questions about access to Intune, contact UITS Endpoint Management Services.

Entra ID groups

Entra ID groups created in the Azure Portal are prefixed with the "O365-" value to prevent conflicts with any ADS groups replicated from on-premises. Other prefixes (such as "[Sec]" or "[Sec-E]") are used for services like Secure Storage. If a department requires a group without a prefix, contact Tier 2 for help.

If you wish to use an on-premises group in Entra ID, it must be a Universal Security Group that is mail-enabled.

Groups should adhere to the following practices:

Entra ID App Registrations

Entra ID can have two kinds of applications, App Registrations and Enterprise Applications. The process for creating and requesting access is the same.

Follow the vendor guidelines for adding the registration, including requesting any permissions needed. If the application requires administrative permissions, contact Tier 2 with the app name and Application ID, along with any supporting documentation and justification. Delegated permissions are preferred over Application permissions.

Requests for Application/Delegated permissions to "Directory.Read.All" or "Users.Read.All" and the like are often not a problem. The "Sites.Read.All" or "User.ReadWrite" permissions will never be approved at the Application level.

For a list of permissions, see Microsoft Permissions Reference.
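The permission review described above, as an added example that is not IU's or Microsoft's code: it walks an app registration's requiredResourceAccess block (the real manifest format; the Microsoft Graph resource appId is the real one), resolves each entry against a constructed stand-in for the Graph service principal's permission catalogue, and flags Application-level grants, including the two the policy says will never be approved. The permission GUIDs and the sample manifest are constructed placeholders.

```python
# Added example: policy check for an Entra ID app registration manifest.
# Application permissions appear as type "Role", delegated ones as "Scope".
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph (real appId)

# Constructed stand-in for the Graph service principal's permission catalogue
# (in a real review this comes from its appRoles / oauth2PermissionScopes).
GRAPH_CATALOGUE = {
    "appRoles": [  # Application permissions; placeholder GUIDs
        {"id": "11111111-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
        {"id": "11111111-0000-0000-0000-000000000002", "value": "Sites.Read.All"},
    ],
    "oauth2PermissionScopes": [  # Delegated permissions; placeholder GUIDs
        {"id": "22222222-0000-0000-0000-000000000001", "value": "User.Read"},
        {"id": "22222222-0000-0000-0000-000000000002", "value": "User.ReadWrite"},
    ],
}

# Permissions the policy above says are never approved at the Application level.
NEVER_AT_APPLICATION_LEVEL = {"Sites.Read.All", "User.ReadWrite"}


def resolve(catalogue, entry):
    """Map a manifest resourceAccess entry {id, type} to its permission name."""
    key = "appRoles" if entry["type"] == "Role" else "oauth2PermissionScopes"
    for perm in catalogue[key]:
        if perm["id"] == entry["id"]:
            return perm["value"]
    return "unknown:" + entry["id"]  # unresolved IDs are surfaced, not hidden


def review_manifest(manifest, catalogue=GRAPH_CATALOGUE):
    """Return (permission, kind, verdict) for every Microsoft Graph permission requested."""
    findings = []
    for resource in manifest.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue  # other resource APIs are out of scope for this check
        for entry in resource["resourceAccess"]:
            name = resolve(catalogue, entry)
            kind = "Application" if entry["type"] == "Role" else "Delegated"
            if kind == "Application" and name in NEVER_AT_APPLICATION_LEVEL:
                verdict = "never-approved"
            elif kind == "Application":
                verdict = "tier2-review"  # admin permission: needs Tier 2 with justification
            else:
                verdict = "delegated-preferred"
            findings.append((name, kind, verdict))
    return findings


# Constructed sample manifest: two Application grants and one Delegated grant on Graph,
# plus a non-Graph resource that the check skips.
SAMPLE_MANIFEST = {"requiredResourceAccess": [
    {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
        {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
        {"id": "22222222-0000-0000-0000-000000000002", "type": "Scope"}]},
    {"resourceAppId": "33333333-0000-0000-0000-000000000000", "resourceAccess": [
        {"id": "44444444-0000-0000-0000-000000000000", "type": "Scope"}]}]}
```

Running review_manifest(SAMPLE_MANIFEST) flags Sites.Read.All as never-approved at the Application level, sends Directory.Read.All to Tier 2 review, and accepts User.ReadWrite only because it is delegated.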

Entra ID naming convention

A naming convention for all Computers, Groups, Microsoft Teams, App Registrations, Planners, SharePoint sites, and other Entra ID services is strictly enforced. This not only simplifies administrative tasks and prevents possible phishing or other attacks, but is also necessary to maintain a unique namespace in Entra ID. Before you add a computer, group, or Microsoft cloud service, see Recommended naming conventions for IU Windows computers and groups.

New institutional storage Microsoft Teams should be created through Manage my Secure Storage, which will help to structure a Microsoft Teams name properly. See Request institutional storage in Microsoft shared storage.

New SharePoint sites can be created via the SharePoint Online (SPO) - Site Request Form.

Entra ID restoration

Entra ID resources, structures, and data will not be restored except in the event of catastrophic failure of the directory structure. Groups, Computers, Microsoft Teams, and other directory constructs should be maintained with great care and should be carefully documented and/or backed up, so that file restoration or settings can be restored.

Many Microsoft products are tied to licenses. UITS does not have extended capability to restore deleted personal storage (such as Microsoft OneDrive, Forms, or Exchange mailboxes). For this reason, any institutional use of those products should rely on an institutional offering instead of something tied to the individual.

For Exchange, that means a group account mailbox, and for Microsoft OneDrive, Power Automate, or Forms, group accounts or Microsoft Teams are appropriate places to store that data or resource.

If something institutional was incorrectly stored in individual accounts, and the department is no longer able to access that individual storage, an IT-07 Policy request can be filed, but there is an extremely limited restoration window; for details, see Your Microsoft 365 account when you leave IU.

Entra ID deletion

Owners of Groups, Microsoft Teams, SharePoint sites, Forms, Planners, and other Microsoft 365 offerings can delete their objects. If an orphaned object needs to be deleted, contact Tier 2.

Entra ID support model

Entra ID follows the IU distributed support model for computing services. The local UITS support person may serve as the first level, or may choose to escalate issues to the UITS Support Center. The local UITS support person or Support Center may escalate issues to Tier 2 Support, which may in turn escalate issues to the various product service owners:

  • Enterprise Microsoft Administration (EMA): In UITS Enterprise Systems, serves as Global Admins and directly administrates Microsoft Teams creation, Exchange Online, SharePoint Online, Enterprise and App Registrations, AD Connect, and other core properties of the suite.
  • Identity Management Services (IMS): In UITS Enterprise Systems, serves as Licensing Admins and manages Grouper integration, as well as third-party contact syncing and other identity based changes.
  • Enterprise Windows & Azure Administration (EWA): In UITS Enterprise Systems, serves as Power Platform admins, manages secondary licensing for Select products, and supports Power Automate and other low code/no code solutions. EWA also assists with Azure Cloud solutions.
  • Endpoint Management Services (EMS): In UITS Enterprise Support Services, serves as Microsoft Intune admins, and runs SCCM Co-Manage connections. EMS also runs the Defender ATP service for desktop antivirus.
  • Incident Response (IT-Incident) and the broader University Information Security Office: Serve as owners of the Safe Links/Safe Attachments policies, Security and Compliance Centers, Microsoft Information Protection, eDiscovery, and other related services and portals.
  • Microsoft Teams Telephony support: Enhanced by the UITS Networks Campus Communications Infrastructure (CCI) and Communications Planning and Implementation (CPI) teams. Microsoft Teams Room hardware and Microsoft Teams Room Video Conferencing are supported by the UITS Learning Technologies Collaboration Technologies and Classroom Support unit.

Entra ID tenants

The IU Entra ID is a single tenant that handles all IU members on each campus. IU schools, departments, and affiliated units shall not install, upgrade to, or participate in an Entra ID tenant of their own.

UITS also runs a test tenant at portal.azure.com. If developers or local UITS support people need access to IUTest to evaluate software, develop solutions, or related actions, contact Tier 2.

Entra ID service level

The Entra ID architecture was designed to provide continuous service delivery free from interruption or impact from maintenance or hardware failure. In the event of a service interruption or modification, EMA will implement the notification and resolution procedures set forth by UITS Change Management.

Log requests

To request logs or activity reports from this system, contact the Support Center.

If the request for information involves someone other than the requester, or if the log information will be used in support or defense of an investigation, the request must be sent to the University Information Security Office (UISO) via it-incident@iu.edu. UISO staff will then determine the context of the request, as well as the authorization required; for more, see Privacy of Electronic Information and Information Technology Resources (IT-07).

This is document bhwe in the Knowledge Base.
Last modified on 2024-04-17 16:51:21.