Overview
VUIT is advancing a focused, proactive strategy to enhance the security, governance, and audit capabilities of our Entra ID environment. This initiative establishes clear ownership, consistent approval requirements, and defined controls for enterprise application access and permissions.
These guidelines apply to all application requests that integrate with Entra ID and leverage Microsoft Graph or related permissions.
Why This Change Is Needed
A review of the current state of application integrations with Entra ID identified gaps that materially increase security exposure and limit effective governance of application access, including unclear ownership, inconsistent permission reviews, and limited auditability. Without standardized controls, applications may be granted excessive or unmanaged access to sensitive systems and data.
This updated process aligns with institutional information security policies and Microsoft Entra ID best practices, ensuring each application is reviewed based on its specific permission requirements.
Application Permission Requirements and Approval Thresholds
This section defines the permission levels that an application may require before it can be enabled in Microsoft Entra ID. The intent is to help requesters understand why approval may be required by illustrating the risk level associated with the permissions an application requests.
Permission Tiers
| Tier | Description | Permission Type Examples | Approval Requirement |
| --- | --- | --- | --- |
| Level 1 – Low Impact | Read-only or self-service permissions with minimal organizational risk | User profile read, group membership read, basic reporting access | Automatically approved or single-level approval |
| Level 2 – Moderate Impact | Write or management permissions scoped to specific applications or groups | Application configuration write, group membership management, user attribute update (scoped) | Formal approval required prior to enabling |
| Level 3 – High Impact | Broad or unrestricted permissions affecting the directory or security posture | Directory-wide write, security policy modification, authentication or access control changes | Formal approval plus additional governance review |
Approval Trigger
Applications requesting Level 2 (Moderate Impact) or Level 3 (High Impact) permissions require documented approval before they are enabled. This ensures elevated access is granted only when there is a validated business need and appropriate acceptance of risk.
Approval by University Affiliation
Approval must align with the requester’s university role.
| Audience | Approval Required From |
| --- | --- |
| Staff and Faculty | Direct Manager |
| Undergraduate Students (Coursework-Related Requests) | Course Instructor / Professor |
| Undergraduate Students (On Behalf of Undergraduate Organizations) | Organizational Faculty Adviser |
| Graduate and Professional Students | Faculty Adviser |
All approvals must be documented with the TDX request submission.
Artificial Intelligence (AI) Applications (Currently Approved)
Vanderbilt has approved the following enterprise-level AI applications for use:
These tools meet current enterprise standards for security, compliance, and data protection. Requests for additional AI-based applications will be evaluated on a case-by-case basis in accordance with the application permission requirements outlined above.
Application Usage Review and Lifecycle Management
To reduce risk and maintain a clean application environment:
This process enforces least-privilege access and reduces unnecessary exposure.
All application review and approval requests must be submitted through the TDX service:
Request Form - Microsoft 365 Application Request