UIAO Master Project Plan

Assessment phase through full modernization

Author: Michael Stratton

Published: April 1, 2026

UIAO Master Project Plan

Assessment Phase Through Full Modernization

UIAO Governance OS — Capstone Planning Document

Document ID: UIAO_013_Master_Project_Plan_v1.0
Classification: Controlled
Boundary: GCC-Moderate
Repository: https://github.com/WhalerMike/uiao
Author: Michael — Canon Steward
Date: 21 April 2026
Status: DRAFT

Companion Document Corpus

This Master Project Plan references and unifies the following twelve UIAO documents produced to date:

1. AD Computer Object Conversion Guide

2. Git on Windows Server 2025 with IIS — Step-by-Step Implementation Guide

3. UIAO Git Server — Windows Server 2025 with IIS Implementation Guide

4. UIAO Git Infrastructure — Architecture Decision Record

5. UIAO Platform Server Build Guide — Windows Server 2025 with Gitea and IIS

6. UIAO CLI and Operations Guide

7. UIAO Active Directory Interaction Guide

8. UIAO Identity Modernization Guide

9. UIAO DNS Modernization Guide

10. UIAO Read-Only AD Assessment Guide

11. UIAO vs Microsoft Native Tools — Gap Analysis

12. UIAO PKI Modernization Guide

1. Executive Summary

The UIAO Modernization Program transforms legacy Active Directory infrastructure into a cloud-native, governance-driven, drift-resistant operating model. The program spans five transformation pillars — Identity, Devices, DNS, PKI, and Server Management — and replaces fragile, GUI-configured infrastructure with machine-readable canonical artifacts managed through the UIAO Governance OS pipeline backed by Gitea on Windows Server 2025.

This Master Project Plan is the capstone planning document for the UIAO corpus. It defines the full lifecycle from initial assessment through steady-state governance, organized into seven phases with 48 milestones across a 52-week execution timeline. Every phase is milestone-gated: no phase transition occurs without formal review, documented approval, and artifact commitment to the UIAO Gitea repository.

The plan is structured around one central principle:

Core Principle: Assessment Before Action

No migration activity begins until the complete Active Directory forest has been inventoried, classified, and committed to the UIAO Gitea governance pipeline as machine-readable canonical artifacts. Every modernization plan — computer, identity, GPO, DNS, PKI — is generated from assessment data, not designed in isolation. The assessment phase produces every planning artifact that drives all subsequent phases.

Phase 1 (Assessment) is the most detailed phase in this document because it produces every planning artifact that drives all subsequent phases. The assessment generates 23 canonical deliverables spanning 12 AD domains. These deliverables feed eight modernization plans that define the exact scope, sequence, and success criteria for every action taken in Phases 2 through 6. Without a complete, committed, and approved assessment, the program cannot proceed.

The program draws its technical procedures, architectural decisions, and governance model from the twelve companion documents listed above. This plan does not replicate their content; it sequences their execution, assigns ownership, defines milestones, and provides the governance framework that ensures coordinated, traceable, and reversible modernization.

Program Timeline Summary

| Phase | Name | Duration | Weeks | Key Milestone |
|---|---|---|---|---|
| 0 | Platform Build | 3 weeks | 1–3 | UIAO Gitea server operational |
| 1 | Assessment | 6 weeks | 4–9 | Full AD forest assessment committed to Gitea |
| 2 | Planning & Design | 4 weeks | 10–13 | All modernization plans approved |
| 3 | Pilot | 8 weeks | 14–21 | Pilot group validated on all five pillars |
| 4 | Scale | 12 weeks | 22–33 | Full production migration |
| 5 | Cutover | 8 weeks | 34–41 | Legacy infrastructure decommissioned |
| 6 | Steady State | Ongoing | 42+ | Continuous governance and drift detection |

[Diagram: UIAO Program Timeline — Gantt Overview]

Seven-phase horizontal timeline showing parallel workstreams per pillar (Identity, Devices, DNS, PKI, Server), milestone diamonds at phase gates, and critical path highlighted.

Diagram ID: UIAO-MPP-D001 | Dimensions: 780 × 320 px

2. Program Governance Structure

2.1 Roles and Responsibilities

| Role | Responsibility | Person / Team |
|---|---|---|
| Canon Steward | Final authority on governance artifacts, approval gates, document status transitions, Gitea repository integrity, and cross-pillar conflict resolution | [Named Individual] |
| Infrastructure Lead | Server builds, IIS reverse proxy, Gitea administration, network infrastructure, Azure Arc enrollment, hardware provisioning | [Infrastructure Team] |
| Identity Lead | Active Directory, Entra ID, Entra Connect, Conditional Access, PIM, OrgPath attribute design, user and group migration | [Identity Team] |
| Endpoint Lead | Intune enrollment, device compliance, GPO-to-Intune policy migration, Settings Catalog configuration, dynamic group design | [Endpoint Management Team] |
| DNS Lead | AD-integrated DNS zones, Azure DNS Private Resolver, forwarding rulesets, split-brain patterns, SRV record validation | [DNS / Network Team] |
| PKI Lead | ADCS management, Cloud PKI provisioning, Entra CBA, certificate template migration, ESC vulnerability remediation, SCEP/PKCS profile design | [PKI / Security Team] |
| Security Lead | ESC remediation, Defender for Identity integration, Conditional Access policy design, security assessment triage, risk acceptance | [Security Team] |
| Project Manager | Timeline management, milestone tracking, risk register maintenance, status reporting, steering committee coordination | [Named Individual] |

2.2 Decision Framework

| Decision Type | Authority | Process |
|---|---|---|
| Governance decisions (artifact status, naming, schema) | Canon Steward — sole approval | Gitea pull request with Canon Steward review required |
| Technical decisions (architecture, configuration) | Respective pillar lead with Canon Steward review | ADR committed to Gitea, 48-hour review period |
| Risk acceptance | Security Lead + Canon Steward joint approval | Risk acceptance form committed with justification |
| Schedule changes (milestone date movement) | Project Manager + Canon Steward | Schedule change request with impact analysis |
| Budget / license procurement | Canon Steward + organizational leadership | Business case document committed to Gitea |

2.3 Communication Cadence

| Meeting | Frequency | Duration | Attendees | Output |
|---|---|---|---|---|
| Daily Standup | Daily (weekdays) | 15 min | All pillar leads | Blockers identified, today's priorities |
| Weekly Status Report | Weekly (Friday) | N/A (written) | PM authors, all review | Committed to Gitea as reports/weekly/YYYY-WNN.md |
| Biweekly Steering Committee | Every 2 weeks | 60 min | Canon Steward + all leads | Decision log, action items committed to Gitea |
| Milestone Gate Review | At each phase gate | 90 min | All roles + stakeholders | Go/No-Go decision, gate review report (Appendix D template) |

2.4 Artifact Management

All project artifacts are committed to Gitea under the UIAO repository. The governance pipeline ensures every artifact is versioned, reviewed, and traceable.

Branch Strategy:

Naming Convention:

UIAO_NNN_Short_Title_vMajor.Minor.md

Status Lifecycle:

| Status | Meaning | Transition Authority |
|---|---|---|
| DRAFT | Under active authoring; may be incomplete | Author creates |
| IN_REVIEW | Pull request submitted; awaiting review | Author submits PR |
| APPROVED | Canon Steward has approved; merged to main | Canon Steward merges |
| CURRENT | Active, governing artifact | Automatic upon merge to main |
| DEPRECATED | Superseded by newer version; retained for history | Canon Steward marks |

3. Phase 0: Platform Build (Weeks 1–3)

Objective: Deploy the UIAO Governance OS platform server — Gitea on Windows Server 2025 behind IIS reverse proxy, integrated with Active Directory LDAP and Entra ID OAuth2 — establishing the canonical repository that will govern all subsequent phases.

Reference Documents: UIAO Platform Server Build Guide — Windows Server 2025 with Gitea and IIS (primary), UIAO Git Infrastructure — Architecture Decision Record, UIAO CLI and Operations Guide, Git on Windows Server 2025 with IIS — Step-by-Step Implementation Guide.

3.1 Phase 0 Milestone Table

| ID | Milestone | Week | Deliverable | Gate Criteria | Owner |
|---|---|---|---|---|---|
| M-001 | Server provisioned | W1 | Windows Server 2025 base build | Server online, domain-joined, CIS L1 hardened, Windows Update current | Infra Lead |
| M-002 | IIS + Gitea operational | W2 | Gitea running behind IIS reverse proxy on HTTPS | Clone/push/pull over HTTPS verified from workstation | Infra Lead |
| M-003 | AD LDAP auth configured | W2 | Gitea authenticating against AD via LDAPS | AD users can log in; CanonStewards group has admin role | Identity Lead |
| M-004 | Entra ID OAuth2 configured | W3 | Gitea SSO via Entra ID OIDC | Entra SSO login verified; MFA enforced for all Gitea sessions | Identity Lead |
| M-005 | UIAO repo mirrored from GitHub | W3 | https://github.com/WhalerMike/uiao mirrored to Gitea | All branches, tags, and full commit history verified | Canon Steward |
| M-006 | Governance hooks deployed | W3 | Pre-receive, post-receive, update hooks operational | FOUO rejection verified; branch protection enforced | Canon Steward |
| M-007 | Azure Arc enrollment | W3 | Server enrolled in Azure Arc with OrgPath tags | Arc agent heartbeat confirmed; Azure policies assigned | Infra Lead |

3.2 Detailed Task Breakdown

M-001 — Server Provisioned (Week 1)

| Task | Description | Hours | Dependencies | Reference |
|---|---|---|---|---|
| T-001.1 | Provision VM or physical server: 4 vCPU, 8 GB RAM, 100 GB SSD, Windows Server 2025 Standard | 4h | Hardware/VM approval | Platform Server Build Guide §2 |
| T-001.2 | Join to Active Directory domain, place in designated OU, verify DNS registration | 2h | T-001.1 | Platform Server Build Guide §3 |
| T-001.3 | Apply CIS Level 1 hardening baseline, disable unnecessary services, configure Windows Firewall | 4h | T-001.2 | Platform Server Build Guide §4 |
| T-001.4 | Install Windows Updates, enable automatic update schedule, configure WSUS if applicable | 2h | T-001.3 | Platform Server Build Guide §4 |
| T-001.5 | Create D:\UIAO directory structure, configure NTFS permissions for Gitea service account | 1h | T-001.2 | Platform Server Build Guide §5 |

M-002 — IIS + Gitea Operational (Week 2)

| Task | Description | Hours | Dependencies | Reference |
|---|---|---|---|---|
| T-002.1 | Install IIS with URL Rewrite and Application Request Routing (ARR) modules | 2h | M-001 | Git on Windows Server 2025 with IIS Guide §3 |
| T-002.2 | Obtain and bind TLS certificate for git.uiao.local; configure HTTPS binding on port 443 | 3h | T-002.1, internal CA or ADCS | Platform Server Build Guide §7 |
| T-002.3 | Download Gitea binary, install as Windows service, generate app.ini with PostgreSQL or SQLite backend | 4h | T-002.1 | Platform Server Build Guide §6 |
| T-002.4 | Configure IIS reverse proxy (web.config) routing port 443 → Gitea localhost:3000 | 3h | T-002.2, T-002.3 | Platform Server Build Guide §8, Git Infrastructure ADR §4 |
| T-002.5 | Validate end-to-end: clone, commit, push, pull via HTTPS from remote workstation | 2h | T-002.4 | CLI and Operations Guide §3 |

M-003 — AD LDAP Auth Configured (Week 2)

| Task | Description | Hours | Dependencies | Reference |
|---|---|---|---|---|
| T-003.1 | Create LDAP bind service account in AD with read-only access to user objects | 1h | None | Platform Server Build Guide §9 |
| T-003.2 | Configure Gitea LDAP authentication source with LDAPS (port 636), base DN, and user filter | 2h | T-002.3, T-003.1 | Platform Server Build Guide §9 |
| T-003.3 | Map AD group CanonStewards to Gitea admin role via group filter | 1h | T-003.2 | Platform Server Build Guide §9 |
| T-003.4 | Test login with three AD accounts (admin, contributor, read-only) and verify role assignments | 1h | T-003.3 | Platform Server Build Guide §10 |

M-004 — Entra ID OAuth2 Configured (Week 3)

| Task | Description | Hours | Dependencies | Reference |
|---|---|---|---|---|
| T-004.1 | Register Gitea as an Enterprise Application in Entra ID; configure redirect URIs | 2h | Entra ID Global Admin access | Platform Server Build Guide §11 |
| T-004.2 | Configure Gitea OAuth2 authentication source with OIDC discovery endpoint, client ID/secret | 2h | T-004.1, T-002.3 | Platform Server Build Guide §11 |
| T-004.3 | Configure Conditional Access policy requiring MFA for Gitea app (report-only initially) | 2h | T-004.1 | Identity Modernization Guide §8 |
| T-004.4 | Validate SSO login flow, MFA prompt, and account linking between LDAP and OAuth2 identities | 2h | T-004.2, T-004.3 | Platform Server Build Guide §11 |

M-005 — UIAO Repo Mirrored (Week 3)

| Task | Description | Hours | Dependencies | Reference |
|---|---|---|---|---|
| T-005.1 | Create UIAO organization in Gitea with team structure (CanonStewards, Contributors, Readers) | 1h | M-002 | CLI and Operations Guide §4 |
| T-005.2 | Configure Gitea mirror from https://github.com/WhalerMike/uiao with scheduled sync | 2h | T-005.1, outbound HTTPS | CLI and Operations Guide §5 |
| T-005.3 | Verify all branches, tags, and full commit history are present; validate commit count | 1h | T-005.2 | CLI and Operations Guide §5 |

M-006 — Governance Hooks Deployed (Week 3)

| Task | Description | Hours | Dependencies | Reference |
|---|---|---|---|---|
| T-006.1 | Deploy pre-receive hook: reject commits containing FOUO markings, enforce commit message format | 3h | M-005 | Platform Server Build Guide §12 |
| T-006.2 | Deploy update hook: enforce branch protection rules (main requires PR, no force push) | 2h | M-005 | Platform Server Build Guide §12 |
| T-006.3 | Deploy post-receive hook: trigger notification on merge to main, update AssessmentManifest | 2h | M-005 | Platform Server Build Guide §12 |
| T-006.4 | Test all hooks with known-good and known-bad commits; document test results | 2h | T-006.1 – T-006.3 | Platform Server Build Guide §12 |
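The pre-receive hook that T-006.1 calls for, as an added example; this is not the UIAO project's own hook code and the Platform Server Build Guide may do it differently. It assumes that a shim in Gitea's pre-receive.d directory runs it with pwsh inside the bare repository, that the shim passes git's standard "old-sha new-sha refname" lines on stdin, that a "controlled marking" is any pattern in $MarkingPatterns (the page names only FOUO; the other two strings are assumed), and that the commit message convention is "UIAO-NNN: summary", which the page does not specify. The function names are hypothetical.

```powershell
#Requires -Version 7.0
<#
 uiao-pre-receive.ps1 -- added example; not the UIAO project's own hook.
 Assumed invocation: Gitea's pre-receive.d shim runs this script inside the
 bare repository with one "<old-sha> <new-sha> <refname>" line per pushed ref
 on stdin. A non-zero exit rejects the whole push, and everything written to
 stderr is shown to the pusher.
#>

# Controlled-marking patterns that must never enter the repository. The page
# names FOUO; the other two are assumed variants. Matching is case-insensitive.
$script:MarkingPatterns = @('FOUO', 'FOR OFFICIAL USE ONLY', '\bCUI\b')

# Assumed commit-subject convention: "UIAO-NNN: summary", or a merge commit
# produced by a Gitea pull request.
$script:MessagePattern = '^(UIAO-\d{3}: \S.*|Merge .+)$'

$script:ZeroSha = '0' * 40   # git's "no object" SHA for ref creation/deletion

function Test-UiaoCommitMessage {
    param([Parameter(Mandatory)][string]$Message)
    $subject = ($Message -split "`r?`n")[0].Trim()
    return [bool]($subject -match $script:MessagePattern)
}

function Find-UiaoMarking {
    # First marking pattern found in $Text, or $null when the text is clean.
    param([string]$Text = '')
    foreach ($pattern in $script:MarkingPatterns) {
        if ($Text -imatch $pattern) { return $pattern }
    }
    return $null
}

function Get-UiaoAddedText {
    # Lines a commit adds, diffed against its first parent (or against the
    # empty tree for a root commit). Only additions are scanned, so a commit
    # that removes a marking is never rejected for the lines it deletes.
    param([Parameter(Mandatory)][string]$Sha)
    $parents = @(((git rev-list --parents -n 1 $Sha) -split ' ') | Select-Object -Skip 1)
    $diff = if ($parents.Count -gt 0) { git diff --no-color $parents[0] $Sha }
            else { git show --no-color --format= $Sha }
    $added = @($diff | Where-Object { $_ -like '+*' -and $_ -notlike '+++*' })
    return (($added -replace '^\+', '') -join "`n")
}

function Get-UiaoPushedCommits {
    param([string]$OldSha, [string]$NewSha)
    if ($NewSha -eq $script:ZeroSha) { return @() }                          # ref deleted: nothing to scan
    if ($OldSha -eq $script:ZeroSha) { return @(git rev-list $NewSha --not --all) }  # new ref: commits not yet reachable
    return @(git rev-list "$OldSha..$NewSha")
}

function Test-UiaoPush {
    # Checks every commit in the push and returns the list of violations.
    param([string[]]$RefLines)
    $violations = [System.Collections.Generic.List[string]]::new()
    foreach ($line in $RefLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $old, $new, $ref = $line.Trim() -split '\s+'
        foreach ($sha in Get-UiaoPushedCommits -OldSha $old -NewSha $new) {
            $short = $sha.Substring(0, 8)
            $message = (git log -1 --format=%B $sha) -join "`n"
            if (-not (Test-UiaoCommitMessage -Message $message)) {
                $violations.Add("$ref ${short}: subject must match '$script:MessagePattern'")
            }
            $hit = Find-UiaoMarking -Text $message
            if ($hit) { $violations.Add("$ref ${short}: commit message contains marking '$hit'") }
            $hit = Find-UiaoMarking -Text (Get-UiaoAddedText -Sha $sha)
            if ($hit) { $violations.Add("$ref ${short}: added content contains marking '$hit'") }
        }
    }
    return $violations
}

# Hook entry point (skipped when the file is dot-sourced for testing).
if ($MyInvocation.InvocationName -ne '.') {
    $problems = Test-UiaoPush -RefLines ([Console]::In.ReadToEnd() -split "`n")
    if ($problems.Count -gt 0) {
        [Console]::Error.WriteLine('UIAO pre-receive: push rejected')
        $problems | ForEach-Object { [Console]::Error.WriteLine("  $_") }
        exit 1
    }
    exit 0
}
```

For the T-006.4 test pass, dot-source the script and exercise the pure functions without a repository: `Test-UiaoCommitMessage 'UIAO-013: add master plan'` returns True, `Find-UiaoMarking 'marked fouo'` returns FOUO, then push a known-bad commit to a scratch repository and keep the rejected stderr output as the evidence the Phase 0 gate asks for. Git stores the objects of an incoming push in a quarantine directory until pre-receive accepts them, so content rejected here never becomes reachable from any ref, which is what makes this control stronger than cleaning up after a merge.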

M-007 — Azure Arc Enrollment (Week 3)

| Task | Description | Hours | Dependencies | Reference |
|---|---|---|---|---|
| T-007.1 | Install Azure Connected Machine agent on UIAO Git Server | 1h | M-001, Azure subscription | AD Computer Object Conversion Guide §8 |
| T-007.2 | Apply OrgPath tags to Arc resource (Region, Site, Department, Role = GitServer) | 1h | T-007.1 | AD Computer Object Conversion Guide §2 |
| T-007.3 | Assign Azure Policy initiatives for Windows Server 2025 Guest Configuration | 2h | T-007.2 | AD Computer Object Conversion Guide §8 |
| T-007.4 | Verify Arc agent heartbeat, policy compliance status, and Guest Configuration reports | 1h | T-007.3 | AD Computer Object Conversion Guide §8 |

3.3 Phase 0 Exit Criteria

Phase 0 Gate Review — Go/No-Go Checklist

• Gitea web UI accessible at https://git.uiao.local

• AD LDAP and Entra ID OAuth2 authentication both operational and tested

• UIAO repository fully mirrored with complete commit history from GitHub

• Governance hooks rejecting FOUO markings and enforcing branch protection — test evidence committed

• Azure Arc enrolled with OrgPath tags applied and Guest Configuration policies compliant

• Phase 0 completion report committed to Gitea at reports/phase-gates/phase-0-completion.md

• All milestone deliverables listed in M-001 through M-007 verified and signed off by respective owner

4. Phase 1: Assessment (Weeks 4–9) — Detailed

Critical Phase

This is the most critical and detailed section of the entire project plan. Phase 1 produces every planning artifact that drives all subsequent phases. No migration activity begins until Phase 1 is complete and approved. The assessment covers 12 domains across the complete AD forest, generating 23 canonical deliverables that feed 8 modernization plans.

Reference Documents: UIAO Active Directory Interaction Guide (primary), UIAO Read-Only AD Assessment Guide, UIAO vs Microsoft Native Tools — Gap Analysis.

4.1 Assessment Scope

The assessment covers 12 domains across the complete AD forest. Each domain has a dedicated UIAO assessment function, a defined output artifact, and a reference to the companion document containing the detailed procedure.

| Domain | Assessment Tool | Output | Companion Document |
|---|---|---|---|
| Forest Topology | Export-UIAOForestTopology | ForestTopology.json | AD Interaction Guide §3 |
| OU Hierarchy | Export-UIAOOUHierarchy | OUHierarchy.json, OUTree.txt | AD Interaction Guide §4 |
| GPO Inventory | Export-UIAOGPOInventory | GPOInventory.json, XML reports | AD Interaction Guide §5 |
| DNS Infrastructure | Export-UIAODNSAssessment | DNSInventory.json | AD Interaction Guide §6, DNS Modernization Guide §4 |
| PKI / ADCS | Export-UIAOPKIInventory | PKIInventory.json, ESCVulnerabilities.csv | AD Interaction Guide §7, PKI Modernization Guide §3 |
| Computer Objects | Export-UIAOComputerInventory | ComputerInventory.json | AD Interaction Guide §8 |
| User Objects | Export-UIAOUserInventory | UserInventory.json, PrivilegedUsers.csv | AD Interaction Guide §9 |
| Group Memberships | Export-UIAOGroupInventory | GroupInventory.json | AD Interaction Guide §9 |
| Trust Relationships | Export-UIAOTrustMap | TrustMap.json | AD Interaction Guide §10 |
| Service Accounts | Export-UIAOServiceAccountInventory | ServiceAccounts.csv | Identity Modernization Guide §6 |
| ACL / Delegation | Export-UIAOACLReport | OUDelegation.json | AD Interaction Guide §11 |
| Schema Extensions | Export-UIAOSchemaExtensions | SchemaExtensions.json | AD Interaction Guide §12 |

4.2 Assessment Execution Sequence

Week 4 — Pre-Assessment (Read-Only)

| Task ID | Task | Description | Hours | Reference |
|---|---|---|---|---|
| T-4.1 | Deploy assessment workstation | Provision PAW or dedicated VM with Windows 11, domain-joined, restricted network access. Install PowerShell 7.x and Git for Windows. | 4h | Read-Only AD Assessment Guide §2 |
| T-4.2 | Install RSAT modules | Install ActiveDirectory, GroupPolicy, DnsServer, and ADCSAdministration RSAT modules. Verify module import succeeds. | 2h | Read-Only AD Assessment Guide §3 |
| T-4.3 | Run Test-UIAOReadAccess | Execute permission discovery to determine what can be assessed with current user credentials without any delegation. Document accessible vs. restricted domains. | 2h | Read-Only AD Assessment Guide §4 |
| T-4.4 | Execute Invoke-UIAOReadOnlyAssessment | Run the master read-only orchestrator. Captures approximately 87% of total assessment value including forest topology, OU hierarchy, computer objects, user objects, group memberships, and basic GPO inventory — all without elevated permissions. | 8h | Read-Only AD Assessment Guide §5 |
| T-4.5 | Commit read-only assessment to Gitea | Stage all output under assessments/readonly/{domain}/{timestamp}/ and push to feature/phase1-assessment branch. Create pull request for Canon Steward review. | 2h | CLI and Operations Guide §6 |
| T-4.6 | Generate Delegation Request | From the read-only results, generate a formal delegation request documenting the specific permissions needed to assess the remaining 13%: DNS zone read, PKI CA Admin read, deleted objects read, GPO backup rights. | 3h | Read-Only AD Assessment Guide §8 |

| Milestone | ID | Gate Criteria |
|---|---|---|
| Read-only assessment committed to Gitea | M-008 | Read-only assessment reviewed by Canon Steward; delegation request submitted to AD team |

Week 5 — Delegated Assessment

| Task ID | Task | Description | Hours | Reference |
|---|---|---|---|---|
| T-5.1 | Receive delegated read access | AD team grants read-only delegated access for DNS zones, PKI certificate authority, deleted objects container, and GPO backup permissions. Verify with Test-UIAOReadAccess re-run. | 2h | Read-Only AD Assessment Guide §8 |
| T-5.2 | Execute full DNS assessment | Run Get-UIAODNSAssessment with DnsServer module access. Enumerate all forward/reverse zones, zone types (AD-integrated, primary, stub, conditional forwarder), aging/scavenging settings, and record counts. | 4h | AD Interaction Guide §6, DNS Modernization Guide §4 |
| T-5.3 | Execute full PKI assessment | Run Get-UIAOPKIInventory with CA Admin read access. Enumerate all CAs (root, issuing, policy), certificate templates, enrollment permissions, template security descriptors, and CRL distribution points. | 6h | AD Interaction Guide §7, PKI Modernization Guide §3 |
| T-5.4 | Execute full GPO backup | Run Backup-GPO -All to capture all GPO settings as XML. Parse XML reports with Export-UIAOGPOInventory to create structured JSON with per-setting classification. | 4h | AD Interaction Guide §5 |
| T-5.5 | Execute deleted objects enumeration | Enumerate tombstoned objects in the AD recycled objects container to identify recently deleted accounts, groups, and computer objects that may impact migration planning. | 2h | AD Interaction Guide §12 |
| T-5.6 | Commit full assessment delta to Gitea | Stage all new and updated artifacts under assessments/full/{domain}/{timestamp}/. Merge into feature/phase1-assessment branch. Update AssessmentManifest.json. | 2h | CLI and Operations Guide §6 |

| Milestone | ID | Gate Criteria |
|---|---|---|
| Full assessment committed to Gitea | M-009 | Full assessment reviewed; no critical gaps remaining; all 12 domains covered |

Week 6 — Security Assessment

| Task ID | Task | Description | Hours | Reference |
|---|---|---|---|---|
| T-6.1 | Run ESC vulnerability analysis | Execute Test-UIAOESCVulnerabilities against all certificate templates. Identify ESC1 through ESC8 misconfigurations. Output ESCVulnerabilities.csv with per-template severity and remediation recommendation. | 6h | PKI Modernization Guide §3 |
| T-6.2 | Run privileged access audit | Enumerate all accounts with AdminCount=1, Kerberoastable SPNs, unconstrained delegation, AS-REP roastable accounts, password-never-expires, and stale privileged accounts (>90 days inactive). | 4h | Identity Modernization Guide §5 |
| T-6.3 | Import Defender for Identity findings | If Microsoft Defender for Identity is deployed, export Secure Score findings and import via Import-DefenderForIdentityFindings adapter. Merge with UIAO findings. | 3h | UIAO vs Microsoft Native Tools — Gap Analysis §7 |
| T-6.4 | Import PingCastle / Purple Knight results | If third-party AD security tools have been run, import and correlate findings with UIAO assessment data. Reconcile overlapping findings to eliminate duplicates. | 3h | UIAO vs Microsoft Native Tools — Gap Analysis §9 |
| T-6.5 | Generate consolidated security findings report | Merge all sources (UIAO, Defender for Identity, PingCastle) into a single SecurityFindings.json with deduplicated, normalized findings. | 4h | |
| T-6.6 | Classify findings by severity | Assign each finding: Critical (blocks migration), High (must remediate before Phase 3), Medium (remediate during Phase 4), Low (accept or track). | 4h | |
| T-6.7 | Commit security assessment to Gitea | Commit all security artifacts under assessments/security/{timestamp}/ and update AssessmentManifest.json. | 1h | CLI and Operations Guide §6 |

| Milestone | ID | Gate Criteria |
|---|---|---|
| Security assessment complete, findings classified | M-010 | Critical findings identified with remediation plan drafted; High findings scheduled before Phase 3 |

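The privileged access audit of T-6.2, as an added example that is not a UIAO project function (the project's own audit lives in the Identity Modernization Guide). It issues only read-only ActiveDirectory module queries and emits one finding object per hit so the output can be merged in T-6.5. The finding shape, the output file name and the severity assigned to each condition are assumptions chosen to line up with the T-6.6 classes; the page defines none of them.

```powershell
#Requires -Modules ActiveDirectory
<#
 Get-UiaoPrivilegedAccessAudit -- added example, not UIAO project code.
 Read-only audit of the six conditions named in T-6.2. Severities are an
 assumption mapped onto the T-6.6 classes (Critical/High/Medium/Low).
#>

function New-UiaoFinding {
    param([string]$Category, [string]$Severity, [string]$Account, [string]$Detail)
    [pscustomobject]@{
        Source   = 'UIAO'      # lets the T-6.5 merge dedupe against Defender/PingCastle rows
        Category = $Category
        Severity = $Severity
        Account  = $Account
        Detail   = $Detail
    }
}

function Get-UiaoPrivilegedAccessAudit {
    param(
        [int]$StaleDays = 90,   # page: stale privileged = >90 days inactive
        [string]$Server         # optional domain controller to query
    )
    $dc = @{}
    if ($Server) { $dc['Server'] = $Server }
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $props = 'AdminCount', 'ServicePrincipalName', 'TrustedForDelegation',
             'DoesNotRequirePreAuth', 'PasswordNeverExpires', 'LastLogonDate', 'Enabled'

    # 1. AdminCount=1 is the set protected by AdminSDHolder: the privileged baseline.
    #    Stale or never-expiring members of that set are reported first.
    foreach ($u in @(Get-ADUser -Filter 'AdminCount -eq 1' -Properties $props @dc)) {
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
            New-UiaoFinding 'StalePrivilegedAccount' 'High' $u.SamAccountName `
                "Enabled, last logon $($u.LastLogonDate.ToString('yyyy-MM-dd')); disable or remove from privileged groups"
        }
        if ($u.PasswordNeverExpires) {
            New-UiaoFinding 'PrivilegedPasswordNeverExpires' 'High' $u.SamAccountName `
                'Rotate the password and clear the flag; map to a PIM role per IdentityModernizationPlan'
        }
    }

    # 2. User accounts carrying an SPN (Kerberoastable): the account password is the
    #    only secret protecting its service tickets. Remediation is gMSA conversion
    #    (T-7.2) or a long random password; privileged ones are Critical.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props @dc | ForEach-Object {
        $sev = if ($_.AdminCount -eq 1) { 'Critical' } else { 'High' }
        New-UiaoFinding 'UserAccountWithSPN' $sev $_.SamAccountName `
            ('SPNs: {0}; candidate for gMSA conversion' -f ($_.ServicePrincipalName -join ', '))
    }

    # 3. Kerberos pre-authentication disabled (AS-REP roastable).
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties $props @dc | ForEach-Object {
        $sev = if ($_.AdminCount -eq 1) { 'Critical' } else { 'High' }
        New-UiaoFinding 'PreAuthNotRequired' $sev $_.SamAccountName 'Re-enable Kerberos pre-authentication'
    }

    # 4. Unconstrained delegation on anything that is not a domain controller
    #    (primaryGroupID 516 = Domain Controllers). Such a host caches the TGT of
    #    every user that authenticates to it, so the flag must go before Phase 3.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' `
        -Properties TrustedForDelegation @dc | ForEach-Object {
        New-UiaoFinding 'UnconstrainedDelegation' 'Critical' $_.SamAccountName `
            'Replace with constrained or resource-based delegation'
    }
    Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties $props @dc | ForEach-Object {
        New-UiaoFinding 'UnconstrainedDelegation' 'Critical' $_.SamAccountName 'User trusted for delegation; clear the flag'
    }

    # 5. Password-never-expires on enabled, non-privileged users (privileged ones
    #    were reported in step 1). '-ne 1' also matches accounts with no AdminCount.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true -and AdminCount -ne 1' `
        -Properties $props @dc | ForEach-Object {
        New-UiaoFinding 'PasswordNeverExpires' 'Medium' $_.SamAccountName `
            'Enforce password policy, or convert to gMSA/workload identity per the Identity plan'
    }
}

# Run the audit and stage the result for the T-6.5 merge (file name is an assumption).
$findings = @(Get-UiaoPrivilegedAccessAudit)
$findings | Sort-Object Severity, Category | Format-Table -AutoSize
$findings | ConvertTo-Json -Depth 3 | Set-Content -Path '.\PrivilegedAccessFindings.json'
```

Run it from the Week 4 assessment workstation with the same read-only credentials used for Invoke-UIAOReadOnlyAssessment; every query here is a directory read, so nothing in it needs the delegated access granted in T-5.1. Each Critical row maps directly to a SecurityRemediationPlan.json entry that must close before the Phase 3 gate.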
Week 7 — Planning Document Generation

From the assessment data, the following eight planning documents are generated. Each planning document is machine-readable JSON, produced by a UIAO plan generator function, and driven entirely by assessment output — not by manual design.

| Task ID | Planning Document | Description | Input Artifacts | Reference |
|---|---|---|---|---|
| T-7.1 | ComputerModernizationPlan.json | Classify every computer object into migration path: Entra Join, Hybrid Join, Azure Arc, Retain, or Decommission. Include OS version, last logon, OrgPath assignment, and target Intune policy group. | ComputerInventory.json | AD Computer Object Conversion Guide |
| T-7.2 | IdentityModernizationPlan.json | Classify every user, group, and service account into migration path: Cloud-only, Synced, gMSA conversion, Workload Identity, or Retain. Map privileged accounts to PIM roles. | UserInventory.json, GroupInventory.json, ServiceAccounts.csv | Identity Modernization Guide |
| T-7.3 | GPOMigrationPlan.json | Decompose every GPO into individual configuration intents. Classify each intent into Intune policy type (Settings Catalog, Endpoint Security, ADMX template, custom OMA-URI, or no equivalent). Track per-intent migration status. | GPOInventory.json | AD Computer Object Conversion Guide §4 |
| T-7.4 | DNSModernizationPlan.json | Classify every DNS zone and record into migration path: Azure DNS Private Zone, Azure DNS Public Zone, Private Resolver Forwarding, Retain AD-Integrated, or Decommission. | DNSInventory.json | DNS Modernization Guide |
| T-7.5 | PKIModernizationPlan.json | Classify every certificate template into MIGRATE (Cloud PKI), BRIDGE (hybrid issuance), RETAIN (on-prem only), or RETIRE. Include ESC remediation status per template. | PKIInventory.json | PKI Modernization Guide §4 |
| T-7.6 | OrgPathDesign.json | Define canonical OrgPath dimensions (Region, Site, Department, Role, Environment) and value lists. Map OU hierarchy analysis to OrgPath dimension values. Define extension attribute assignments. | OUHierarchy.json | AD Computer Object Conversion Guide §2 |
| T-7.7 | TrustDecommissionPlan.json | Map trust reduction sequence: identify each trust, classify as essential/non-essential, define decommission prerequisites and validation steps. | TrustMap.json | Identity Modernization Guide §10 |
| T-7.8 | SecurityRemediationPlan.json | Remediation steps for every finding with assigned owner, SLA based on severity, and verification procedure. Critical/High findings must have remediation completed before Phase 3 gate. | SecurityFindings.json | PKI Modernization Guide §3, Identity Modernization Guide §5 |

| Milestone | ID | Gate Criteria |
|---|---|---|
| All planning documents generated and committed to Gitea | M-011 | Eight planning documents committed under plans/ directory; all pass schema validation |

Week 8 — Planning Review and Approval

| Task ID | Task | Description | Hours |
|---|---|---|---|
| T-8.1 | Canon Steward reviews all planning documents | Full review of all eight planning documents for completeness, consistency, and governance compliance. Verify cross-references between plans are accurate. | 16h |
| T-8.2 | Pillar leads review their respective plans | Each pillar lead reviews their domain-specific plan: Identity Lead reviews Identity + Trust plans, Endpoint Lead reviews Computer + GPO plans, DNS Lead reviews DNS plan, PKI Lead reviews PKI plan. | 8h each |
| T-8.3 | Security Lead approves security remediation plan | Security Lead validates severity classifications, remediation steps, SLAs, and owner assignments. Confirms no critical findings are unaddressed. | 8h |
| T-8.4 | Steering committee approval of combined plan | Formal steering committee meeting to approve the combined assessment and planning output. Go/No-Go decision for Phase 2. | 4h |
| T-8.5 | Resolve conflicts, update plans, re-commit | Address all review comments, resolve cross-plan conflicts (e.g., PKI plan depends on Identity plan timing), update, and re-commit to Gitea. | 8h |

| Milestone | ID | Gate Criteria |
|---|---|---|
| All planning documents APPROVED status | M-012 | Combined plan approved by Canon Steward and steering committee; all documents status = APPROVED |

Week 9 — Pre-Pilot Preparation

| Task ID | Task | Description | Hours | Reference |
|---|---|---|---|---|
| T-9.1 | Identify pilot groups | Select 50–100 devices, 20–50 users per pillar, 2–3 servers, and 1–2 certificate use cases. Selection criteria: representative of environment, low-risk, willing participants. | 4h | ComputerModernizationPlan, IdentityModernizationPlan |
| T-9.2 | Create OrgPath dynamic groups for pilot scope | Build Entra ID dynamic groups using OrgPath extension attributes to target pilot devices and users. Validate group membership accuracy. | 4h | AD Computer Object Conversion Guide §3 |
| T-9.3 | Begin critical/high security finding remediation | Execute remediation steps for Critical and High severity findings identified in Week 6. Verify remediation with re-scan. All Critical findings must be resolved before Phase 3. | 20h | SecurityRemediationPlan.json |
| T-9.4 | Configure Intune for pilot policies | Create Intune configuration profiles and compliance policies from GPOMigrationPlan.json. Assign to pilot dynamic groups but set to Not Applicable until Phase 3. | 12h | AD Computer Object Conversion Guide §4 |
| T-9.5 | Configure Conditional Access in report-only mode | Deploy 15+ Conditional Access policies per Identity Modernization Guide in report-only mode targeting pilot users. Monitor sign-in logs for impact analysis. | 8h | Identity Modernization Guide §8 |
| T-9.6 | Provision Cloud PKI | Deploy Cloud PKI Root CA or configure BYOCA per PKI Modernization Plan. Create initial SCEP profile for pilot certificate template. | 8h | PKI Modernization Guide §5 |
| T-9.7 | Deploy Azure DNS Private Resolver | Deploy Private Resolver in hub VNet per DNS Modernization Plan. Configure forwarding rulesets for AD DNS zones. Do not enable conditional forwarding changes yet. | 6h | DNS Modernization Guide §6 |

| Milestone | ID | Gate Criteria |
|---|---|---|
| Pre-pilot infrastructure ready | M-013 | Pilot scope defined; infrastructure provisioned; critical security findings remediated; Conditional Access running in report-only for 7+ days with no unexpected impact |

4.3 Assessment Phase Deliverables Summary

| Deliverable | Format | Gitea Path | Produced By | Consumed By |
|---|---|---|---|---|
| ForestTopology.json | JSON | assessments/full/ | Invoke-UIAOADAssessment | All planning documents |
| OUHierarchy.json | JSON | assessments/full/ | Export-UIAOOUHierarchy | OrgPath Design, GPO Migration Plan |
| GPOInventory.json | JSON | assessments/full/ | Export-UIAOGPOInventory | GPO Migration Plan |
| GPO XML Reports | XML | assessments/full/GPO/Reports/ | Get-GPOReport | GPO Migration Plan |
| DNSInventory.json | JSON | assessments/full/ | Export-UIAODNSAssessment | DNS Modernization Plan |
| PKIInventory.json | JSON | assessments/full/ | Export-UIAOPKIInventory | PKI Modernization Plan |
| ESCVulnerabilities.csv | CSV | assessments/full/PKI/ | Test-UIAOESCVulnerabilities | Security Remediation Plan |
| ComputerInventory.json | JSON | assessments/full/ | Export-UIAOComputerInventory | Computer Modernization Plan |
| UserInventory.json | JSON | assessments/full/ | Export-UIAOUserInventory | Identity Modernization Plan |
| GroupInventory.json | JSON | assessments/full/ | Export-UIAOGroupInventory | Identity Modernization Plan |
| ServiceAccounts.csv | CSV | assessments/full/ | Export-UIAOServiceAccountInventory | Identity Modernization Plan |
| TrustMap.json | JSON | assessments/full/ | Export-UIAOTrustMap | Trust Decommission Plan |
| OUDelegation.json | JSON | assessments/full/ | Export-UIAOACLReport | Identity Modernization Plan |
| SchemaExtensions.json | JSON | assessments/full/ | Export-UIAOSchemaExtensions | OrgPath Design |
| AssessmentManifest.json | JSON | assessments/full/ | Invoke-UIAOADAssessment | Governance tracking |
| ComputerModernizationPlan.json | JSON | plans/ | Phase 1 Week 7 | Phase 3–5 |
| IdentityModernizationPlan.json | JSON | plans/ | Phase 1 Week 7 | Phase 3–5 |
| GPOMigrationPlan.json | JSON | plans/ | Phase 1 Week 7 | Phase 3–5 |
| DNSModernizationPlan.json | JSON | plans/ | Phase 1 Week 7 | Phase 3–5 |
| PKIModernizationPlan.json | JSON | plans/ | Phase 1 Week 7 | Phase 3–5 |
| OrgPathDesign.json | JSON | plans/ | Phase 1 Week 7 | Phase 2–6 |
| SecurityRemediationPlan.json | JSON | plans/ | Phase 1 Week 7 | Phase 2–5 |
| TrustDecommissionPlan.json | JSON | plans/ | Phase 1 Week 7 | Phase 5 |

5. Phase 2: Planning and Design (Weeks 10–13)

Objective: Transform assessment-driven planning documents into detailed technical designs, tested configurations, and approved blueprints ready for pilot deployment.

Reference Documents: AD Computer Object Conversion Guide, Identity Modernization Guide, DNS Modernization Guide, PKI Modernization Guide.

5.1 Phase 2 Milestones

| ID | Milestone | Week | Deliverable | Owner |
|---|---|---|---|---|
| M-014 | OrgPath taxonomy finalized | W10 | Extension attribute mapping, canonical value lists, governance rules committed | Identity Lead |
| M-015 | Dynamic group design complete | W10 | All dynamic group rules documented and tested in non-production | Endpoint Lead |
| M-016 | Intune policy design complete | W11 | All GPO-to-Intune policy mappings with Settings Catalog configurations | Endpoint Lead |
| M-017 | Conditional Access policy design | W11 | 15+ CA policies designed and running in report-only mode for 7+ days | Security Lead |
| M-018 | Entra Connect sync design | W12 | Filtering rules, attribute flow, sync method (PHS/PTA) documented | Identity Lead |
| M-019 | Azure DNS Private Resolver design | W12 | Hub-spoke topology, forwarding rulesets, split-brain patterns documented | DNS Lead |
| M-020 | Cloud PKI design complete | W13 | Root or BYOCA decision finalized, template migration matrix, SCEP profile designs | PKI Lead |
| M-021 | Phase 2 design review approved | W13 | All designs approved by Canon Steward and steering committee | Canon Steward |

5.2 Detailed Task Breakdown

M-014 — OrgPath Taxonomy (Week 10)

| Task | Description | Hours | Dependencies | Reference |
|---|---|---|---|---|
| T-14.1 | Define OrgPath dimensions from OU hierarchy analysis: Region, Site, Department, Role, Environment | 4h | OrgPathDesign.json | AD Computer Object Conversion Guide §2 |
| T-14.2 | Map dimensions to Entra ID extension attributes (extensionAttribute1–15) | 3h | T-14.1, SchemaExtensions.json | AD Computer Object Conversion Guide §2 |
| T-14.3 | Create canonical value lists with validation rules (e.g., Region must be from approved list) | 4h | T-14.1 | AD Computer Object Conversion Guide §2 |
| T-14.4 | Define OrgPath governance rules: who can modify, approval workflow, drift detection | 2h | T-14.3 | CLI and Operations Guide §7 |
| T-14.5 | Commit OrgPathTaxonomy.json to Gitea with APPROVED status | 1h | T-14.4 | |

M-015 — Dynamic Group Design (Week 10)

| Task | Description | Hours | Dependencies | Reference |
| --- | --- | --- | --- | --- |
| T-15.1 | Design dynamic group rules for each OrgPath dimension combination used in migration waves | 6h | M-014 | AD Computer Object Conversion Guide §3 |
| T-15.2 | Create test dynamic groups in non-production Entra ID tenant and validate membership | 4h | T-15.1 | AD Computer Object Conversion Guide §3 |
| T-15.3 | Document group naming convention and lifecycle management procedures | 2h | T-15.1 | |
| T-15.4 | Validate dynamic group processing time is within acceptable thresholds (<15 min refresh) | 2h | T-15.2 | |

M-016 — Intune Policy Design (Week 11)

| Task | Description | Hours | Dependencies | Reference |
| --- | --- | --- | --- | --- |
| T-16.1 | Map each GPO intent from GPOMigrationPlan.json to Settings Catalog, Endpoint Security, or ADMX template | 16h | GPOMigrationPlan.json | AD Computer Object Conversion Guide §4, Gap Analysis §4 |
| T-16.2 | Identify GPO intents with no Intune equivalent; document workarounds or acceptance decisions | 8h | T-16.1 | Gap Analysis §4 |
| T-16.3 | Build Intune configuration profiles in non-production and export as JSON | 12h | T-16.1 | AD Computer Object Conversion Guide §4 |
| T-16.4 | Create compliance policies aligned with configuration profiles | 4h | T-16.3 | AD Computer Object Conversion Guide §5 |
| T-16.5 | Commit IntunePolicy.json exports to Gitea under plans/intune/ | 2h | T-16.4 | |

M-017 — Conditional Access Policy Design (Week 11)

| Task | Description | Hours | Dependencies | Reference |
| --- | --- | --- | --- | --- |
| T-17.1 | Design 15+ Conditional Access policies covering: MFA, device compliance, app protection, location, authentication strength, sign-in risk | 12h | IdentityModernizationPlan.json | Identity Modernization Guide §8 |
| T-17.2 | Deploy all policies in report-only mode; monitor sign-in logs for 7+ days | 4h | T-17.1 | Identity Modernization Guide §8 |
| T-17.3 | Analyze report-only impact: identify users/apps that would be blocked or challenged | 4h | T-17.2 | Identity Modernization Guide §8 |
| T-17.4 | Document exception policies and break-glass accounts | 2h | T-17.3 | Identity Modernization Guide §7 |

M-018 — Entra Connect Sync Design (Week 12)

| Task | Description | Hours | Dependencies | Reference |
| --- | --- | --- | --- | --- |
| T-18.1 | Define OU-based and attribute-based sync scope filtering rules from IdentityModernizationPlan.json | 4h | IdentityModernizationPlan.json | Identity Modernization Guide §3 |
| T-18.2 | Design attribute flow rules including OrgPath extension attributes to Entra ID | 4h | T-18.1, M-014 | Identity Modernization Guide §3 |
| T-18.3 | Select sync method: Password Hash Sync (PHS) recommended, with Pass-Through Auth (PTA) as alternative | 2h | | Identity Modernization Guide §3 |
| T-18.4 | Document staging mode deployment plan for safe initial sync | 2h | T-18.1–T-18.3 | Identity Modernization Guide §3 |

M-019 — Azure DNS Private Resolver Design (Week 12)

| Task | Description | Hours | Dependencies | Reference |
| --- | --- | --- | --- | --- |
| T-19.1 | Design hub-spoke DNS topology: hub VNet with Private Resolver, spoke VNets linked to hub | 6h | DNSModernizationPlan.json | DNS Modernization Guide §6 |
| T-19.2 | Define forwarding rulesets: AD DNS zones → on-prem DCs, Azure Private Zones → resolver inbound | 4h | T-19.1 | DNS Modernization Guide §7 |
| T-19.3 | Document split-brain patterns for zones served by both on-prem and Azure DNS | 4h | T-19.2 | DNS Modernization Guide §8 |
| T-19.4 | Design monitoring and alerting for DNS resolution failures | 2h | T-19.1 | DNS Modernization Guide §10 |

M-020 — Cloud PKI Design (Week 13)

| Task | Description | Hours | Dependencies | Reference |
| --- | --- | --- | --- | --- |
| T-20.1 | Finalize Root CA decision: Cloud PKI Root vs. BYOCA (Bring Your Own CA). Document ADR. | 4h | PKIModernizationPlan.json | PKI Modernization Guide §5 |
| T-20.2 | Design SCEP profile configurations for each migrating certificate template | 8h | T-20.1 | PKI Modernization Guide §6 |
| T-20.3 | Design Entra CBA binding rules: certificate-to-user mapping, authentication strength integration | 4h | T-20.1 | PKI Modernization Guide §7 |
| T-20.4 | Document certificate lifecycle: issuance, renewal, revocation, and monitoring procedures | 4h | T-20.2 | PKI Modernization Guide §8 |
| T-20.5 | Commit all PKI design artifacts to Gitea | 1h | T-20.4 | |

6. Phase 3: Pilot (Weeks 14–21)

Objective: Validate the complete modernization stack — Identity, Devices, DNS, PKI, and Server Management — against a representative pilot group before scaling to the full environment.

6.1 Pilot Scope Definition

| Pillar | Pilot Scope | Selection Criteria |
| --- | --- | --- |
| Devices | 50–100 devices across 2–3 sites | Mix of Windows 10/11, laptop/desktop, representative OrgPath values |
| Identity | 20–50 users across 3–4 departments | Mix of standard users, power users, and 2–3 pilot admins |
| Servers | 2–3 servers for Arc enrollment | Non-critical tier, representative OS versions |
| PKI | 1–2 certificate use cases | Wi-Fi authentication certificate and/or VPN certificate |
| DNS | Pilot sites only | Sites with both on-prem and Azure workloads |

6.2 Phase 3 Milestones

| ID | Milestone | Week | Deliverable | Owner |
| --- | --- | --- | --- | --- |
| M-022 | Entra Connect deployed | W14 | Sync operational with PHS; staging mode validated; pilot users synced | Identity Lead |
| M-023 | Pilot devices Entra-joined or hybrid-joined | W15 | 50+ devices registered with OrgPath attributes populated in Entra ID | Endpoint Lead |
| M-024 | Intune policies assigned to pilot | W16 | GPO-equivalent policies deployed via OrgPath-based dynamic groups | Endpoint Lead |
| M-025 | Conditional Access enforced for pilot | W17 | MFA, device compliance, and authentication strength policies active | Security Lead |
| M-026 | PIM configured for privileged roles | W18 | All pilot admin accounts PIM-eligible; zero permanent Global Admins | Identity Lead |
| M-027 | DNS hybrid resolution validated | W19 | On-prem → Azure and Azure → on-prem resolution confirmed at pilot sites | DNS Lead |
| M-028 | Cloud PKI certificates issued to pilot | W20 | SCEP profiles deployed; Wi-Fi/VPN auth verified with Cloud PKI certificates | PKI Lead |
| M-029 | Entra CBA validated for pilot users | W20 | Certificate-based SSO working with staged rollout for pilot users | PKI Lead |
| M-030 | Arc pilot servers enrolled and compliant | W21 | Guest Configuration policies applied; Azure Policy compliance confirmed | Infra Lead |
| M-031 | Pilot success criteria met | W21 | >95% policy compliance, zero auth failures, all tests passed | PM |

6.3 Pilot Success Criteria

| Criteria | Target | Measurement | Pass/Fail Threshold |
| --- | --- | --- | --- |
| Device enrollment success rate | >98% | Intune enrollment report | <95% = FAIL |
| Policy compliance rate | >95% | Intune compliance dashboard | <90% = FAIL |
| Authentication success rate | >99% | Entra sign-in logs | <97% = FAIL |
| Certificate issuance success | >95% | Intune certificate report | <90% = FAIL |
| DNS resolution success | >99.5% | Monitoring queries (synthetic and organic) | <99% = FAIL |
| User satisfaction (survey) | >80% positive | Pilot user survey | <70% = FAIL |
| Help desk ticket volume | <5% of pilot users | Ticket tracking system | >10% = FAIL |
| Mean time to compliance | <4 hours | Intune reporting | >24 hours = FAIL |

6.4 Rollback Procedures

| Pillar | Rollback Trigger | Rollback Procedure | Recovery Time |
| --- | --- | --- | --- |
| Identity (Entra Connect) | Sync corruption, duplicate objects, authentication failures | Disable sync scheduler, restore from staging mode server, re-enable AD-only auth in Gitea. Per Identity Modernization Guide §12. | <2 hours |
| Devices (Intune) | Policy conflict causes device lockout, compliance failures >10% | Unassign Intune profiles from pilot group, re-enable GPO links for pilot OUs. Per AD Computer Object Conversion Guide §7. | <4 hours |
| Conditional Access | Legitimate users blocked, break-glass needed repeatedly | Switch all policies back to report-only mode. Per Identity Modernization Guide §8. | <30 min |
| DNS | Resolution failures >1%, SRV record lookup failures | Revert conditional forwarder changes on-prem, disable Private Resolver forwarding rules. Per DNS Modernization Guide §11. | <1 hour |
| PKI (Cloud PKI) | Certificate issuance failures, auth failures with new certs | Re-enable ADCS auto-enrollment for pilot templates, remove SCEP profiles from pilot group. Per PKI Modernization Guide §10. | <4 hours |
| Servers (Azure Arc) | Arc agent causes performance degradation, policy conflicts | Uninstall Connected Machine agent, remove Arc resource from Azure. Per AD Computer Object Conversion Guide §8. | <1 hour |

7. Phase 4: Scale (Weeks 22–33)

Objective: Extend the validated modernization stack from pilot to the full production environment through a wave-based rollout organized by OrgPath dimensions.

7.1 Scaling Strategy

7.2 Phase 4 Milestones

| ID | Milestone | Week | Scope | Owner |
| --- | --- | --- | --- | --- |
| M-032 | Wave 1 complete (Region 1) | W24 | ~25% of devices, users, and servers migrated | All Leads |
| M-033 | Wave 2 complete (Region 2) | W27 | ~50% cumulative | All Leads |
| M-034 | Wave 3 complete (Region 3) | W30 | ~75% cumulative | All Leads |
| M-035 | Wave 4 complete (All remaining) | W33 | 100% migrated | All Leads |
| M-036 | Legacy GPO disabled for migrated OUs | W33 | No GPO links remain on migrated OUs | Endpoint Lead |
| M-037 | All dynamic groups populated and validated | W33 | OrgPath attribute coverage = 100% | Identity Lead |

7.3 Scaling Risk Management

| Risk | Impact | Mitigation | Contingency |
| --- | --- | --- | --- |
| Wave N exposes applications not found in pilot | Authentication failures, business disruption | Pre-wave application discovery scan; Conditional Access report-only for 48h before enforcement | Exclude application from Conditional Access; add to exception policy |
| GPO-to-Intune parity gaps discovered at scale | Configuration drift, compliance failures | Maintain GPO links in parallel during wave; only unlink after 7-day compliance validation | Re-enable GPO for affected OUs; file Intune feature request |
| Dynamic group processing delays at high user counts | Policy assignment delays, enrollment gaps | Stagger OrgPath attribute writes; monitor dynamic group processing time | Convert to assigned groups for critical policies |
| Cloud PKI capacity limits during mass certificate issuance | Certificate issuance failures, VPN/Wi-Fi disruption | Stagger SCEP profile deployment across wave days; monitor issuance rate | Throttle enrollment; extend wave duration |
| DNS split-brain inconsistencies at multi-site scale | Name resolution failures for hybrid resources | Deploy monitoring probes at each site; test forward and reverse resolution | Revert specific forwarding rules; retain AD DNS for affected zones |
| User resistance increases with scale | Help desk volume spikes, negative sentiment | Pre-wave communications, training materials, department champions | Pause wave; increase training; add support resources |
| Key personnel unavailable during critical wave | Wave delayed, knowledge gaps | Cross-train 2 people per pillar; document all procedures in Gitea | Shift wave schedule; activate backup personnel |

8. Phase 5: Cutover (Weeks 34–41)

Objective: Decommission legacy infrastructure components that have been fully replaced by modernized equivalents. Each cutover action is irreversible and requires formal gate approval.

8.1 Phase 5 Milestones

| ID | Milestone | Week | Action | Owner |
| --- | --- | --- | --- | --- |
| M-038 | ADFS decommission (if applicable) | W35 | Convert federated domains to managed; disable ADFS farm | Identity Lead |
| M-039 | ADCS issuance stopped | W36 | Auto-enrollment disabled; certificate templates locked; CA set to maintenance-only for CRL | PKI Lead |
| M-040 | AD DNS conditional forwarders migrated | W37 | All conditional forwarding via Azure DNS Private Resolver; on-prem forwarders removed | DNS Lead |
| M-041 | Legacy GPO links removed | W38 | All GPOs unlinked from all OUs; GPO objects retained for audit but non-functional | Endpoint Lead |
| M-042 | Trust relationships reduced | W39 | Non-essential trusts removed per TrustDecommissionPlan.json | Identity Lead |
| M-043 | Legacy server decommission begins | W40 | NDES servers, secondary Issuing CAs, and secondary DNS servers decommissioned | Infra Lead |
| M-044 | Cutover validation complete | W41 | All modernization plans show 100% completion in Gitea; no legacy dependencies | Canon Steward |

8.2 Cutover Validation Checklist

| # | Validation Item | Method | Owner |
| --- | --- | --- | --- |
| 1 | All user accounts synced to Entra ID with correct OrgPath attributes | Entra ID export vs. IdentityModernizationPlan.json | Identity Lead |
| 2 | Zero permanent Global Admin assignments | PIM role assignment report | Identity Lead |
| 3 | All Conditional Access policies in enforced mode | CA policy status report | Security Lead |
| 4 | All devices enrolled in Intune with compliant status | Intune compliance dashboard | Endpoint Lead |
| 5 | All GPO links removed from all OUs | Get-GPLink across all OUs returns empty | Endpoint Lead |
| 6 | No device receiving GPO-delivered settings | gpresult /r on sample devices returns no applied GPOs | Endpoint Lead |
| 7 | All SCEP/PKCS certificates issued by Cloud PKI | Intune certificate report — 0 ADCS issuances in last 30 days | PKI Lead |
| 8 | ADCS auto-enrollment disabled on all templates | certutil -template audit | PKI Lead |
| 9 | All ESC vulnerabilities remediated or accepted with documentation | SecurityRemediationPlan.json — all items closed | Security Lead |
| 10 | CRL distribution points still accessible for existing certificates | certutil -verify against issued certificates | PKI Lead |
| 11 | DNS resolution working for all zones via Private Resolver | nslookup/dig tests from all sites | DNS Lead |
| 12 | No conditional forwarders remaining on on-prem DNS servers | DNS server configuration audit | DNS Lead |
| 13 | SRV records for AD services still resolvable (AD remains for auth) | nslookup -type=SRV _ldap._tcp.domain | DNS Lead |
| 14 | Azure Arc enrolled for all in-scope servers | Arc resource inventory vs. ComputerModernizationPlan.json | Infra Lead |
| 15 | Guest Configuration policies compliant on all Arc servers | Azure Policy compliance dashboard | Infra Lead |
| 16 | All trusts marked for removal have been removed | TrustDecommissionPlan.json — all non-essential trusts removed | Identity Lead |
| 17 | ADFS farm disabled (if applicable) | ADFS service stopped; no federated domains remain | Identity Lead |
| 18 | Service accounts migrated to gMSA or Workload Identity | ServiceAccounts.csv — all migrated or documented exception | Identity Lead |
| 19 | Drift detection running and producing weekly reports | Gitea commit history shows weekly assessment diffs | Canon Steward |
| 20 | All planning documents updated to CURRENT status | Gitea file status audit | Canon Steward |
| 21 | Decommissioned servers removed from AD computer objects | ComputerInventory.json re-scan shows removal | Infra Lead |
| 22 | Monitoring and alerting configured for all modernized services | Alert test verification for each pillar | All Leads |
| 23 | Break-glass accounts tested and documented | Break-glass login test successful | Security Lead |
| 24 | Operational runbooks drafted for steady-state operations | Runbooks committed to Gitea | All Leads |
| 25 | Phase 5 completion report committed to Gitea | Gate review report at reports/phase-gates/phase-5-completion.md | PM |

8.3 Rollback Plan for Cutover Actions

| Cutover Action | Rollback Possibility | Procedure | Time Window |
| --- | --- | --- | --- |
| ADFS decommission | Reversible within 72h | Re-enable ADFS service; convert managed domains back to federated via PowerShell | 72 hours |
| ADCS issuance stopped | Reversible | Re-enable auto-enrollment on templates; restart CA issuance. CRL must remain valid. | Indefinite (while CA online) |
| DNS forwarder migration | Reversible | Re-create conditional forwarders on on-prem DNS servers; disable Private Resolver rules | Indefinite |
| GPO link removal | Reversible | Re-link GPOs to OUs. GPO objects retained specifically for this purpose. | Until GPO objects deleted (Phase 6+) |
| Trust removal | Requires recreation | Recreate trust with same partner domain. Requires admin access on both sides. | 4–8 hours |
| Server decommission | Requires rebuild | Re-provision from backup or rebuild from documented procedure. This is the point of no easy return. | 24–48 hours |

9. Phase 6: Steady State (Week 42+)

Objective: Operate the modernized environment under continuous governance with automated drift detection, scheduled re-assessment, and periodic access reviews — all tracked through the UIAO Gitea pipeline.

9.1 Continuous Governance Operations

| Operation | Cadence | Tool / Process | Output |
| --- | --- | --- | --- |
| Scheduled re-assessment | Weekly | Invoke-UIAOADAssessment runs as scheduled task; diffs committed to Gitea | assessments/weekly/{YYYY-WNN}/delta.json |
| Drift detection | Daily | Invoke-UIAODriftDetection compares current state against canonical plans | Gitea issues created with assigned owner and SLA per severity |
| Compliance monitoring | Continuous | Intune compliance dashboard, Azure Policy compliance, Entra sign-in health | Monthly compliance report committed to Gitea |
| Certificate lifecycle | Daily monitoring | Cloud PKI renewal monitoring; Entra CBA binding validation | Certificate expiration alerts 30/14/7 days before expiry |
| DNS health | Continuous | SRV record validation probes; Private Resolver health checks; query analytics | DNS health dashboard; alert on resolution failure rate >0.1% |
| Access reviews | Quarterly | PIM role assignment reviews; group attestation; app consent reviews in Entra ID | Access review results committed to Gitea |

9.2 Steady State Milestones

| ID | Milestone | Cadence | Owner |
| --- | --- | --- | --- |
| M-045 | Weekly drift assessment | Weekly (automated) | Automation / Canon Steward review |
| M-046 | Monthly compliance report | Monthly | Security Lead |
| M-047 | Quarterly access review | Quarterly | Identity Lead |
| M-048 | Annual architecture review | Annual | Canon Steward |

9.3 SLA Framework for Drift Remediation

| Finding Severity | Detection SLA | Remediation SLA | Escalation |
| --- | --- | --- | --- |
| Critical | < 1 hour | < 4 hours | Canon Steward + Security Lead notified immediately |
| High | < 4 hours | < 24 hours | Pillar Lead notified within 4 hours |
| Medium | < 24 hours | < 7 days | Pillar Lead notified within 24 hours |
| Low | < 7 days | < 30 days | Tracked in Gitea issue; reviewed at weekly standup |
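The daily drift-detection operation in 9.1 and the SLA table in 9.3, as an added PowerShell example (not the UIAO project's own Invoke-UIAODriftDetection): it diffs a canonical plan snapshot against an observed-state export, assigns a severity and pillar owner from a rule table, and stamps each finding with the 9.3 detection and remediation deadlines and escalation path. The field names, rule table and sample JSON are constructed for illustration.

```powershell
# Added example, not part of the UIAO repository. Runs on Windows PowerShell 5.1 or PowerShell 7.

# Detection/remediation SLAs from section 9.3, in hours (7 days = 168 h, 30 days = 720 h)
$UIAODriftSla = @{
    Critical = @{ Detect = 1;   Remediate = 4;   Escalation = 'Canon Steward + Security Lead notified immediately' }
    High     = @{ Detect = 4;   Remediate = 24;  Escalation = 'Pillar Lead notified within 4 hours' }
    Medium   = @{ Detect = 24;  Remediate = 168; Escalation = 'Pillar Lead notified within 24 hours' }
    Low      = @{ Detect = 168; Remediate = 720; Escalation = 'Tracked in Gitea issue; reviewed at weekly standup' }
}

# Constructed rule table: which plan field maps to which severity and pillar owner.
# In a real deployment this would be part of the canonical plan, not hard-coded.
$UIAODriftRules = @(
    @{ Field = 'PermanentGlobalAdmins'; Severity = 'Critical'; Owner = 'Identity Lead' }
    @{ Field = 'GpoLinksOnMigratedOUs';  Severity = 'High';     Owner = 'Endpoint Lead' }
    @{ Field = 'AdcsAutoEnrollmentOn';   Severity = 'High';     Owner = 'PKI Lead' }
    @{ Field = 'OrgPathCoveragePct';     Severity = 'Medium';   Owner = 'Identity Lead' }
)

function Invoke-UIAODriftCompare {
    <# Compare a canonical plan (JSON text) with an observed-state export (JSON text)
       and emit one finding per mismatched or missing scalar field, with SLA deadlines. #>
    param(
        [Parameter(Mandatory)][string]$CanonicalJson,
        [Parameter(Mandatory)][string]$ObservedJson,
        [datetime]$DetectedAt = (Get-Date)
    )
    $canonical = $CanonicalJson | ConvertFrom-Json
    $observed  = $ObservedJson  | ConvertFrom-Json

    foreach ($prop in $canonical.PSObject.Properties) {
        $name     = $prop.Name
        $expected = $prop.Value
        $actual   = $observed.PSObject.Properties[$name].Value   # $null when the field is absent
        if ($null -ne $actual -and $actual -eq $expected) { continue }

        $rule = $UIAODriftRules | Where-Object Field -eq $name | Select-Object -First 1
        $sev  = if ($rule) { $rule.Severity } else { 'Low' }      # unmapped fields default to Low
        $sla  = $UIAODriftSla[$sev]

        [pscustomobject]@{
            Field       = $name
            Expected    = $expected
            Actual      = if ($null -eq $actual) { '<missing>' } else { $actual }
            Severity    = $sev
            Owner       = if ($rule) { $rule.Owner } else { 'Canon Steward' }
            DetectBy    = $DetectedAt.AddHours($sla.Detect)
            RemediateBy = $DetectedAt.AddHours($sla.Remediate)
            Escalation  = $sla.Escalation
        }
    }
}

function ConvertTo-UIAODriftIssue {
    <# Render a finding as the title/body pair a Gitea issue would carry (section 9.1 output). #>
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Finding)
    process {
        [pscustomobject]@{
            Title = "[$($Finding.Severity)] Drift: $($Finding.Field) expected $($Finding.Expected), observed $($Finding.Actual)"
            Body  = @(
                "Owner: $($Finding.Owner)"
                "Remediate by: $($Finding.RemediateBy.ToString('u'))"
                "Escalation: $($Finding.Escalation)"
            ) -join "`n"
        }
    }
}

# Constructed sample inputs: a canonical plan snapshot and an observed-state export.
# Two fields drift (a permanent Global Admin appeared; OrgPath coverage dropped to 97%).
$planJson  = '{ "PermanentGlobalAdmins": 0, "GpoLinksOnMigratedOUs": 0, "AdcsAutoEnrollmentOn": false, "OrgPathCoveragePct": 100 }'
$stateJson = '{ "PermanentGlobalAdmins": 1, "GpoLinksOnMigratedOUs": 0, "AdcsAutoEnrollmentOn": false, "OrgPathCoveragePct": 97 }'

Invoke-UIAODriftCompare -CanonicalJson $planJson -ObservedJson $stateJson -DetectedAt (Get-Date '2026-05-04T08:00:00') |
    ConvertTo-UIAODriftIssue |
    Format-List
```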

10. Risk Register

| Risk ID | Risk Description | Prob. | Impact | Mitigation Strategy | Owner | Status |
| --- | --- | --- | --- | --- | --- | --- |
| R-001 | Assessment reveals undocumented AD trusts blocking migration | Medium | High | Read-only assessment (Phase 1 Week 4) identifies all trusts before any migration. TrustMap.json drives decommission plan. | Identity Lead | OPEN |
| R-002 | ESC critical findings require emergency PKI remediation before Phase 3 | High | Critical | Security assessment (Week 6) identifies all ESC1–ESC8 vulnerabilities. Critical findings remediated in Week 9 before pilot. | PKI Lead | OPEN |
| R-003 | Legacy applications dependent on NTLM authentication discovered | High | High | Application inventory during assessment; NTLM audit logs enabled in Phase 2; application exception policies in Conditional Access. | Security Lead | OPEN |
| R-004 | Entra Connect sync failures during Phase 3 | Medium | High | Deploy in staging mode first; validate sync before enabling scheduler; monitor sync errors via Entra Connect Health. | Identity Lead | OPEN |
| R-005 | Cloud PKI licensing delay | Medium | Medium | Procure Intune Suite licenses in Phase 2; validate licensing before Phase 3 pilot. | PM | OPEN |
| R-006 | DNS resolution failure during hybrid coexistence | Medium | High | Test bidirectional resolution at pilot sites; deploy synthetic monitoring probes; maintain AD DNS as fallback. | DNS Lead | OPEN |
| R-007 | User resistance to passwordless authentication | Medium | Medium | Pilot with willing early adopters; provide training materials; department champions; phased enforcement. | Identity Lead | OPEN |
| R-008 | Gitea server hardware failure (single point of failure) | Low | High | Daily backup to Azure Blob or network share; GitHub mirror as secondary source; Active-Passive replication (follow-on document P2). | Infra Lead | OPEN |
| R-009 | Azure Arc agent deployment blocked by endpoint security | Medium | Medium | Pre-approve Connected Machine agent in endpoint protection policies; test on pilot servers first. | Infra Lead | OPEN |
| R-010 | GPO-to-Intune settings not supported in Settings Catalog | High | High | Gap Analysis document identifies unsupported settings; use custom OMA-URI or ADMX ingestion; document accepted gaps. | Endpoint Lead | OPEN |
| R-011 | Certificate strong mapping failures on legacy DCs | Medium | Critical | Audit SID-based vs. explicit mapping on all templates; update mappings per PKI Modernization Guide §7 before enabling CBA. | PKI Lead | OPEN |
| R-012 | Budget constraints delaying license procurement | Medium | Medium | Submit license business case in Phase 1; obtain budget approval before Phase 2 design begins. | PM | OPEN |
| R-013 | Key personnel departure during critical phase | Low | High | Cross-train 2 people per pillar; all procedures documented in Gitea; no single-person dependencies. | PM | OPEN |
| R-014 | Regulatory audit occurs during migration window | Low | Medium | Maintain compliance documentation in Gitea with full audit trail; freeze changes during audit if required. | Security Lead | OPEN |
| R-015 | Split-brain DNS causes production outage | Low | Critical | Design split-brain patterns carefully (DNS Modernization Guide §8); test at each wave; maintain AD DNS as authoritative fallback. | DNS Lead | OPEN |
| R-016 | Dynamic group membership rules produce incorrect scope | Medium | Medium | Validate all dynamic group rules in non-production (Phase 2 M-015); monitor membership changes during scale. | Endpoint Lead | OPEN |
| R-017 | Entra CBA certificate-to-user binding breaks during migration | Medium | High | Staged CBA rollout; monitor sign-in logs for binding failures; maintain password fallback during transition. | PKI Lead | OPEN |
| R-018 | Gitea mirror sync from GitHub fails silently | Low | Low | Post-receive hook validates sync timestamp; alert if stale >24h. | Infra Lead | OPEN |
| R-019 | Schema extension conflicts block OrgPath attribute assignment | Low | Medium | SchemaExtensions.json assessment identifies in-use extension attributes; select unused attributes for OrgPath. | Identity Lead | OPEN |
| R-020 | ADFS decommission breaks legacy application authentication | Medium | High | Inventory all ADFS relying party trusts before decommission; migrate each to Entra ID Enterprise App; 72h rollback window. | Identity Lead | OPEN |
| R-021 | Assessment workstation compromised with sensitive AD data | Low | Medium | Use PAW with restricted network access; encrypt assessment output; destroy workstation after Phase 1. | Security Lead | OPEN |
| R-022 | Pilot user survey returns negative results | Low | Low | Conduct mid-pilot check-in at Week 18; address concerns before end-of-pilot survey. | PM | OPEN |

11. Dependency Map

[Diagram: UIAO Milestone Dependency Network]

Directed acyclic graph showing milestone-to-milestone dependencies. Critical path highlighted in blue: M-001 → M-002 → M-005 → M-008 → M-009 → M-011 → M-012 → M-022 → M-023 → M-024 → M-031 → M-032 → M-035 → M-044.

Diagram ID: UIAO-MPP-D002 | Dimensions: 780 × 450 px

11.1 Milestone Dependency Table

| Milestone | Depends On | Blocks |
| --- | --- | --- |
| M-001 (Server provisioned) | | M-002, M-007 |
| M-002 (IIS + Gitea) | M-001 | M-003, M-004, M-005 |
| M-003 (AD LDAP auth) | M-002 | M-005 |
| M-004 (Entra ID OAuth2) | M-002 | M-006 |
| M-005 (Repo mirrored) | M-002, M-003 | M-006, M-008 |
| M-006 (Governance hooks) | M-005, M-004 | M-008 |
| M-007 (Azure Arc) | M-001 | M-030 |
| M-008 (Read-only assessment) | M-006 | M-009 |
| M-009 (Full assessment) | M-008 | M-010, M-011 |
| M-010 (Security assessment) | M-009 | M-011 |
| M-011 (Planning docs generated) | M-009, M-010 | M-012 |
| M-012 (Planning docs approved) | M-011 | M-013, M-014 – M-021 |
| M-013 (Pre-pilot ready) | M-012 | M-022 |
| M-014 (OrgPath taxonomy) | M-012 | M-015, M-018 |
| M-015 (Dynamic groups) | M-014 | M-016, M-023 |
| M-016 (Intune policy design) | M-015 | M-024 |
| M-017 (Conditional Access) | M-012 | M-025 |
| M-018 (Entra Connect design) | M-014 | M-022 |
| M-019 (DNS Private Resolver) | M-012 | M-027 |
| M-020 (Cloud PKI design) | M-012, M-010 | M-028 |
| M-021 (Phase 2 approved) | M-014 – M-020 | M-022 |
| M-022 (Entra Connect deployed) | M-018, M-021 | M-023 |
| M-023 (Pilot devices joined) | M-015, M-022 | M-024 |
| M-024 (Intune policies assigned) | M-016, M-023 | M-025, M-031 |
| M-025 (CA enforced) | M-017, M-024 | M-031 |
| M-026 (PIM configured) | M-022 | M-031 |
| M-027 (DNS validated) | M-019 | M-031 |
| M-028 (Cloud PKI certs issued) | M-020 | M-029, M-031 |
| M-029 (Entra CBA validated) | M-028 | M-031 |
| M-030 (Arc servers compliant) | M-007 | M-031 |
| M-031 (Pilot success) | M-024 – M-030 | M-032 |
| M-032 (Wave 1) | M-031 | M-033 |
| M-033 (Wave 2) | M-032 | M-034 |
| M-034 (Wave 3) | M-033 | M-035 |
| M-035 (Wave 4) | M-034 | M-036, M-037, M-038 |
| M-036 (GPO disabled) | M-035 | M-041 |
| M-037 (Dynamic groups 100%) | M-035 | M-044 |
| M-038 (ADFS decommission) | M-035 | M-044 |
| M-039 (ADCS stopped) | M-035 | M-043 |
| M-040 (DNS forwarders migrated) | M-035 | M-043 |
| M-041 (GPO links removed) | M-036 | M-043 |
| M-042 (Trusts reduced) | M-035 | M-044 |
| M-043 (Server decommission) | M-039, M-040, M-041 | M-044 |
| M-044 (Cutover validated) | M-037 – M-043 | M-045 |
| M-045 – M-048 | M-044 | |

11.2 Critical Path

The critical path through the project is:

M-001 → M-002 → M-005 → M-006 → M-008 → M-009 → M-011 → M-012 → M-014 → M-015 → M-016 → M-023 → M-024 → M-031 → M-032 → M-033 → M-034 → M-035 → M-044

Parallelizable Milestones

Phase 0: M-003 (AD LDAP) and M-004 (Entra OAuth2) can run in parallel after M-002. M-007 (Arc) can run in parallel with M-002–M-006.

Phase 2: M-017 (Conditional Access) and M-019 (DNS Private Resolver) can run in parallel with the M-014 → M-015 → M-016 identity/device track. M-020 (Cloud PKI) runs in parallel but depends on M-010 (security assessment) for ESC remediation status.

Phase 3: M-026 (PIM), M-027 (DNS), M-028 (Cloud PKI), and M-030 (Arc) can run in parallel after their respective Phase 2 designs are complete.

Phase 5: M-038 (ADFS), M-039 (ADCS), M-040 (DNS), M-041 (GPO), and M-042 (Trusts) can all execute in parallel after Wave 4 completion.

Key dependency: PKI always depends on Identity — certificate templates require user/device objects to be synced and mapped before CBA can be validated.

[Diagram: Phase Transition Flow]

Flowchart showing the seven phases as sequential blocks with gate review diamonds between each phase. Each gate diamond shows the Go/No-Go decision with criteria summary. Parallel pillar workstreams shown within each phase block.

Diagram ID: UIAO-MPP-D003 | Dimensions: 780 × 280 px

12. Budget and Resource Estimate

12.1 License Requirements

| License | Required For | Phase Needed | Quantity Basis |
| --- | --- | --- | --- |
| Microsoft Entra ID P2 | PIM, Identity Protection, Access Reviews, Conditional Access (risk-based) | Phase 2 | Per user (all synced users) |
| Microsoft Intune Plan 1 | Device management, compliance policies, configuration profiles | Phase 2 | Per device (all enrolled devices) |
| Microsoft Intune Suite (includes Cloud PKI) | Cloud PKI certificate issuance, SCEP/PKCS profiles | Phase 3 | Per device (Cloud PKI scope) |
| Microsoft Defender for Identity | AD security posture assessment, threat detection, lateral movement path analysis | Phase 1 | Per user (all AD users) |
| Azure Arc (Server) | Server management, Guest Configuration, Azure Policy for on-prem servers | Phase 3 | Per server |
| Azure DNS Private Resolver | Hybrid DNS resolution between on-prem and Azure | Phase 3 | Per instance (min. 2 endpoints) |

12.2 Infrastructure Requirements

| Resource | Specification | Phase | Cost Estimate |
| --- | --- | --- | --- |
| UIAO Git Server (Windows Server 2025) | 4 vCPU, 8 GB RAM, 100 GB SSD | Phase 0 | Hardware/VM cost (existing infra or ~$200/mo VM) |
| Assessment Workstation (PAW) | 2 vCPU, 4 GB RAM, 50 GB SSD | Phase 1 | Hardware/VM cost (temporary — decommission after Phase 1) |
| Entra Connect Server | 4 vCPU, 8 GB RAM, per Microsoft sizing guidance | Phase 3 | Hardware/VM cost |
| Azure DNS Private Resolver | 2 endpoints minimum (inbound + outbound) | Phase 3 | Azure consumption (~$400/mo per endpoint) |
| Log Analytics Workspace | Per-GB ingestion for Entra, Intune, Arc telemetry | Phase 3 | Azure consumption (varies by volume) |
| Azure Blob Storage (Gitea backups) | LRS, Cool tier, ~50 GB projected | Phase 0 | Azure consumption (~$1/mo) |

12.3 People Requirements

| Role | FTE Estimate | Duration | Phase(s) |
| --- | --- | --- | --- |
| Canon Steward | 0.5 FTE | 52 weeks + ongoing | All |
| Infrastructure Lead | 1.0 FTE | Weeks 1–41 | Phase 0–5 |
| Identity Lead | 1.0 FTE | Weeks 4–41 | Phase 1–5 |
| Endpoint Lead | 1.0 FTE | Weeks 10–41 | Phase 2–5 |
| DNS Lead | 0.5 FTE | Weeks 4–41 | Phase 1–5 |
| PKI Lead | 0.5 FTE | Weeks 4–41 | Phase 1–5 |
| Security Lead | 0.5 FTE | Weeks 4–52+ | Phase 1–6 |
| Project Manager | 0.5 FTE | 52 weeks | All |
| Total | 5.5 FTE | | |

13. Copilot Code Integration — Proposed Next Steps

This section defines how Copilot Code should proceed to operationalize this Master Project Plan. Each sprint produces committed, tested PowerShell modules and configuration artifacts that directly enable phase execution.

13.1 Immediate Actions (Sprint 1 — Next 2 Weeks)

| # | Deliverable | Description | Source Document |
| --- | --- | --- | --- |
| 1 | UIAOADAssessment.psm1 | PowerShell module implementing all assessment functions: Export-UIAOForestTopology, Export-UIAOOUHierarchy, Export-UIAOGPOInventory, Export-UIAOComputerInventory, Export-UIAOUserInventory, Export-UIAOGroupInventory, Export-UIAOTrustMap, Export-UIAOACLReport, Export-UIAOSchemaExtensions | AD Interaction Guide |
| 2 | UIAOReadOnlyAssessment.psm1 | Module implementing Test-UIAOReadAccess and Invoke-UIAOReadOnlyAssessment master orchestrator for non-delegated assessment | Read-Only AD Assessment Guide |
| 3 | UIAOPKIAssessment.psm1 | Module implementing Export-UIAOPKIInventory and Test-UIAOESCVulnerabilities (ESC1–ESC8 detection) | PKI Modernization Guide |
| 4 | UIAODNSAssessment.psm1 | Module implementing Export-UIAODNSAssessment (zone enumeration, record inventory, aging analysis) | DNS Modernization Guide |
| 5 | Invoke-UIAOFullAssessment | Master orchestrator calling all assessment modules, generating AssessmentManifest.json, and staging output for Gitea commit | All assessment guides |
| 6 | app.ini (Gitea configuration) | Complete Gitea configuration file with LDAP, OAuth2, repository settings, and governance parameters | Platform Server Build Guide |
| 7 | web.config (IIS reverse proxy) | IIS URL Rewrite / ARR configuration for HTTPS reverse proxy to Gitea | Platform Server Build Guide |
| 8 | Git hooks (pre-receive, post-receive, update) | All three governance hooks implementing FOUO rejection, branch protection, and notification | Platform Server Build Guide §12 |

13.2 Short-Term Actions (Sprint 2–3 — Weeks 3–6)

| # | Deliverable | Description | Source Document |
| --- | --- | --- | --- |
| 1 | Import-GPOAnalyticsReport adapter | Imports GPO Analytics results from Intune portal and correlates with GPOInventory.json | Gap Analysis §9 |
| 2 | Import-DefenderForIdentityFindings adapter | Imports Defender for Identity Secure Score findings and normalizes to UIAO finding format | Gap Analysis §7 |
| 3 | New-UIAOComputerModernizationPlan | Consumes ComputerInventory.json; classifies each object into migration path | AD Computer Object Conversion Guide |
| 4 | New-UIAOIdentityModernizationPlan | Consumes UserInventory.json + GroupInventory.json; classifies identities into migration path | Identity Modernization Guide |
| 5 | New-UIAOGPOMigrationPlan | Consumes GPOInventory.json; decomposes GPOs into intents with per-intent Intune mapping | AD Computer Object Conversion Guide §4 |
| 6 | New-UIAODNSModernizationPlan | Consumes DNSInventory.json; classifies zones and records into migration path | DNS Modernization Guide |
| 7 | New-UIAOPKIModernizationPlan | Consumes PKIInventory.json; classifies templates into MIGRATE/BRIDGE/RETAIN/RETIRE | PKI Modernization Guide §4 |
| 8 | New-UIAOOrgPathDesign | Consumes OUHierarchy.json + SchemaExtensions.json; generates OrgPath dimension design | AD Computer Object Conversion Guide §2 |
| 9 | Invoke-UIAODriftDetection | Scheduled task scripts for daily drift detection against canonical plans | CLI and Operations Guide |

13.3 Medium-Term Actions (Sprint 4–6 — Weeks 7–12)

| # | Deliverable | Description | Source Document |
| --- | --- | --- | --- |
| 1 | Intune policy templates | Settings Catalog JSON exports generated from GPOMigrationPlan output | AD Computer Object Conversion Guide |
| 2 | Conditional Access policy templates | 15+ CA policy JSON templates for import via Graph API | Identity Modernization Guide §8 |
| 3 | Azure DNS Private Resolver deployment scripts | ARM/Bicep templates for hub VNet, resolver, endpoints, and forwarding rulesets | DNS Modernization Guide §6 |
| 4 | Cloud PKI provisioning scripts | Graph API scripts for Cloud PKI root/issuing CA creation and SCEP profile deployment | PKI Modernization Guide §5 |
| 5 | UIAO Governance Dashboard | HTML/Quarto rendering pipeline producing drift, compliance, and SLA dashboards from Gitea data | All guides |

13.4 Module Architecture

D:\UIAO\Modules\
├── UIAOADAssessment\
│   ├── UIAOADAssessment.psd1
│   └── UIAOADAssessment.psm1
├── UIAOReadOnlyAssessment\
│   ├── UIAOReadOnlyAssessment.psd1
│   └── UIAOReadOnlyAssessment.psm1
├── UIAOPKIAssessment\
│   ├── UIAOPKIAssessment.psd1
│   └── UIAOPKIAssessment.psm1
├── UIAODNSAssessment\
│   ├── UIAODNSAssessment.psd1
│   └── UIAODNSAssessment.psm1
├── UIAOIdentityAssessment\
│   ├── UIAOIdentityAssessment.psd1
│   └── UIAOIdentityAssessment.psm1
├── UIAOImportAdapters\
│   ├── UIAOImportAdapters.psd1
│   └── UIAOImportAdapters.psm1
├── UIAOPlanGenerators\
│   ├── UIAOPlanGenerators.psd1
│   └── UIAOPlanGenerators.psm1
└── UIAODriftDetection\
    ├── UIAODriftDetection.psd1
    └── UIAODriftDetection.psm1

14. Follow-On Document Roadmap

The following documents are identified as necessary to complete the UIAO corpus beyond the 12 existing companion documents. Priority reflects execution dependency.

| Priority | Document Title | Purpose | Dependency | Target Phase |
| --- | --- | --- | --- | --- |
| P1 | UIAO Conditional Access Policy Library | 15+ policy templates with JSON export, grant/session controls, named locations, and authentication strength definitions | Identity Modernization Guide | Phase 2 |
| P1 | UIAO Intune Policy Templates | Settings Catalog configurations mapped from GPO analysis, with per-platform profiles and compliance policy pairings | AD Computer Object Conversion Guide | Phase 2 |
| P1 | UIAO PowerShell Module Reference | Combined API reference for all UIAO modules — parameter documentation, examples, pipeline integration | All assessment guides | Phase 1 |
| P2 | UIAO Active-Passive Replication Guide | Git server replication, backup strategy, and disaster recovery for Gitea on Windows Server | Platform Server Build Guide | Phase 0 |
| P2 | UIAO Quarto Pipeline Integration Guide | Documentation build pipeline from Gitea webhooks to rendered HTML/PDF output | Platform Server Build Guide | Phase 0 |
| P2 | UIAO Azure Arc Policy Library | Guest Configuration policies for Windows Server 2025 with compliance baselines | AD Computer Object Conversion Guide | Phase 3 |
| P2 | UIAO Governance Dashboard Design | HTML/Quarto dashboard specification for drift detection, compliance, and SLA visualization | All guides | Phase 6 |
| P3 | UIAO Disaster Recovery Playbook | Full DR procedures for all modernized services including Gitea, Entra Connect, Cloud PKI, DNS | All guides | Phase 5 |
| P3 | UIAO Training Guide — End Users | Passwordless enrollment, self-service password reset, new authentication workflows, device enrollment | Identity Modernization Guide | Phase 4 |
| P3 | UIAO Runbook — Operations | Day-to-day operational procedures for steady-state governance including incident response | All guides | Phase 6 |

15. Companion Document Cross-Reference Matrix

This matrix shows which existing UIAO companion documents are referenced in each project phase. indicates the document contains procedures or specifications executed during that phase.

| Document | Ph 0 | Ph 1 | Ph 2 | Ph 3 | Ph 4 | Ph 5 | Ph 6 | Primary Milestones |
|---|---|---|---|---|---|---|---|---|
| AD Computer Object Conversion Guide | | | | | | | | M-007, M-011, M-014–M-016, M-023–M-024 |
| Git on Windows Server 2025 with IIS Guide | | | | | | | | M-002 |
| UIAO Git Server Implementation Guide | | | | | | | | M-002, M-003 |
| UIAO Git Infrastructure ADR | | | | | | | | M-002 |
| Platform Server Build Guide | | | | | | | | M-001–M-006 |
| UIAO CLI and Operations Guide | | | | | | | | M-005–M-006, M-008–M-009, M-045 |
| UIAO AD Interaction Guide | | | | | | | | M-008–M-011, M-045 |
| Identity Modernization Guide | | | | | | | | M-010–M-012, M-017–M-018, M-022, M-025–M-026, M-038, M-042 |
| DNS Modernization Guide | | | | | | | | M-009, M-011, M-019, M-027, M-040, M-045 |
| Read-Only AD Assessment Guide | | | | | | | | M-008 |
| UIAO vs Microsoft Native Tools — Gap Analysis | | | | | | | | M-010, M-016 |
| PKI Modernization Guide | | | | | | | | M-009–M-011, M-020, M-028–M-029, M-039, M-045 |

Appendix A — Complete Milestone Register

| ID | Milestone Name | Phase | Week | Owner | Dependencies | Gate Criteria | Status |
|---|---|---|---|---|---|---|---|
| M-001 | Server provisioned | 0 | W1 | Infra Lead | | Server online, domain-joined, hardened | PLANNED |
| M-002 | IIS + Gitea operational | 0 | W2 | Infra Lead | M-001 | Clone/push/pull over HTTPS verified | PLANNED |
| M-003 | AD LDAP auth configured | 0 | W2 | Identity Lead | M-002 | AD users can log in, CanonStewards = admin | PLANNED |
| M-004 | Entra ID OAuth2 configured | 0 | W3 | Identity Lead | M-002 | Entra SSO verified, MFA enforced | PLANNED |
| M-005 | UIAO repo mirrored | 0 | W3 | Canon Steward | M-002, M-003 | All branches, tags, history verified | PLANNED |
| M-006 | Governance hooks deployed | 0 | W3 | Canon Steward | M-005, M-004 | FOUO rejection and branch protection verified | PLANNED |
| M-007 | Azure Arc enrollment | 0 | W3 | Infra Lead | M-001 | Arc agent heartbeat, policies assigned | PLANNED |
| M-008 | Read-only assessment committed | 1 | W4 | Identity Lead | M-006 | Read-only assessment reviewed, delegation request submitted | PLANNED |
| M-009 | Full assessment committed | 1 | W5 | Identity Lead | M-008 | All 12 domains assessed, no critical gaps | PLANNED |
| M-010 | Security assessment complete | 1 | W6 | Security Lead | M-009 | Findings classified, remediation plan drafted | PLANNED |
| M-011 | Planning docs generated | 1 | W7 | All Leads | M-009, M-010 | 8 planning documents pass schema validation | PLANNED |
| M-012 | Planning docs approved | 1 | W8 | Canon Steward | M-011 | Steering committee approval; all docs APPROVED | PLANNED |
| M-013 | Pre-pilot infrastructure ready | 1 | W9 | All Leads | M-012 | Pilot scope defined, infrastructure provisioned, critical security remediated | PLANNED |
| M-014 | OrgPath taxonomy finalized | 2 | W10 | Identity Lead | M-012 | Extension attribute mapping committed | PLANNED |
| M-015 | Dynamic group design complete | 2 | W10 | Endpoint Lead | M-014 | All rules tested in non-production | PLANNED |
| M-016 | Intune policy design complete | 2 | W11 | Endpoint Lead | M-015 | All GPO-to-Intune mappings documented | PLANNED |
| M-017 | Conditional Access design | 2 | W11 | Security Lead | M-012 | 15+ policies in report-only for 7+ days | PLANNED |
| M-018 | Entra Connect sync design | 2 | W12 | Identity Lead | M-014 | Filtering, attribute flow, sync method documented | PLANNED |
| M-019 | DNS Private Resolver design | 2 | W12 | DNS Lead | M-012 | Hub-spoke topology and forwarding rulesets documented | PLANNED |
| M-020 | Cloud PKI design complete | 2 | W13 | PKI Lead | M-012, M-010 | Root/BYOCA decided, template matrix, SCEP designs | PLANNED |
| M-021 | Phase 2 design review approved | 2 | W13 | Canon Steward | M-014–M-020 | All designs approved | PLANNED |
| M-022 | Entra Connect deployed | 3 | W14 | Identity Lead | M-018, M-021 | Sync operational with PHS, staging mode validated | PLANNED |
| M-023 | Pilot devices joined | 3 | W15 | Endpoint Lead | M-015, M-022 | 50+ devices registered with OrgPath attributes | PLANNED |
| M-024 | Intune policies assigned to pilot | 3 | W16 | Endpoint Lead | M-016, M-023 | GPO-equivalent policies via dynamic groups | PLANNED |
| M-025 | Conditional Access enforced | 3 | W17 | Security Lead | M-017, M-024 | MFA, compliance, auth strength active | PLANNED |
| M-026 | PIM configured | 3 | W18 | Identity Lead | M-022 | All admins PIM-eligible, zero permanent GA | PLANNED |
| M-027 | DNS hybrid resolution validated | 3 | W19 | DNS Lead | M-019 | Bidirectional resolution confirmed | PLANNED |
| M-028 | Cloud PKI certs issued to pilot | 3 | W20 | PKI Lead | M-020 | SCEP deployed, Wi-Fi/VPN auth verified | PLANNED |
| M-029 | Entra CBA validated | 3 | W20 | PKI Lead | M-028 | Certificate-based SSO working | PLANNED |
| M-030 | Arc pilot servers compliant | 3 | W21 | Infra Lead | M-007 | Guest Configuration compliant | PLANNED |
| M-031 | Pilot success criteria met | 3 | W21 | PM | M-024–M-030 | >95% compliance, zero auth failures | PLANNED |
| M-032 | Wave 1 complete | 4 | W24 | All Leads | M-031 | ~25% migrated, validation passed | PLANNED |
| M-033 | Wave 2 complete | 4 | W27 | All Leads | M-032 | ~50% cumulative | PLANNED |
| M-034 | Wave 3 complete | 4 | W30 | All Leads | M-033 | ~75% cumulative | PLANNED |
| M-035 | Wave 4 complete | 4 | W33 | All Leads | M-034 | 100% migrated | PLANNED |
| M-036 | Legacy GPO disabled | 4 | W33 | Endpoint Lead | M-035 | No GPO links to migrated OUs | PLANNED |
| M-037 | Dynamic groups 100% | 4 | W33 | Identity Lead | M-035 | OrgPath coverage = 100% | PLANNED |
| M-038 | ADFS decommissioned | 5 | W35 | Identity Lead | M-035 | Federated domains converted to managed | PLANNED |
| M-039 | ADCS issuance stopped | 5 | W36 | PKI Lead | M-035 | Auto-enrollment disabled, templates locked | PLANNED |
| M-040 | DNS forwarders migrated | 5 | W37 | DNS Lead | M-035 | All forwarding via Private Resolver | PLANNED |
| M-041 | GPO links removed | 5 | W38 | Endpoint Lead | M-036 | All GPOs unlinked | PLANNED |
| M-042 | Trusts reduced | 5 | W39 | Identity Lead | M-035 | Non-essential trusts removed | PLANNED |
| M-043 | Legacy servers decommissioned | 5 | W40 | Infra Lead | M-039–M-041 | NDES, Issuing CA, secondary DNS offline | PLANNED |
| M-044 | Cutover validation complete | 5 | W41 | Canon Steward | M-037–M-043 | All plans show 100% completion | PLANNED |
| M-045 | Weekly drift assessment | 6 | W42+ | Automation | M-044 | Weekly diff committed to Gitea | PLANNED |
| M-046 | Monthly compliance report | 6 | W42+ | Security Lead | M-044 | Report committed monthly | PLANNED |
| M-047 | Quarterly access review | 6 | W42+ | Identity Lead | M-044 | PIM + group attestation complete | PLANNED |
| M-048 | Annual architecture review | 6 | W42+ | Canon Steward | M-044 | Architecture review report committed | PLANNED |

Appendix B — Assessment Phase Week-by-Week Calendar

This Gantt-style table shows every task across Weeks 4–9 with parallel tracks for each assessment domain. = Active task, = Dependency wait.

Track / Task W4 Mon–Tue W4 Wed–Fri W5 W6 W7 W8 W9
Setup T-4.1, T-4.2
Read-Only Assessment T-4.3, T-4.4
Commit & Delegation Request T-4.5, T-4.6
DNS Assessment T-5.2
PKI Assessment T-5.3
GPO Assessment T-5.4
Deleted Objects T-5.5
ESC Vulnerability Analysis T-6.1
Privileged Access Audit T-6.2
Third-Party Imports T-6.3, T-6.4
Security Findings Report T-6.5–T-6.7
Computer Modernization Plan T-7.1
Identity Modernization Plan T-7.2
GPO Migration Plan T-7.3
DNS / PKI / OrgPath Plans T-7.4–T-7.6
Trust / Security Plans T-7.7–T-7.8
Canon Steward Review T-8.1
Pillar Lead Reviews T-8.2–T-8.3
Steering Committee Approval T-8.4–T-8.5
Pilot Group Selection T-9.1–T-9.2
Security Remediation T-9.3
Pre-Pilot Provisioning T-9.4–T-9.7

Appendix C — RACI Matrix

R = Responsible (does the work), A = Accountable (owns the outcome), C = Consulted, I = Informed.

| Activity | Canon Steward | Infra Lead | Identity Lead | Endpoint Lead | DNS Lead | PKI Lead | Security Lead | PM |
|---|---|---|---|---|---|---|---|---|
| Server provisioning (Phase 0) | I | R/A | C | I | I | I | C | I |
| IIS + Gitea deployment | A | R | C | I | I | I | I | I |
| AD LDAP / Entra OAuth2 auth | A | C | R | I | I | I | C | I |
| Governance hooks deployment | R/A | C | I | I | I | I | C | I |
| Read-only AD assessment | A | C | R | C | C | C | C | I |
| Full AD assessment (delegated) | A | C | R | C | R | R | C | I |
| Security assessment | A | I | C | I | I | C | R | I |
| Planning document generation | A | I | R | R | R | R | R | I |
| Planning review / approval | R/A | C | C | C | C | C | C | C |
| OrgPath taxonomy design | A | I | R | C | I | I | I | I |
| Intune policy design | A | I | C | R | I | I | C | I |
| Conditional Access design | A | I | C | C | I | I | R | I |
| Entra Connect deployment | A | C | R | I | I | I | C | I |
| DNS Private Resolver deployment | A | C | I | I | R | I | I | I |
| Cloud PKI deployment | A | C | C | C | I | R | C | I |
| Pilot execution | A | R | R | R | R | R | R | R |
| Wave-based scaling | A | R | R | R | R | R | C | R |
| Legacy decommission | R/A | R | R | R | R | R | C | I |
| Cutover validation | R/A | C | C | C | C | C | C | R |
| Drift detection (steady state) | A | C | C | C | C | C | R | I |
| Quarterly access reviews | A | I | R | I | I | I | C | I |
| Risk register maintenance | C | C | C | C | C | C | C | R/A |
| Milestone tracking / reporting | I | I | I | I | I | I | I | R/A |

Appendix D — Phase Gate Review Template

This template is used for every phase gate review. Copy this template and complete it for each gate decision. Commit the completed review to Gitea at reports/phase-gates/phase-N-gate-review.md.

| Field | Value |
|---|---|
| Gate Review Title | Phase [N] → Phase [N+1] Gate Review |
| Date | [YYYY-MM-DD] |
| Attendees | [List all attendees and roles] |
| Review Chair | Canon Steward |

Agenda

  1. Phase [N] objective review — 5 min

  2. Milestone completion status — 15 min

  3. Deliverable checklist walkthrough — 20 min

  4. Risk register updates — 10 min

  5. Open issues and blockers — 15 min

  6. Go/No-Go discussion — 15 min

  7. Decision and action items — 10 min

Deliverable Checklist

| # | Deliverable | Status | Gitea Path | Verified By |
|---|---|---|---|---|
| 1 | [Deliverable name] | [ ] Complete [ ] Partial [ ] Blocked | [path] | [name] |
| 2 | [Deliverable name] | [ ] Complete [ ] Partial [ ] Blocked | [path] | [name] |
| 3 | [Deliverable name] | [ ] Complete [ ] Partial [ ] Blocked | [path] | [name] |

Go/No-Go Criteria

| Criterion | Required? | Met? | Evidence |
|---|---|---|---|
| All mandatory milestones complete | Yes | [ ] Yes [ ] No | [Link to milestone evidence] |
| All critical/high risks mitigated or accepted | Yes | [ ] Yes [ ] No | [Link to risk register] |
| All deliverables committed to Gitea with APPROVED status | Yes | [ ] Yes [ ] No | [Gitea branch/commit hash] |
| No unresolved blockers | Yes | [ ] Yes [ ] No | [Issue tracker] |
| Stakeholder sign-off obtained | Yes | [ ] Yes [ ] No | [Sign-off record] |

Decision Record

| Field | Value |
|---|---|
| Decision | [ ] GO — Proceed to Phase [N+1] [ ] NO-GO — Remain in Phase [N] [ ] CONDITIONAL GO — Proceed with conditions |
| Conditions (if applicable) | [List conditions that must be met within specified timeframe] |
| Decision Authority | Canon Steward: [Name] — [Signature/Date] |

Action Items

| # | Action | Owner | Due Date | Status |
|---|---|---|---|---|
| 1 | [Action description] | [Name] | [Date] | OPEN |
| 2 | [Action description] | [Name] | [Date] | OPEN |
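An added example, not part of the UIAO toolset, that validates a completed gate review before it is committed: for a GO, every criterion with Required = Yes must be ticked and carry non-placeholder evidence, and a CONDITIONAL GO must list its conditions. It assumes the template is saved as Markdown pipe tables with a checked box written as [x]; the function name and the validation rules are assumptions for illustration.

```powershell
# Added example, not UIAO project code. Assumes the Appendix D template is saved
# as Markdown pipe tables and a checked box is written as [x]; the function name
# and the GO / CONDITIONAL GO rules below are assumptions for illustration.
function Test-UIAOGateReview {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $unmet       = [System.Collections.Generic.List[string]]::new()
    $decision    = 'NONE'                 # no decision box ticked yet
    $conditions  = ''
    $placeholder = '^\[[^\]]*\]$'         # untouched template text like "[Link to risk register]"

    foreach ($line in Get-Content -LiteralPath $Path) {
        # Go/No-Go row: | <criterion> | Yes | [x] Yes [ ] No | <evidence> |
        if ($line -match '^\|\s*(?<crit>[^|]+?)\s*\|\s*Yes\s*\|\s*\[(?<box>[ xX])\]\s*Yes\s*\[[ xX]\]\s*No\s*\|\s*(?<ev>[^|]*?)\s*\|') {
            $crit = $Matches.crit; $box = $Matches.box; $ev = $Matches.ev
            # A required criterion counts only when ticked AND backed by real evidence
            if ($box -eq ' ' -or $ev -eq '' -or $ev -match $placeholder) { $unmet.Add($crit) }
            continue
        }
        # Decision row: find which of the three boxes is ticked
        if ($line -match '^\|\s*Decision\s*\|') {
            if     ($line -match '\[[xX]\]\s*CONDITIONAL GO') { $decision = 'CONDITIONAL GO' }
            elseif ($line -match '\[[xX]\]\s*NO-GO')          { $decision = 'NO-GO' }
            elseif ($line -match '\[[xX]\]\s*GO')             { $decision = 'GO' }
            continue
        }
        # Conditions row: must be filled in when the decision is CONDITIONAL GO
        if ($line -match '^\|\s*Conditions[^|]*\|\s*(?<c>[^|]*?)\s*\|') {
            $conditions = $Matches.c
        }
    }

    $valid = switch ($decision) {
        'GO'             { $unmet.Count -eq 0 }
        'CONDITIONAL GO' { $conditions -ne '' -and $conditions -notmatch $placeholder }
        'NO-GO'          { $true }
        default          { $false }        # review has no decision recorded
    }

    [pscustomobject]@{
        Path          = $Path
        Decision      = $decision
        UnmetRequired = $unmet.ToArray()
        Valid         = $valid
    }
}

# Example: refuse to commit a review that records GO with unmet required criteria
# $r = Test-UIAOGateReview -Path .\reports\phase-gates\phase-1-gate-review.md
# if (-not $r.Valid) { Write-Error "Gate review invalid: $($r.UnmetRequired -join ', ')"; exit 1 }
```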

Appendix E — Glossary

| Term | Definition |
|---|---|
| ADCS | Active Directory Certificate Services — Microsoft's on-premises PKI platform for issuing and managing digital certificates. |
| ADFS | Active Directory Federation Services — on-premises federation service for SSO; being replaced by Entra ID in cloud-modern architectures. |
| ADR | Architecture Decision Record — a document capturing a significant architectural decision, its context, and consequences. |
| ADMX Ingestion | The process of importing Group Policy ADMX templates into Intune for policy configuration on cloud-managed devices. |
| ARR | Application Request Routing — an IIS module enabling reverse proxy and load balancing functionality. |
| AS-REP Roasting | An attack technique that abuses accounts not requiring Kerberos pre-authentication to obtain encrypted responses that can be cracked offline to recover the account password. |
| Azure Arc | Microsoft service that extends Azure management and governance to on-premises and multi-cloud servers. |
| BYOCA | Bring Your Own Certificate Authority — a Cloud PKI deployment model where an existing on-premises root CA signs the cloud issuing CA certificate. |
| Canon / Canonical | In the UIAO context, the authoritative, approved version of a governance artifact committed to the main branch of Gitea. |
| Canon Steward | The individual with final authority over UIAO governance artifacts, repository integrity, and phase gate approvals. |
| CBA | Certificate-Based Authentication — Entra ID feature enabling passwordless authentication using X.509 certificates. |
| CIS L1 | Center for Internet Security Level 1 benchmark — a security hardening baseline for Windows Server. |
| Cloud PKI | Microsoft Intune Cloud PKI — a cloud-native certificate authority included in the Intune Suite for issuing SCEP/PKCS certificates. |
| Conditional Access | Entra ID policy engine that enforces access controls based on user, device, location, risk, and application context. |
| CRL | Certificate Revocation List — a list of certificates that have been revoked before their expiration date. |
| Drift Detection | The automated process of comparing current infrastructure state against canonical governance artifacts to identify unauthorized or unplanned changes. |
| Entra Connect | Microsoft identity synchronization service (formerly Azure AD Connect) that syncs on-premises AD identities to Entra ID. |
| Entra ID | Microsoft Entra ID (formerly Azure Active Directory) — Microsoft's cloud identity and access management service. |
| ESC1–ESC8 | Escalation vulnerability classes (ESC1 through ESC8) in Active Directory Certificate Services, as documented by SpecterOps. Each class represents a distinct misconfiguration pattern that could allow privilege escalation. |
| Gitea | A lightweight, self-hosted Git service used as the UIAO governance repository platform. |
| gMSA | Group Managed Service Account — an AD account type that provides automatic password management for service accounts. |
| GPO | Group Policy Object — an AD mechanism for applying configuration settings to computers and users within an OU scope. |
| Guest Configuration | An Azure Policy feature (via Azure Arc) that audits and enforces OS-level settings on servers. |
| Hybrid Join | A device registration state where a device is joined to both on-premises AD and Entra ID simultaneously. |
| IIS | Internet Information Services — Microsoft's web server platform used as the reverse proxy for Gitea in the UIAO architecture. |
| Intune | Microsoft Intune — a cloud-based endpoint management service for device configuration, compliance, and application management. |
| Kerberoasting | An attack technique that requests Kerberos service tickets for accounts with SPNs and cracks them offline to recover service account passwords. |
| LDAPS | LDAP over SSL/TLS — the encrypted version of the Lightweight Directory Access Protocol used for AD authentication. |
| NDES | Network Device Enrollment Service — an ADCS role service enabling SCEP certificate enrollment for network devices. |
| OIDC | OpenID Connect — an authentication protocol built on OAuth 2.0, used for Entra ID SSO integration with Gitea. |
| OMA-URI | Open Mobile Alliance Uniform Resource Identifier — a custom Intune policy format for settings not available in the Settings Catalog. |
| OrgPath | The UIAO organizational taxonomy system that assigns canonical dimensions (Region, Site, Department, Role, Environment) to every managed object via extension attributes, enabling dynamic group membership and policy targeting. |
| PAW | Privileged Access Workstation — a hardened workstation used for security-sensitive administrative tasks. |
| PHS | Password Hash Synchronization — an Entra Connect feature that syncs a hash of the on-premises AD password hash to Entra ID. |
| PIM | Privileged Identity Management — an Entra ID feature providing just-in-time, time-bound, and approval-based activation of privileged roles. |
| PKCS | Public Key Cryptography Standards — the certificate profile type (alongside SCEP) that Intune uses for certificate deployment. |
| Private Resolver | Azure DNS Private Resolver — a cloud-native DNS forwarding service enabling hybrid DNS resolution between on-premises and Azure networks. |
| PTA | Pass-Through Authentication — an Entra Connect feature that validates passwords directly against on-premises AD without syncing hashes. |
| RSAT | Remote Server Administration Tools — Windows management tools for administering AD, DNS, ADCS, and other server roles remotely. |
| SCEP | Simple Certificate Enrollment Protocol — a protocol for automated certificate enrollment, used by Intune for device certificate deployment. |
| Settings Catalog | The modern Intune policy configuration surface that provides granular, per-setting control equivalent to Group Policy. |
| SLA | Service Level Agreement — a defined target for detection and remediation timeframes, used in the UIAO drift remediation framework. |
| SPN | Service Principal Name — a Kerberos identifier for a service instance, relevant for Kerberoasting risk assessment. |
| SRV Record | A DNS record type used by AD for service location (e.g., domain controller discovery via _ldap._tcp). |
| Strong Mapping | A certificate-to-identity binding method required by Microsoft's KB5014754 enforcement for certificate-based authentication against AD. |
| UIAO | Unified Infrastructure Administration and Operations — the governance framework and toolset for managing AD modernization as code. |
| Workload Identity | Microsoft Entra Workload Identity — cloud-native identity for applications and services, replacing traditional service accounts. |

UIAO_013_Master_Project_Plan_v1.0 | Classification: Controlled | Boundary: GCC-Moderate
Generated 21 April 2026 | Canon Steward: Michael | Repository: https://github.com/WhalerMike/uiao
Status: DRAFT — Pending Canon Steward review and steering committee approval
