4. Opening Keynote
Scott Guthrie
October 21st, 2014
8:00am – 5:00pm PST
http://azureconf.net
5. Assume you know what Microsoft Azure is and likely have an Azure subscription.
This is not an Active Directory design session.
Review common scenarios . . . Yours may be different.
We’re not going to cover it all today . . . large, complicated topics with many options/scenarios.
7. Multi-tenant “directory-as-a-service”
Identity & access for on-premises and cloud applications
NOT a cloud version of Windows Server AD
Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx
8. Extend Windows Server AD to the cloud
Directory & identity services w/o need for Windows Server AD
Each O365 tenant has instance of AAD
[Diagram: Your App -> AAD (Authentication platform, Directory store) <- Active Directory]
9. Register an application with Azure AD
Permissions
Open source Azure AD authentication libraries
11. Visual Studio 2013 wizard makes it easy
Register the application in Azure AD
Set a database
Set Sign-On URL, App ID and Reply URL
Basic set of claims available from AAD
25. Service-to-Service: OAuth 2.0 Grant Type Client Credentials
[Diagram: My Application; Azure AD Authentication Endpoint (OAuth); REST Service (validates token, process, returns data) with Authorization Check; Azure Active Directory (https://graph.windows.net)]
1) Request JWT token (provide clientId and secret)
2) Return JWT token
3) HTTP Request w/ JWT token
4) Return response
26. OAuth 2.0 Grant Type = Client Credentials
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL for .NET

// get OAuth token using Client Credentials
string tenantName = "GraphDir1.onMicrosoft.com";
string issuingAuthority = "https://login.windows.net/" + tenantName;
// second argument is validateAuthority; false skips authority validation for this demo tenant
AuthenticationContext authenticationContext = new AuthenticationContext(issuingAuthority, false);
// Config for OAuth client credentials (in production, load the secret from configuration or a secret store rather than hard-coding it)
string clientId = "118473c2-7619-46e3-a8e4-6da8d5f56e12";
string clientSecret = "hOrJ0r0TZ4GQ3obp+vk3FZ7JBVP+TX353kNo6QwNq7Q=";
ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
// the resource the token is requested for (the Graph API); it becomes the JWT's aud claim
string resource = "https://graph.windows.net";
AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resource, clientCred);
string token = authenticationResult.AccessToken; // sent to the REST service as "Authorization: Bearer <token>"
* Some values removed for readability
OAuth 2.0 grant type, client_id, and client_secret configured in Azure portal
27. OAuth 2.0 Grant Type = Client Credentials
POST https://login.windows.net/GraphDir1.onMicrosoft.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
client-request-id: 1e38c3d3-dca3-42ff-8149-5db607b3488c
return-client-request-id: true

resource=https%3A%2F%2Fgraph.windows.net&
client_id=118473c2-7619-46e3-a8e4-6da8d5f56e12&
client_secret=hOrJ0r0TZ4GQ3obp%2Bvk3FZ7JBVP%2BTX353kNo6QwNq7Q%3D&
grant_type=client_credentials
* Some values removed for readability
28. OAuth 2.0 Grant Type = Client Credentials
Content-Type: application/json; charset=utf-8
client-request-id: 1e38c3d3-dca3-42ff-8149-5db607b3488c
Content-Length: 1160

{"token_type":"Bearer","expires_in":"3599","expires_on":"1407640794","not_before":"1407636894","resource":"https://graph.windows.net","access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cdng2OHNrVDgtbVBBQjNCc2VlQSJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLndpbmRvd3MubmV0IiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNGZkMmIyZjItZWEyNy00ZmU1LWE4ZjMtN2IxYTdjOTc1ZjM0LyIsImlhdCI6MTQwNzYzNjg5NCwibmJmIjoxNDA3NjM2ODk0LCJleHAiOjE0MDc2NDA3OTQsInZlciI6IjEuMCIsInRpZCI6IjRmZDJiMmYyLWVhMjctNGZlNS1hOGYzLTdiMWE3Yzk3NWYzNCIsIm9pZCI6ImIwZGVhNTFlLWJkMDQtNGI5OS05NmEyLTE0ZDk5YjE5YmM2YSI…"}
* Some values removed for readability
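As an added example (not code from the talk), the same client_credentials exchange in Python: one function builds the form-encoded token request from slide 27, and a second does the claim checks the REST service in the slide 25 flow should run on the bearer JWT before its authorization check. The tenant id, client id and token contents are constructed placeholders; verifying the RS256 signature against the tenant's published signing keys is assumed to happen separately and is not done here.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Added example (not from the slides). Signature verification of the JWT is
# assumed to be done elsewhere; only the claim checks are shown.

def build_token_request(tenant, client_id, client_secret, resource):
    """Return (url, headers, body) for the OAuth 2.0 client_credentials grant."""
    url = f"https://login.windows.net/{tenant}/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({          # urlencode escapes '+' and '=' in the secret
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,  # real code: read from a secret store
        "grant_type": "client_credentials",
    })
    return url, headers, body

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def validate_bearer_claims(token, expected_aud, expected_tenant, now=None):
    """Decode the JWT payload and check aud, iss, tid and the nbf/exp window.
    Returns the claims dict; raises ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-segment JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != expected_aud:          # issued for another resource
        raise ValueError("audience mismatch")
    if claims.get("iss") != f"https://sts.windows.net/{expected_tenant}/":
        raise ValueError("issuer is not the expected tenant's STS")
    if claims.get("tid") != expected_tenant:
        raise ValueError("tid does not match the expected tenant")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its not_before/expires_on window")
    return claims

def constructed_token(claims):
    """Constructed test token: real header layout, signature segment left empty."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}."
```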
30. 1. Leverage ADAL and Graph Library
2. Obtain authentication token
3. Set GraphSetting with API version of choice
4. Set filter properties (if desired)
5. Get, Create, or Delete User, Group, Application, etc.
31. Provide means to bring on-premises / custom schema extensions to Azure AD.
33. 1. Obtain authentication token
2. Write against REST API directly
3. Ability to set custom properties on directory objects
34. Azure AD extends directory authentication to the cloud
Enables single sign-on for web applications
CRUD objects in the directory
35. Azure AD Graph API
Azure AD Samples
Azure AD Graph Team Blog
Graph Explorer
Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
Show via Azure management portal
Sign up for Azure AD
Delete a tenant
Register a new application in Azure AD
Set for single sign-on
mcadmin@collierdemo.onmicrosoft.com / test!123
The Check Group Membership operation is performed by invoking the IsMemberOf function on the directory service. This function returns a Boolean value that indicates whether a specified user, group, or contact is a member of a specified group. The operation is transitive, that is, if User A is a member of Group B and Group B is a member of Group C and the function is invoked with User A and Group C as parameters, it will return true. You can contrast this with the memberOf navigation property for User A, which is intransitive and would therefore not return Group C in its result set because User A is a member of Group C only through its membership in Group B.
http://msdn.microsoft.com/en-us/library/azure/dn151601.aspx
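An added example (not from the talk) of the distinction in the note above, over a small constructed directory: member_of mirrors the direct-only memberOf navigation property, while is_member_of walks nested groups the way the transitive IsMemberOf function does, so the User A / Group B / Group C case gives different answers. The object ids and the cycle between two groups are constructed test data.

```python
from collections import deque

# Constructed directory data: object id -> set of groups it is a DIRECT
# member of (what the memberOf navigation property would return).
MEMBER_OF = {
    "userA": {"groupB"},
    "groupB": {"groupC"},
    "groupC": {"groupB"},   # nested-group cycle; a naive recursion would loop
    "userD": set(),
}

def member_of(directory, obj):
    """Direct memberships only, like the memberOf navigation property."""
    return set(directory.get(obj, set()))

def is_member_of(directory, obj, group):
    """Transitive membership check, like the IsMemberOf directory function.
    Breadth-first walk over nested groups with a visited set for cycles."""
    seen = set()
    queue = deque(directory.get(obj, set()))
    while queue:
        g = queue.popleft()
        if g == group:
            return True
        if g in seen:
            continue
        seen.add(g)
        queue.extend(directory.get(g, set()))
    return False

def authorize(directory, caller, required_group):
    """Authorization check as a REST service would do it: allow only callers
    that are (transitively) members of the required group."""
    return "allow" if is_member_of(directory, caller, required_group) else "deny"
```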
DirectoryObject is the base type for the following entity types: Application, Device, DirectoryLinkChange, Contact, Group, Role, ServicePrincipal, TenantDetail, and User.
http://msdn.microsoft.com/en-us/library/windowsazure/jj134105.aspx
ADAL
Use snippets in Postman
These are the four primary application scenarios supported by Azure AD:
• Web Browser to Web Application: A user needs to sign in to a web application that is secured by Azure AD.
• Native Application to Web API: A native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD.
• Web Application to Web API: A web application needs to get resources from a web API secured by Azure AD.
• Daemon or Server Application to Web API: A daemon application or a server application with no web user interface needs to get resources from a web API secured by Azure AD.
http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx