(Azure+O365) Identity Presenter Name Position or role Microsoft Azure.


1 (Azure+O365) Identity Presenter Name Position or role Microsoft Azure

2 Abstract: This presentation highlights the basic concepts of Azure Active Directory from a developer’s perspective. It covers integrating O365 and Azure AD from web and mobile apps. The demo code can go all the way from a simple File, New ASP.NET MVC web app, to a more complex mobile app calling a Mobile Service that authenticates via AAD, and you can take it all the way to building a Xamarin cross-platform app (iOS/Win 8) authenticating via AAD and calling a web service that generates a Word document on SharePoint Online using the O365 APIs.

3 Speaker note: Please remember to download the video (slides 5/6) so you don’t depend on network bandwidth during the presentation

4 Agenda Why our cloud Authentication 101, getting things done How to use Office 365 and Azure on your app (+ with access control)

5 A story about two organizations...

6 Speaker note: Video - High quality: http://video.ch9.ms/ch9/79da/bec2e49e-ce8c-49d0-bc63-fc3cdb3079da/AzureO365Identity_high.mp4 Video - Mid quality: http://video.ch9.ms/ch9/79da/bec2e49e-ce8c-49d0-bc63-fc3cdb3079da/AzureO365Identity_mid.mp4 (optionally you can un-hide the next few slides and walk the story without the video)

7 Video


17 A better cloud From private or hybrid and IaaS to full PaaS/SaaS

18 Azure + o365 Fully flexible: Private, on premises, hybrid or cloud The power of o365: Leverage Office, SharePoint and Exchange Online as your application building blocks Identity is the glue that makes all of that possible

19 Your identity goes with you: You, Azure AD, 3rd party clouds/hosting

20 How do we make all of that work? Enabling modern authentication protocols Using great building blocks on your apps

21 Enabling modern authentication protocols

22 Modern Authentication Protocols Browser Native app Server app Web application Web service API OAuth 2.0 WS-Fed, SAML 2.0, OpenID Connect OAuth 2.0 Standard, http-based protocols for maximum platform reach

23 Web Application Browser WS-Fed SAML 2.0 OpenID Connect Modern Authentication Protocols

24 Web API Web API Native App OAuth 2.0 OpenID Connect OAuth 2.0 OnBehalfOf Modern Authentication Protocols

25 Web APP Web API OAuth 2.0 client_credentials Modern Authentication Protocols

26 Claims about the user
Security:
  Object ID: b3809430-6c28-4e43-870d-fa7d38636dcd
  Tenant ID: 81aabdd2-3682-48fd-9efa-2cb2fcea8557
  Subject: m70fSk8OdeYYyCYY6C3922lmZMz9JKCGR0P1
Display:
  Name: frank@contoso.com
  First Name: Frank
  Last Name: Miller

27 Good news: You don’t need to know these things in detail. Libraries such as the Azure Active Directory Authentication Library do all the plumbing for you. Authentication libraries

28 Enabling great building blocks

29 Provides identity and access management for the cloud Users, groups, applications and permissions Building blocks: Azure Active Directory

30 REST API for Azure Active Directory Allows programmatic access to users, groups, applications and permissions Example: Nick creates a PowerShell script that provisions the required permissions for his application to an Azure tenant Building blocks: Graph API

31 The best Office productivity tools, available online Includes REST APIs you can use from your applications Seamless integration with Azure Active Directory Example: An application can automatically scan e-mails from Exchange online and generate a Word document with a summary, saving it on SharePoint online Building blocks: Office 365

32 So how do we build it?

33 For a typical Web Application

34 Step 1: Visual Studio, file new project

35 Step 2: Click “Change Authentication”

36 Step 3: Configure organizational account

37 What happens then: Visual Studio configures the application permission settings for you on Azure Active Directory! Visual Studio App permissions Azure AD

38 More complex scenario: Mobile app -> mobile service -> O365

39 Nick (the developer) registers two applications: A mobile web service A mobile client Step 1: Register your apps on Azure AD

40 AD needs to know which web service the “MobileServices” app is actually referring to. Step 2: Map the AD app to the actual web service

41 The client app must be allowed to call the web service. It is also allowed to logon to Azure Active Directory (by default) Step 3: Set permissions

42 And the web service is allowed to call SharePoint online and Graph API Step 3: Set permissions

43 Nick can make his app multi tenant, so James from Contoso Inc. could use it in his organization if the permissions were set correctly Step 4 (optional): Making an app multi tenant Woodgrove Contoso

44 Step 5: User logs on to the app A user logs on to the app for the first time. Consent is presented. This is basically saying: “This is what the app will do, are you ok with it?”

45 Step 5: User logs on to the app If the user is the global admin for the Azure tenant, the consent asks if the admin wants to grant permissions for the app across all users of that organization. admin

46 Go to app access panel: http://myapps.microsoft.com/ Where users see apps they have access to Includes apps they’ve consented to Users can revoke consented apps Step 6 (optional): What if I change my mind later?

47 Implementation details: Let’s dive deeper into the rabbit hole

48 Active Directory Authentication Library (ADAL)
using Microsoft.IdentityModel.Clients.ActiveDirectory;

string clientId = "[Enter client ID as obtained from Azure Portal]";
string authority = "https://login.windows.net/[your tenant name]";
// The resource the token is requested for: the App ID URI of the service you call.
string myURI = "[Enter App ID URI of your service]";
AuthenticationContext authContext = new AuthenticationContext(authority);
AuthenticationResult result = await authContext.AcquireTokenAsync(myURI, clientId);

49 Graph API RESTful interface to Azure Active Directory Tenant Specific – queries are scoped to individual tenant context Programmatic access to directory objects such as Users, Groups, Contacts, Tenant Information, Roles, Applications and Permissions Access relationships: members, memberOf, manager, directReports Requests use standard HTTP methods GET, POST, PATCH, DELETE to create, read, update, and delete Response support JSON, XML, standard HTTP status codes Compatible with OData V3 OAuth 2.0 Support Both Client Credentials and Authorization Code flow

50 Graph API
https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'
  Graph URL (static): https://graph.windows.net
  Tenant of interest: can be the tenant’s verified domain or objectId (here contoso.com)
  Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc. (here users)
  API version: "2013-04-05" is the 1.0 version
  Optional OData query arguments: $filter, $top

51 Office 365 REST APIs RESTful interface to Office on the cloud File APIs for OneDrive for Business Mail, Calendar and Contacts APIs on Exchange online SharePoint online APIs Example: GET../_api/files( )/download Downloads a file stored on SharePoint online / OneDrive for Business OAuth 2.0 Support

52 Demo: Facilities app

53 Application Model Consent Contoso Azure AD Facilities App settings + Facilities Web Service settings (multi tenant) Azure AD Woodgrove Facilities App settings + Facilities Web Service settings

54 Authentication and Authorization to Graph API Application 2. Return token 1. Request JWT token (pass input claims) REST Service Validates token, processes request, returns data 3. HTTP Request with JWT Token Azure Active Directory Azure AD Authentication Endpoint (OAuth) 4. Return Response and Data Azure AD Authorization Check
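Steps 1 and 2 of the diagram above, modelled offline as an added example (not code from the slides or from Microsoft's samples): the web service requests a token from the Azure AD OAuth endpoint with the client_credentials grant, then checks the reply before using the token. The `/oauth2/token` path under the `login.windows.net` authority is the v1 endpoint path and is an assumption here (the slides show only the authority); the token response is constructed, and the token it carries is not a real JWT.

```python
import json
from urllib.parse import urlencode

# Tenant authority as written on the ADAL slide, with the demo tenant filled in.
AUTHORITY = "https://login.windows.net/contoso.com"
# The resource the token is requested for: the Graph API root from the slides.
GRAPH_RESOURCE = "https://graph.windows.net"


def build_token_request(client_id, client_secret, resource=GRAPH_RESOURCE):
    """Step 1: the client_credentials request a web service sends to Azure AD.
    The /oauth2/token path is the v1 endpoint path (an assumption; the slides
    show only the authority)."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return {
        "method": "POST",
        "url": AUTHORITY + "/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def parse_token_response(status, body_text, expected_resource=GRAPH_RESOURCE):
    """Step 2: accept the JSON reply only if it carries a bearer token issued
    for the resource we asked for. Returns (access_token, expires_on)."""
    if status != 200:
        raise ValueError(f"token endpoint returned HTTP {status}")
    data = json.loads(body_text)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    if data.get("resource") != expected_resource:
        raise ValueError("token was issued for a different resource")
    if "access_token" not in data:
        raise ValueError("no access_token in response")
    return data["access_token"], int(data["expires_on"])


# Constructed reply in the shape of a v1 token response (values are made up;
# the access_token is a placeholder, not a real JWT).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": "3599",
    "expires_on": "1396941849",
    "resource": GRAPH_RESOURCE,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e30.c2lnbmF0dXJl",
})

if __name__ == "__main__":
    request = build_token_request("[client id from the Azure portal]", "[client secret]")
    print(request["method"], request["url"])
    token, expires_on = parse_token_response(200, SAMPLE_TOKEN_RESPONSE)
    print("token expires at Unix time", expires_on)
```

The `resource` check matters because a token minted for one resource must not be replayed against another; the receiving service makes the mirror-image check on the `aud` claim when it validates the token (step 3 of the diagram).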

55 Application Walkthroughs https://github.com/AzureADSamples Some examples: WebApp-WebAPI-OAuth2-UserIdentity-DotNet WebApp-WebAPI-OpenIDConnect-DotNet WebApp-GraphAPI-PHP WebAPI-Nodejs NativeClient-Xamarin-iOS NativeClient-iOS

56 Labs on Graph API https://github.com/AzureADSamples?query=Graph WebApp-GraphAPI-DotNet WebApp-GraphAPI-PHP WebApp-GraphAPI-Java ConsoleApp-GraphAPI-DiffQuery-DotNet WindowsAzureAD-GraphAPI-Sample-PHP WindowsAzureAD-GraphAPI-Sample-OrgChart


58 SAML Sign-on Token: Name ID, Tenant ID, Object Identifier, Name, Audience

59 JWT Sign-on Token: Name ID, Tenant ID, Object Identifier, Name, Audience
Header:
{ "typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A" }
Payload:
{
  "aud": "b795f2fa-0b01-4d4e-8973-58fc7782ccb7",
  "iss": "https://sts.windows.net/fb75b294-e941-4de6-9687-04596793d789/",
  "iat": 1396937949,
  "nbf": 1396937949,
  "exp": 1396941849,
  "ver": "1.0",
  "tid": "fb75b294-e941-4de6-9687-04596793d789",
  "oid": "29e3eb2c-a314-409c-adc0-8608bba8db99",
  "upn": "bob@myNewDirectory.onmicrosoft.com",
  "unique_name": "bob@myNewDirectory.onmicrosoft.com",
  "sub": "m70fSk8OdeYYyCYY6C3922lmZMz9JKCGR0P1x0Ilrok",
  "given_name": "bob"
}
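Added example (not from the slides or from ADAL): decoding the JWT shown on this slide and performing the claim checks a resource, the "REST Service" that "validates token" in the earlier flow diagram, must make before trusting the claims from slide 26 (Object ID, Tenant ID, Subject). The RS256 signature check is passed in as a callable because it needs the tenant's signing certificate, selected by the header's x5t, which the resource fetches from Azure AD; that interface is an assumption, and the signature segment of the sample token is constructed because the slide shows none.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token):
    """Split a compact JWT into (header, claims, signature) without trusting any of it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have exactly three segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signature = _b64url_decode(parts[2])
    return header, claims, signature


def validate_sign_on_token(token, expected_audience, expected_tenant, now, signature_ok):
    """Claim checks a resource performs on an Azure AD sign-on token.

    expected_audience -- our own client ID, which must appear in 'aud'
    expected_tenant   -- the tenant ID expected in 'tid' and in the 'iss' URL
    now               -- current Unix time
    signature_ok      -- callable(header, signing_input, signature) -> bool that
                         checks the RS256 signature with the certificate named by
                         the header's x5t (assumed interface; not implemented here)
    Returns the claims, or raises ValueError."""
    header, claims, signature = decode_jwt(token)
    # Pin the algorithm: a token whose header says anything but RS256 is rejected.
    if header.get("typ") != "JWT" or header.get("alg") != "RS256":
        raise ValueError("unexpected token type or algorithm")
    signing_input = token.rsplit(".", 1)[0].encode()
    if not signature_ok(header, signing_input, signature):
        raise ValueError("signature verification failed")
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different application")
    expected_issuer = f"https://sts.windows.net/{expected_tenant}/"
    if claims.get("tid") != expected_tenant or claims.get("iss") != expected_issuer:
        raise ValueError("token was issued by a different tenant")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token is not valid at this time")
    return claims


# Header and payload exactly as printed on the slide; the signature segment is
# constructed because the slide shows none.
SLIDE_HEADER = {"typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A"}
SLIDE_CLAIMS = {
    "aud": "b795f2fa-0b01-4d4e-8973-58fc7782ccb7",
    "iss": "https://sts.windows.net/fb75b294-e941-4de6-9687-04596793d789/",
    "iat": 1396937949, "nbf": 1396937949, "exp": 1396941849, "ver": "1.0",
    "tid": "fb75b294-e941-4de6-9687-04596793d789",
    "oid": "29e3eb2c-a314-409c-adc0-8608bba8db99",
    "upn": "bob@myNewDirectory.onmicrosoft.com",
    "unique_name": "bob@myNewDirectory.onmicrosoft.com",
    "sub": "m70fSk8OdeYYyCYY6C3922lmZMz9JKCGR0P1x0Ilrok",
    "given_name": "bob",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps(SLIDE_HEADER).encode()),
    _b64url_encode(json.dumps(SLIDE_CLAIMS).encode()),
    _b64url_encode(b"constructed signature bytes"),
])
```

For a multi-tenant app (slide 43) the tenant check becomes a lookup against the tenants that have consented rather than a single expected value, but the audience, algorithm, signature and time-window checks stay exactly as written.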

60 OpenID Connect SSO Protocol build on OAuth 2.0 Core and Discovery Specs finalized Lightweight, yet very powerful

61 Using OpenID Connect OWIN
using Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public partial class Startup
{
    // Values obtained from the Azure portal, as on the ADAL slide.
    private static string clientId = "[Enter client ID as obtained from Azure Portal]";
    private static string authority = "https://login.windows.net/[your tenant name]";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,   // the property is ClientId, not Client_Id
                Authority = authority
            });
    }
}

62 Getting User information
GET https://graph.windows.net/contoso.com/users?api-version=2013-11-08
HEADERS
  Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
  Content-type: Application/JSON;odata=minimalmetadata
RESPONSE: 200 OK
RETURN: User objects in JSON

GET https://graph.windows.net/contoso.com/users/adam@contoso.com/thumbnailPhoto?api-version=2013-11-09
HEADERS
  Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
  Content-type: Application/JSON;odata=minimalmetadata
RESPONSE: 200 OK
RETURN: data representing the user’s thumbnail photo

63 Update Group or Role membership: Add a User to a Group
POST https://Graph.windows.net/contoso.com/groups/02a8a087-a371-43f9-94df-cf0f654de307/$links/members?api-version=2013-04-05
HEADERS
  Content-Type: application/json
  Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY:
{ "url": "https://graph.windows.net/contoso.com/directoryObjects/93d8feee-6365-4b3b-98c0-14da134a2b1e" }
RESPONSE: 204
Notes: replace /groups with /roles to support Role membership updates
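The Graph API requests from slides 50, 62 and 63, composed offline as an added example (not code from the slides or from the AzureADSamples repositories), so that each part the slides label, the static root, the tenant, the entity path, the api-version and the OData arguments, is visible and the `$filter` value is percent-encoded correctly. The bearer token passed in is a constructed placeholder; the object IDs are the ones printed on slide 63. `parse_graph_url` does the inverse, which is the shape of check a proxy or log pipeline would use to see which tenant and entity a request targets.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

GRAPH_ROOT = "https://graph.windows.net"
API_VERSION = "2013-04-05"  # the "1.0" version named on the Graph API slide


def graph_url(tenant, path, api_version=API_VERSION, **odata):
    """Compose <root>/<tenant>/<path>?api-version=...&$filter=...&$top=...
    OData options are given without their '$' (filter="...", top=10) and
    percent-encoded here; '$' itself is left readable."""
    query = {"api-version": api_version}
    for name, value in odata.items():
        query["$" + name] = value
    return f"{GRAPH_ROOT}/{tenant}/{path}?{urlencode(query, safe='$')}"


def parse_graph_url(url):
    """Take a Graph URL apart into the parts the slide labels."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/", 1)
    query = parse_qs(parts.query)
    return {
        "tenant": segments[0],
        "path": segments[1] if len(segments) > 1 else "",
        "api_version": query.get("api-version", [None])[0],
        "filter": query.get("$filter", [None])[0],
    }


def bearer_headers(token, content_type="application/json;odata=minimalmetadata"):
    # Every Graph call carries the access token as a Bearer header (slide 62).
    return {"Authorization": "Bearer " + token, "Content-Type": content_type}


def list_users_request(token, tenant, state=None):
    """GET the tenant's users, optionally filtered on the 'state' attribute (slide 50)."""
    odata = {"filter": f"state eq '{state}'"} if state else {}
    return {"method": "GET", "url": graph_url(tenant, "users", **odata),
            "headers": bearer_headers(token), "body": None}


def add_member_request(token, tenant, container_id, member_id, role=False):
    """POST a directoryObject link to <groups|roles>/<id>/$links/members (slide 63).
    role=True switches /groups to /roles, as the slide's note describes."""
    container = "roles" if role else "groups"
    body = json.dumps({"url": f"{GRAPH_ROOT}/{tenant}/directoryObjects/{member_id}"})
    return {"method": "POST",
            "url": graph_url(tenant, f"{container}/{container_id}/$links/members"),
            "headers": bearer_headers(token, "application/json"), "body": body}


if __name__ == "__main__":
    placeholder_token = "[access token from Azure AD]"   # constructed placeholder
    print(list_users_request(placeholder_token, "contoso.com", state="WA")["url"])
    print(add_member_request(placeholder_token, "contoso.com",
                             "02a8a087-a371-43f9-94df-cf0f654de307",
                             "93d8feee-6365-4b3b-98c0-14da134a2b1e")["url"])
```

The membership POST is the request that grants a user whatever the group or role carries, so it is the one to log and review; because the tenant is part of the path, a multi-tenant service should derive it from the validated token's `tid` rather than from anything the client supplies.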

