Azure Identity Premier Fast Start Optional Module © 2015 Microsoft Corporation Microsoft Confidential
Using the Directory Graph API

Abbreviations used in this module (abbreviation: what it stands for):
- AD: Active Directory
- API: application programming interface
- CRM: customer relationship management
- GA: General Availability
- GSM: Global System for Mobile communications
- HTTP: Hypertext Transfer Protocol
- JSON: JavaScript Object Notation
- JWT: JSON Web Token
- OAuth: open standard for authorization
- OData: Open Data Protocol
- URI: Uniform Resource Identifier
- URL: Uniform Resource Locator
- XML: Extensible Markup Language
Graph API Scenarios

Reading from Microsoft Azure Active Directory
- Implement a People or Group Picker: list/search users and groups
- Design workflows that look up Manager/Direct Report relationships
- Make authorization decisions: determine users' Group and Role membership
- Check the tenant's and users' subscribed services, such as Microsoft Exchange, Microsoft SharePoint, Skype, Microsoft Dynamics CRM, Intune, GSM
- Request changed data ("delta changes")

Writing to Azure Active Directory
- Update users and groups
- Set users' passwords
- Add users to Groups/Roles
- Provision/de-provision users
What Is Graph

- RESTful interface for Azure Active Directory
- Tenant-specific: queries are scoped to an individual tenant context
- Programmatic access to directory objects, such as Users, Groups, Roles
- Access to relationships: members, memberOf, manager, directReports
- Requests use standard HTTP methods

The goals of this interface are:
- Make it easy for applications to integrate with Microsoft Azure Active Directory
- Lay the foundation for the creation of higher-level capabilities: lookups, people pickers, security group membership, cross-company collaboration, etc.
- Provide high usability and interoperability
  ◦ GET, POST, DELETE to create, read, update, and delete
  ◦ Responses support JSON, XML, and standard HTTP status codes
  ◦ Compatible with OData V3
  ◦ OAuth 2.0 for authentication, role-based assignment
What Is REST

- REST: Representational State Transfer
- Originated in a Ph.D. dissertation by Roy Fielding
  ◦ An architectural style, not a protocol
  ◦ A description of how HTTP should be used for accessing data
- RESTful web services expose resources through a URI; the HTTP verbs PUT, GET, POST, and DELETE act on the resource
Authentication and Authorization to Graph API

Service-to-Service: OAuth 2.0 grant type "client credentials"
1. The Application requests a JWT token from the Azure AD Authentication Endpoint (OAuth), passing its input claims
2. Azure AD returns the token
3. The Application sends an HTTP request carrying the JWT token to the REST Service (the Graph), which validates the token, performs an Authorization Check, and processes the request
4. The REST Service returns the response and data

The Graph also supports the OAuth 2.0 Authorization Code grant type, which includes user authentication and delegation. After the user authenticates and approves delegated access, the Client App receives an authorization code, which can be redeemed for a token (and a refresh token).

Graph uses Azure AD for authentication, and clients must authenticate before using the Graph. The authentication method is determined when the application's Service Principal is created. Two authentication methods:
- Shared symmetric key (default)
- X.509 certificates (asymmetric)

The symmetric key is essentially a password. It can be defined during service principal creation via PowerShell, or AAD can generate one (remember that it cannot be retrieved again later, and that it has an expiration date, which should be monitored).

PowerShell example:
  New-MsolServicePrincipal -DisplayName "myapp1" -ServicePrincipalNames @("appClass/MyApp9.com") -Type symmetric -Usage Verify -StartDate 5/17/2012 -EndDate 5/17/2014

Certificate-based authentication can be more complex to configure: it uses a public/private key pair, where the app holds the private key and Azure AD holds the public portion.
Query Format

Example: https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'

- Graph URL (static): https://graph.windows.net/
- Tenant of interest: can be the tenant's verified domain or objectId, e.g. https://graph.windows.net/GraphDir1.OnMicrosoft.com/
- Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
- API version: "2013-04-05" is the supported GA version
- Optional OData query arguments: $filter, $top
Other Examples of Read Operations (request, followed by its description)

- https://graph.windows.net/graphDir1.OnMicrosoft.com/tenantDetails?api-version=2013-04-05
  Returns tenant-level information including company name, tech contact, subscriptions
- https://graph.windows.net/graphDir1.OnMicrosoft.com/groups/7373b0af-d462-406e-ad26-f2bc96d823d9/members?api-version=2013-04-05
  Returns a group's members
- https://graph.windows.net/GraphDir1.OnMicrosoft.com/users?$filter=displayName eq 'Adam Barr'&api-version=2013-04-05
  Uses an OData filter to get a specific user
- https://graph.windows.net/GraphDir1.OnMicrosoft.com/users?$filter=displayName ge 'A' and displayName le 'F'&api-version=2013-04-05
  Filters for a range of users
- https://graph.windows.net/GraphDir1.OnMicrosoft.com/users?api-version=2013-04-05&$filter=startswith(displayName,'James')
  An example OData filter using startswith
- https://graph.windows.net/GraphDir1.OnMicrosoft.com/users?api-version=2013-04-05&$filter=proxyAddresses/any(c:startswith(c,'SMTP:Ad'))
  An example OData filter using the any operator: searches for users who have a proxy address starting with 'SMTP:Ad'
- https://graph.windows.net/GraphDir1.OnMicrosoft.com/users/adam@graphdir1.onmicrosoft.com/memberOf?api-version=2013-04-05
  Gets a user's group membership
- https://graph.windows.net/graphDir1.OnMicrosoft.com/users/Adam@graphDir1.OnMicrosoft.com/manager?api-version=2013-04-05
  Gets an individual user's manager
- https://graph.windows.net/graphDir1.OnMicrosoft.com/users/Adam@graphDir1.onMicrosoft.com/directReports?api-version=2013-04-05
  Gets an individual user's direct reports
- https://graph.windows.net/graphDir1.OnMicrosoft.com/roles?api-version=2013-04-05
  Returns roles
- https://graph.windows.net/graphDir1.OnMicrosoft.com/subscribedSkus?api-version=2013-04-05
  Returns all subscriptions that the tenant owns
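The read URLs above are shown with raw spaces and quotes; a client has to percent-encode them, and any caller-supplied value placed inside an OData string literal must have its single quotes doubled, or a name like O'Brien breaks (or changes) the filter. The following Python helper is an added example, not code from the deck or from Microsoft; the tenant names, entities and filter values are the ones used on this slide, and the function names are this example's own.

```python
from urllib.parse import quote

GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "2013-04-05"  # the supported GA version named on the slide


def odata_literal(value):
    """Quote a string for use inside an OData $filter.
    A single quote inside the value is escaped by doubling it, which is
    what keeps user-controlled input from altering the filter expression."""
    return "'" + str(value).replace("'", "''") + "'"


def eq_filter(prop, value):
    return f"{prop} eq {odata_literal(value)}"


def startswith_filter(prop, prefix):
    return f"startswith({prop},{odata_literal(prefix)})"


def build_graph_url(tenant, entity, odata=None, api_version=API_VERSION):
    """Assemble a Directory Graph read URL.  `entity` is the path after the
    tenant (e.g. 'users' or 'users/<id>/memberOf'); `odata` maps query options
    such as '$filter' or '$top' to their raw, unencoded values.  Values are
    percent-encoded here so spaces, quotes and parentheses survive transport."""
    params = [("api-version", api_version)]
    for key, value in (odata or {}).items():
        params.append((key, str(value)))
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    return f"{GRAPH_BASE}/{tenant}/{entity}?{query}"


def relationship_url(tenant, collection, object_id, relation):
    """URL for a navigation such as users/<upn>/memberOf or .../manager.
    The object id (a UPN on the slide) is encoded, keeping '@' as-is."""
    return build_graph_url(tenant, f"{collection}/{quote(object_id, safe='@')}/{relation}")
```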
Graph API Write Operations

Create a New User

POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05

HEADERS
  Content-Type: application/json
  Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

BODY
  {
    "accountEnabled": true,
    "userPrincipalName": "NewUser@contoso.com",
    "displayName": "New User",
    "passwordProfile": {
      "password": "VStrongP@ssword1",
      "forceChangePasswordNextLogin": true
    },
    "mailNickname": "NewUser"
  }

RESPONSE: 201 Created

Notes
1. The password must meet the tenant's accepted password complexity requirements
2. The minimum set of properties to create a user is shown in the example above
3. Setting the user's usage location is not shown above
Implementation on the App

POST https://login.windows.net/contoso.com/oauth2/token?api-version=1.0

HEADERS
  Content-Type: application/x-www-form-urlencoded

BODY
  grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm44uk1A%2BpIlM%3D

RESPONSE: 200 OK

Notes
- OAuth 2.0 Client Credentials grant type; the client_id and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications
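The token request above and steps 1 to 3 of the service-to-service flow on the earlier slide, worked as an added Python example (not code from the deck or from Microsoft): the form body is built with proper percent-encoding (note how '/', '+' and '=' in the secret become %2F, %2B and %3D, as in the slide's body), and the returned JWT is inspected for audience and expiry before it is attached as a Bearer header. Signature verification is the Graph service's job (step 3) and is deliberately not done here; the demo token is constructed locally with a dummy signature, and the function names and the placeholder secret are this example's own.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.windows.net/{tenant}/oauth2/token?api-version=1.0"
GRAPH_RESOURCE = "https://graph.windows.net"


def token_endpoint(tenant):
    return TOKEN_ENDPOINT.format(tenant=tenant)


def client_credentials_body(client_id, client_secret, resource=GRAPH_RESOURCE):
    """application/x-www-form-urlencoded body for the client-credentials grant.
    urlencode percent-encodes every value, so a secret containing '/', '+' or '='
    is not corrupted by the form parser on the other side."""
    return urlencode({"grant_type": "client_credentials", "resource": resource,
                      "client_id": client_id, "client_secret": client_secret})


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the claim set of a JWT.  This only parses the payload; it does NOT
    verify the signature, which the Graph service checks when the token is used."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_usable(token, now=None, resource=GRAPH_RESOURCE):
    """Client-side sanity check before sending 'Authorization: Bearer <token>':
    the audience must be the Graph resource and the token must not be expired."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    return claims.get("aud") == resource and claims.get("exp", 0) > now


def constructed_token(claims):
    """Build an UNSIGNED demo JWT (dummy signature) purely so the parsing above
    can be exercised offline; a real token from Azure AD is RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.sig"
```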