5/29/2018 1:51 AM THR2071 Managing enterprise applications, permissions, and consent in Azure Active Directory Adam Steenwyk & Jeff Sakowicz Program Managers.
Presentation transcript:

5/29/2018 1:51 AM THR2071 Managing enterprise applications, permissions, and consent in Azure Active Directory Adam Steenwyk & Jeff Sakowicz Program Managers – Identity #MicrosoftGraph © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda: Intro and Terminology; Configuration; Runtime; Management

Intro - What is Application Consent?
- We use permissions and consent every day; think of the apps on your cell phone. The Azure AD permissions and consent model is very similar.
- Organizational data is accessed through resources (APIs) that expose permissions.
- Applications need access to organizational data at different levels.
- Those permissions can be granted through application consent by an admin or by an end user.
- Those permissions can be managed over time by an end user, an admin, or a developer.

Application Consent and Permissions (a conceptual overview)
1. Developer(s), internal or external, register a new app in the tenant: the "(Bad) Sharing Portal", which accesses any user's SharePoint and then attaches a file to an email sent by the signed-in user, to share it externally. The app requests two permissions:
   - Application permission on SharePoint data: "Read items in all site collections" (i.e., do something as the app). An admin must consent.
   - Delegated permission on Exchange data: "Send mail as a user" (i.e., do something as the user). A user can consent.
2. End user signs in to the new app: FAIL. The application permission cannot be granted by a user.
3. Administrator: (1) signs in to the new app, or grants the permissions directly; (2) is prompted for admin consent, or grants the permissions; (3) consents as an admin for all users.
4. End user signs in to the new app: SUCCESS!
5. The app now reads SharePoint data as itself and sends mail as the signed-in user.
6. Administrator manages consent policies and access over time.


App types and permission types

  App type                              Permission type            Who can consent                                     Effective permissions
  Get access on behalf of users         Delegated permission       Users can consent for their own data;               App permissions intersected with
  (mobile, web and single-page app)     (user permission)          an admin can consent for them or for all users      the user's own permissions
  Get access as a service               Application permission     Only an admin can consent                           App permissions
  (service and daemon)

Notes on V1 vs V2 Endpoint
This presentation focuses on the AAD V1 endpoint and the associated application, consent, and permissions model. There are some key differences to be aware of with consent on V2:
- Support for dynamic/incremental consent
- New URL paths, including a separate admin consent endpoint
- Applications registered at apps.dev.microsoft.com as opposed to portal.azure.com
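To make the "separate admin consent endpoint" difference concrete, here is an added example (not code from the session) that builds the admin consent request on both endpoints and validates the redirect Azure AD sends back. On V1, admin consent is an ordinary /oauth2/authorize request carrying prompt=admin_consent and a resource parameter; on V2 it is a request to the dedicated /adminconsent path with no resource parameter. The tenant, client ID and redirect URI used in the usage section are constructed placeholders.

```python
"""Requesting admin consent on the Azure AD v1 and v2 endpoints.

Added example, not code from the session. Builds the two request URLs
and checks the redirect that comes back to redirect_uri.
"""
from urllib.parse import urlencode, urlsplit, parse_qs
import secrets

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Unguessable state value; store it in the admin's session before redirecting."""
    return secrets.token_urlsafe(32)


def v1_admin_consent_url(tenant: str, client_id: str, redirect_uri: str,
                         resource: str, state: str) -> str:
    """v1: admin consent is a normal /oauth2/authorize request with prompt=admin_consent.

    The permissions granted are the static set registered on the app;
    'resource' names the API whose token is wanted (e.g. https://graph.microsoft.com).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must be one of the app's registered reply URLs
        "resource": resource,
        "prompt": "admin_consent",
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def v2_admin_consent_url(tenant: str, client_id: str, redirect_uri: str,
                         state: str) -> str:
    """v2: a separate /adminconsent endpoint; no resource parameter."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def check_consent_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the redirect back to redirect_uri.

    Returns {'granted': bool, 'tenant': str | None, 'error': str | None}.
    Raises ValueError when state does not match: the response was not
    triggered by this request (CSRF, replay, or a mixed-up session).
    """
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in q:
        return {"granted": False, "tenant": None, "error": q["error"][0]}
    granted = q.get("admin_consent", [""])[0].lower() == "true"
    # v2 echoes the consenting tenant; v1 does not, so this may be None
    return {"granted": granted, "tenant": q.get("tenant", [None])[0], "error": None}


if __name__ == "__main__":
    # Constructed placeholder values for illustration only.
    state = new_state()
    print(v1_admin_consent_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000001",
                               "https://app.example/cb", "https://graph.microsoft.com", state))
    print(v2_admin_consent_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000001",
                               "https://app.example/cb", state))
    print(check_consent_callback(f"https://app.example/cb?admin_consent=True&tenant=t1&state={state}", state))
```

The state check is the part worth keeping: an admin consent redirect that arrives without a matching state must be discarded, otherwise an attacker can drive an admin through consent for a tenant or request the admin never initiated and have the app treat the result as its own.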

Demo: Developer Setup


Runtime – When is consent prompted for?
The most common scenario: the first time a user uses an application that requires access to personal or organizational resources.
Some scenarios that may not be expected:
- The set of permissions required by the application has changed.
- Consent was revoked after being granted initially.
- The application is using incremental and dynamic consent to request additional permissions after consent was initially granted. This is often used when optional features of an application require permissions beyond those needed for baseline functionality.

Runtime – User experiences (consent prompt screenshots: administrator view, end-user view)

Demo: End User Consent Prompt


Manageability – Common challenges
- Mystery applications! Where did this application come from? I don't remember assigning anyone to this...
- Mystery assignments to an application! I know about this application, but I have no idea how Susie got assigned to it!
- Mystery permissions! I know about this application, but I have no idea what power it has over my organization.
GOOD NEWS: These need not be mysteries any longer!

Manageability – Demo & How-to
- What happens in the admin view when someone consents to an application?
- How can you see what permissions an application has?
- How can you see what consented applications are assigned to a user or group?
- How can you revoke a consent grant?
- How can you request administrator-level consent using the portal?
- How can you control how consent works in your organization?
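The demo answers these questions in the portal. As an added example (not from the session), the following script answers the same questions offline from the records an admin can export: which apps hold consent grants, whether they were admin- or user-consented, what delegated scopes and application roles each app holds, which apps cover a given user, and which Graph calls would revoke a given app's grants. The three record lists are constructed in the shape of the Microsoft Graph servicePrincipal, oauth2PermissionGrant and appRoleAssignment objects; all identifiers, display names, the home tenant ID and the "broad scope" heuristic are made up for the example.

```python
"""Triage of consented applications from Azure AD consent records.

Added example, not code from the session. Record lists below are
constructed samples in the shape of GET /servicePrincipals,
GET /oauth2PermissionGrants and GET /servicePrincipals/{id}/appRoleAssignments.
"""

HOME_TENANT = "tenant-contoso"  # constructed; compare against appOwnerOrganizationId

SERVICE_PRINCIPALS = [  # constructed
    {"id": "sp-graph", "displayName": "Microsoft Graph",
     "appOwnerOrganizationId": "tenant-microsoft",
     "appRoles": [{"id": "role-1", "value": "Sites.Read.All"}]},
    {"id": "sp-sharing", "displayName": "(Bad) Sharing Portal",
     "appOwnerOrganizationId": "tenant-external", "appRoles": []},
    {"id": "sp-notes", "displayName": "Notes Helper",
     "appOwnerOrganizationId": HOME_TENANT, "appRoles": []},
]

OAUTH2_GRANTS = [  # constructed; delegated permissions
    {"id": "g1", "clientId": "sp-sharing", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "Mail.Send User.Read"},
    {"id": "g2", "clientId": "sp-notes", "consentType": "Principal",
     "principalId": "user-susie", "resourceId": "sp-graph", "scope": "User.Read"},
]

APP_ROLE_ASSIGNMENTS = [  # constructed; application permissions held by a client SP
    {"id": "a1", "principalId": "sp-sharing", "resourceId": "sp-graph", "appRoleId": "role-1"},
]


def is_broad(scope: str) -> bool:
    """Example heuristic only: org-wide reads/writes and sending mail count as broad."""
    return scope.endswith(".All") or scope == "Mail.Send"


def summarize(sps, grants, role_assignments):
    """Per client app: delegated grants, application roles, and how consent was given."""
    by_id = {sp["id"]: sp for sp in sps}
    summary = {sp["id"]: {"name": sp["displayName"],
                          "external": sp.get("appOwnerOrganizationId") != HOME_TENANT,
                          "delegated": [], "application": [], "admin_consented": False}
               for sp in sps}
    for g in grants:
        entry = summary.get(g["clientId"])
        if entry is None:
            continue
        tenant_wide = g["consentType"] == "AllPrincipals"  # only an admin can grant this
        for scope in g["scope"].split():
            entry["delegated"].append({"scope": scope, "grant_id": g["id"],
                                       "resource": by_id[g["resourceId"]]["displayName"],
                                       "tenant_wide": tenant_wide, "principal": g["principalId"]})
        # A per-user ("Principal") grant may be user- or admin-consented; the record
        # alone does not say, so only tenant-wide grants are counted as admin consent.
        entry["admin_consented"] = entry["admin_consented"] or tenant_wide
    for a in role_assignments:
        entry = summary.get(a["principalId"])
        if entry is None:
            continue
        roles = {r["id"]: r["value"] for r in by_id[a["resourceId"]]["appRoles"]}
        entry["application"].append({"role": roles.get(a["appRoleId"], a["appRoleId"]),
                                     "resource": by_id[a["resourceId"]]["displayName"],
                                     "assignment_id": a["id"]})
        entry["admin_consented"] = True  # application permissions always need an admin
    return summary


def findings(summary):
    """(client id, reason, detail) triples an admin should look at first."""
    out = []
    for sp_id, e in summary.items():
        for p in e["application"]:
            out.append((sp_id, "application permission (runs without any user)", p["role"]))
        for d in e["delegated"]:
            if d["tenant_wide"] and is_broad(d["scope"]):
                out.append((sp_id, "tenant-wide delegated grant of a broad scope", d["scope"]))
        if e["external"] and (e["application"] or e["delegated"]):
            out.append((sp_id, "app owned by another organization holds grants", e["name"]))
    return out


def apps_for_user(grants, user_id):
    """Apps whose delegated grants cover this user: their own grant or a tenant-wide one."""
    return sorted({g["clientId"] for g in grants
                   if g["consentType"] == "AllPrincipals" or g["principalId"] == user_id})


def revocation_requests(summary, sp_id):
    """Graph calls that would revoke everything this client holds (returned, not executed)."""
    e = summary[sp_id]
    grant_ids = list(dict.fromkeys(d["grant_id"] for d in e["delegated"]))
    reqs = [f"DELETE /oauth2PermissionGrants/{gid}" for gid in grant_ids]
    reqs += [f"DELETE /servicePrincipals/{sp_id}/appRoleAssignments/{p['assignment_id']}"
             for p in e["application"]]
    return reqs


if __name__ == "__main__":
    s = summarize(SERVICE_PRINCIPALS, OAUTH2_GRANTS, APP_ROLE_ASSIGNMENTS)
    for f in findings(s):
        print(f)
    print("apps covering user-susie:", apps_for_user(OAUTH2_GRANTS, "user-susie"))
    print(revocation_requests(s, "sp-sharing"))
```

Revoking the oauth2PermissionGrant or appRoleAssignment stops new tokens from being issued; tokens already in hand remain valid until they expire, so revocation is a consent control, not an immediate session kill.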
