Presentation is loading. Please wait.

Presentation is loading. Please wait.

Azure Identity Premier Fast Start

Published byAlan Nichols Modified over 5 years ago

Similar presentations

Presentation on theme: "Azure Identity Premier Fast Start"— Presentation transcript:

1 Azure Identity Premier Fast Start
Optional Module © 2015 Microsoft Corporation Microsoft Confidential

2 Using the Directory Graph API
Abbreviation What it stands for? AD Active Directory API application programming interface CRM customer relationship management GA General Availability GSM Global System for Mobile communications HTTP Hypertext Transfer Protocol JSON JavaScript Object Notation JWT JSON Web Token OAuth open standard for authorization OData Open Data Protocol URI Uniform Resource Identifier URL Uniform Resource Locator XML Extensible Markup Language © 2015 Microsoft Corporation Microsoft Confidential

3 Graph API Scenarios Reading from Microsoft Azure Active Directory
Implement People or Group Picker – List/search users/groups Design workflows that lookup Manager/Direct Report relationships Make Authorization Decisions – determine users' Group and Role Membership Check tenant and users' subscribed services such as Microsoft Exchange, Microsoft SharePoint, Skype, Microsoft Dynamics CRM, Intune, GSM Requesting changed data – "delta changes" Writing to Azure Active Directory Updating users and groups Setting users' password Adding users to Groups/Roles Provisioning/de-provisioning users © 2015 Microsoft Corporation Microsoft Confidential

4 What Is Graph RESTful interface for Azure Active Directory
Tenant-specific queries are scoped to individual tenant context Programmatic access to directory objects, such as Users, Groups, Roles Access relationships – members, memberOf, manager, directReports Requests use standard HTTP methods The goals of this interface is: Make it easy for applications to integrate with the Microsoft Azure Active Directory Lay the foundation for creation of higher-level capabilities: lookups, people pickers, security group membership, cross-company collaboration, etc. Provide high usability and interoperability GET, POST, DELETE to create, read, update, and delete Responses support JSON, XML, standard HTTP status codes Compatible with OData V3 OAuth 2.0 for authentication, role-based assignment © 2015 Microsoft Corporation Microsoft Confidential

5 What Is REST REST – Representational State Transfer
Originated from a Ph.D dissertation by Roy Fielding ◦ An architecture style, not a protocol ◦ Description of how HTTP should be used for accessing data RESTful web services expose resources through a URI Resource PUT GET POST DELETE © 2015 Microsoft Corporation Microsoft Confidential

6 Authentication and Authorization to Graph API
Service-to-Service OAuth 2.0 grant type client credentials 1. Request JWT token (pass input claims) Azure AD Authentication Endpoint (OAuth) Active Directory The Graph also supports OAuth 2.0 Grant type = Authorization Code that includes User Authentication and Delegation. After the User Authn and approves delegated access, the Client App receives an authorization code, which can be redeemed for a token (and refresh token). Graph uses Azure AD for authentication and Clients must authenticate before using the graph. This authentication method is determined when the application’s Service Principal is created. Two authentication methods: Shared symmetric key (default) X.509 Certificates (asymmetric) The symmetric key is basically a password that can be defined during the service principal creation via PS, or let AAD create one (Remember that cant be retrieved again after required, and has expiration date for monitoring) PS Example: New-MsolServicePrincipal - -displayname "myapp1" -serviceprincipalnames @("appClass/MyApp9.com") -Type symmetric -Usage Verify -StartDate 5/17/ EndDate 5/17/2014 The certificate based could be more complex to configure, Public Key Pair, App has private key and Azure AD has the public portion. Application 2. Return token REST Service Validates token, processes request, returns data Authorization Check 3. HTTP Request with JWT token The Notes section does not form complete sentences. Pls check for relevance and completeness. The text highlighted in red were hidden in the original file. Kindly vlaidate if it is required. 4. Return Response and Data © 2015 Microsoft Corporation Microsoft Confidential

7 Query Format Graph URL (static) Tenant of interest – can be tenant’s verified domain or objectId Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc. eq 'WA' API version – " " is the supported GA version Optional Odata query arguments: $filter, $top © 2015 Microsoft Corporation Microsoft Confidential

8 Other Examples of Read Operations
Request Description ​Returns tenant-level information including company name, tech contact, subscriptions ​Returns a group's members ​ eq 'Adam Barr'&api-version= Using odata filter to get a specific user ​ ge 'A' and displayName le 'F'&api-version= ​Filters for a range of users ​​ ​An example odata filter using startsWith ​An example odata filter using the any operator, search for users who have a proxy address starting with 'SMTP:ad' ​Gets a users' group membership ​Gets an individual user's manager ​Gets an individual user‘s direct reports ​Returns roles ​Returns all subscriptions that the tenant owns © 2015 Microsoft Corporation Microsoft Confidential

9 Graph API Write Operations
Create a New User POST HEADERS Content-Type: application/json Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T…. BODY { "accountEnabled":true, "displayName":"New User", "passwordProfile":{ "forceChangePasswordNextLogin":true}, "mailNickname":"NewUser" } RESPONSE: 201 Created Notes 1. The password must meet the tenant's Accepted password complexity requirements 2. The minimum set of properties to create a user is shown in the example above 3. Setting the user's usage location is not shown above Graph API Write Operations © 2015 Microsoft Corporation Microsoft Confidential

10 Implementation on the App
POST HEADERS Content-Type: application/x-www-form-urlencoded BODY grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm44uk1A%2BpIlM%3D RESPONSE 200 OK Notes Oauth 2.0 Client Credential grant type, client_id, and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications © 2015 Microsoft Corporation Microsoft Confidential

11 © 2015 Microsoft Corporation Microsoft Confidential

Download ppt "Azure Identity Premier Fast Start"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Server Access The REST of the Story David Cleary

Server Access The REST of the Story David Cleary
Attie Naude 14 May 2013 Windows Azure Mobile Services.

Attie Naude 14 May 2013 Windows Azure Mobile Services.
Patterns & practices Symposium 2013 Windows Azure Active Directory Vittorio

Patterns & practices Symposium 2013 Windows Azure Active Directory Vittorio
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
Build 2015 4/16/2017 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION.

Build /16/2017 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION.
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every day.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every day.
Microsoft ® Official Course Interacting with the Search Service Microsoft SharePoint 2013 SharePoint Practice.

Microsoft ® Official Course Interacting with the Search Service Microsoft SharePoint 2013 SharePoint Practice.
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
Fraser Technical Solutions, LLC

Fraser Technical Solutions, LLC
App development in SharePoint 2013 LIVE Introducing Cloud App Model Cloud-hosted Apps Experiences from the Field.

App development in SharePoint 2013 LIVE Introducing Cloud App Model Cloud-hosted Apps Experiences from the Field.
Today, global enterprises run on Windows Server Active Directory 90% of US enterprises and 70% of international corporations use Active Directory.

Today, global enterprises run on Windows Server Active Directory 90% of US enterprises and 70% of international corporations use Active Directory.
Windows.Net Programming Series Preview. Course Schedule - 2014 CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.

Windows.Net Programming Series Preview. Course Schedule CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
ARC312. Security Policy Governance Audit Reporting Analysis Data Quality Directory Logon Mobility Provisioning Development Access Control Authentication.

ARC312. Security Policy Governance Audit Reporting Analysis Data Quality Directory Logon Mobility Provisioning Development Access Control Authentication.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.

IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.
Open Data Protocol * Han Wang 11/30/2012 *

Open Data Protocol * Han Wang 11/30/2012 *
Windows Azure Active Directory Graph API

Windows Azure Active Directory Graph API

Similar presentations

Ads by Google