Programming Azure Active Directory (DevLink 2014)
- 5. Assume you know what Microsoft Azure is and likely have an Azure subscription.
This is not an Active Directory design session.
Review common scenarios . . . Yours may be different.
We're not going to cover it all today . . . large, complicated topics with many options/scenarios.
- 8. Extend Windows Server AD to the cloud
Directory & identity services w/o need for Windows Server AD
Each O365 tenant has instance of AAD
[Diagram: Your App → AAD (Authentication platform, Directory store) ↔ Active Directory]
- 11. Visual Studio 2013 wizard makes it easy
Register the application in Azure AD
Set a database
Set Sign-On URL, App ID and Reply URL
Basic set of claims available from AAD
- 19. REST API Endpoints
Authentication with Azure AD
Role Based Access Control (RBAC)
Differential Queries
Directory Extensions
- 21. Graph URL
https://graph.windows.net/collierdemo.onmicrosoft.com/users?$filter=givenName eq 'Jon'&api-version=2013-11-08
Tenant (domain or objectID): collierdemo.onmicrosoft.com/
Entity (user, group, role, etc): users
OData query ($filter, $top): ?$filter=givenName eq 'Jon'
API Version: api-version=2013-11-08
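Building the slide 21 URL from its parts, as an added example (not from the deck). The OData string literal is quoted so that a caller-supplied value cannot break out of the $filter; the tenant, entity and api-version values are the ones on the slide.

```python
from urllib.parse import quote

GRAPH_ROOT = "https://graph.windows.net"
API_VERSION = "2013-11-08"      # the api-version used on slide 21

def odata_literal(value):
    """Quote a string for an OData $filter. A single quote inside the value is doubled,
    so a name such as O'Brien cannot end the literal early and change the filter."""
    return "'" + value.replace("'", "''") + "'"

def graph_url(tenant, entity, filter_expr=None, top=None):
    """Tenant (domain or objectId) / entity set, then the OData query and api-version."""
    query = []
    if filter_expr:
        # spaces become %20; quotes, parentheses and '=' stay readable in the filter
        query.append("$filter=" + quote(filter_expr, safe="'()="))
    if top:
        query.append("$top=%d" % top)
    query.append("api-version=" + API_VERSION)
    return "%s/%s/%s?%s" % (GRAPH_ROOT, quote(tenant, safe=""), entity, "&".join(query))
```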
- 25. Service-to-Service: OAuth 2.0 Grant Type Client Credentials
[Diagram: My Application; Azure AD Authentication Endpoint (OAuth); REST Service (validates token, processes, returns data) with an Authorization Check; Azure Active Directory (https://graph.windows.net)]
1) Request JWT token (provide clientId and secret)
2) Return JWT token
3) HTTP Request w/ JWT token
4) Return response
- 26. OAuth 2.0 Grant Type = Client Credentials
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
// get OAuth token using Client Credentials
string tenantName = "GraphDir1.onMicrosoft.com";
string issuingAuthority = "https://login.windows.net/" + tenantName;
// second argument is validateAuthority; false skips ADAL's check that the authority is a known Azure AD endpoint
AuthenticationContext authenticationContext = new AuthenticationContext(issuingAuthority, false);
// Config for OAuth client credentials (client_id and client_secret come from the Azure portal)
string clientId = "118473c2-7619-46e3-a8e4-6da8d5f56e12";
string clientSecret = "hOrJ0r0TZ4GQ3obp+vk3FZ7JBVP+TX353kNo6QwNq7Q=";
ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
// the resource the token is issued for: the Azure AD Graph API
string resource = "https://graph.windows.net";
AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resource, clientCred);
string token = authenticationResult.AccessToken;
* Some values removed for readability
OAuth 2.0 grant type, client_id, and client_secret configured in Azure portal
- 27. OAuth 2.0 Grant Type = Client Credentials
POST https://login.windows.net/GraphDir1.onMicrosoft.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
client-request-id: 1e38c3d3-dca3-42ff-8149-5db607b3488c
return-client-request-id: true
resource=https%3A%2F%2Fgraph.windows.net&
client_id=118473c2-7619-46e3-a8e4-6da8d5f56e12&
client_secret=hOrJ0r0TZ4GQ3obp%2Bvk3FZ7JBVP%2BTX353kNo6QwNq7Q%3D&
grant_type=client_credentials
* Some values removed for readability
- 28. OAuth 2.0 Grant Type = Client Credentials
Content-Type: application/json; charset=utf-8
client-request-id: 1e38c3d3-dca3-42ff-8149-5db607b3488c
Content-Length: 1160
{"token_type":"Bearer","expires_in":"3599","expires_on":"1407640794","not_before":"1407636894","resource":"https://graph.windows.net",
"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cdng2OHNrV
DgtbVBBQjNCc2VlQSJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLndpbmRvd3MubmV0IiwiaXNzIjoiaHR0cHM6Ly9zdHMud
2luZG93cy5uZXQvNGZkMmIyZjItZWEyNy00ZmU1LWE4ZjMtN2IxYTdjOTc1ZjM0LyIsImlhdCI6MTQwNzYzNjg5NCwib
mJmIjoxNDA3NjM2ODk0LCJleHAiOjE0MDc2NDA3OTQsInZlciI6IjEuMCIsInRpZCI6IjRmZDJiMmYyLWVhMjctNGZlNS1
hOGYzLTdiMWE3Yzk3NWYzNCIsIm9pZCI6ImIwZGVhNTFlLWJkMDQtNGI5OS05NmEyLTE0ZDk5YjE5YmM2YSI…………
………….."}
* Some values removed for readability
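The request body of slide 27 and the token response of slide 28, handled in Python as an added example (not the deck's ADAL code). The tenant and client_id are the slide's; the secret in the test and the sample token are constructed, with the sample token's claim values being those decoded from the slide 28 token. The resource-side checks cover audience, issuer/tenant and validity window only; they assume the RS256 signature has already been verified.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.windows.net/{tenant}/oauth2/token"
STS_ISSUER = "https://sts.windows.net/{tid}/"   # issuer format in the slide 28 token
MARGIN = 300                                    # stop using a token 5 min before exp

def build_token_request(tenant, client_id, client_secret, resource):
    """URL and x-www-form-urlencoded body; urlencode percent-encodes ':' '/' '+' '=' as slide 27 shows."""
    body = urlencode([("resource", resource), ("client_id", client_id),
                      ("client_secret", client_secret),
                      ("grant_type", "client_credentials")])
    return TOKEN_ENDPOINT.format(tenant=tenant), body

def _b64url(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_parts(token):
    """Header and claims of a JWT. The signature is NOT verified here: a resource
    must check the RS256 signature against the tenant's signing keys before trusting claims."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url(header)), json.loads(_b64url(payload))

def token_usable(response, resource, now):
    """Should a cached token response be used to call `resource` at Unix time `now`? Returns (ok, reason)."""
    if response.get("token_type") != "Bearer":
        return False, "not a bearer token"
    header, claims = jwt_parts(response["access_token"])
    if header.get("alg") != "RS256":            # never accept 'none' or a downgraded alg
        return False, "unexpected alg"
    if claims.get("aud") != resource:
        return False, "token was issued for another resource"
    if claims.get("iss") != STS_ISSUER.format(tid=claims.get("tid")):
        return False, "issuer does not match tid"
    if not (claims["nbf"] <= now < claims["exp"] - MARGIN):
        return False, "outside validity window"
    return True, "ok"

def make_sample_token(claims):
    """Constructed, unsigned token shaped like slide 28's (offline demo only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"typ": "JWT", "alg": "RS256"}) + "." + enc(claims) + ".sig-placeholder"

SLIDE_CLAIMS = {"aud": "https://graph.windows.net",   # claim values decoded from the slide 28 token
                "iss": "https://sts.windows.net/4fd2b2f2-ea27-4fe5-a8f3-7b1a7c975f34/",
                "iat": 1407636894, "nbf": 1407636894, "exp": 1407640794, "ver": "1.0",
                "tid": "4fd2b2f2-ea27-4fe5-a8f3-7b1a7c975f34", "oid": "b0dea51e-bd04-4b99-96a2-14d99b19bc6a"}
SAMPLE_RESPONSE = {"token_type": "Bearer", "expires_in": "3599", "expires_on": "1407640794",
                   "not_before": "1407636894", "resource": "https://graph.windows.net",
                   "access_token": make_sample_token(SLIDE_CLAIMS)}
```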
- 30. 1. Leverage ADAL and Graph Library
2. Obtain authentication token
3. Set GraphSetting with API version of choice
4. Set filter properties (if desired)
5. Get, Create, or Delete User, Group, Application, etc.
- 33. 1. Obtain authentication token
2. Write against REST API directly
3. Ability to set custom properties on directory objects
- 34. Azure AD extends directory authentication to the cloud
Enables single sign-on for web applications
CRUD objects in the directory
- 35. Azure AD Graph API
Azure AD Samples
Azure AD Graph Team Blog
Graph Explorer
Building Web Apps and Mobile Apps Using Microsoft Azure Active
Directory for Identity Management
Editor's Notes
- Show via Azure management portal
Sign up for Azure AD
Delete a tenant
Register a new application in Azure AD
Set for single sign-on
mcadmin@collierdemo.onmicrosoft.com / test!123
- The Check Group Membership operation is performed by invoking the IsMemberOf function on the directory service. This function returns a Boolean value that indicates whether a specified user, group, or contact is a member of a specified group. The operation is transitive, that is, if User A is a member of Group B and Group B is a member of Group C and the function is invoked with User A and Group C as parameters, it will return true. You can contrast this with the memberOf navigation property for User A, which is intransitive and would therefore not return Group C in its result set because User A is a member of Group C only through its membership in Group B.
http://msdn.microsoft.com/en-us/library/azure/dn151601.aspx
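The transitive IsMemberOf check versus the direct memberOf property from the note above, worked on a small constructed directory as an added example (not Graph API code). The group names follow the note; Group D is added here to show that a nesting cycle must not hang the walk.

```python
from collections import deque

# Constructed directory: each group maps to the objects that are its direct members.
# User A is a direct member of Group B, and Group B is a direct member of Group C.
DIRECT_MEMBERS = {
    "Group B": {"User A"},
    "Group C": {"Group B"},
    "Group D": {"Group C", "Group D"},   # self-reference: a cycle the walk must survive
}

def member_of(obj):
    """Like the memberOf navigation property: only the groups that list obj directly."""
    return {g for g, members in DIRECT_MEMBERS.items() if obj in members}

def is_member_of(obj, group):
    """Like the IsMemberOf function: True if obj reaches group through any chain of
    group nesting. Breadth-first over memberOf with a visited set, so cycles terminate."""
    seen, queue = set(), deque([obj])
    while queue:
        current = queue.popleft()
        for parent in member_of(current):
            if parent == group:
                return True
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return False
```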
- DirectoryObject is the base type for the following entity types: Application, Device, DirectoryLinkChange, Contact, Group, Role, ServicePrincipal, TenantDetail, and User.
http://msdn.microsoft.com/en-us/library/windowsazure/jj134105.aspx
- ADAL
- Use snippets in Postman
- These are the four primary application scenarios supported by Azure AD:
• Web Browser to Web Application: A user needs to sign in to a web application that is secured by Azure AD.
• Native Application to Web API: A native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD.
• Web Application to Web API: A web application needs to get resources from a web API secured by Azure AD.
• Daemon or Server Application to Web API: A daemon application or a server application with no web user interface needs to get resources from a web API secured by Azure AD.
http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx