Programming Azure Active Directory (DevLink 2014)
CloudDevelop: Columbus, OH, October 17, 2014 (clouddevelop.org)
AzureConf: Opening Keynote by Scott Guthrie, October 21st, 2014, 8:00am – 5:00pm PST, http://azureconf.net
Assumptions: you know what Microsoft Azure is and likely have an Azure subscription.
This is not an Active Directory design session.
We review common scenarios; yours may be different.
We're not going to cover it all today: these are large, complicated topics with many options and scenarios.
Azure Active Directory - What is it?
Multi-tenant "directory-as-a-service"
Identity & access for on-premises and cloud applications
NOT a cloud version of Windows Server AD
Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx
Extend Windows Server AD to the cloud
Directory & identity services w/o need for Windows Server AD
Each O365 tenant has an instance of AAD
Diagram: Your App talks to AAD, which provides the authentication platform and the directory store; AAD in turn can be synchronized with on-premises Active Directory.
Register an application with Azure AD 
Permissions 
Open source Azure AD authentication libraries
Visual Studio 2013 wizard makes it easy 
Register the application in Azure AD 
Set a database 
Set Sign-On URL, App ID and Reply URL 
Basic set of claims available from AAD
Working with the Graph
Read
Write
REST API Endpoints
Authentication with Azure AD
Role Based Access Control (RBAC)
Differential Queries
Directory Extensions
What's in the directory? REST Graph API
Anatomy of a Graph API URL:
https://graph.windows.net/collierdemo.onmicrosoft.com/users?$filter=givenName eq 'Jon'&api-version=2013-11-08
Graph URL: https://graph.windows.net/
Tenant (domain or objectID): collierdemo.onmicrosoft.com/
Entity (user, group, role, etc): users
OData query ($filter, $top): ?$filter=givenName eq 'Jon'
API Version: &api-version=2013-11-08
Active Directory Authentication Library (ADAL) 
for .NET
Microsoft.Azure.ActiveDirectory.GraphClient 
GraphConnection
Graph Security
Service-to-Service: OAuth 2.0 Grant Type Client Credentials
Participants: My Application; Azure AD Authentication Endpoint (OAuth); REST Service (https://graph.windows.net), which validates the token, processes the request and returns data, performing an Authorization Check against Azure Active Directory.
1) Request JWT token (provide clientID and secret)
2) Return JWT token
3) HTTP Request w/ JWT token
4) Return response
OAuth 2.0 Grant Type = Client Credentials (ADAL for .NET)
// get OAuth token using Client Credentials
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL for .NET
string tenantName = "GraphDir1.onMicrosoft.com";
string issuingAuthority = "https://login.windows.net/" + tenantName;
// second argument is validateAuthority; false skips checking that the authority is a known Azure AD endpoint, acceptable only for a demo
AuthenticationContext authenticationContext = new AuthenticationContext(issuingAuthority, false);
// Config for OAuth client credentials (values come from the Azure portal; read them from secure configuration rather than hard-coding)
string clientId = "118473c2-7619-46e3-a8e4-6da8d5f56e12";
string clientSecret = "hOrJ0r0TZ4GQ3obp+vk3FZ7JBVP+TX353kNo6QwNq7Q=";
ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
string resource = "https://graph.windows.net";
// ADAL posts to {authority}/oauth2/token with grant_type=client_credentials and returns the bearer token
AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resource, clientCred);
string token = authenticationResult.AccessToken;
* Some values removed for readability
OAuth 2.0 grant type, client_id, and client_secret configured in Azure portal
OAuth 2.0 Grant Type = Client Credentials (token request)
POST https://login.windows.net/GraphDir1.onMicrosoft.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
client-request-id: 1e38c3d3-dca3-42ff-8149-5db607b3488c
return-client-request-id: true

resource=https%3A%2F%2Fgraph.windows.net&
client_id=118473c2-7619-46e3-a8e4-6da8d5f56e12&
client_secret=hOrJ0r0TZ4GQ3obp%2Bvk3FZ7JBVP%2BTX353kNo6QwNq7Q%3D&
grant_type=client_credentials
* Some values removed for readability
OAuth 2.0 Grant Type = Client Credentials (token response)
Content-Type: application/json; charset=utf-8
client-request-id: 1e38c3d3-dca3-42ff-8149-5db607b3488c
Content-Length: 1160

{"token_type":"Bearer","expires_in":"3599","expires_on":"1407640794","not_before":"1407636894","resource":"https://graph.windows.net","access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cdng2OHNrVDgtbVBBQjNCc2VlQSJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLndpbmRvd3MubmV0IiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNGZkMmIyZjItZWEyNy00ZmU1LWE4ZjMtN2IxYTdjOTc1ZjM0LyIsImlhdCI6MTQwNzYzNjg5NCwibmJmIjoxNDA3NjM2ODk0LCJleHAiOjE0MDc2NDA3OTQsInZlciI6IjEuMCIsInRpZCI6IjRmZDJiMmYyLWVhMjctNGZlNS1hOGYzLTdiMWE3Yzk3NWYzNCIsIm9pZCI6ImIwZGVhNTFlLWJkMDQtNGI5OS05NmEyLTE0ZDk5YjE5YmM2YSI…………………….."}
* Some values removed for readability
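The two halves of the client-credentials exchange above, as an added example that is not the deck's code: building the form body exactly as the slide's POST shows it, and the claim checks (audience, tenant, validity window) the REST service in the Graph Security diagram must run on the returned bearer token before serving data. The IDs are the deck's own sample values; the token is constructed from the claims decoded from the deck's truncated access_token, with placeholder header and signature, and all function names are hypothetical.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Added example, not the deck's code. Sample IDs are the deck's own; function names are hypothetical.
TOKEN_URL = "https://login.windows.net/{tenant}/oauth2/token"

def build_token_request(tenant, client_id, client_secret, resource="https://graph.windows.net"):
    """Return (url, form_body) for the client_credentials POST shown in the deck."""
    body = urlencode({  # '+' and '=' in the secret are form-encoded as %2B and %3D
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant), body

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_claims(jwt, expected_aud, expected_tid, now=None):
    """Claim sanity check a REST service should run on the bearer token (step 3 of the
    diagram) before serving data. The RS256 signature is NOT verified here; a real
    resource server must check it against the tenant's signing certificate ('x5t')."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, _signature = jwt.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if header.get("alg") != "RS256":
        problems.append("unexpected alg")
    if claims.get("aud") != expected_aud:
        problems.append("audience mismatch")
    if claims.get("tid") != expected_tid or not claims.get("iss", "").endswith("/" + expected_tid + "/"):
        problems.append("issuer/tenant mismatch")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        problems.append("token outside nbf/exp window")
    return problems, claims

# Claims decoded from the deck's truncated access_token; header/signature below are placeholders.
SAMPLE_CLAIMS = {"aud": "https://graph.windows.net",
                 "iss": "https://sts.windows.net/4fd2b2f2-ea27-4fe5-a8f3-7b1a7c975f34/",
                 "iat": 1407636894, "nbf": 1407636894, "exp": 1407640794, "ver": "1.0",
                 "tid": "4fd2b2f2-ea27-4fe5-a8f3-7b1a7c975f34",
                 "oid": "b0dea51e-bd04-4b99-96a2-14d99b19bc6a"}

def make_unsigned_sample(claims):
    """Constructed, unsigned token for offline use only (real tokens carry an RS256 signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256", "x5t": "PLACEHOLDER"}), enc(claims), "PLACEHOLDER-SIG"])
```

Note that expires_on and not_before in the JSON envelope are the same epoch values as the exp and nbf claims inside the token, so the envelope can be used for client-side cache expiry but the resource server must rely on the signed claims.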
1. Leverage ADAL and Graph Library
2. Obtain authentication token
3. Set GraphSetting with API version of choice
4. Set filter properties (if desired)
5. Get, Create, or Delete User, Group, Application, etc.
Provide means to bring on-premises / custom 
schema extensions to Azure AD.
1. Obtain authentication token
2. Write against REST API directly
3. Ability to set custom properties on directory objects
Azure AD extends directory authentication to the cloud 
Enables single sign-on for web applications 
CRUD objects in the directory
Resources:
Azure AD Graph API
Azure AD Samples
Azure AD Graph Team Blog
Graph Explorer
Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
Questions?
Editor's Notes

  1. Show via Azure management portal: sign up for Azure AD; delete a tenant; register a new application in Azure AD; set for single sign-on. Demo account: mcadmin@collierdemo.onmicrosoft.com / test!123
  2. The Check Group Membership operation is performed by invoking the IsMemberOf function on the directory service. This function returns a Boolean value that indicates whether a specified user, group, or contact is a member of a specified group. The operation is transitive, that is, if User A is a member of Group B and Group B is a member of Group C and the function is invoked with User A and Group C as parameters, it will return true. You can contrast this with the memberOf navigation property for User A, which is intransitive and would therefore not return Group C in its result set because User A is a member of Group C only through its membership in Group B. http://msdn.microsoft.com/en-us/library/azure/dn151601.aspx
  3. DirectoryObject is the base type for the following entity types: Application, Device, DirectoryLinkChange, Contact, Group, Role, ServicePrincipal, TenantDetail, and User. http://msdn.microsoft.com/en-us/library/windowsazure/jj134105.aspx
  4. ADAL
  5. Use snippets in Postman
  6. These are the four primary application scenarios supported by Azure AD:
     • Web Browser to Web Application: A user needs to sign in to a web application that is secured by Azure AD.
     • Native Application to Web API: A native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD.
     • Web Application to Web API: A web application needs to get resources from a web API secured by Azure AD.
     • Daemon or Server Application to Web API: A daemon application or a server application with no web user interface needs to get resources from a web API secured by Azure AD.
     http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx
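The transitive-versus-intransitive distinction from note 2 (IsMemberOf vs. the memberOf navigation property), as an added example that is not the deck's or the Graph API's code: a constructed nested-group directory where User A is in Group B and Group B is in Group C, with a cycle-safe transitive check so that a self-referencing group cannot loop an authorization decision. The directory data and both function names are constructed for this illustration.

```python
from collections import deque

# Constructed directory: each group maps to its direct members (users or groups).
# Mirrors note 2: User A is a direct member of Group B, and Group B of Group C.
DIRECT_MEMBERS = {
    "GroupB": {"UserA"},
    "GroupC": {"GroupB"},
    "GroupD": {"GroupC", "GroupD"},   # self-reference to exercise the cycle guard
}

def member_of(principal, directory=DIRECT_MEMBERS):
    """Intransitive, like the memberOf navigation property: only groups that
    list the principal directly. For UserA this is {GroupB}, not GroupC."""
    return {group for group, members in directory.items() if principal in members}

def is_member_of(principal, group, directory=DIRECT_MEMBERS):
    """Transitive, like the IsMemberOf function: True if the principal is reachable
    through nested groups. A 'seen' set stops cycles (GroupD contains itself)."""
    seen, queue = set(), deque([group])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        members = directory.get(current, set())
        if principal in members:
            return True
        queue.extend(m for m in members if m in directory)   # descend into nested groups only
    return False
```

Authorization checks that gate access on group membership should use the transitive form; reading only the direct memberOf list would miss inherited membership such as UserA in GroupC.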