programming azure active directory (devlink 2014)
Programming Azure Active Directory
Michael S. Collier, Principal Cloud Architect
[email protected] | @MichaelCollier | www.MichaelSCollier.com
COLUMBUS, OH OCTOBER 17, 2014 CLOUDDEVELOP.ORG
Opening Keynote: Scott Guthrie
October 21st, 2014, 8:00am – 5:00pm PST
http://azureconf.net
Disclaimer
• Assume you know what Microsoft Azure is and likely have an Azure subscription.
• This is not an Active Directory design session.
• Review common scenarios . . . yours may be different.
• We're not going to cover it all today . . . large, complicated topics with many options/scenarios.
Image source: https://commons.wikimedia.org/wiki/File:Macaca_nigra_self-portrait_(rotated_and_cropped).jpg
Azure Active Directory - What is it?
Azure Active Directory
• Multi-tenant "directory-as-a-service"
• Identity & access for on-premises and cloud applications
• NOT a cloud version of Windows Server AD
Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx
Using Azure Active Directory
• Extend Windows Server AD to the cloud
• Directory & identity services w/o need for Windows Server AD
• Each O365 tenant has an instance of AAD
• Sync process is the same
Diagram: Your App talks to AAD (directory store + authentication platform); AAD is synced from on-premises Active Directory
The Basics
Register an application with Azure AD
Permissions
• Granted to the application, not the user
• Available permissions: SSO; SSO + Read data; SSO + Read data + Write data
Open source Azure AD authentication libraries
• https://github.com/AzureAD
AAD Basics
Sign Up for an AAD Tenant
Single Sign-On
demo
Single Sign-On (Recap)
• Visual Studio 2013 wizard makes it easy, at project creation time. Otherwise manual.
• Register the application in Azure AD. Must be a Global Administrator.
• Set a database: stores information related to the Azure AD tenant.
• Set Sign-On URL, App ID and Reply URL. Works for localhost and a public address.
• Basic set of claims available from AAD. More? Need to query the AAD Graph.
Working with the Graph
Scenarios: Read
• People picker (list users or groups)
• Lookup relationships (manager / direct report)
• Authorization – user's group and role membership
• Subscriptions (e.g. Office 365)
• Changed data (deltas)
• Roles & Subscriptions are read-only objects
Scenarios: Read/Write
• Update a User or Group
• Add a User to a Group
• Create or Delete a User
• Set a User password
• Directory Extensions
Graph API Features
REST API Endpoints
• POST, GET, PATCH, DELETE (create, read, update, & delete)
• XML or JSON
• OData v3
• OAuth 2.0: Client Credentials and Authorization Code flows
Authentication with Azure AD
• Every request requires a JSON Web Token (JWT) bearer token in the Authorization header
Role Based Access Control (RBAC)
• Check group membership (transitive)
Differential Queries
• Check for changes between two points in time. Only the changes are returned.
Directory Extensions
• Read/write custom properties (e.g. Skype ID)
What's in the directory?
• Everything is an object (ObjectID)
• Types: User, Group, Role, Application, Device, etc.
Building blocks: REST Graph API, Graph Library, Active Directory Authentication Library (ADAL)
Query Format
https://graph.windows.net/collierdemo.onmicrosoft.com/users?$filter=givenName eq 'Jon'&api-version=2013-11-08
• Graph URL: https://graph.windows.net/
• Tenant (domain or objectID): collierdemo.onmicrosoft.com
• Entity (user, group, role, etc): users
• OData query ($filter, $top): ?$filter=givenName eq 'Jon'
• API Version: &api-version=2013-11-08
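The tenant, entity and filter value in a query like the one above usually come from somewhere else in your application, and an OData $filter is a small expression language: a raw value such as O'Brien, or a crafted one, can close the string literal and add clauses to the filter. The following Python is an added example of mine, not code from the slides or from Microsoft's libraries; it assembles a Graph query URL in the format the slide breaks down and quotes string literals the OData way (single quotes doubled) before percent-encoding. The function names, and the users_by_given_name helper, are my own.

```python
from urllib.parse import quote

GRAPH_ROOT = "https://graph.windows.net"
DEFAULT_API_VERSION = "2013-11-08"   # the api-version shown on the slide


def odata_string_literal(value: str) -> str:
    """Quote a value for use inside an OData $filter expression.

    OData string literals are single-quoted and an embedded single quote is
    written as two single quotes, so O'Brien becomes 'O''Brien'.  Escaping
    before concatenation keeps a supplied value from closing the literal and
    smuggling extra filter clauses in (the OData analogue of SQL injection).
    """
    return "'" + value.replace("'", "''") + "'"


def build_graph_query(tenant: str, entity: str, filter_expr: str = None,
                      top: int = None, api_version: str = DEFAULT_API_VERSION) -> str:
    """Assemble https://graph.windows.net/<tenant>/<entity>?<odata>&api-version=<v>.

    Every path and query component is percent-encoded with safe="" so that a
    '/' or '&' inside an input cannot move it into a different part of the URL.
    api-version is mandatory on the Graph API, so it is always appended last.
    """
    if not tenant or not entity:
        raise ValueError("tenant and entity are required")
    params = []
    if filter_expr:
        params.append("$filter=" + quote(filter_expr, safe=""))
    if top is not None:
        if not isinstance(top, int) or top <= 0:
            raise ValueError("$top must be a positive integer")
        params.append("$top=%d" % top)
    params.append("api-version=" + quote(api_version, safe=""))
    return "%s/%s/%s?%s" % (GRAPH_ROOT, quote(tenant, safe=""),
                            quote(entity, safe=""), "&".join(params))


def users_by_given_name(tenant: str, given_name: str, top: int = None) -> str:
    """The slide's example query, with the name passed through odata_string_literal."""
    return build_graph_query(tenant, "users",
                             filter_expr="givenName eq " + odata_string_literal(given_name),
                             top=top)


if __name__ == "__main__":
    print(users_by_given_name("collierdemo.onmicrosoft.com", "Jon"))
    # A crafted value stays inside one string literal instead of becoming a second clause:
    print(users_by_given_name("collierdemo.onmicrosoft.com",
                              "x' or startswith(displayName,'a"))
```

The first call reproduces the slide's URL with the spaces and quotes percent-encoded; the second shows the crafted value arriving at the service as a single (harmless) literal rather than as an extra startswith clause.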
ADAL
Active Directory Authentication Library (ADAL) for .NET
• Get via NuGet
• https://github.com/orgs/MSOpenTech
• Handles token refresh automatically
• .NET, Windows Store, iOS, Android, node.js, Java
• Works on Windows Server AD and Azure AD
Graph Library
Microsoft.Azure.ActiveDirectory.GraphClient
• NuGet
• https://github.com/MSOpenTech/azuread-graphapi-library-for-dotnet
GraphConnection
• Uses the token obtained from ADAL
• Add<T>, Delete<T>, Update<T>, List<T>, etc.
Graph Security
Graph API Authentication
Service-to-Service: OAuth 2.0 Grant Type Client Credentials
Diagram: My Application, Azure AD Authentication Endpoint (OAuth), REST Service at https://graph.windows.net (validates token, processes, returns data) with an Authorization Check against Azure Active Directory
1) Request JWT token from the Azure AD authentication endpoint (provide client ID and secret)
2) Azure AD returns the JWT token
3) HTTP request to the REST service w/ the JWT token; the service validates the token and checks authorization
4) Return response
Graph API Authentication: OAuth 2.0 Grant Type = Client Credentials
* Some values removed for readability

    // Get an OAuth 2.0 token using the client credentials grant
    string tenantName = "GraphDir1.onMicrosoft.com";
    string issuingAuthority = "https://login.windows.net/" + tenantName;
    // Second argument is validateAuthority. false skips ADAL's check that the
    // authority is a known Azure AD endpoint; leave it true in production.
    AuthenticationContext authenticationContext = new AuthenticationContext(issuingAuthority, false);

    // Client credentials configured for the application in the Azure portal.
    // The secret below is the sample's value; in real code load it from protected
    // configuration rather than embedding it in source.
    string clientId = "118473c2-7619-46e3-a8e4-6da8d5f56e12";
    string clientSecret = "hOrJ0r0TZ4GQ3obp+vk3FZ7JBVP+TX353kNo6QwNq7Q=";
    ClientCredential clientCred = new ClientCredential(clientId, clientSecret);

    // The resource (token audience) is the Azure AD Graph API
    string resource = "https://graph.windows.net";
    AuthenticationResult authenticationResult = authenticationContext.AcquireToken(resource, clientCred);
    string token = authenticationResult.AccessToken;
OAuth 2.0 grant type, client_id, and client_secret configured in Azure portal
Token request:

    POST https://login.windows.net/GraphDir1.onMicrosoft.com/oauth2/token
    Content-Type: application/x-www-form-urlencoded
    client-request-id: 1e38c3d3-dca3-42ff-8149-5db607b3488c
    return-client-request-id: true

    resource=https%3A%2F%2Fgraph.windows.net&client_id=118473c2-7619-46e3-a8e4-6da8d5f56e12&client_secret=hOrJ0r0TZ4GQ3obp%2Bvk3FZ7JBVP%2BTX353kNo6QwNq7Q%3D&grant_type=client_credentials

Token response:

    Content-Type: application/json; charset=utf-8
    client-request-id: 1e38c3d3-dca3-42ff-8149-5db607b3488c
    Content-Length: 1160

    {"token_type":"Bearer","expires_in":"3599","expires_on":"1407640794","not_before":"1407636894","resource":"https://graph.windows.net","access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cdng2OHNrVDgtbVBBQjNCc2VlQSJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLndpbmRvd3MubmV0IiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNGZkMmIyZjItZWEyNy00ZmU1LWE4ZjMtN2IxYTdjOTc1ZjM0LyIsImlhdCI6MTQwNzYzNjg5NCwibmJmIjoxNDA3NjM2ODk0LCJleHAiOjE0MDc2NDA3OTQsInZlciI6IjEuMCIsInRpZCI6IjRmZDJiMmYyLWVhMjctNGZlNS1hOGYzLTdiMWE3Yzk3NWYzNCIsIm9pZCI6ImIwZGVhNTFlLWJkMDQtNGI5OS05NmEyLTE0ZDk5YjE5YmM2YSI…………………….."}
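The capture above shows both halves of the client credentials exchange: the form-encoded request and the JWT that comes back. What the slides do not show is what the REST service on the receiving end (step 3 of the diagram) has to do with that JWT before acting on it. The Python below is an added example of mine, not code from the slides or from ADAL: it rebuilds the request body exactly as captured, decodes a JWT's header and claims, and runs the claim checks a resource must make (alg, aud, iss, tid, nbf/exp with clock skew). It deliberately stops short of signature verification, which needs the tenant's published RS256 signing keys and so cannot run offline; the sample token is constructed here (modelled on the claims visible in the slide's truncated token) and is unsigned, with a placeholder third segment.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.windows.net/{tenant}/oauth2/token"
GRAPH_RESOURCE = "https://graph.windows.net"


def client_credentials_request(tenant, client_id, client_secret):
    """Step 1 of the diagram: the token request as (url, headers, form body).

    urlencode percent-encodes the '+' and '=' in the secret and the '://' in the
    resource URI, which is why the captured body looks the way it does.
    """
    body = urlencode({
        "resource": GRAPH_RESOURCE,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT.format(tenant=tenant), headers, body


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)   # JWT segments are sent without padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Split a compact JWS into (header, claims). The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def check_token_claims(token, expected_audience, tenant_id, now=None, skew=300):
    """The claim checks the REST service in step 3 must make before trusting a token.

    Returns the list of failed checks (empty means acceptable).  This is only the
    claims half: a resource must also verify the RS256 signature against the
    tenant's published signing keys, otherwise anyone can mint a passing token.
    """
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    failed = []
    if header.get("alg") != "RS256":                 # refuse "none", HS256, ...
        failed.append("alg")
    if claims.get("aud") != expected_audience:        # minted for a different API
        failed.append("aud")
    if claims.get("iss") != "https://sts.windows.net/%s/" % tenant_id:
        failed.append("iss")
    if claims.get("tid") != tenant_id:                # wrong tenant (multi-tenant apps!)
        failed.append("tid")
    if now + skew < claims.get("nbf", 0):             # not yet valid
        failed.append("nbf")
    if now - skew > claims.get("exp", 0):             # expired
        failed.append("exp")
    return failed


# Constructed sample token, modelled on the claims in the slide's (truncated)
# access_token.  It is NOT signed: the third segment is a placeholder, which is
# exactly why check_token_claims on its own must never be treated as authentication.
SAMPLE_TENANT = "4fd2b2f2-ea27-4fe5-a8f3-7b1a7c975f34"
SAMPLE_CLAIMS = {
    "aud": GRAPH_RESOURCE,
    "iss": "https://sts.windows.net/%s/" % SAMPLE_TENANT,
    "iat": 1407636894, "nbf": 1407636894, "exp": 1407640794,
    "ver": "1.0", "tid": SAMPLE_TENANT,
    "oid": "b0dea51e-bd04-4b99-96a2-14d99b19bc6a",
}


def make_unsigned_sample_token(claims=SAMPLE_CLAIMS, alg="RS256"):
    header = {"typ": "JWT", "alg": alg, "x5t": "kriMPdmBvx68skT8-mPAB3BseeA"}

    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    return ".".join([enc(header), enc(claims), "c2lnbmF0dXJl"])


if __name__ == "__main__":
    url, _, body = client_credentials_request(
        "GraphDir1.onMicrosoft.com", "118473c2-7619-46e3-a8e4-6da8d5f56e12",
        "hOrJ0r0TZ4GQ3obp+vk3FZ7JBVP+TX353kNo6QwNq7Q=")
    print("POST", url)
    print(body)
    tok = make_unsigned_sample_token()
    print(check_token_claims(tok, GRAPH_RESOURCE, SAMPLE_TENANT, now=1407636900))  # []
    print(check_token_claims(tok, GRAPH_RESOURCE, SAMPLE_TENANT, now=1407700000))  # ['exp']
    print(check_token_claims(make_unsigned_sample_token(alg="none"),
                             GRAPH_RESOURCE, SAMPLE_TENANT, now=1407636900))       # ['alg']
```

The client_id and client_secret used in the main block are the slide's sample values. The tid check matters more than it looks: an application registered as multi-tenant receives tokens issued for other tenants as well, and the Graph service (or your own API) must decide per tenant whether that is acceptable rather than trusting any token Azure AD signed.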
Read and Write Data
demo
Read and Write (Recap)
1. Leverage ADAL and the Graph Library
2. Obtain an authentication token
3. Set GraphSetting with the API version of choice
4. Set filter properties (if desired)
5. Get, Create, or Delete User, Group, Application, etc.
Directory Schema Extensions
Provide a means to bring on-premises / custom schema extensions to Azure AD.
• Registered at the Application level.
• Max of 100 extensions per object for all applications
• String or Binary
• Target objects: User, Group, TenantDetail, Device, Application, ServicePrincipal
Directory Extension
demo
Directory Extension (Recap)
1. Obtain an authentication token
2. Write against the REST API directly (managed client code coming soon; check the preview branch in GitHub)
3. Ability to set custom properties on directory objects
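Since the recap says to write against the REST API directly, here is an added example of mine (not code from the slides, and not Microsoft's client library) that builds the two requests involved and enforces the limits the slide lists: registering an extension property on the application object (String or Binary, only the listed target object types) and then PATCHing a directory object with a value under the extension's generated name. The request shapes and the naming convention extension_<appId without hyphens>_<name> follow the Azure AD Graph REST documentation as I recall it rather than anything on the slides, the api-version default is an assumption, and the sample user object at the bottom is constructed. The functions return the JSON body as a dict; serialize it with json.dumps when sending.

```python
import base64
import re

GRAPH_ROOT = "https://graph.windows.net"
API_VERSION = "1.5"   # assumption: a Graph api-version that supports extensionProperties

# Constraints from the slide
ALLOWED_TARGETS = {"User", "Group", "TenantDetail", "Device", "Application", "ServicePrincipal"}
ALLOWED_TYPES = {"String", "Binary"}
MAX_EXTENSIONS_PER_OBJECT = 100


def extension_property_name(app_id, name):
    """Graph names a registered extension extension_<appId without hyphens>_<name>."""
    if not re.fullmatch(r"[A-Za-z0-9]+", name):          # assumption: alphanumeric names only
        raise ValueError("extension name must be alphanumeric: %r" % name)
    return "extension_%s_%s" % (app_id.replace("-", ""), name)


def register_extension_request(tenant, app_object_id, name, data_type, target_objects,
                               api_version=API_VERSION):
    """POST .../applications/<objectId>/extensionProperties to register an extension."""
    if data_type not in ALLOWED_TYPES:
        raise ValueError("dataType must be one of %s" % sorted(ALLOWED_TYPES))
    bad = set(target_objects) - ALLOWED_TARGETS
    if bad or not target_objects:
        raise ValueError("unsupported target object types: %s" % sorted(bad))
    extension_property_name("00000000-0000-0000-0000-000000000000", name)  # validates the name
    url = "%s/%s/applications/%s/extensionProperties?api-version=%s" % (
        GRAPH_ROOT, tenant, app_object_id, api_version)
    body = {"name": name, "dataType": data_type, "targetObjects": sorted(target_objects)}
    return "POST", url, body


def set_extension_value_request(tenant, entity_set, object_id, app_id, name, value,
                                data_type="String", api_version=API_VERSION):
    """PATCH a directory object (users/<id>, groups/<id>, ...) with one extension value.

    Binary extensions carry bytes, which travel base64-encoded inside the JSON body.
    """
    prop = extension_property_name(app_id, name)
    if data_type == "Binary":
        if not isinstance(value, (bytes, bytearray)):
            raise TypeError("Binary extension values must be bytes")
        value = base64.b64encode(value).decode("ascii")
    elif not isinstance(value, str):
        raise TypeError("String extension values must be str")
    url = "%s/%s/%s/%s?api-version=%s" % (GRAPH_ROOT, tenant, entity_set, object_id, api_version)
    return "PATCH", url, {prop: value}


def extension_values(directory_object, app_id):
    """Pull this application's extension values out of an object read back with GET."""
    prefix = "extension_%s_" % app_id.replace("-", "")
    return {k[len(prefix):]: v for k, v in directory_object.items() if k.startswith(prefix)}


def extension_slots_left(directory_object):
    """How many of the 100 per-object extension slots (all applications) remain."""
    used = sum(1 for k in directory_object if k.startswith("extension_"))
    return MAX_EXTENSIONS_PER_OBJECT - used


# Constructed sample: a user as Graph might return it, with one extension already set
APP_ID = "118473c2-7619-46e3-a8e4-6da8d5f56e12"
SAMPLE_USER = {
    "objectId": "b0dea51e-bd04-4b99-96a2-14d99b19bc6a",
    "displayName": "Jon Demo",
    "extension_118473c2761946e3a8e46da8d5f56e12_skypeId": "jon.demo",
}

if __name__ == "__main__":
    print(register_extension_request("collierdemo.onmicrosoft.com", "app-object-id",
                                     "skypeId", "String", ["User"]))
    print(set_extension_value_request("collierdemo.onmicrosoft.com", "users",
                                      SAMPLE_USER["objectId"], APP_ID, "skypeId", "jon.demo"))
    print(extension_values(SAMPLE_USER, APP_ID), extension_slots_left(SAMPLE_USER))
```

Because extensions are registered per application, the value written by one application's PATCH is readable by any other application with directory read permission; the generated name only namespaces the property, it does not protect it.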
Summary
• Azure AD extends directory authentication to the cloud: cloud and non-cloud applications
• Enables single sign-on for web applications
• Retrieve claims to add additional authorization or personalization
• Query the AAD graph: CRUD objects in the directory
• Obtain a JWT token using the client credentials or OAuth authorization code grant
• Graph Library and ADAL will be your friends; REST API if needed
Azure AD Resources
• Azure AD Graph API: http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx
• Azure AD Samples: https://github.com/AzureADSamples
• Azure AD Graph Team Blog: http://blogs.msdn.com/b/aadgraphteam/
• Graph Explorer: http://graphexplorer.cloudapp.net/
• Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DEV-B344
Questions?
Thank You!
Michael S. Collier, Principal Cloud Architect
[email protected] | @MichaelCollier | www.MichaelSCollier.com