Slides backing the "Azure Active Directory - An Introduction for Developers" talk

1. Consulting/Training
Azure Active Directory
An Introduction for Developers

2. Consulting/Training
John Garland
Microsoft MVP Windows Platform Development
Member Microsoft Azure Insider
Azure Mobile Services Advisory Board
Author Windows Store Apps Succinctly
Co-Author Programming the Windows Runtime by Example
MCPD Azure, Windows Developer, Windows Phone
MCTS Silverlight
jgarland@wintellect.com
@dotnetgator
Wintellect Principal Consultant

3. Consulting/Training
consulting
Wintellect helps you build better software, faster,
tackling the tough projects and solving the software
and technology questions that help you transform
your business.
 Architecture, Analysis and Design
 Full lifecycle software development
 Debugging and Performance tuning
 Database design and development
training
Wintellect's courses are written and taught by some of
the biggest and most respected names in the Microsoft
programming industry.
 Learn from the best. Access the same training
Microsoft’s developers enjoy
 Real world knowledge and solutions on both current
and cutting edge technologies
 Flexibility in training options – onsite, virtual, on
demand
Wintellect is the only company that offers the combined value of world class consulting services along with
onsite, virtual and on-demand developer training. We help companies build better software, faster, helping you
maximize and protect your consulting and training investments through ongoing knowledge transfer.
who we are
About Wintellect

4. Consulting/Training
 A Simple Demo – Adding Authentication to an ASP.NET MVC Application
 An Overview of Azure Active Directory
 The Developer Story
 Background – Integrating an Application’s Authentication with Azure Active Directory
 Demo – Working with the Azure Active Directory Graph API
 Demo – Calling a Secured Web API from a Secured Web App
 Demo – Calling a Secured Web API from a Native Client Application
 Wrapup
Agenda

5. Consulting/Training
Securing MVC Web Application Content with Azure Active Directory

6. Consulting/Training
 Created an app entry in an Azure
Active Directory tenant (and
some users)
 Used the OWIN middleware to
add authentication support to
the MVC Web App
 Configured the OWIN
middleware to know about the
AD app
What Have We Seen?

7. Consulting/Training
 Identity & Access Management as a Service
 You decide who the users are, what information is stored, who can get at it, who
can manage it, and what apps can use it.
 Microsoft is responsible for keeping it all running.
 Standalone, but can be synced with on-premises AD
 3 Editions: Free, Basic, Premium
 Application integration via support for several standard authentication
protocols (SAML 2.0, WS-Federation, Open ID Connect)
Azure Active Directory – What Is It?

8. Consulting/Training
No Object Limit No Object Limit
No Limit
Adv Security Reports
Yes (Advanced)**
Premium
+ Basic
Features
Group-based access management/provisioning Yes Yes
Self-Service Password Reset for cloud users Yes Yes
Company Branding (Logon Pages/Access Panel customization) Yes Yes
SLA Yes (99.9%) Yes (99.9%)

9. Consulting/Training
 Designed for “The Cloud” (as opposed to being retrofitted/adapted)
 REST Graph API with OData syntax for queries (instead of LDAP)
 Synchronize OR Connect to on-prem AD (ADFS is optional) via AAD Connect
 Sync
 User attributes synced using Identity Sync Services (includes a password hash)
 Authentication completes against AAD
 Connect
 User attributes synced vis Identity Sync Services
 Authentication passed back to local AD via ADFS and is completed locally
 Synchronize OR Connect to external SaaS applications
Azure Active Directory != Windows Active Directory

10. Consulting/Training
 Company Branding for Sign-In Screen
 Active Directory Application Proxy
 Access Control Services 2.0
 Multi-Factor Authentication
 Security Reporting and Alerts
 License Management
 Leverage Single Sign On with 2400+ 3rd party apps in the Azure AD
App Gallery
 Etc…
But Wait, There’s More!

11. Consulting/Training
 Applications
 Entities that rely on AAD for
Authentication
 Configuration Values:
 ClientID – Unique ID (GUID) for an application
 Application ID URI - Sent to AAD to indicate
the what the caller wants a token for
 ReplyURL - For web API or web application,
the location to which Azure AD will send the
authentication response
 Redirect URI – For an OAuth 2.0 request, a
unique identifier to which Azure AD will
redirect the user-agent
 Domains
 Default <tenant>.onmicrosoft.com
 A default domain is created with
your Azure Subscription for
managing Azure Management
Access
 Can also provision custom domain
names, use tenant ID, or use the
“custom” tenant
 Users
 Create in portal, via AAD PowerShell
cmdlet, or via sync
Azure Active Directory Development Terminology

12. Consulting/Training
 First Step – Stand up some middleware in front of the server
 Intercept requests and redirect if necessary to an Identity Provider (IdP).
 The IdP issues a token back to the client (browser, app), which is provided to the
server that is hosting the secured resource.
 The Server verifies the token with the IdP and – if valid – allows the request to
continue.
 Later
 Additional logic can request more information about the verified identity and
check to determine the resource in question can be accessed.
Fundamentals of Token-Based Web Authentication

13. Consulting/Training
OpenID Auth Code Authentication Flow
1 – Request Resource
2 – Redirect to IdP
3–RequestCode
4-Challenge/Response
5–ReturnanAccessCode
6 – Send Auth Code To Server
9:
Relying Party
(eg – Your Web App)
Client
(eg – Your Web Browser)
Identity Provider (IdP)
(eg – Azure Active Directory)
OAuth-A OAuth-T

14. Consulting/Training
 Then - Windows Identity Foundation (WIF)
 API for building claims-aware applications
 Configuration heavy, older tech, a product of a different era (WS-Fed)
 Authentication tooling in ASP.NET VS2013 Projects leverages WIF
 Now - “Katana” – Microsoft’s ASP.NET OWIN implementation.
 WS-Fed, OpenID Connect
 MUCH simpler to work with
 Hopefully VS Projects will get significant OWIN tooling “SOON”
ASP.NET Authentication Middleware

15. Consulting/Training
Azure AD Graph Client Library
 Wraps the REST API for Azure Active
Directory - Access objects such as
Users, Groups, Contacts, Tenant
Information, Roles, Applications,
Permissions
 OAuth 2.0 Support, supports both
Client Credentials and Authorization
Code flow
 Does not depend on ADAL, but
often used together
AD Authentication Library (ADAL)
 Authenticate users to AD and obtain
access tokens for securing API calls
 Manage token caching & lifetime
 Works with Azure AD, Windows
Server ADFS for Windows Server
2012 R2, and ACS
 Available for .NET, Windows Store
(WinRT), Node.js
 V3.0 (Pre) is a PCL with support for WinRT,
Xamarin iOS, Xamarin Android)
Tools for Working with Azure Active Directory

16. Consulting/Training
Calling the Graph API from an Authenticated MVC Web Site Endpoint

17. Consulting/Training
 The previous example looked at
 Securing one or more endpoints of an ASP.NET MVC app
 Using parts of the work done to authenticate the MVC App endpoint to also
access the Azure AD Graph
 Now What If
 The Web App needs to call a secured Web API? As the App? As the User?
 A Native Client App needs to call the same secured Web API?
Now What If…

18. Consulting/Training
Flowing authentication from a Web App to a Web Service
Calling the same Web Service from a Native Client Application

19. Consulting/Training
 Using OWIN Middleware to add
AAD-based authentication to an
MVC Web App endpoint
 Using Web App authentication
credentials to call the AAD Graph
API
 Using Web App authentication
credentials to call a Web API service
as both a user and an app
 Calling a Web API that requires
authentication from a Native App
What Have We Seen

20. Consulting/Training
 APIs and Sample Code
 Azure AD Authentication Library for
.NET - http://msdn.microsoft.com/en-
us/library/azure/jj573266.aspx
 Azure AD Graph API -
http://msdn.microsoft.com/en-
us/library/azure/hh974476.aspx
 Azure Active Directory Code Samples -
http://msdn.microsoft.com/en-
us/library/azure/dn646737.aspx
 Claims
 A Guide to Claims-Based Identity and
Access Control (2nd Edition) -
http://msdn.microsoft.com/en-
us/library/ff423674.aspx
 Azure Active Directory Videos
 Channel 9 AAD Series -
http://channel9.msdn.com/Series/Wind
ows-Azure-Active-Directory
 TechEd Europe 2014 -
http://channel9.msdn.com/Events/TechE
d/Europe/2014?tag=microsoft-azure-
active-directory
Resources

21. Consulting/Training
 Native Clients
 WPF calling Web API
 WinRT Calling WebAPI
 Call Web API, calling another WebAPI
 Xamarin – Multiple OS’s
 Headless calling Web API
 Daemons (Services)
 Calling WebAPI (Password & Certificate)
 .NET Web Apps
 Call via OpenID Connect & WS-Fed
 App calls Web API via OpenID Connect,
OAuth2 (App & User Identities)
 SPAs
 JavaScript client calling to .NET service
 Calling Azure AD Graph API
 RBAC via Groups and Roles
Azure AD Samples
And many more…

22. Consulting/Training
 Get to know the basic concepts of distributed application
authentication
 Get familiar with the lay-of-the-land of the AAD Samples
 See if your needs [align with || can be slightly pivoted to align with] the
concepts shown in the AAD Samples, and then use them as a roadmap
 If you’re a .NET developer, focus on leveraging the ASP.NET OWIN
(“Katana”) middleware components in your applications (unless you are
already moving forward to vNext)
$0.05 of Advice

23. Consulting/Training
Thank You