A Lap Around Windows Azure Active Directory
Stuart Kwan
Lead Principal Program Manager
Microsoft Corporation
SIA209
What is Windows Azure Active Directory?
Extension of Active Directory into the cloud
Designed primarily to meet the needs of cloud applications
Identity as a service: an essential part of Platform as a Service
[Diagram: Azure AD linked to on-premises AD and to several cloud apps]
Problem Statement
While enterprises are working to consolidate identity systems on-premises, cloud apps are fragmenting identity... again
[Diagram: on-premises AD with several cloud apps, none of them connected to it]
Separate username/password sign-in
Manual or semi-automated provisioning
No direct connection to directory
History of Azure Active Directory
Active Directory revised to operate as Internet-scale multi-tenant identity service, built concurrently with Office 365
Extends Windows Server Active Directory into cloud
Provides cloud-based identity services for organizations without Windows Server AD
[Diagram: Azure AD linked to on-premises AD and to Exchange Online, SharePoint Online and Lync Online]
Identity Management as a Service
Consolidate identity management across cloud apps
Connect to directory from any platform, any device
Connect with people from web identity providers and other organizations
[Diagram: Azure AD linked to on-premises AD, Office 365, other Microsoft apps, ISV apps and your custom IT apps]
Relationship to Windows Server AD
On-premises and cloud Active Directory managed as one
Directory information synchronized to cloud, made available to cloud apps via role-based access control
Federated authentication enables single sign on to cloud applications
[Diagram: on-premises AD connected to Azure AD by sync and federation]
How Does a Cloud App Connect to Directory?
[Diagram: browsers, mobile apps and server apps call a cloud application made of a web application and a web service API; how does the application connect to the Contoso.com directory?]
Anatomy of a Typical Cloud Application
Web application
Web service API
Account and profile store
Clients using wide variety of devices/languages/platforms
Server applications using wide variety of platforms/languages
Azure Active Directory Design Principles
The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory
Maximize device & platform reach
HTTP/web/REST based protocols
Multi-tenancy
Customer owns directory, not Microsoft
Optimize for availability, consistent performance, and scale
Keep it simple
Directory Graph API
RESTful programmatic access to directory
Objects such as users, groups, roles, licenses
Relationships such as member, memberOf, manager, directReport
Requests use standard HTTP methods
POST, GET, PATCH, DELETE to create, read, update, and delete
Response in XML or JSON; standard HTTP status codes
Compatible with OData 3.0
OAuth 2.0 for authentication
Role-based assignment for application and user authorization
Example Directory Graph Call
Request: https://directory.windows.net/contoso.com/Users('[email protected]')
Response:
{
  "d": {
    "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/Manager" },
    "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/MemberOf" },
    "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectType": "User",
    "AccountEnabled": true,
    "DisplayName": "Ed Blanton",
    "GivenName": "Ed",
    "Surname": "Blanton",
    "UserPrincipalName": "[email protected]",
    "Mail": "[email protected]",
    "JobTitle": "Vice President",
    "Department": "Operations",
    "TelephoneNumber": "4258828080",
    "Mobile": "2069417891",
    "StreetAddress": "One Main Street",
    "PhysicalDeliveryOfficeName": "Building 2",
    "City": "Redmond",
    "State": "WA",
    "Country": "US",
    "PostalCode": "98007"
  }
}
(Elements of response have been edited to fit on slide)
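The slide shows one GET and its OData response. The block below is an added example, not Microsoft's sample code: it builds Graph requests for the four HTTP methods the slide lists, quotes the OData key so a user-supplied UPN cannot break out of the string literal, and parses the "d" envelope into plain properties and deferred navigation links. The base URL and tenant are taken from the slide; the helper names are ours, and SAMPLE_RESPONSE is a constructed response modelled on the slide's example (the UPN in it is made up; most attributes are omitted).

```python
"""Added example, not Microsoft's sample code: Directory Graph request
construction and OData 3.0 JSON response parsing in the shape the slide shows.
GRAPH_BASE and the tenant come from the slide; helper names are ours and
SAMPLE_RESPONSE is constructed."""
import json
import urllib.request
from typing import Optional
from urllib.parse import quote

GRAPH_BASE = "https://directory.windows.net"        # endpoint shown on the slide
GRAPH_METHODS = {"POST", "GET", "PATCH", "DELETE"}  # create / read / update / delete


def odata_key(value: str) -> str:
    """Quote a string as an OData key literal. Embedded single quotes are
    doubled, so a UPN taken from user input cannot close the literal and
    change which object the URL addresses."""
    return "'" + value.replace("'", "''") + "'"


def user_url(tenant: str, upn: str) -> str:
    """URL of one user entity, e.g. .../contoso.com/Users('user1@contoso.com')."""
    key = quote(odata_key(upn), safe="'@")
    return "%s/%s/Users(%s)" % (GRAPH_BASE, quote(tenant, safe=""), key)


def build_request(method: str, url: str, access_token: str,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Graph request carrying an OAuth 2.0 bearer token. Only the four methods
    the API uses are accepted; the request is returned, not sent."""
    if method not in GRAPH_METHODS:
        raise ValueError("unsupported Graph method: %s" % method)
    headers = {"Authorization": "Bearer " + access_token,
               "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def parse_entity(body: str) -> dict:
    """Unwrap the OData 'd' envelope and separate plain properties from
    deferred navigation links (Manager and MemberOf come back as URIs that
    need a further GET)."""
    entity = json.loads(body)["d"]
    props, links = {}, {}
    for name, value in entity.items():
        if isinstance(value, dict) and set(value) == {"uri"}:
            links[name] = value["uri"]
        else:
            props[name] = value
    return {"properties": props, "links": links}


def stable_user_key(parsed: dict) -> str:
    """Key local data on ObjectId: UserPrincipalName and Mail can be renamed
    or reassigned, the directory ObjectId cannot."""
    return parsed["properties"]["ObjectId"]


# Constructed response in the slide's shape (ObjectId and name from the slide,
# UPN made up, most profile attributes left out).
SAMPLE_RESPONSE = json.dumps({"d": {
    "Manager": {"uri": GRAPH_BASE + "/contoso.com/Users('user1@contoso.com')/Manager"},
    "MemberOf": {"uri": GRAPH_BASE + "/contoso.com/Users('user1@contoso.com')/MemberOf"},
    "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectType": "User",
    "AccountEnabled": True,
    "DisplayName": "Ed Blanton",
    "UserPrincipalName": "user1@contoso.com",
    "JobTitle": "Vice President",
}})

if __name__ == "__main__":
    url = user_url("contoso.com", "user1@contoso.com")
    req = build_request("GET", url, "<access token>")
    user = parse_entity(SAMPLE_RESPONSE)
    print(req.get_method(), req.full_url)
    print("key:", stable_user_key(user), "links:", sorted(user["links"]))
```

The quoting matters because the key literal sits inside the URL path: without doubling, a UPN containing a single quote would terminate the literal early and the remainder of the input would be interpreted as part of the OData expression.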
demo
Sample Expense Reporting Application in the Cloud
[Diagram, step 1: Cloud Application with its Profile Store; Contoso.com Directory holding a ServicePrincipal associated with Role (Read)]
Step 1: Authorized user creates a ServicePrincipal in the directory for the app and authorizes it to use the directory by associating it with a role (Read)
[Diagram, step 2: End User authenticates to Contoso.com Directory (User AuthN), receives token t1 and presents t1 to the Cloud Application]
Step 2: End user authenticates to the directory to get a token (t1) to call the cloud app
[Diagram, step 3: Cloud Application obtains token t2 from the directory (Delegated AuthN) and calls the Directory Graph with t2]
Step 3: Cloud app gets a token (t2), accesses the Directory Graph using that token, and uses the user's unique ID to find the profile in its local profile store
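Steps 2 and 3 above hand the cloud app a token and have it trust the user's unique ID inside it. The block below is an added example, not Microsoft's code or the demo's: it shows the checks an app runs before trusting that ID (signature, issuer, audience, validity window) and the profile lookup keyed on the directory ObjectId. Azure AD issues JWTs, as the protocol slide says, but everything else here is an assumption so the block runs offline: the HMAC-SHA256 signature stands in for the directory's asymmetric signature (a deployment verifies that with keys obtained from the directory, not a shared secret), and the claim names (iss, aud, exp, nbf, oid), issuer and audience strings and profile store are all made up.

```python
"""Added example, not Microsoft's code: token validation and profile lookup
for steps 2 and 3. HS256, the claim names, ISSUER, APP_AUDIENCE,
GRAPH_AUDIENCE and PROFILE_STORE are assumptions for an offline demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Any failed check: the caller must not use the token's claims."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError as exc:
        raise TokenError("undecodable segment") from exc


def _b64url_json(segment: str) -> dict:
    try:
        value = json.loads(_b64url_decode(segment))
    except ValueError as exc:  # UTF-8 and JSON errors
        raise TokenError("undecodable segment") from exc
    if not isinstance(value, dict):
        raise TokenError("segment is not a JSON object")
    return value


def issue_token(claims: dict, key: bytes) -> str:
    """Stand-in for the directory's token service (HS256 is an assumption)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> dict:
    """Signature first, then issuer, audience and validity window."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the token must never choose how it is verified.
    if _b64url_json(header_b64).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature check failed")
    claims = _b64url_json(payload_b64)
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    # Audience binding is what keeps t1 (minted for the cloud app) from being
    # replayed against the Directory Graph, and t2 from being replayed at the app.
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("token expired or has no exp")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


def token_is_valid(token, key, issuer, audience, now=None) -> bool:
    try:
        validate_token(token, key, issuer, audience, now)
        return True
    except TokenError:
        return False


# Constructed profile store keyed by directory ObjectId (the slide's "user
# unique ID"); UPN and mail can be renamed, the ObjectId cannot.
PROFILE_STORE = {"90ef7131-9d01-4177-b5c6-fa2eb873ef19":
                 {"display": "Ed Blanton", "expense_limit": 5000}}


def lookup_profile(claims: dict, store: dict = PROFILE_STORE) -> Optional[dict]:
    return store.get(claims.get("oid"))  # 'oid' is an assumed claim name


DIRECTORY_KEY = b"constructed-demo-key"               # stands in for the signing key
ISSUER = "https://directory.windows.net/contoso.com"  # assumed issuer value
APP_AUDIENCE = "https://expenses.example/"            # hypothetical cloud app
GRAPH_AUDIENCE = "https://directory.windows.net/"     # assumed Graph audience


def demo(now: float = 1340000000.0) -> tuple:
    """t1 accepted by the app and mapped to a profile; the same t1 presented
    where the Graph token t2 is expected is rejected on audience."""
    t1 = issue_token({"iss": ISSUER, "aud": APP_AUDIENCE, "nbf": now - 60,
                      "exp": now + 3600,
                      "oid": "90ef7131-9d01-4177-b5c6-fa2eb873ef19"}, DIRECTORY_KEY)
    profile = lookup_profile(validate_token(t1, DIRECTORY_KEY, ISSUER, APP_AUDIENCE, now))
    replayed = token_is_valid(t1, DIRECTORY_KEY, ISSUER, GRAPH_AUDIENCE, now)
    return profile, replayed


if __name__ == "__main__":
    print(demo())
```

The order of the checks is deliberate: the signature is verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the token header, and the audience check is what makes t1 and t2 in the diagram distinct tokens rather than interchangeable ones.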
Protocols to Connect with Azure AD
Protocol                   | Purpose                                                             | Details
REST/HTTP directory access | Create, read, update, delete directory objects and relationships    | Compatible with OData V3; authenticate with OAuth 2.0
OAuth 2.0                  | Service-to-service authentication; delegated access                 | JWT token format
OpenID Connect             | Web application authentication; rich client authentication          | Under investigation; JWT token format
SAML 2.0                   | Web application authentication                                      | SAML 2.0 token format
WS-Federation 1.3          | Web application authentication                                      | SAML 1.1, SAML 2.0 or JWT token format
Enterprise Scenarios
An enterprise extends AD to cloud to support cloud apps
Manage users, groups in AD; changes synchronized to Azure AD
On-premises applications use AD
Cloud applications use Azure AD
A small business uses Azure AD as primary identity system
No on-premises applications or AD
Use Azure AD to manage users, groups
Cloud applications use Azure AD
Developer Scenarios
A developer of an established cloud application enables sign up of customers who have Azure AD
Single sign on instead of separate username/password for app
Query Directory Graph for user information, provisioning
A developer of a new cloud application uses Azure AD as off-the-shelf identity system for their app
Use Azure AD as local account store
Enable sign up of customers using popular web IDs
Enable sign up of customers who have Azure AD
Azure Active Directory Developer Preview
Preview functionality
Directory Graph with admin level read access
Web SSO via WS-Federation, samples for .Net, Java, PHP
Not production SLA
Interfaces subject to change
Separate from production supported Access Control Service
Available soon
Watch this space: http://blogs.msdn.com/windowsazure
What is Windows Azure Active Directory?
Extension of Active Directory into the cloud
Designed primarily to meet the needs of cloud applications
Identity as a service: an essential part of Platform as a Service
Developer preview coming soon
[Diagram: Azure AD linked to on-premises AD and to several cloud apps]
Related Content
SIA322 Directory Graph API: Drill Down, Thursday, 4:30pm, S310E
Find Me Later Today in the TLC Security and Identity Area, 5:30-7:30pm
OSP321 AD Integration with MS Office 365, Tuesday, 10:15am, S330E
SIA321 What’s New in WIF in .Net 4.5, Wednesday, 8:30am, S230A
SIA205 Running AD on Windows Azure VM, Monday, 3:00pm, N320A
SIA, WSV, and VIR Track Resources
Talk to our Experts at the TLC
#TE(sessioncode)
DOWNLOAD Windows Server 2012 Release Candidate
microsoft.com/windowsserver
Hands-On Labs
DOWNLOAD Windows Azure
Windowsazure.com/teched
Resources
Connect. Share. Discuss.
http://northamerica.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
MS Tag
Scan the Tag to evaluate this session now on myTechEd Mobile
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.