A Lap Around Windows Azure Active Directory Stuart Kwan Lead Principal Program Manager Microsoft Corporation SIA209

Uploaded by sara-sharp, posted 03-Jan-2016


TRANSCRIPT

Page 1: A Lap Around Windows Azure Active Directory Stuart Kwan Lead Principal Program Manager Microsoft Corporation SIA209

A Lap Around Windows Azure Active Directory

Stuart Kwan
Lead Principal Program Manager
Microsoft Corporation

SIA209

Page 2

What is Windows Azure Active Directory?

Extension of Active Directory into the cloud

Designed primarily to meet the needs of cloud applications

Identity as a service: an essential part of Platform as a Service

[Diagram: Azure AD sits between on-premises AD and several cloud apps]

Page 3

Problem Statement

While enterprises are working to consolidate identity systems on-premises, cloud apps are fragmenting identity… again

[Diagram: on-premises AD alongside several cloud apps with no connection between them]

Separate username/password sign-in
Manual or semi-automated provisioning
No direct connection to directory

Page 4

History of Azure Active Directory

Active Directory revised to operate as an Internet-scale multi-tenant identity service, built concurrently with Office 365

Extends Windows Server Active Directory into the cloud

Provides cloud-based identity services for organizations without Windows Server AD

[Diagram: Azure AD connected to on-premises AD and to Exchange Online, SharePoint Online and Lync Online]

Page 5

Identity Management as a Service

Consolidate identity management across cloud apps

Connect to directory from any platform, any device

Connect with people from web identity providers and other organizations

[Diagram: Azure AD connected to on-premises AD, ISV apps, other Microsoft apps, your custom IT app and Office 365]

Page 6

Relationship to Windows Server AD

On-premises and cloud Active Directory managed as one

Directory information synchronized to cloud, made available to cloud apps via role-based access control

Federated authentication enables single sign-on to cloud applications

[Diagram: Azure AD and on-premises AD linked by sync and federation]

Page 7

How Does a Cloud App Connect to Directory?

[Diagram: Cloud Application and Contoso.com Directory, with the connection between them marked by question marks]

Page 8

Anatomy of a Typical Cloud Application

[Diagram: browser, mobile app and server app clients calling the Web Service API and Web Application]

Web application
Web service API
Account and profile store
Clients using wide variety of devices/languages/platforms
Server applications using wide variety of platforms/languages

Page 9

Azure Active Directory Design Principles

The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory

Maximize device & platform reach: HTTP/web/REST-based protocols
Multi-tenancy: customer owns directory, not Microsoft
Optimize for availability, consistent performance, and scale
Keep it simple

Page 10

Directory Graph API

RESTful programmatic access to directory
    Objects such as users, groups, roles, licenses
    Relationships such as member, memberOf, manager, directReport

Requests use standard HTTP methods
    POST, GET, PATCH, DELETE to create, read, update, and delete
    Response in XML or JSON; standard HTTP status codes
    Compatible with OData 3.0

OAuth 2.0 for authentication
Role-based assignment for application and user authorization

Page 11

Example Directory Graph Call

Request: https://directory.windows.net/contoso.com/Users('[email protected]')

Response:

    {
      "d": {
        "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/Manager" },
        "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/MemberOf" },
        "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
        "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
        "ObjectType": "User",
        "AccountEnabled": true,
        "DisplayName": "Ed Blanton",
        "GivenName": "Ed",
        "Surname": "Blanton",
        "UserPrincipalName": "[email protected]",
        "Mail": "[email protected]",
        "JobTitle": "Vice President",
        "Department": "Operations",
        "TelephoneNumber": "4258828080",
        "Mobile": "2069417891",
        "StreetAddress": "One Main Street",
        "PhysicalDeliveryOfficeName": "Building 2",
        "City": "Redmond",
        "State": "WA",
        "Country": "US",
        "PostalCode": "98007"
      }
    }

(Elements of response have been edited to fit on slide)
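The two slides above describe the Graph API (REST over HTTP, OAuth 2.0 bearer tokens, OData 3.0 JSON) and show one response. The following is an added example, written for this transcript and not code from the slides or from any Microsoft SDK, of the client-side handling a cloud app needs for that call: building the OData key URL safely, attaching the bearer token, unwrapping the OData "d" envelope, and refusing to follow Manager/MemberOf links that do not stay inside the tenant's own directory. The sample response is the slide's, with the slide's redacted UPN replaced by the constructed value ed@contoso.com; the function names are this example's own.

```python
import json
from urllib.parse import quote

GRAPH_BASE = "https://directory.windows.net"  # base shown in the slide's request

# Copied from the slide's response (fields trimmed); UPN/Mail are constructed values
# because the slide redacts them, and the truncated "User..." link keys are kept as shown.
SAMPLE_RESPONSE = """
{ "d": {
    "Manager":  { "uri": "https://directory.windows.net/contoso.com/Users('User...')/Manager" },
    "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/MemberOf" },
    "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectType": "User",
    "AccountEnabled": true,
    "DisplayName": "Ed Blanton",
    "UserPrincipalName": "ed@contoso.com",
    "Mail": "ed@contoso.com",
    "JobTitle": "Vice President",
    "Department": "Operations"
} }
"""


def user_url(tenant: str, upn: str) -> str:
    """Build the Graph URL for one user keyed by UPN.

    OData wraps string keys in single quotes; a literal quote inside the key is
    escaped by doubling it, and the whole key is then percent-encoded so that
    caller-supplied input cannot alter the path or query.
    """
    key = upn.replace("'", "''")
    return f"{GRAPH_BASE}/{tenant}/Users('{quote(key, safe='')}')"


def auth_headers(access_token: str) -> dict:
    """Headers for an OAuth 2.0 bearer call asking for the JSON representation."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def parse_user(body: str, tenant: str) -> dict:
    """Unwrap the OData v3 'd' envelope and extract what the app relies on.

    Raises ValueError if the body is not a single User or if a deferred
    navigation link points outside this tenant's directory.
    """
    doc = json.loads(body)
    d = doc.get("d")
    if not isinstance(d, dict) or d.get("ObjectType") != "User":
        raise ValueError("response is not a single User entity")
    tenant_prefix = f"{GRAPH_BASE}/{tenant}/"
    links = {}
    for name in ("Manager", "MemberOf"):
        uri = (d.get(name) or {}).get("uri")
        if uri is None:
            continue
        # Only follow links the app would dereference with its bearer token if
        # they stay under the tenant it asked about.
        if not uri.startswith(tenant_prefix):
            raise ValueError(f"{name} link leaves the tenant directory: {uri}")
        links[name] = uri
    return {
        "object_id": d["ObjectId"],                 # stable key, unlike UPN or mail
        "upn": d["UserPrincipalName"],
        "enabled": bool(d.get("AccountEnabled", False)),
        "display_name": d.get("DisplayName"),
        "links": links,
    }


def safe_parse(body: str, tenant: str):
    """parse_user that returns None instead of raising, for quick checks."""
    try:
        return parse_user(body, tenant)
    except (ValueError, KeyError):
        return None


if __name__ == "__main__":
    print(user_url("contoso.com", "ed@contoso.com"))
    print(json.dumps(parse_user(SAMPLE_RESPONSE, "contoso.com"), indent=2))
```

The ObjectId is the value worth persisting on the app side: it is the directory's stable identifier for the user, whereas UPN and mail can be renamed or reassigned, which is why the slides' profile-store lookup is keyed by the user's unique ID.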

Page 12

Demo

Sample Expense Reporting Application in the Cloud

Page 13

[Diagram: Cloud Application with its Profile Store; Contoso.com Directory holding a ServicePrincipal associated with Role (Read); Authorized User; End User]

Authorized user creates principal in directory for app, authorizes it to use directory by associating with role

Page 14

[Diagram: End User performs User AuthN against the Contoso.com Directory, receives token t1 and presents t1 to the Cloud Application]

End user authenticates to directory to get token (t1) to call cloud app

Page 15

[Diagram: Cloud Application performs Delegated AuthN against the Contoso.com Directory, receives token t2 and calls the Directory Graph; the ServicePrincipal holds Role (Read); the Profile Store sits beside the app]

Cloud app gets token (t2)
Accesses Directory Graph using token
Uses user unique ID to find profile in local profile store
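Pages 14 and 15 together describe what the cloud app does with token t1: it must verify the token before trusting any claim in it, then map the user's unique ID to its own profile store. The following is an added example for this transcript, not code from the slides or from Microsoft, of those two steps for a JWT (the token format page 16 lists for OAuth 2.0). Everything in it is constructed: the directory is stood in for by mint_token signing with a shared HMAC key (HS256) so the block runs offline, whereas a real directory signs with its own asymmetric key and the app verifies with the published public key; the issuer and audience strings, the use of an "oid" claim to carry the user's object ID, and the profile-store shape are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the offline demo (none of these come from the slides).
DEMO_KEY = b"constructed-demo-signing-key"              # stands in for the directory's signing key
DIRECTORY_ISSUER = "https://directory.example.test/contoso.com/"
APP_AUDIENCE = "https://expenses.example.test/"         # the expense app's own identifier


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Stand-in for the directory issuing t1 as an HS256-signed JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Checks the cloud app makes on t1 before using any claim from it.

    Returns the verified claims; raises ValueError on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: the app decides how tokens are verified, never the token itself.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("token not issued by the expected directory")
    if claims.get("aud") != audience:
        raise ValueError("token was issued for a different application")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or carries no exp")
    return claims


def rejects(token: str, key: bytes = DEMO_KEY, now=None) -> bool:
    """True if validate_token refuses the token under the demo issuer/audience."""
    try:
        validate_token(token, key, DIRECTORY_ISSUER, APP_AUDIENCE, now=now)
        return False
    except ValueError:
        return True


def resolve_profile(claims: dict, store: dict) -> dict:
    """Map a verified token to the app's local profile (page 15, last step).

    The store is keyed by the directory object ID (assumed here to arrive in
    the "oid" claim), not by UPN or mail, which can be renamed or reassigned.
    """
    oid = claims.get("oid")
    if not oid:
        raise ValueError("token carries no directory object id")
    profile = store.get(oid)
    if profile is None:
        # First sign-in: provision the local record from the token (just-in-time).
        profile = {"object_id": oid, "upn": claims.get("upn"), "expense_limit": 0}
        store[oid] = profile
    return profile


if __name__ == "__main__":
    t1 = mint_token({"iss": DIRECTORY_ISSUER, "aud": APP_AUDIENCE, "exp": time.time() + 600,
                     "oid": "90ef7131-9d01-4177-b5c6-fa2eb873ef19", "upn": "ed@contoso.com"}, DEMO_KEY)
    print(resolve_profile(validate_token(t1, DEMO_KEY, DIRECTORY_ISSUER, APP_AUDIENCE), {}))
```

The order of checks matters: signature first, so that nothing in the payload is read before it is known to come from the directory; then issuer, audience and expiry, so that a token minted for another app or another tenant is refused even though it is genuinely signed.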

Page 16

Protocols to Connect with Azure AD

REST/HTTP directory access
    Purpose: Create, Read, Update, Delete directory objects and relationships
    Details: Compatible with OData V3; Authenticate with OAuth 2.0

OAuth 2.0
    Purpose: Service to service authentication; Delegated access
    Details: JWT token format

OpenID Connect
    Purpose: Web application authentication; Rich client authentication
    Details: Under investigation; JWT token format

SAML 2.0
    Purpose: Web application authentication
    Details: SAML 2.0 token format

WS-Federation 1.3
    Purpose: Web application authentication
    Details: SAML 1.1 token format; SAML 2.0 token format; JWT token format

Page 17

Enterprise Scenarios

An enterprise extends AD to cloud to support cloud apps
    Manage users, groups in AD, changes synchronized to Azure AD
    On-premises applications use AD
    Cloud applications use Azure AD

A small business uses Azure AD as primary identity system
    No on-premises applications or AD
    Use Azure AD to manage users, groups
    Cloud applications use Azure AD

Page 18

Developer Scenarios

A developer of an established cloud application enables sign up of customers who have Azure AD
    Single sign on instead of separate username/password for app
    Query Directory Graph for user information, provisioning

A developer of a new cloud application uses Azure AD as off-the-shelf identity system for their app
    Use Azure AD as local account store
    Enable sign up of customers using popular web IDs
    Enable sign up of customers who have Azure AD

Page 19

Azure Active Directory Developer Preview

Preview functionality
    Directory Graph with admin level read access
    Web SSO via WS-Federation, samples for .Net, Java, PHP

Not a production SLA
    Interfaces subject to change
    Separate from production supported Access Control Service

Available soon
    Watch this space: http://blogs.msdn.com/windowsazure

Page 20

What is Windows Azure Active Directory?

Extension of Active Directory into the cloud

Designed primarily to meet the needs of cloud applications

Identity as a service: an essential part of Platform as a Service

Developer preview coming soon

[Diagram: Azure AD sits between on-premises AD and several cloud apps]

Page 21

Related Content

SIA322 Directory Graph API: Drill Down, Thursday, 4:30pm, S310E

Find Me Later Today in the TLC Security and Identity Area, 5:30-7:30pm

OSP321 AD Integration with MS Office 365, Tuesday, 10:15am, S330E

SIA321 What’s New in WIF in .Net 4.5, Wednesday, 8:30am, S230A

SIA205 Running AD on Windows Azure VM, Monday, 3:00pm, N320A

Page 22

SIA, WSV, and VIR Track Resources

Talk to our Experts at the TLC
#TE(sessioncode)

DOWNLOAD Windows Server 2012 Release Candidate
microsoft.com/windowsserver

Hands-On Labs

DOWNLOAD Windows Azure
Windowsazure.com/teched

Page 23

Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Page 24

Complete an evaluation on CommNet and enter to win!

Page 25

MS Tag

Scan the Tag to evaluate this session now on myTechEd Mobile

Page 26

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
