look into azure active directory

idea. plan. deliver.


Enrique LimaPrincipal Consultant

Windows Azure Active Directory



Enrique LimaPrincipal Consultant

Windows Azure Active DirectoryMicrosoft

Bi Do, WAAD to MAAD??!!??


•Enrique Lima• [email protected]• Principal Consultant / Owner• Microsoft v-TSP BPIO / CoreIO / APPIO• Microsoft Community Contributor• Member of the Geekswithblogs.net Community - Influencer

▫ http://geekswithblogs.net/enriquelima• @enriquelima - twitter.com/enriquelima• Member of INETA

Who am I?

mailto:[email protected]



IdentityIntegrate with enterprise identityEnable single sign-on within your appsEnterprise Graph REST API93% of Fortune 1000 use Active Directory



What’s a TOKEN? I want Cookie!!!!!


Public

Commontechnologies Identity ▪ Virtualization ▪ Management ▪ Development

Private

Broad & deep array of solutions enables customers to use cloud in their own way, at their own pace

Microsoft approach: hybrid cloud



What if we could?

RESPONDING to the needs for interoperability, social networking, flexibility, and simplicity

REINVENTED for the cloud with modern protocols

PROVIDE the enterprise capabilities of Active Directory



Windows Azure Active Directory is a modern cloud service providing identity management and access control capabilities to cloud applications.



Identity Solution: Cloud Single Sign-on with Access Control

Windows Live ID

On-PremisesActive Directory

ADFS 2.0

Third Party Apps

Windows AzureActive Directory

Microsoft Apps

Your Apps



Active Directory in IaaS• Through Virtual Networking connectivity, on-premises

Active Directory allows domain join and single sign-on for applications in Azure

• Windows Server Active Directory can now be hosted in a Virtual Machine in Windows Azure to support SharePoint or SQL Server and for performance and redundancy

On-premise subnets

DC DNS

Active Directory

Persistent VM Role

DC DNS

Active Directory

Persistent VM Role

Persistent VM Role

SQL

SharePoint



Windows Azure Active Directory

Windows Azure Authentication

LibraryDeveloper library to make

authentication in Azure apps easy

Windows Azure AD Graph

Developer Restful API for the cloud directory

Windows Azure ADAccess Control

Centralized authentication and authorization hub

Windows Azure ADDirectory

Cloud-based identity store / provider


What is it?• Claims-based, • Federated authorization

management service

What does it do?• Simplify user access authorization

across organizations and ID providers

• Perform claims transformation to map identities with access levels

Use for …• Secure Service Bus

communications• Secure web services• Secure web applications

Access Control


Identity Challenges

UserDoesn’t want to use different identity for every app

DeveloperDoesn’t want to write code to support multiple identity providers

AdministratorWants to easily grant access to apps to Active Directory identities

Active Directory

Cloud App

Identity Challenges


Identity Solution: Cloud Single Sign-on with Access Control

UserCan use his preferred Identity Provider

DeveloperWrites one set of code to accommodate multiple Identity Providers

AdministratorGrants access to all AD users by establishing trust between AD and ACS

Access Control Active

Directory

ADFS 2.0

Identity Solution: Cloud Single Sign-on With Access Control


What is it?• A multi-tenant cloud directory

What does it do?• Stores identities, group and role

information that can be used for authentication and authorization

Use for …• Control access to Microsoft online

services such as Office 365, Dynamics CRM Online and Windows Intune, as well as Windows Azure applications for a true single sign-on experience

Directory



Directory• Cloud authentication, authorization multi-tenant directory for

Microsoft and 3rd party cloud services

• “Organization-owned” identity provider

• Easily federates and synchronizes with on-premises AD

• Central “hub” to provision/de-provision/manage users and their computers/devices

• Support for multi-factor authentication

SAML


What is it?• An enterprise social graph service

What does it do?• Provides a way for applications to

query the Directory and other sources for identity information and relationships, to provide a richer experience for users

Use for …• Build social enterprise apps

Graph


What is it?• A developer library

What does it do?• Provides a way for developers to

easily take advantage of Windows Azure AD from their rich client applications and services

Use for …• Add authentication capabilities

to your rich client applications• Authenticate incoming calls to

your services

Azure Authentication Library


Single sign-on across all your cloud applications

ScenariosWindows Azure Active Directory enables:

Build social enterprise apps in the cloud

Build Secure Applications that integrate with multiple web identity providers


For ISVs and organizations of all sizes

Enterprises

CSVs

• Centralized policy and access control• Single sign-on for users to Microsoft and 3rd

party applications running in the cloud• Easy administration – sync and federate to on-

prem AD• Deliver SaaS solutions in Azure with single-

sign-on from users in Windows Azure AD (Office 365)

• Write applications using a new enterprise social graph

Small Business• Provide access control with no on-prem identity

infrastructure required• Easy to use with little IT skills required



How it works

ACCESS CONTROL

HARVESTED ICE

WEASEL TOWN

1 Define access control rules

0 Establish trust via key exchange

2Request token(pass input claims)

4 Return token (receive output claims)

5 Send messagewith token

3 Map input claims to output claims based on access control rules

6 Process

token

How it WorksArendelle



Let it go, let it goCan't hold back anymoreLet it go, let it goTurn away and slam the door

I don't care what they're going to sayLet the storm rage onThe CLOUD never bothered me anyway


•Enrique Lima• [email protected]• Principal Consultant / Owner• Microsoft v-TSP BPIO / CoreIO / APPIO• Microsoft Community Contributor• Member of the Geekswithblogs.net Community - Influencer

▫ http://geekswithblogs.net/enriquelima• @enriquelima - twitter.com/enriquelima• Member of INETA

Who am I?

mailto:[email protected]


•Content from Windows Azure Training Kit

Acknowledgements

look into azure active directory

Technology