PROGRAMMING WITH AZURE AD
JOONAS WESTLIN
STANDARD SPEAKER INTRO
• Joonas Westlin
• Azure Developer at Kompozure
• Azure MVP, MCSD, MCSE
• Active on Stack Overflow
o Currently #4 All-time for Azure AD
@JoonasWestlin joonasw.net
STANDARD AGENDA SLIDE
• Intro to Azure Active Directory
o How we can manage a directory
• Registering apps
o Important settings
• Authentication flows
o Different ways to authenticate users and get tokens to call secured APIs
• Demo, back-end Web app calling MS Graph API
AZURE ACTIVE DIRECTORY
• “Azure Active Directory (Azure AD) is a cloud identity service that allows developers to securely sign in users with a Microsoft work or school account.”
• The login system underneath Office 365 and Azure
• Global, multi-tenant, identity and access management service
• Single Sign-On for cloud services
• If you have ever signed in to O365 or Azure, you have used Azure AD
• Quite different from on-premises Windows Server AD
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-developers-guide
MANAGING AAD
• Can use portal.azure.com
• Find Azure Active Directory from the left or from under All services
• Pro-tip: Use https://aad.portal.azure.com
• PowerShell: https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
• AAD Graph Explorer: https://graphexplorer.azurewebsites.net/
AZURE AD “TENANTS”
• Tenant = One Azure AD “instance”
• Container for users, their passwords, groups etc.
• An organization typically has one tenant
• You already have one if you use Azure or Office 365
• You can create more tenants from the Azure Portal
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant
REGISTERING APPS
• Registering an app you are developing can be done from App registrations
• Name: display name for the app
• Sign-on URL: the URL given to users in https://myapps.microsoft.com
• Name and Sign-on URL can be changed later
• Application type: next slide
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications
APPLICATION TYPES
• The Portal options are a bit confusing
• Web app / API = App which can keep a secret
o Runs on device you control
o APIs, back-end Web apps, Azure Web Jobs
• Native = App which cannot keep a secret
o Runs on user’s device
o SPA, Mobile, any app installed on user’s device
• Correspond to publicClient property on Application
o Public client = Native
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#application-types-and-scenarios
APPLICATIONS & SERVICE PRINCIPALS
• An Application object is created when you register an app
• It then gets an identity in the directory in the form of a Service Principal
• Multi-tenant apps get a Service Principal in every directory they are integrated in
o Application stays in original tenant
• Enterprise Applications = Service Principals in portal
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects
SINGLE-TENANT VS MULTI-TENANT
• Set in application’s Properties
• A single-tenant app can only be used by one organization
o Line-of-business apps
• A multi-tenant app can be used by any organization
o SaaS apps
Overview for MT: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
MT sample: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-multitenant-openidconnect/
REPLY URLS
• Set of URLs to which Azure AD is allowed to redirect the user back after logging in
• The redirect can carry the user’s personal info in a token, which is why this list exists
APPLICATION KEYS
• Non-Native apps can have keys
• Either client secrets or public keys from key pairs
• Used by the app to authenticate itself
• NEVER PUT CLIENT SECRETS IN CODE THAT RUNS ON USER DEVICE
PERMISSIONS & GRANTING THEM
• An Application can require permission on APIs
• Two types
o Application: Org-wide access for the app
o Delegated: Access as a single user
• Required permissions must also be granted
o User can consent when logging in
o Grant Permissions grants for whole org
o One of the biggest causes for problems people have is permissions are not granted
https://joonasw.net/view/the-grant-requires-admin-permission
THE APP MANIFEST
• Found via the Manifest button
• JSON representation of the Application object
• Can edit in Portal
• Advanced scenarios
o Scopes for APIs and roles for users in apps
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-manifest
https://joonasw.net/view/defining-permissions-and-roles-in-aad
AUTHENTICATION FLOWS
• An app usually needs to do one or both of:
o Authenticate user
o Call Azure AD protected API(s)
• Various flows exist for this purpose for different scenarios and application types
• The examples I give here apply to OpenID Connect and OAuth
o Protocols commonly used by modern apps
• Libraries are available for major platforms that help with implementation
o ADAL (.NET, Java, JavaScript, iOS, macOS, Android, Node.JS, Python)
• Azure AD supports WS-Federation and SAML too
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios
TOKENS
• Tokens in OIDC and OAuth are JSON Web Tokens (JWTs)
• Id token contains info about a user
o Can be gotten after user signs in
• Access token is used by an app to call a protected API
o Can contain user info if acquired with user context
• When getting access token, the resource parameter specifies which API you want to use
o MS Graph API: https://graph.microsoft.com
o Your APIs: Properties -> App ID URI
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims
INSPECTING TOKENS
• JSON Web Tokens are base 64-encoded (use e.g. https://jwt.ms)
• Contain a set of claims
Access token acquired for MS Graph (aud is the Graph resource, scp lists the delegated permission):
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/",
  "iat": 1519065056,
  "nbf": 1519065056,
  "exp": 1519068956,
  "acr": "1",
  "aio": "Y2NgYGC+ti31U9grU6mW",
  "amr": [
    "pwd"
  ],
  "app_displayname": "AspNetCoreAadDemo",
  "appid": "6f934905-6567-44c4-a599-b780a555a98f",
  "appidacr": "1",
  "e_exp": 262800,
  "family_name": "Westlin",
  "given_name": "Joonas",
  "ipaddr": "XXX.XXX.XXX.XXX",
  "name": "Joonas Westlin",
  "oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19",
  "platf": "3",
  "puid": "1003000098",
  "scp": "User.Read",
  "sub": "xLaF0g0DPYcmtpPN1bt9xQ7NdBjNuF",
  "tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751",
  "unique_name": "joonas@joonasw.net",
  "upn": "joonas@joonasw.net",
  "uti": "w6-48cSPn0imual9sNkxAA",
  "ver": "1.0"
}
Id token from the same sign-in (aud is the app’s own client id; note the nonce that ties it to the sign-in request):
{
  "aud": "6f934905-6567-44c4-a599-b780a555a98f",
  "iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/",
  "iat": 1519065056,
  "nbf": 1519065056,
  "exp": 1519068956,
  "aio": "Y2NgYHjk9XOd1TGlgF1ZlZsVGc",
  "amr": [
    "pwd"
  ],
  "family_name": "Westlin",
  "given_name": "Joonas",
  "ipaddr": "XXX.XXX.XXX.XXX",
  "name": "Joonas Westlin",
  "nonce": "636546621256195592.OWV",
  "oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19",
  "sub": "mHgciVvkOrE6YD-LgHul4oGZuWV5owJ4",
  "tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751",
  "unique_name": "joonas@joonasw.net",
  "upn": "joonas@joonasw.net",
  "uti": "w6-48cSPn0imual9sNkxAA",
  "ver": "1.0"
}
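Decoding a token is only the first half of inspecting it; an API that accepts tokens must also check that the claims are the ones it expects before trusting anything in the payload. The example below is added here and is not code from the deck or its demo repo. It is plain Python using only the standard library: it base64url-decodes the header and payload, then checks aud (issued for this app or API), tid and iss (issued by the expected tenant), and the nbf/exp validity window with a small clock-skew allowance, and checks that a required delegated permission is present in scp. The sample payload reuses the claims of the id token shown above; the token built from it carries a placeholder signature segment and is constructed for the example. Signature verification against the tenant's signing keys (published via the tenant's OpenID Connect discovery document) is deliberately not shown here and must be done before the claim checks mean anything.

```python
import base64
import json
import time

# Constructed sample payload: the claims are those of the id token on the
# slide above. The token built from it has a placeholder signature segment,
# so it is NOT a signed token; it only exercises decoding and claim checks.
SAMPLE_PAYLOAD = {
    "aud": "6f934905-6567-44c4-a599-b780a555a98f",
    "iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/",
    "iat": 1519065056,
    "nbf": 1519065056,
    "exp": 1519068956,
    "nonce": "636546621256195592.OWV",
    "oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19",
    "tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751",
    "upn": "joonas@joonasw.net",
    "ver": "1.0",
}


def b64url_encode(data: bytes) -> str:
    # JWT segments use the URL-safe alphabet and drop the '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT encoding strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(payload: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature (constructed)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def decode_jwt(token: str):
    """Return (header, payload) dicts. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def validate_claims(payload, expected_aud, expected_tid, now=None, clock_skew=300):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if payload.get("aud") != expected_aud:
        problems.append("aud: token was issued for a different app or API")
    if payload.get("tid") != expected_tid:
        problems.append("tid: token comes from an unexpected tenant")
    # For v1 tokens the issuer is the sts.windows.net URL of the tenant.
    if payload.get("iss") != f"https://sts.windows.net/{expected_tid}/":
        problems.append("iss: issuer does not match the expected tenant")
    if payload.get("nbf", 0) - clock_skew > now:
        problems.append("nbf: token is not valid yet")
    if payload.get("exp", 0) + clock_skew <= now:
        problems.append("exp: token has expired")
    return problems


def has_scope(payload, required: str) -> bool:
    # scp is a space-separated list of delegated permissions the user consented to.
    return required in payload.get("scp", "").split()


if __name__ == "__main__":
    token = build_unsigned_token(SAMPLE_PAYLOAD)
    header, payload = decode_jwt(token)
    print(header["alg"], payload["upn"])
    print(validate_claims(payload, SAMPLE_PAYLOAD["aud"], SAMPLE_PAYLOAD["tid"], now=1519066000))
```

Running the check at a time inside the token's window returns no problems; passing the Graph URL as the expected audience, or a later timestamp, reports the aud or exp mismatch, which is exactly the kind of token an API should reject even though it decodes fine.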
AUTHORIZATION CODE FLOW
• Used mainly by back-end Web apps
• App redirects user to Azure AD login page
• After user logs in, your app gets back an authorization code
• The app back-end can exchange the code + its client id and secret for an Id token, access token, and a refresh token
o Refresh token used to get new access tokens
• So it requires a little OpenID Connect dance ☺
• App will use delegated permissions in this case
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
AUTHORIZATION CODE FLOW PT.1
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
Sequence between User + browser, App back-end, and /oauth2/authorize:
• User clicks Sign In (browser -> app back-end)
• App back-end replies with a 302 redirect to /oauth2/authorize carrying client id + reply URL
• Browser navigates to /oauth2/authorize with client id + reply URL
• User logs in
• Azure AD form POSTs the authorization code to the reply URL
AUTHORIZATION CODE FLOW PT.2
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
Sequence between User + browser, App back-end, and /oauth2/token:
• App back-end HTTP POSTs to /oauth2/token: authorization code, client id, client secret, resource
• /oauth2/token returns access token, refresh token, id token
• App back-end establishes a session and sets a session cookie in the user’s browser
IMPLICIT GRANT
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#single-page-application-spa
CLIENT CREDENTIALS
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
Sequence between App and /oauth2/token:
• App HTTP POSTs to /oauth2/token: client id, client secret, resource
• /oauth2/token returns access token
CLIENT CREDENTIALS
• Authentication for scripts, Azure Web Jobs etc.
• App sends client id and client secret to token endpoint
• Receives access token
• Application Permissions used
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
OTHERS
• Implicit
o Single Page Apps: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#single-page-application-spa
• Device code
o For text-only clients: https://joonasw.net/view/device-code-flow
• On-behalf-of
o Calling an API from another API as the user: https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core
• Resource Owner Password Credentials Grant
o Don’t. https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications
o There are use cases for it, but you should avoid it if possible
DEMO TIME
https://westl.in/aaddemo
https://westl.in/aadrepo
AZURE AD V2?
• New “converged” endpoint for authentication
• Some new capabilities
• Azure AD or personal MS accounts can be used
• MS Graph API allows calling with either for some endpoints (e.g. Mail and Calendar)
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview
V2: MAIN DIFFERENCES FROM V1
• New portal! https://apps.dev.microsoft.com/
o Login with MSA -> Apps created *somewhere*
o Login with AAD -> Apps created in user home tenant
• Personal MS accounts allowed
• Native + Web App + Web API under same application identity
• All apps are multi-tenant
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare
V2: SCOPES
• In v1, you would ask for a token with:
o resource=https://graph.microsoft.com
o Requires you to specify which permissions you need ahead of time
o User has to accept all of them
• Now you can ask for a token with:
o scope=https://graph.microsoft.com/User.Read
o This is actually standards-compliant now
V2: INCREMENTAL CONSENT
• Your app can, at any time, ask for another scope
• Don’t have to mention needed scopes at all when defining app
• Users can opt-in to features of the app
• No need to ask for consent for everything
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare#incremental-and-dynamic-consent
V2: MSAL
• With v1, you would use Azure AD Authentication Library (ADAL)
• Microsoft Authentication Library replaces ADAL in v2
• API is a bit different
• .NET, JS, and Android versions are in “production-ready preview”
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
SUMMARY
• Azure AD and identity in general are hard topics
• My suggestion: Practice, practice, and digging through examples
• Loads of sample apps on GitHub
• The apps that Visual Studio generates are pretty good samples too
• If you have trouble, ask on Stack Overflow ;)
SOME THINGS NOT COVERED
• Azure AD B2C: https://docs.microsoft.com/en-us/azure/active-directory-b2c/
• New v2 endpoint: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview
• IT Pro topics
o Multi-Factor Authentication: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication
o On-prem sync with AAD Connect: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect
• Pricing: https://azure.microsoft.com/en-us/pricing/details/active-directory/
o Spoiler: basic stuff can be done for free
LINKS
• Documentation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis
• Developer guide: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-developers-guide
• Samples: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples
• MS Graph API: https://developer.microsoft.com/en-us/graph/docs/concepts/overview
• My posts on AAD: https://joonasw.net/tag/azure-ad
@JoonasWestlin joonasw.net

ShulagnaSarkar2
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid
 
Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)
alowpalsadig
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
ervikas4
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
Bert Jan Schrijver
 

Recently uploaded (20)

WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
 
Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
 

Programming with Azure Active Directory

7. REGISTERING APPS
• Registering an app you are developing can be done from App registrations
• Name: display name for the app
• Sign-on URL: the URL given to users in https://myapps.microsoft.com
• Name and Sign-on URL can be changed later
• Application type: next slide
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications

8. APPLICATION TYPES
• The Portal options are a bit confusing
• Web app / API = App which can keep a secret
o Runs on a device you control
o APIs, back-end Web apps, Azure Web Jobs
• Native = App which cannot keep a secret
o Runs on the user’s device
o SPA, Mobile, any app installed on the user’s device
• Correspond to the publicClient property on the Application
o Public client = Native
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#application-types-and-scenarios

9. APPLICATIONS & SERVICE PRINCIPALS
• An Application object is created when you register an app
• It then gets an identity in the directory in the form of a Service Principal
• Multi-tenant apps get a Service Principal in every directory they are integrated in
o The Application stays in the original tenant
• Enterprise Applications = Service Principals in the portal
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects

10. SINGLE-TENANT VS MULTI-TENANT
• Set in the application’s Properties
• A single-tenant app can only be used by one organization
o Line-of-business apps
• A multi-tenant app can be used by any organization
o SaaS apps
Overview for MT: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
MT sample: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-multitenant-openidconnect/

11. REPLY URLS
• Set of URLs to which Azure AD can redirect the user back after logging in
• The redirect can carry the user’s personal info in a token, which is why only registered URLs are allowed

12. APPLICATION KEYS
• Non-Native apps can have keys
• Either client secrets or public keys from key pairs
• Used by the app to authenticate itself
• NEVER PUT CLIENT SECRETS IN CODE THAT RUNS ON A USER DEVICE

13. PERMISSIONS & GRANTING THEM
• An Application can require permissions on APIs
• Two types
o Application: org-wide access for the app
o Delegated: access as a single user
• Required permissions must also be granted
o A user can consent when logging in
o Grant Permissions grants for the whole org
o One of the biggest causes of problems people have is that permissions are not granted
https://joonasw.net/view/the-grant-requires-admin-permission

14. THE APP MANIFEST
• Found via the Manifest button
• JSON representation of the Application object
• Can be edited in the Portal
• Advanced scenarios
o Scopes for APIs and roles for users in apps
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-manifest
https://joonasw.net/view/defining-permissions-and-roles-in-aad

15. AUTHENTICATION FLOWS
• An app usually needs to do one or both of:
o Authenticate the user
o Call Azure AD protected API(s)
• Various flows exist for this purpose, for different scenarios and application types
• The examples I give here apply to OpenID Connect and OAuth
o Protocols commonly used by modern apps
• Libraries are available for major platforms that help with implementation
o ADAL (.NET, Java, JavaScript, iOS, macOS, Android, Node.JS, Python)
• Azure AD supports WS-Federation and SAML too
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios

16. TOKENS
• Tokens in OIDC and OAuth are JSON Web Tokens (JWTs)
• The Id token contains info about a user
o Can be obtained after the user signs in
• An access token is used by an app to call a protected API
o Can contain user info if acquired with user context
• When getting an access token, the resource parameter specifies which API you want to use
o MS Graph API: https://graph.microsoft.com
o Your APIs: Properties -> App ID URI
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

17. INSPECTING TOKENS
• JSON Web Tokens are base64-encoded (use e.g. https://jwt.ms)
• Contain a set of claims

Access token:
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/",
  "iat": 1519065056,
  "nbf": 1519065056,
  "exp": 1519068956,
  "acr": "1",
  "aio": "Y2NgYGC+ti31U9grU6mW",
  "amr": [ "pwd" ],
  "app_displayname": "AspNetCoreAadDemo",
  "appid": "6f934905-6567-44c4-a599-b780a555a98f",
  "appidacr": "1",
  "e_exp": 262800,
  "family_name": "Westlin",
  "given_name": "Joonas",
  "ipaddr": "XXX.XXX.XXX.XXX",
  "name": "Joonas Westlin",
  "oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19",
  "platf": "3",
  "puid": "1003000098",
  "scp": "User.Read",
  "sub": "xLaF0g0DPYcmtpPN1bt9xQ7NdBjNuF",
  "tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751",
  "unique_name": "joonas@joonasw.net",
  "upn": "joonas@joonasw.net",
  "uti": "w6-48cSPn0imual9sNkxAA",
  "ver": "1.0"
}

Id token:
{
  "aud": "6f934905-6567-44c4-a599-b780a555a98f",
  "iss": "https://sts.windows.net/c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751/",
  "iat": 1519065056,
  "nbf": 1519065056,
  "exp": 1519068956,
  "aio": "Y2NgYHjk9XOd1TGlgF1ZlZsVGc",
  "amr": [ "pwd" ],
  "family_name": "Westlin",
  "given_name": "Joonas",
  "ipaddr": "XXX.XXX.XXX.XXX",
  "name": "Joonas Westlin",
  "nonce": "636546621256195592.OWV",
  "oid": "73c38a25-23eb-44eb-bf63-4aa987b2ef19",
  "sub": "mHgciVvkOrE6YD-LgHul4oGZuWV5owJ4",
  "tid": "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751",
  "unique_name": "joonas@joonasw.net",
  "upn": "joonas@joonasw.net",
  "uti": "w6-48cSPn0imual9sNkxAA",
  "ver": "1.0"
}
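The claim checks a back-end app should run on an id token like the one above, as an added example (my own code, not from the talk, ADAL or the Azure AD docs). It assumes a single-tenant app; the tenant id, client id and nonce are copied from the slide's token, and verifying the RS256 signature against the tenant's published signing keys is assumed to happen before these checks.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Copied from the id token on the "Inspecting tokens" slide.
TENANT_ID = "c5e5d73b-e74c-48b3-a1ad-b0af0cf7f751"
CLIENT_ID = "6f934905-6567-44c4-a599-b780a555a98f"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into (header, claims). This only decodes; it verifies nothing."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_id_token(token: str, client_id: str, tenant_id: str, expected_nonce: str,
                   now: Optional[int] = None) -> List[str]:
    """Return the problems found in an Azure AD v1 id token; [] means the claims passed.

    Signature verification is left out of this snippet on purpose: a real app verifies the
    signature with the tenant's signing keys first and only then trusts any claim below.
    """
    now = int(time.time()) if now is None else now
    header, claims = decode_jwt(token)
    problems: List[str] = []
    if header.get("alg") != "RS256":
        # Never accept "none" or a symmetric alg from a provider that signs with RSA.
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if claims.get("aud") != client_id:
        problems.append("aud is not this app's client id")
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        problems.append("iss is not the expected tenant's issuer")
    if claims.get("tid") != tenant_id:
        problems.append("tid is not the expected tenant (single-tenant app)")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the one sent in the sign-in request")
    if now >= claims.get("exp", 0):
        problems.append("token has expired")
    if now < claims.get("nbf", 0):
        problems.append("token is not valid yet")
    return problems


def make_test_token(claims: Dict) -> str:
    """Build a compact JWT with a dummy signature, for offline exercise only (constructed)."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])


# Constructed claims shaped like the slide's id token (times and nonce copied from it).
SAMPLE_CLAIMS = {
    "aud": CLIENT_ID,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "iat": 1519065056, "nbf": 1519065056, "exp": 1519068956,
    "nonce": "636546621256195592.OWV",
    "tid": TENANT_ID,
    "upn": "user@example.com",
}

if __name__ == "__main__":
    tok = make_test_token(SAMPLE_CLAIMS)
    print(check_id_token(tok, CLIENT_ID, TENANT_ID, "636546621256195592.OWV", now=1519066000))
```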
18. AUTHORIZATION CODE FLOW
• Used mainly by back-end Web apps
• The app redirects the user to the Azure AD login page
• After the user logs in, your app gets back an authorization code
• The app back-end can exchange the code + its client id and secret for an Id token, access token, and a refresh token
o The refresh token is used to get new access tokens
• So it requires a little OpenID Connect dance ☺
• The app will use delegated permissions in this case
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code

19. AUTHORIZATION CODE FLOW PT.1
[Sequence diagram between User + browser, App back-end and /oauth2/authorize]
• User clicks Sign In
• App back-end answers with a 302 redirect carrying the client id + reply URL
• Browser navigates to /oauth2/authorize with the client id + reply URL
• Login form
• Form POST to the reply URL carrying the authorization code
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code

20. AUTHORIZATION CODE FLOW PT.2
[Sequence diagram between User + browser, App back-end and /oauth2/token]
• App back-end sends an HTTP POST to /oauth2/token with the authorization code, client id, client secret and resource
• Azure AD returns an access token, refresh token and id token
• App back-end establishes a session and hands the browser a session cookie
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code

23. CLIENT CREDENTIALS
• Authentication for scripts, Azure Web Jobs etc.
• The app sends its client id and client secret to the token endpoint
• Receives an access token
• Application Permissions are used
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
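The messages of slides 18 to 20 and 23 as a back-end would build them against the v1 endpoints, as an added example (my own helpers, not ADAL or code from the talk). It assumes the state and nonce are kept in the user's session between the redirect and the callback, and that the tenant, client id and reply URL are whatever the app registration holds.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Azure AD v1 authority from the slides; function names below are my own.
AUTHORITY = "https://login.microsoftonline.com"


def new_sign_in_state() -> dict:
    """Per-sign-in values the back-end stores in the session before redirecting.
    state ties the callback to this session; nonce is echoed back inside the id token."""
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}


def build_authorize_url(tenant: str, client_id: str, reply_url: str,
                        state: str, nonce: str,
                        resource: str = "https://graph.microsoft.com") -> str:
    """Slide 19: the 302 target for the browser. reply_url must be one of the
    registered Reply URLs (slide 11) or Azure AD will not redirect there."""
    params = {
        "client_id": client_id,
        "response_type": "code",       # authorization code flow
        "redirect_uri": reply_url,
        "response_mode": "form_post",  # code arrives as a form POST to the reply URL
        "state": state,
        "nonce": nonce,
        "resource": resource,          # v1: which API the access token is for
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def extract_code(form_fields: dict, expected_state: str) -> str:
    """Handle the form POST at the reply URL and return the authorization code."""
    if "error" in form_fields:
        raise ValueError(f"sign-in failed: {form_fields['error']}")
    # Constant-time comparison; a callback whose state is not ours is dropped.
    if not hmac.compare_digest(form_fields.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    return form_fields["code"]


def build_code_exchange(tenant: str, client_id: str, client_secret: str, code: str,
                        reply_url: str, resource: str) -> tuple:
    """Slide 20: the back-channel POST to /oauth2/token. The client secret appears only
    here and never leaves the back-end (slide 12)."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": reply_url,
        "resource": resource,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/token", body


def build_refresh(tenant, client_id, client_secret, refresh_token, resource) -> tuple:
    """Later: trade the refresh token for a new access token without user interaction."""
    body = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token,
            "resource": resource}
    return f"{AUTHORITY}/{tenant}/oauth2/token", body


def build_client_credentials(tenant, client_id, client_secret, resource) -> tuple:
    """Slide 23: no user involved; the app authenticates as itself and the token
    carries its Application permissions."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": resource}
    return f"{AUTHORITY}/{tenant}/oauth2/token", body
```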
24. OTHERS
• Implicit
o Single Page Apps: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#single-page-application-spa
• Device code
o For text-only clients: https://joonasw.net/view/device-code-flow
• On-behalf-of
o Calling an API from another API as the user: https://joonasw.net/view/azure-ad-on-behalf-of-aspnet-core
• Resource Owner Password Credentials Grant
o Don’t. https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications
o There are use cases for it, but you should avoid it if possible

26. AZURE AD V2?
• New ”converged” endpoint for authentication
• Some new capabilities
• Azure AD or personal MS accounts can be used
• MS Graph API allows calling with either for some endpoints (e.g. Mail and Calendar)
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview

27. V2: MAIN DIFFERENCES FROM V1
• New portal! https://apps.dev.microsoft.com/
o Login with MSA -> Apps created *somewhere*
o Login with AAD -> Apps created in the user’s home tenant
• Personal MS accounts allowed
• Native + Web App + Web API under the same application identity
• All apps are multi-tenant
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare

28. V2: SCOPES
• In v1, you would ask for a token with:
o resource=https://graph.microsoft.com
o Requires you to specify which permissions you need ahead of time
o The user has to accept all of them
• Now you can ask for a token with:
o scope=https://graph.microsoft.com/User.Read
o This is actually standards-compliant now

29. V2: INCREMENTAL CONSENT
• Your app can, at any time, ask for another scope
• You don’t have to mention the needed scopes at all when defining the app
• Users can opt in to features of the app
• No need to ask for consent for everything
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare#incremental-and-dynamic-consent

30. V2: MSAL
• With v1, you would use the Azure AD Authentication Library (ADAL)
• The Microsoft Authentication Library (MSAL) replaces ADAL in v2
• The API is a bit different
• .NET, JS, and Android versions are in ”production-ready preview”
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet

31. SUMMARY
• Azure AD and identity in general are hard topics
• My suggestion: practice, practice, and digging through examples
• Loads of sample apps on GitHub
• The apps that Visual Studio generates are pretty good samples too
• If you have trouble, ask on Stack Overflow ;)

32. SOME THINGS NOT COVERED
• Azure AD B2C: https://docs.microsoft.com/en-us/azure/active-directory-b2c/
• New v2 endpoint: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview
• IT Pro topics
o Multi-Factor Authentication: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication
o On-prem sync with AAD Connect: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect
• Pricing: https://azure.microsoft.com/en-us/pricing/details/active-directory/
o Spoiler: basic stuff can be done for free

33. LINKS
• Documentation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis
• Developer guide: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-developers-guide
• Samples: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples
• MS Graph API: https://developer.microsoft.com/en-us/graph/docs/concepts/overview
• My posts on AAD: https://joonasw.net/tag/azure-ad