This document provides an introduction to creating and configuring Azure web applications. It discusses the model for single-tenant and multi-tenant applications. It covers security concepts like authentication, authorization, and permissions. It also demonstrates creating a sample application and configuring it for multi-tenancy. The document concludes with an overview of deploying applications and necessary considerations for resources, configuration, and distribution.
6. ACHTUNG!
Diese Sitzung entspricht nicht der DSGVO.
Bitte verlassen Sie jetzt, wenn Sie nicht
bemerkt werden möchten. Wir
versprechen zu vergessen, dass du jemals
hier warst.
11. Scope
• Single-tenant
• Bound to single AD domain
• Cannot be accessed by other
domains
• Simplified authorization model
• Multi-tenant
• Owned by single authorizing
domain
• Accessible by any Azure AD
domain
• Authorized by Azure admin for
individual domains
• App owner must manage tenant
registration
14. Authentication
• Authenticate via Azure sign-in page
• Developers cannot modify login experience
• User interface is suboptimal
• Single sign-on with O365 and other Azure resources
• Access to resources requires permission definition
• OAuth tokens for O365 and other resources
• POST to app with user/tenant details
• Context
• Explicit per endpoint
• App launcher in O365
• Users notified of app availability in alerts
15. Authorization Flows
Authorization
Exchange
authorization codes
for access tokens
Refresh tokens enable
long-lived sessions
Designed for native
clients and server-
side API’s
Client
Credential
Requires app
authorization consent
from administrator
Shared secrets or
certificates used to
request tokens
Designed for service
apps and server-to-
server scenarios
Implicit
Retrieve access
tokens directly from
single endpoint
No refresh tokens
(local session
management only)
Designed for SPA's
(requires manifest
modification)
17. Token Management
• Use authorization/request tokens to obtain short-lived
access tokens
• Include access tokens in resource calls
• Store refresh tokens to obtain new access tokens upon
expiration
• Track tokens by tenant (multi-tenant), app or user
• Force token expiration to prompt authentication
• Utilize client secret only in confidential client apps
18. Token Configuration
Property Policy String Affects Default Minimum Maximum
Access Token Lifetime AccessTokenLifetime Access tokens, ID
tokens, SAML 2
tokens
1 hour 10 minutes 1 day
Refresh Token Max
Inactive Time
MaxInactiveTime Refresh tokens 90 days 10 minutes 90 days
Single-Factor Refresh
Token Max Age
MaxAgeSingleFactor Refresh tokens (for
any users)
Until revoked 10 minutes Until revoked
Multi-Factor Refresh
Token Max Age
MaxAgeMultiFactor Refresh tokens (for
any users)
Until revoked 10 minutes Until revoked
Single-Factor Session
Token Max Age
MaxAgeSessionSingle
Factor
Session tokens
(persistent and non-
persistent)
Until revoked 10 minutes Until revoked
Multi-Factor Session
Token Max Age
MaxAgeSessionMultiF
actor
Session tokens
(persistent and non-
persistent)
Until revoked 10 minutes Until revoked
Reference: http://bit.ly/2IUuJNo
19. Permissions
• Types
• Application
• Delegated
• Administrative Level
• Minimum: “Sign in and read user profile”
• Beware permission level restrictions
• Resources
• Exchange Yammer AzureAD
• SharePointOnline Power BIAzure Management
• O365 Management Skype
23. Configuration
• Name
• Sign-On URL
• Logo
• Multi-tenant
• Client ID
• User Assignment
• Keys
• App ID URI
• Reply URL
• Permissions
MANIFEST
24. Multi-Tenant Requirements
• Visual Studio templates are incomplete
• What you need to make multi-tenant work:
• Database
• Tenants, IssuingAuthorityKeys, SignupTokens
• Registration Module
• XML Response Parser
• Tenant and User Information
• AuthTokens
• Federation, Realm and Identity Configuration
• HTTPS Redirection
• Sign-In Page (optional)