Using Windows Azure for Solving
Identity Management Challenges
Michael S. Collier
Michael S. Collier
• Principal Cloud Architect, Aditi
• michaelc@aditi.com
• @MichaelCollier
• www.MichaelSCollier.com
Platinum Sponsors
Gold Sponsors
What We’re Talking About
• Identity - Current State and in The Cloud
• Windows Azure solutions
• Mobile Services
• Access Control Service (ACS)
• Windows Azure Active Directory
Who Are You?
• Personalization
• Business Rules
• Functionality / Features
Traditional Identity Management
• IT Pro – controls the known world
• Developers – blissfully ignorant?
(Diagram labels: My Enterprise; LOB App; AD; SQL)
Cloud . . . A New Challenge
• Move the application & data
• Islands of identity
• Outside of “traditional” IT world
• External users / partners
• BYOD
• Developers ignorant no more
• Developers + IT Pros
Windows Azure Options
(Diagram labels: Mobile Services; Active Directory; Access Control Service (ACS); Server Active Directory; AD w/ DirSync)
Mobile Services
• Goal – easily build cloud-powered mobile apps
• Built-in support for multiple social identity providers
using System;
using Microsoft.WindowsAzure.MobileServices;   // MobileServiceUser, MobileServiceAuthenticationProvider
using Windows.UI.Popups;                        // MessageDialog, UICommand

// Windows Store app: sign the user in with Twitter through Mobile Services.
// The loop keeps prompting until LoginAsync succeeds; LoginAsync throws
// InvalidOperationException when the user cancels the provider's login page.
private MobileServiceUser user;

private async System.Threading.Tasks.Task Authenticate()
{
    while (user == null)
    {
        string message;
        try
        {
            user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter);
            message = string.Format("You are now logged in - {0}", user.UserId);
            CurrentUser.Text = "Welcome, " + App.MobileService.CurrentUser.UserId;
        }
        catch (InvalidOperationException)
        {
            message = "You must log in. Login Required";
        }
        var dialog = new MessageDialog(message);
        dialog.Commands.Add(new UICommand("OK"));
        await dialog.ShowAsync();
    }
}
Provider options shown: Facebook, Google, MicrosoftAccount, Twitter
Mobile Services
Authentication
• Microsoft Account, Facebook, Twitter, and Google
• OAuth
• Does not use Windows Azure ACS
Authentication
• Microsoft Account – Use the Live SDK
• Tight integration with Windows Live services
More Mobile Services?
• Programming Windows Azure Mobile Services
• Jason Farrell
• Wednesday at 10:30am
• Portia
Access Control Service (ACS)
• Federated identity/authentication service
• Google, Microsoft Account, Yahoo!, ADFS v2
• Bring your own membership
• Claims-based authorization
• Browser based (302 redirect)
• Focus on your app
DEMO TIME!!!
Access Control Service (ACS)
ACS Tips
• Enrich claims w/ a ClaimsAuthenticationManager
• Update WIF settings in web.config in OnStart()
• Web Farm Ready Cookies
• Web Sites and Cloud Services
• DPAPI not supported in Windows Azure
• Provide sign-out link for identity providers
• Azure co-admin can’t admin ACS namespace
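The ACS slide says authorization is claims-based, and the tips slide says to enrich the incoming claims with a ClaimsAuthenticationManager. The following is an added example, not code from the slides or from the ACS/WIF product, of what that enrichment looks like in .NET 4.5 WIF: the user is keyed on the (identity provider, NameIdentifier) pair that ACS emits, any role claims that arrived in the token are discarded, and the application's own roles are added. The in-memory RoleStore and its keys are constructed stand-ins for a real membership store ("bring your own membership"); the ACS identityprovider claim type and the standard ClaimTypes are real.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

namespace AcsDemo
{
    // Runs inside the WIF pipeline after ACS has returned a token and before
    // the ClaimsPrincipal reaches the application.
    public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Claim ACS adds to every token naming the identity provider that signed the user in.
        private const string IdentityProviderClaim =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // Constructed stand-in for the application's own membership store:
        // "<identity provider>|<NameIdentifier>" -> application roles. Values are samples.
        private static readonly Dictionary<string, string[]> RoleStore =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
            {
                { "Google|sample-google-subject-id", new[] { "Reader" } },
                { "uri:WindowsLiveID|sample-live-id", new[] { "Reader", "Approver" } },
            };

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            var identity = incomingPrincipal.Identity as ClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
            {
                return incomingPrincipal; // anonymous request: nothing to enrich
            }

            // Key on (identity provider, NameIdentifier). E-mail and display name are whatever
            // the provider chose to send and are not unique across providers.
            Claim idp = identity.FindFirst(IdentityProviderClaim);
            Claim nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
            if (idp == null || nameId == null)
            {
                throw new SecurityTokenException("Token lacks the identity provider or name identifier claim.");
            }

            // Roles are this application's decision: drop any role claims that came in the token.
            foreach (Claim stale in identity.FindAll(ClaimTypes.Role).ToList())
            {
                identity.RemoveClaim(stale);
            }

            string[] roles;
            if (RoleStore.TryGetValue(idp.Value + "|" + nameId.Value, out roles))
            {
                foreach (string role in roles)
                {
                    // Issuer "LOCAL AUTHORITY" marks the claim as minted here, not by ACS or the IdP.
                    identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LOCAL AUTHORITY"));
                }
            }

            return incomingPrincipal;
        }
    }
}
```

The class is wired in through web.config under system.identityModel/identityConfiguration with a claimsAuthenticationManager element whose type attribute names "AcsDemo.EnrichingClaimsAuthenticationManager, AcsDemo" (assembly name assumed); WIF creates it with the parameterless constructor, which is why the store is static here rather than injected. Once registered, the roles it adds are what [Authorize(Roles = "...")] and ClaimsPrincipal.IsInRole evaluate, so a provider cannot grant itself application roles by putting role claims in its token.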
Windows Azure Active Directory
• Internet scale, multi-tenant directory service
• Directory store for Office 365
• Extend Windows Server AD to the cloud
• Directory & identity services w/o need for Windows Server AD
(Diagram labels: Active Directory; O365 Account Portal; Intune Account Portal; Windows Azure Mgmt Portal; Azure AD PowerShell cmdlets)
Windows Azure Active Directory
• Multi-tenant “directory-as-a-service”
• NOT a cloud version of Windows Server AD
Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx
Windows Azure Active Directory
(Diagram labels: Integration / Management Endpoints: Windows Azure Management Portal, REST API, SAML-P, OAuth, WS-Federation)
• What’s in the directory?
• Everything is an object
• Types: User, Group, Role, Application, Device, etc.
WAAD Graph Response
<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://graph.windows.net/collierdemo.onmicrosoft.com/" xmlns="http://www.w3.org/2005/Atom"
      xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
      xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
  <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id>
  <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title>
  <updated>2013-03-21T00:58:34Z</updated>
  <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" />
  <entry>
    <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id>
    <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" />
    <m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense"
              target="https://graph.windows.net/collierdemo.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" />
    <content type="application/xml">
      <m:properties>
        <d:objectType>User</d:objectType>
        <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId>
        <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled>
        <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" />
        <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" />
        <d:city m:null="true" />
        <d:displayName>Michael Collier</d:displayName>
        <d:givenName>Michael</d:givenName>
        <d:mailNickname>michael</d:mailNickname>
        <d:mobile>+1 6142883146</d:mobile>
        <d:otherMails m:type="Collection(Edm.String)">
          <d:element>michaelscollier@gmail.com</d:element>
        </d:otherMails>
        <d:userPrincipalName>michael@collierdemo.onmicrosoft.com</d:userPrincipalName>
      </m:properties>
    </content>
  </entry>
</feed>
* Some elements removed for readability.
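The Graph response above is an Atom/OData feed: user properties live under m:properties, nullable properties are flagged with m:null="true" rather than omitted, collections are d:element children, and related objects (manager, memberOf, ...) are link elements whose href is relative to the feed's xml:base. The following is an added example, not code from the slides or from Microsoft's Graph SDK, of parsing that shape with System.Xml.Linq. The embedded feed is a constructed, trimmed copy of the response on the slides (different tenant and objectId) with the account disabled and the city null so that both edge cases are exercised.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

namespace GraphDemo
{
    public class GraphUser
    {
        public string ObjectId;          // stable key: survives renames, unlike UPN or displayName
        public string UserPrincipalName;
        public string DisplayName;
        public string City;              // null when the feed marks the property m:null="true"
        public bool AccountEnabled;
        public List<string> OtherMails = new List<string>();
        public Dictionary<string, string> Related = new Dictionary<string, string>(); // manager, memberOf, ...
    }

    public static class GraphFeedParser
    {
        static readonly XNamespace Atom = "http://www.w3.org/2005/Atom";
        static readonly XNamespace D = "http://schemas.microsoft.com/ado/2007/08/dataservices";
        static readonly XNamespace M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata";
        const string RelatedPrefix = "http://schemas.microsoft.com/ado/2007/08/dataservices/related/";

        // Text of a d:property, or null when it is absent or carries m:null="true".
        static string Prop(XElement props, string name)
        {
            XElement el = props.Element(D + name);
            if (el == null) return null;
            XAttribute isNull = el.Attribute(M + "null");
            return isNull != null && isNull.Value == "true" ? null : el.Value;
        }

        public static List<GraphUser> Parse(string atomXml)
        {
            var users = new List<GraphUser>();
            foreach (XElement entry in XDocument.Parse(atomXml).Root.Elements(Atom + "entry"))
            {
                XElement props = entry.Element(Atom + "content").Element(M + "properties");
                var user = new GraphUser
                {
                    ObjectId = Prop(props, "objectId"),
                    UserPrincipalName = Prop(props, "userPrincipalName"),
                    DisplayName = Prop(props, "displayName"),
                    City = Prop(props, "city"),
                    // Edm.Boolean is serialised as "true"/"false"; anything else counts as disabled.
                    AccountEnabled = Prop(props, "accountEnabled") == "true",
                };
                XElement mails = props.Element(D + "otherMails");
                if (mails != null)
                    user.OtherMails.AddRange(mails.Elements(D + "element").Select(e => e.Value));
                foreach (XElement link in entry.Elements(Atom + "link"))   // navigation links, relative to xml:base
                {
                    string rel = (string)link.Attribute("rel");
                    if (rel != null && rel.StartsWith(RelatedPrefix, StringComparison.Ordinal))
                        user.Related[rel.Substring(RelatedPrefix.Length)] = (string)link.Attribute("href");
                }
                users.Add(user);
            }
            return users;
        }
    }

    public static class Program
    {
        // Constructed sample feed; the tenant, objectId and addresses are placeholders.
        const string Sample = @"<?xml version=""1.0"" encoding=""utf-8""?>
<feed xml:base=""https://graph.windows.net/contoso.onmicrosoft.com/"" xmlns=""http://www.w3.org/2005/Atom""
      xmlns:d=""http://schemas.microsoft.com/ado/2007/08/dataservices""
      xmlns:m=""http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"">
  <entry>
    <link rel=""http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf"" title=""memberOf""
          href=""directoryObjects/00000000-0000-0000-0000-000000000001/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf"" />
    <content type=""application/xml"">
      <m:properties>
        <d:objectId>00000000-0000-0000-0000-000000000001</d:objectId>
        <d:accountEnabled m:type=""Edm.Boolean"">false</d:accountEnabled>
        <d:city m:null=""true"" />
        <d:displayName>Sample User</d:displayName>
        <d:otherMails m:type=""Collection(Edm.String)""><d:element>sample@example.com</d:element></d:otherMails>
        <d:userPrincipalName>sample@contoso.onmicrosoft.com</d:userPrincipalName>
      </m:properties>
    </content>
  </entry>
</feed>";

        public static void Main()
        {
            foreach (GraphUser u in GraphFeedParser.Parse(Sample))
            {
                // Check accountEnabled on every lookup: an app that keys on UPN alone and never
                // reads this flag keeps serving users the directory has already disabled.
                Console.WriteLine("{0} ({1}) enabled={2} city={3} memberOf={4}",
                    u.DisplayName, u.ObjectId, u.AccountEnabled, u.City ?? "<null>",
                    u.Related.ContainsKey("memberOf") ? u.Related["memberOf"] : "<none>");
            }
        }
    }
}
```

In a real client the XML comes from an HTTPS GET against graph.windows.net carrying a bearer token obtained through ADAL (the library named on the next slide); the parser itself does not change. Keying application records on objectId rather than userPrincipalName is the design choice worth copying: the UPN changes on rename or domain move, the objectId does not.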
Graph API Helpers
• REST interface for WAAD
• Graph Explorer: https://graphexplorer.cloudapp.net/
• AAD Helper: http://code.msdn.microsoft.com/Windows-Azure-AD-Graph-API-a8c72e18
• Active Directory Authentication Library (ADAL)
• https://www.nuget.org/packages/System.IdentityModel.Clients.ActiveDirectory/
• http://www.cloudidentity.com/blog/2013/08/02/aal-becomes-adal-active-directory-authentication-library/
• Formerly Azure Authentication Library (AAL)
WAAD Authentication
• Authentication for cloud-based & native apps
• Permissions
• SSO, Read Data, Read & Write Data
• Applies to the APPLICATION, not the user
DEMO TIME!!!
Windows Azure AD – Single Sign-On, Web API, and Windows Store
WAAD and the Enterprise
(Diagram labels: My Enterprise; LOB App; AD; SQL)
WAAD and the Enterprise
• Passwords sync every 2 minutes
• Users sync every 3 hours
(Diagram labels: My Enterprise; DirSync; LOB App; SQL)
Where Does the Authentication Happen?

Portal
• Target customer segment: Small
• Scenario supported: Least
• Directory source of authority: Cloud
• Hardware requirements: No additional hardware required
• IDP: Cloud
• User login experience: Disjoint username and password; enter credentials twice
• Complexity: Low

PowerShell / Directory Graph
• Target customer segment: Small to Medium
• Scenario supported: Least
• Directory source of authority: Cloud
• Hardware requirements: No additional hardware required
• IDP: Cloud
• User login experience: Disjoint username and password; enter credentials twice
• Complexity: Medium

DirSync w/ Cloud identities
• Target customer segment: Small/Medium
• Scenario supported: Some limitations
• Directory source of authority: On-premises
• Hardware requirements: Windows Server OS for DirSync appliance
• IDP: Cloud
• User login experience: Same username, disjoint password; enter credentials twice
• Complexity: Low

DirSync w/ Password Sync
• Target customer segment: Small/Medium
• Scenario supported: Some limitations
• Directory source of authority: On-premises
• Hardware requirements: Windows Server OS for DirSync appliance
• IDP: Cloud
• User login experience: Same username and password for on-prem and cloud; enter credentials twice
• Complexity: Low

DirSync w/ SSO
• Target customer segment: Medium/Large
• Scenario supported: Most
• Directory source of authority: On-premises
• Hardware requirements: DirSync appliance; ADFS (or other STS) deployment
• IDP: On-premises
• User login experience: Same username and password for on-prem and cloud; login once if on-premises
• Complexity: High

Table Source: Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory, Ross Adams & Jono Luk – TechEd NA 2013
DEMO TIME!!!
Windows Azure Active Directory w/ DirSync
Going Further with Windows Azure AD
• Multitenant applications
• Leverage identity from other WAAD tenants
• http://www.windowsazure.com/en-us/develop/net/tutorials/multitenant-apps-for-active-directory/
• Phone 2FA (Multi-Factor Authentication)
• Additional administrative users
• Username/pwd + text message code
Summary
• Developers, Architects, & IT Pros work together
• Mobile Services
• Quickly add Identity Providers via portal config and code
• ACS
• Federated identity authentication
• Claims-based authorization
• Windows Azure AD
• “Extends” Windows Server AD to the cloud
• Query via REST graph API
Helpful Resources
• Mobile Services
• Handling Expired Tokens - http://www.thejoyofcode.com/Handling_expired_tokens_in_your_application_Day_11_.aspx
• Carlos Figueira’s Blog - http://blogs.msdn.com/b/carlosfigueira/
• ACS
• Cheat Sheet – http://bit.ly/ACSCheatSheet
• How To’s – http://bit.ly/ACSHowTo
• Tips – http://bit.ly/HYhxjY
• Azure Active Directory
• “Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory”, Ross Adams & Jono Luk – TechEd NA 2013
• “Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More”, Edward Wu – TechEd NA 2013
• Securing a Windows Store App and REST API using Windows Azure AD - http://msdn.microsoft.com/en-us/library/windowsazure/dn169448.aspx
• Vittorio Bertocci’s Blog - http://www.cloudidentity.com/blog/
Ask your questions
Thank You!
• Michael S. Collier
• Principal Cloud Architect, Aditi
• michaelc@aditi.com
• @MichaelCollier
• www.MichaelSCollier.com
August 11th – 13th 2014
Same Place, Same Time


Editor's Notes

  • #3 Title slide for anyone looking to use this year's logo.
  • #4 Principal Cloud Architect; Windows Azure MVP. Help customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc. Reach me via email, Twitter, or my blog.
  • #5 Please take a brief opportunity and thank our platinum and gold sponsors. They have invested a lot of time and money into making That Conference the success it is.
  • #8 Nearly every application asks at least one simple question – who are you? Personalization. Business rules (access to specific areas / functionality).
  • #12 MSFT Account – OAuth and integrated Windows Store app (SSO)
  • #14 OAuth: renders the OAuth web interface for the selected provider.
  • #15 Provide SSO for Windows 8 users
  • #17 Mobile Services helps w/ mobile apps, but what about web apps? We can leverage ACS. Authorization – your responsibility; use provided claims and map to your business rules.
  • #33 With the somewhat more consumer offerings out of the way, let’s spend the rest of the time talking about enterprises.
  • #35 Accessibility options
  • #37 DirectoryObject is the base type for the following entity types: Application, Device, DirectoryLinkChange, Contact, Group, Role, ServicePrincipal, TenantDetail, and User. http://msdn.microsoft.com/en-us/library/windowsazure/jj134105.aspx
  • #42 Simple SSO for web app. Web API and Windows Store App - AAL
  • #62 Integration Options
  • #63 Show AD server and VM in cloud. Show WAAD dir integration. Change user password . . . wait for sync. Show demo app.
  • #64 Phone 2FA – formerly known as ‘Active Authentication’
  • #68 Windows Azure National Architect; Windows Azure MVP. Help customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc. Reach me via email, Twitter, or my blog.
  • #70 At the end of your presentation we would be grateful if you could help us announce next year's date.