BRK4011: Understand Hybrid Identity with Azure and Azure Stack. Shriram Natarajan. 7/18/2018 6:55 PM. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Hi, I'm Shri. Program Manager. I work on Identity, Authentication and Authorization, Azure Resource Manager, Hybrid Tools and Developer Experiences on Azure Stack. Tweet to me @shriramNat
Agenda Hybrid cloud use cases Identity Fundamentals Authenticating with different Azure Clouds Multi Tenancy and Directory-based authentication
First things first…
Hybrid use cases: Azure and Azure Stack Edge and disconnected solutions Cloud applications that meet every regulation Modern applications across cloud and on-premises
Hybrid App Development Sessions at Ignite (Session, Title, Speaker): BRK3084, Microsoft Azure Stack hybrid apps and developer overview, Bradley Bartz; BRK3115, IaaS on Microsoft Azure Stack, David Armour and Scott Napolitan; BRK4011, Microsoft Azure Stack identity, multi-tenancy, and role-based access control, Shriram Natarajan; BRK3099, Developing hybrid apps on Microsoft Azure Stack, Ricardo Mendes; BRK4015, DevOps on Microsoft Azure Stack, Matthew McGlynn and Anjay Ajodha.
Have feedback on Azure Stack? Want to provide your feedback direct to the engineering team? Join the Azure Stack customer research panel: https://aka.ms/azssession
Identity Fundamentals
Identity terminology: Active Directory + Active Directory Federation Services (AD FS); Azure Active Directory (AAD); Organizations / Directories / Directory Tenants; Users and Groups; Applications; Service Principals.
Azure Stack identity fundamentals: works with AAD and AD FS; OpenID Connect protocol with the Authorization Code flow and the Resource Owner Password Credentials flow; issues JSON Web Tokens (JWT); ADAL libraries for consistent hybrid authentication; Azure tools for consistent hybrid resource management.
Azure Stack with AAD, single tenanted (diagram): the Admin Portal and Admin ARM, the Public Portal and Public ARM, and the Resource Providers all authenticate against one Azure Active Directory tenant (admindir.onmicrosoft.com). Use cases: Enterprises, Dedicated Hosting.
Azure Stack with AAD, multi tenanted (diagram): the Admin Portal and Admin ARM stay in admindir.onmicrosoft.com, while the Public Portal, Public ARM and Resource Providers also accept users from other directories such as Redmarker.onmicrosoft.com and Fabrikam.com (the latter federated through an on-prem AD FS). Use cases: CSP, Shared Hosting.
Azure Stack with AD FS (diagram): the Portal, ARM and RPs, and applications authenticate against the stamp AD FS (adfs.azurestack.local), backed by the stamp AD and AD Graph; the stamp AD FS federates with the customer AD FS (adfs.corp.contoso.com) in front of the customer AD. Use cases: Enterprises, Dedicated Hosting.
DEMO Azure Stack with AAD and AD FS configurations
Types of Identities. Users: standard user identities; authenticate through User ID/Password. Example: shriram@Microsoft.com / Pass@word1234. Service Principals: used for application authentication and automation; authenticate through an Id/Secret combination, where the secret can be either a key or a certificate. Example: bfb84395-b5bb-4a0a-9d25-fbb9f8d3186f / 3gDcSnk5MAdefGxyDZAJks2xhohTie/vpAQ/2o=
Role Based Access Control
DEMO Service Principal Creation, Authorization and Authentication
Directory based Authentication
Inviting Guest Users (diagram): guests invited into a directory from fabrikamClient.com, contosoConsulting.com and other directories.
Multi tenanted Applications (diagram): one application registration serving sign-ins from fabrikamClient.com, contosoConsulting.com and other directories.
DEMO Authentication in a directory context
Cross-cloud Authentication
Information needed for Authentication. From the Identity System: the Identity System's URL (Authority), which is specific to the installation of the cloud. From ARM: ARM's App Identifier URL (ARM App ID URI) and ARM's URL, also specific to the cloud. Credentials: common across clouds for hybrid. So a hybrid client needs three per-cloud values (Authority URL, ARM App ID URI, ARM URL) plus one set of credentials.
Token Exchange Protocol (diagram). 1. The client sends the Authority URL, the ARM App ID URI (as the requested resource) and its credentials to the Identity System. 2. The Identity System returns a token signed with its signing certificate, with claims of the form { iss: <Authority>, aud: <ARM App ID URI>, iat: <dateStamp>, exp: <dateStamp>, … }. 3. The client presents the token to ARM at the ARM URL, and ARM checks the signature and the iss/aud/exp claims before serving the request.
One solution to rule them all !!! Endpoints API
ARM Endpoints API: https://<ARM_URL>/metadata/endpoints?api-version=2015-01-01. Given only the ARM URL, it returns the Authority URL and the ARM App ID URI for that cloud. Azure public: https://management.azure.com/metadata/endpoints?api-version=2015-01-01. Azure Stack (ASDK example): https://management.local.azurestack.external/metadata/endpoints?api-version=2015-01-01.
ARM Endpoints API, summary: unauthenticated; enumerates the endpoints necessary for authentication; used by Azure PowerShell and Azure CLI, with SDKs and other tools to follow; works for both AAD and AD FS topologies. Flow: 1. Call the Endpoints API. 2. Use the data it returns to authenticate. 3. Make an authenticated call to ARM.
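The three-step flow above, together with the "authenticate to a specific directory" point from the directory-based authentication section, as an added Python example. It is not code from the session or from the Azure Stack tools. The metadata documents are constructed copies shaped like the real Endpoints API response (the field names loginEndpoint and audiences are the real ones; the Azure Stack host names and GUIDs are placeholders), the /adfs suffix heuristic for telling the two topologies apart is an assumption not stated on the page, and the test token is unsigned, so only the claim checks are exercised.

```python
# Added example for this session's endpoints/token flow and directory-pinning point;
# it is not code from the session or from the Azure Stack tools. Runs offline
# against constructed copies of the ARM endpoints metadata document.
import base64
import json
import time

# Constructed metadata, shaped like the response of
# https://<ARM_URL>/metadata/endpoints?api-version=2015-01-01.
# Field names are the real ones; the Azure Stack host names and GUIDs are placeholders.
PUBLIC_AZURE = {"authentication": {
    "loginEndpoint": "https://login.windows.net/",
    "audiences": ["https://management.core.windows.net/", "https://management.azure.com/"]}}
STACK_AAD = {"authentication": {
    "loginEndpoint": "https://login.microsoftonline.com/",
    "audiences": ["https://management.local.azurestack.external/11111111-1111-1111-1111-111111111111"]}}
STACK_ADFS = {"authentication": {
    "loginEndpoint": "https://adfs.local.azurestack.external/adfs",
    "audiences": ["https://management.adfs.azurestack.local/22222222-2222-2222-2222-222222222222"]}}


def parse_endpoints(metadata):
    """Step 1: the cloud-specific values a client needs, taken from the metadata."""
    auth = metadata["authentication"]
    login = auth["loginEndpoint"].rstrip("/")
    # Assumption (not stated on the page): an AD FS stamp's login endpoint ends in
    # /adfs and is already the authority; an AAD login endpoint needs a directory appended.
    topology = "adfs" if login.lower().endswith("/adfs") else "aad"
    return {"login_endpoint": login, "audiences": list(auth["audiences"]),
            "arm_app_id_uri": auth["audiences"][0], "topology": topology}


def authority_url(endpoints, directory=None):
    """Authority the identity library is pointed at. Refuses the AAD 'common'
    endpoint: a hybrid client must authenticate to one specific directory."""
    if endpoints["topology"] == "adfs":
        return endpoints["login_endpoint"] + "/"          # tenant segment is already 'adfs'
    if not directory or directory.lower() == "common":
        raise ValueError("AAD authentication must target a specific directory")
    return f"{endpoints['login_endpoint']}/{directory}/"


def client_credentials_request(endpoints, directory, client_id, client_secret):
    """Step 2: the OAuth 2.0 client-credentials request a service principal with a key
    sends to the v1 token endpoint; 'resource' is the ARM App ID URI from step 1."""
    return {"url": authority_url(endpoints, directory) + "oauth2/token",
            "form": {"grant_type": "client_credentials", "client_id": client_id,
                     "client_secret": client_secret, "resource": endpoints["arm_app_id_uri"]}}


def unverified_claims(jwt):
    """Decode the JWT payload. The signature is NOT checked here; a real validator must
    first verify the token against the issuer's signing certificate (its JWKS)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, endpoints, expected_issuer, expected_tid=None, now=None):
    """Step 3 as ARM sees it: is this (signature-verified) token for this cloud and
    directory? Returns None if acceptable, otherwise the reason it is rejected."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        return "issuer mismatch"
    if claims.get("aud") not in endpoints["audiences"]:
        return "audience mismatch"                       # token minted for another cloud
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return "token not yet valid or expired"
    if expected_tid is not None and claims.get("tid") != expected_tid:
        return "token issued by a different directory"   # guest / other-tenant token
    return None


def make_test_token(claims):
    """Constructed token: RS256 header, placeholder signature. Only good for
    exercising the claim checks above, never for a real call."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    stack = parse_endpoints(STACK_AAD)
    tid = "33333333-3333-3333-3333-333333333333"       # constructed directory id
    issuer = f"https://sts.windows.net/{tid}/"         # AAD v1 issuer for that directory
    print(client_credentials_request(stack, tid, "app-id", "app-key")["url"])
    good = make_test_token({"iss": issuer, "aud": stack["arm_app_id_uri"], "tid": tid,
                            "nbf": 1000, "exp": 4000})
    wrong_cloud = make_test_token({"iss": issuer, "aud": "https://management.azure.com/",
                                   "tid": tid, "nbf": 1000, "exp": 4000})
    print(check_claims(unverified_claims(good), stack, issuer, tid, now=2000))         # None
    print(check_claims(unverified_claims(wrong_cloud), stack, issuer, tid, now=2000))  # audience mismatch
```

The audience check is what makes the flow hybrid-safe: a token obtained for public Azure's ARM (aud https://management.azure.com/) is rejected by an Azure Stack ARM whose App ID URI is installation-specific, and the tid check is the "authenticate to a specific directory" rule from the summary: an app that accepts any issuer from the common endpoint would also accept tokens from guest users' home directories.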
DEMO Endpoints API Setting Environment variables in PowerShell and CLI
Registration with Identity System
Azure Stack's Registered Applications. About 18 apps are registered with the Identity system, covering admin and tenant services; these registrations are essential for the services to interact with the directory. About 9 of them are propagated to each new directory during multi-tenancy setup. The MT setup cmdlet in the tools repository uses this API: https://github.com/Azure/AzureStack-Tools/blob/master/Identity/AzureStack.Identity.psm1#L333. If re-creating this functionality, exercise caution: custom implementations outside the context of the tools repo are not supported.
Application Registrations API https://<ARM_URL>/applicationRegistrations?api-version=2015-01-01 https://management.local.azurestack.external/applicationRegistrations?api-version=2015-01-01
Capability differences, AAD and AD FS topology (Scenario, AAD Topology, AD FS Topology): Marketplace Syndication: Yes. ADAL support. CLI, VS, PSH tools. Create Service Principals with Certificates. Applications can use Identity system for user sign-in: Yes* (* Apps must federate with Customer AD FS). Create Service Principals through Portal: No. Create Service Principals with Secrets (Keys). Multi Tenancy. Applications can interact with Graph Service.
Summary: use the Endpoints API to help with authentication across clouds; create Service Principals for application authentication; assign RBAC roles to users and Service Principals; remember to authenticate to a specific directory.
Please evaluate this session. From your PC or tablet: visit MyIgnite, https://myignite.microsoft.com/evaluations. Phone: download and use the Microsoft Ignite mobile app, https://aka.ms/ignite.mobileapp. Your input is important!