TechEd 2013 12/7/2018 2:17 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
WAD-B309 Introduction to Windows Azure Active Directory
Girish Chander, Principal Lead Program Manager
Raise your hand if…..
Problem Statement
Each app, on-premises or cloud, sits beside Active Directory with no direct connection to the directory: every cloud app has its own username/password sign-in, and provisioning into it is manual or semi-automated. While enterprises are working to consolidate directories on-premises, cloud apps are fragmenting directories... again.
History of Azure Active Directory
Office 365 services (Exchange Online, SharePoint Online, Lync Online) needed access to customers' on-premises directories to provide best-in-breed experiences. That called for a service that could offer identity services to organizations without on-premises directories, run at internet scale, and offer multi-tenancy.
Windows Azure Active Directory
Active Directory revised to operate as an internet-scale, multi-tenant directory service, built concurrently with Office 365 (Exchange Online, SharePoint Online, Lync Online). It extends Windows Server Active Directory into the cloud and provides cloud-based directory and identity services for organizations without Windows Server AD.
Demo Cloud Directory Management
Directory and Identity as a Service
Azure Active Directory, fed from Active Directory, serves Office 365, other Microsoft apps, ISV apps and your custom IT app:
- Consolidate directory management across cloud apps
- Connect to the directory from any platform, any device
- Connect with people from web identity providers and other organizations
How Does a Cloud App Connect to Directory? (A cloud application on one side, the Contoso.com directory on the other.)
Anatomy of a Typical Cloud Application
A web application reached from a browser, a web service API called by mobile apps and server apps, and an account and profile store behind both. Clients use a wide variety of devices, languages and platforms; server applications likewise use a wide variety of platforms and languages.
Azure Active Directory Design Principles
The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory:
- Maximize device and platform reach: HTTP/web/REST based protocols
- Multi-tenancy: the customer owns the directory, not Microsoft
- Optimize for availability, consistent performance, scale
- Keep it simple
Directory access and authentication: adapting to the cloud paradigm
- On-premises (Windows Server AD): consoles, PowerShell, LDAP for applications, Kerberos for authentication
- Cloud (Azure AD): portals, PowerShell, REST for applications, OAuth for authentication
Directory Graph API
- RESTful programmatic access to the directory
- Objects such as users, groups, roles, licenses
- Relationships such as member, memberOf, manager, directReport
- Requests use standard HTTP methods: POST, GET, PATCH, DELETE to create, read, update and delete
- Response in XML or JSON; standard HTTP status codes
- Compatible with OData 3.0
- OAuth 2.0 for authentication
- Role-based assignment for application and user authorization
Example Directory Graph Call
Request: https://directory.windows.net/contoso.com/Users/Ed@contoso.com
Response:
{
  "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('..')/Manager" },
  "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('..')/MemberOf" },
  "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectType": "User",
  "AccountEnabled": true,
  "DisplayName": "Ed Blanton",
  "GivenName": "Ed",
  "Surname": "Blanton",
  "UserPrincipalName": "Ed@contoso.com",
  "Mail": "Ed@contoso.com",
  "JobTitle": "Vice President",
  "Department": "Operations",
  "TelephoneNumber": "4258828080",
  "Mobile": "2069417891",
  "StreetAddress": "One Main Street",
  "PhysicalDeliveryOfficeName": "Building 2",
  "City": "Redmond",
  "State": "WA",
  "Country": "US",
  "PostalCode": "98007"
}
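An added example, not code from the deck or from Microsoft: a minimal Python client for the call above, standard library only. It builds the resource URL shown on the slide with the tenant and UPN percent-encoded as single path segments (so a caller-supplied value such as "../Groups" cannot redirect the request), attaches the OAuth 2.0 bearer token the Graph expects, and checks the JSON entity before anything trusts it. The access token and the PATCH body are placeholders; the sample response is a trimmed copy of the slide's JSON, embedded so the block runs offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH_BASE = "https://directory.windows.net"  # endpoint shown on the slide


def user_url(tenant, upn):
    """Build https://directory.windows.net/<tenant>/Users/<upn>.

    Tenant and UPN are percent-encoded as single path segments, so a
    caller-supplied value such as "../Groups" or "x?y" cannot change which
    resource the request goes to.
    """
    return "%s/%s/Users/%s" % (
        GRAPH_BASE,
        urllib.parse.quote(tenant, safe=""),
        urllib.parse.quote(upn, safe=""),
    )


def graph_request(url, access_token, method="GET", body=None):
    """Prepare a Graph call: OAuth 2.0 bearer token, JSON in and out."""
    headers = {
        "Authorization": "Bearer " + access_token,
        "Accept": "application/json",
    }
    data = None
    if body is not None:  # POST/PATCH carry a JSON entity
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


REQUIRED_FIELDS = ("ObjectId", "ObjectType", "UserPrincipalName", "AccountEnabled")


def parse_user(response_text):
    """Parse a User entity and refuse anything that is not one.

    Returns the stable ObjectId (the value to key local data on), the UPN,
    the enabled flag, and the navigation links (Manager, MemberOf) that the
    service exposes as {"uri": ...} members.
    """
    obj = json.loads(response_text)
    missing = [f for f in REQUIRED_FIELDS if f not in obj]
    if missing:
        raise ValueError("response lacks %s" % ", ".join(missing))
    if obj["ObjectType"] != "User":
        raise ValueError("expected a User, got %r" % obj["ObjectType"])
    links = {k: v["uri"] for k, v in obj.items()
             if isinstance(v, dict) and "uri" in v}
    return {
        "object_id": obj["ObjectId"],
        "upn": obj["UserPrincipalName"],
        "enabled": bool(obj["AccountEnabled"]),
        "display_name": obj.get("DisplayName"),
        "links": links,
    }


# Trimmed copy of the response on the slide, embedded so this runs offline.
SAMPLE_RESPONSE = """{
  "Manager": {"uri": "https://directory.windows.net/contoso.com/Users('..')/Manager"},
  "MemberOf": {"uri": "https://directory.windows.net/contoso.com/Users('..')/MemberOf"},
  "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectType": "User",
  "AccountEnabled": true,
  "DisplayName": "Ed Blanton",
  "UserPrincipalName": "Ed@contoso.com",
  "Mail": "Ed@contoso.com",
  "JobTitle": "Vice President"
}"""

if __name__ == "__main__":
    # "<access token>" is a placeholder; a real call needs a token from the directory.
    req = graph_request(user_url("contoso.com", "Ed@contoso.com"), "<access token>")
    print(req.get_method(), req.full_url)
    print(parse_user(SAMPLE_RESPONSE))
```

Key local records on ObjectId rather than UserPrincipalName or Mail: the latter two can be renamed or reassigned to a different person, the object id cannot.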
Protocols to connect with Azure AD
Protocol | Purpose | Details
REST/HTTP directory access | Create, read, update, delete directory objects and relationships | Compatible with OData V3; authenticate with OAuth 2.0
OAuth 2.0 | Service-to-service authentication; delegated access | JWT token format
SAML 2.0 | Web application authentication | SAML 2.0 token format
WS-Federation 1.3 | Web application authentication; used with Office 365 services | SAML 1.1 token format
Demo Directory Graph Explorer
Connecting a cloud app to the Contoso.com directory
1. An authorized user creates a service principal in the directory for the cloud application and authorizes it to use the directory by associating the principal with a role (here, Read).
2. The end user authenticates to the directory (user AuthN) and receives a token t1, which the user presents to call the cloud application.
3. The cloud app gets its own token t2 (delegated AuthN), accesses the Directory Graph using t2, and uses the user's unique ID to find the profile in its local profile store.
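Steps 1 to 3 above, as an added example that is not from the deck or from Microsoft: what the cloud application must do with t1 before it trusts anything inside it, and what it keys its profile store on. Python, standard library only. An HMAC-signed (HS256) JWT with a constructed shared secret stands in for the RSA-signed token a real directory issues; the issuer and audience strings are assumed values, and the profile store holds one constructed record keyed by the ObjectId from the Graph slide.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example. A real Azure AD token is RS256-signed with the
# tenant's signing key; substitute an RSA signature check for the HMAC below
# and the rest of the validation stays the same.
EXAMPLE_SECRET = b"example-signing-secret-not-real"
EXPECTED_ISSUER = "https://sts.windows.net/contoso.com/"  # assumed issuer value
EXPECTED_AUDIENCE = "https://contoso-app.example/"        # assumed app ID URI
ED_OBJECT_ID = "90ef7131-9d01-4177-b5c6-fa2eb873ef19"     # ObjectId from the Graph slide

# The app's local profile store, keyed by directory ObjectId. UPN and mail can
# be renamed or reassigned to another person; the ObjectId cannot.
PROFILE_STORE = {ED_OBJECT_ID: {"display": "Ed Blanton", "role": "vp"}}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=EXAMPLE_SECRET):
    """Stand-in for the directory's token endpoint: issue an HS256 JWT."""
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token, now=None, secret=EXAMPLE_SECRET):
    """Verify t1 before trusting any claim in it; returns the claim set."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only now are the claims worth reading.
    claims = json.loads(b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer %r" % claims.get("iss"))
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token issued for another app: %r" % claims.get("aud"))
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if not claims.get("oid"):
        raise ValueError("no oid claim")
    return claims


def verdict(token, now=None):
    """'ok' or the reason the token was rejected, for the app's logs."""
    try:
        validate_token(token, now)
        return "ok"
    except (ValueError, KeyError, TypeError) as exc:
        return str(exc)


def resolve_profile(token, now=None):
    """Step 3 of the flow: validate t1, then look the user up by ObjectId."""
    claims = validate_token(token, now)
    return PROFILE_STORE.get(claims["oid"])


if __name__ == "__main__":
    now = int(time.time())
    t1 = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                     "oid": ED_OBJECT_ID, "upn": "Ed@contoso.com",
                     "nbf": now - 60, "exp": now + 600})
    print(verdict(t1), resolve_profile(t1))
```

The order matters: signature first, claims second. A token whose audience names a different application, or whose issuer is another tenant, carries a perfectly good signature and must still be refused, which is why the checks on aud and iss are not optional.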
Demo AAD and your app
Relationship to Windows Server AD
On-premises and cloud Active Directory are managed as one. Directory information is synchronized to the cloud and made available to cloud apps via role-based access control; federated authentication enables single sign-on to cloud applications with corporate credentials (Active Directory, sync and federation, Azure Active Directory).
Directory and Identity as a Service
With sync and federation in place, Azure Active Directory serves Office 365, other Microsoft apps, ISV apps and your custom IT app, while Active Directory keeps serving your on-prem apps:
- Consolidate directory management across cloud apps
- Connect to the directory from any platform, any device
- Connect with people from web identity providers and other organizations
- Users use the same identity to access on-prem and cloud apps
Directory Synchronization
- Directory synchronization between on-premises and online
- Objects are created and managed on-premises and synchronized to the cloud
- Optionally, password hashes can be synchronized to the cloud, providing a single identity and credential, but not single sign-on
- Reuse the existing directory implementation on-premises, including non-AD sources
Federation and single sign-on
- Single identity and sign-on for on-premises and cloud services
- Identities mastered on-premises, single point of management
- Secure token-based authentication
- Client access control based on IP address with AD FS and Office 365 services
- Strong-factor authentication options for additional security
Windows Azure Active Authentication
Why multi-factor:
- Your data and applications are under attack
- Passwords are easily compromised
- Consumerization of IT has only increased the scope of vulnerability
- Strengthening regulatory requirements call for strongly authenticating access
Proven authentication platform:
- Powered by the market-leading PhoneFactor platform
- Trusted by thousands of enterprise customers across a wide range of industries, including healthcare, financial services, manufacturing, and government
- Authenticating millions of logins and transactions each month
Enterprise authentication using any phone
- Mobile apps: out-of-band push, one-time passcode
- Text messages: out-of-band text, one-time passcode
- Phone calls: out-of-band call
Architecture
1. Users sign in from any device (custom LOB apps, Microsoft apps, ISV/CSV apps) using their existing username/password. Credentials are checked in Windows Azure AD, then Active Authentication is triggered for additional verification.
2. Users must also authenticate using their phone or mobile device before access is granted.
Demo Active Authentication
Embracing BYOD
- Workplace Join: users join their device to their workplace, making the device known to the company's Active Directory
- Single Sign On (SSO): users sign in once to their company from any application and are not prompted for credentials by every company application when using workplace-joined devices
- Work From Anywhere: businesses enable users to work from anywhere while adhering to their IT governance policies around risk management
- Multi-factor Authentication: businesses require additional factors of authentication when business-critical resources are accessed or when there is perceived risk
- Multi-factor Access Control: businesses set conditional access control to resources based on four core pivots: the user, the device used, the user's network location and use of additional auth factors
- AD Authentication Library: ISVs build enterprise apps that deliver SSO and allow enterprises to set access control policies based on user, device, network location, and MFA
Windows Azure AD
- Extension of Active Directory into the cloud
- The platform for Microsoft cloud apps (Office 365, other Microsoft apps, ISV apps, your custom IT app)
- Designed to meet the needs of cloud applications: scale and multi-tenancy
- Provides directory and identity services: an essential part of Platform as a Service
- Your cloud directory for your apps
Over 3 million tenants
Over 7 Billion authentications Just last week
Related content
Break out: WAD-B308 (Fri 8:30) - Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More
Break out: WAD-B306 (Fri 8:30) - Securing Cloud Line-of-Business and SaaS Web Applications Using Windows Azure Active Directory
Break out: OUC-B341 (Thur 3:15) - Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory
Resources
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals (TechNet): http://microsoft.com/technet
Resources for Developers (msdn): http://microsoft.com/msdn