SIA322: Windows Azure Active Directory Graph API
Edward Wu, Sr Program Manager, Microsoft Corporation
4/23/2017 2:37 PM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
- Introduction
- Goals
- Querying Directory Data
- Application Authentication/Authorization
- Demos
- Roadmap: Summer/Fall
- Resources/Getting Started
Windows Azure Active Directory and the Graph API
The Graph API is here now: it is integrated with Office 365 and Windows Azure and available to all apps.
Windows Azure Active Directory
- Integrated modern identity management service for Office 365, Azure and 3rd-party web applications
- Single sign-on across Microsoft and 3rd-party applications with increased security control
- Integrates with consumer identity and social networks
Graph API
- Access directory data with a RESTful Graph API
Goals
- Make it easy for applications to integrate with Windows Azure Active Directory
- Lay the foundation for higher-level capabilities: look-ups, people pickers, security group membership, cross-company collaboration ...
- Provide high usability and interoperability
Solution: a new RESTful interface for Windows Azure AD
- HTTP/REST-based protocol for accessing all directory information
- Standard HTTP response codes; directory objects returned as JSON or XML
- Compatible with OData V3 for more complex queries and metadata (www.odata.org)
- OAuth 2.0 bearer tokens: the application authenticates to the token endpoint with its service principal credential and presents the issued token on every REST call
Connecting to Windows Azure Active Directory
- Administration: Admin Portal and PowerShell scripting
- On-premises Active Directory: Directory Synch into the cloud directory
- New applications: REST interface, authorized with OAuth
- Existing on-premises applications: LDAP and Kerberos against on-premises AD
Multi-tenant environment, divided into tenants
- Typed objects, for example Users, Groups, Contacts, Roles, Licenses
- Relationships: Member/MemberOf, Manager/DirectReports
Windows Azure Active Directory Resources (https://directory.windows.net)
- TenantDetails
- Users
- Groups
- Contacts
- Roles
- SubscribedSkus
Windows Azure AD extends the directory for the cloud: licensing, provisioning, DirSynch status, domain status.
REST Interface for Directory Access
Request URI structure: <Service root>/<resource path>[?Query string options]
  https://directory.windows.net/contoso.com/Users?$filter=DisplayName eq 'Adam Barr'
Navigating the URI structure
  https://directory.windows.net/$metadata
  https://directory.windows.net/contoso.com/
  https://directory.windows.net/contoso.com/TenantDetails
  https://directory.windows.net/contoso.com/Users
  https://directory.windows.net/contoso.com/Groups
  https://directory.windows.net/contoso.com/Roles
  https://directory.windows.net/contoso.com/Contacts
  https://directory.windows.net/contoso.com/SubscribedSkus
Examples of filters (OData string literals are single-quoted)
  ?$filter=City eq 'Redmond'
  ?$filter=GivenName eq 'Adam' and Surname eq 'Barr'
  ?$filter=Surname ge 'Jackson' and Surname le 'Jz'
Response: an HTTP response code plus a response body in JSON or XML
GET a User Object
Request:
  GET https://directoryppe.windows.net/PharmaSales.info/Users('Adam.Barr@PharmaSales.info')
Returned JSON user object (OData verbose format; Manager, DirectReports and MemberOf are deferred links that are fetched with a further GET):
{
  "d": {
    "__metadata": {
      "id": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')",
      "uri": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')",
      "type": "Microsoft.Online.DirectoryApi.User"
    },
    "Manager": {"__deferred": {"uri": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')/Manager"}},
    "DirectReports": {"__deferred": {"uri": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')/DirectReports"}},
    "MemberOf": {"__deferred": {"uri": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')/MemberOf"}},
    "ObjectId": "d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c",
    "ObjectReference": "User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c",
    "ObjectType": "User",
    "AccountEnabled": true,
    "AssignedLicenses": {"__metadata": {"type": "Collection(Microsoft.Online.DirectoryApi.AssignedLicense)"}, "results": []},
    "AssignedPlans": {"__metadata": {"type": "Collection(Microsoft.Online.DirectoryApi.AssignedPlan)"}, "results": []},
    "City": "Redmond",
    "Country": "US",
    "Department": null,
    "DirSyncEnabled": null,
    "DisplayName": "Adam Barr",
    "FacsimileTelephoneNumber": null,
    "GivenName": "Adam",
    "JobTitle": null,
    "LastDirSyncTime": null,
    "Mail": null,
    "Mobile": null,
    "OtherMails": {"__metadata": {"type": "Collection(Edm.String)"}, "results": []},
    "PasswordPolicies": "None",
    "PhysicalDeliveryOfficeName": null,
    "PostalCode": "98052",
    "PreferredLanguage": null,
    "ProvisionedPlans": {"__metadata": {"type": "Collection(Microsoft.Online.DirectoryApi.ProvisionedPlan)"}, "results": []},
    "ProvisioningErrors": {"__metadata": {"type": "Collection(Microsoft.Online.DirectoryApi.ProvisioningError)"}, "results": []},
    "ProxyAddresses": {"__metadata": {"type": "Collection(Edm.String)"}, "results": []},
    "State": "WA",
    "StreetAddress": "One Microsoft Way",
    "Surname": "Barr",
    "TelephoneNumber": "425-882-8080",
    "UsageLocation": "US",
    "UserPrincipalName": "Adam.Barr@PharmaSales.info"
  }
}
Referenced Links: Users
  /Manager        https://Directory.windows.net/Contoso.com/Users('Bob@Contoso.com')/Manager         (Bob's manager: Adam)
  /DirectReports  https://Directory.windows.net/Contoso.com/Users('Adam@Contoso.com')/DirectReports  (Adam's direct reports: Sue, Jim)
  /MemberOf       https://Directory.windows.net/contoso.com/Users('Jill@Contoso.com')/MemberOf       (Jill's groups: US Sales Team)
Referenced Links: Groups
  /MemberOf  https://directory.windows.net/contoso.com/Groups('Group_1a9f7ab7-4292-414e-ad33-11dc679f364c')/MemberOf  (the groups this group belongs to; the diagram nests US Sales Team and Europe under Global Sales Team)
  /Members   https://directory.windows.net/contoso.com/Groups('Group_1a9f7ab7-4292-414e-ad33-11dc679f364c')/Members   (members of US Sales Team: Sue, Jim, Jill; the diagram also places Bob in this group)
Querying and Data Management
- Users are sorted by DisplayName; other entities are unsorted
- OData query options (http://www.odata.org)
  - $filter: logical and; eq, ge, le
  - Paging: $top
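Two of the points on this slide are worth seeing in working code: a string literal inside $filter has to be escaped and percent-encoded before it goes into the URI (a single quote in a user-supplied value would otherwise alter the query), and paging with $top means following the response's next link until the server stops returning one. The block below is an added example, not code from the deck; it stubs the REST front end with a constructed five-user tenant and a hypothetical $skiptoken offset parameter so that it runs offline, and only the URL shapes (directory.windows.net/<tenant>/Users, $filter, $top) come from the slides.

```python
# Added example (not from the deck): safe OData $filter construction and $top paging
# against the Windows Azure AD Graph API URI shapes shown on the slides.  The REST
# front end is replaced by fake_fetch(), which serves a constructed tenant offline.
from urllib.parse import parse_qs, quote, urlparse

SERVICE_ROOT = "https://directory.windows.net"


def odata_literal(value):
    """Quote a string as an OData literal.  An embedded ' is escaped by doubling it,
    so a value such as  x' or City eq 'Redmond  cannot break out of the literal."""
    return "'" + str(value).replace("'", "''") + "'"


def build_filter(**equals):
    """Build "Prop eq 'v' and Prop2 eq 'v2'" (the and/eq operators the preview supports)."""
    return " and ".join(f"{prop} eq {odata_literal(v)}" for prop, v in equals.items())


def users_url(tenant, filter_expr=None, top=None):
    """<Service root>/<tenant>/Users[?$filter=...&$top=N], percent-encoding the values."""
    params = []
    if filter_expr is not None:
        params.append("$filter=" + quote(filter_expr, safe=""))
    if top is not None:
        params.append("$top=" + str(int(top)))
    url = f"{SERVICE_ROOT}/{quote(tenant, safe='')}/Users"
    return url + ("?" + "&".join(params) if params else "")


# Constructed sample tenant (not real directory data).
CONSTRUCTED_USERS = [
    {"DisplayName": name, "UserPrincipalName": name.split()[0].lower() + "@contoso.com"}
    for name in ["Adam Barr", "Bob Jones", "Jill Frank", "Jim Hance", "Sue Ganz"]
]


def fake_fetch(url):
    """Stand-in for a GET on the REST front end.  Honours $top and a hypothetical
    $skiptoken offset and returns the OData verbose JSON shape:
    {"d": {"results": [...], "__next": "<url>"}}, with __next absent on the last page."""
    query = parse_qs(urlparse(url).query)
    top = int(query.get("$top", ["100"])[0])
    skip = int(query.get("$skiptoken", ["0"])[0])
    page = CONSTRUCTED_USERS[skip:skip + top]
    d = {"results": page}
    if skip + top < len(CONSTRUCTED_USERS):
        d["__next"] = url.split("?")[0] + f"?$top={top}&$skiptoken={skip + top}"
    return {"d": d}


def iter_users(fetch, tenant, page_size=100):
    """Yield every user, following __next until the server stops returning one.
    A next link that repeats is treated as an error rather than looped on forever."""
    url = users_url(tenant, top=page_size)
    seen = set()
    while url:
        if url in seen:
            raise RuntimeError("continuation link repeated: " + url)
        seen.add(url)
        body = fetch(url)
        yield from body["d"]["results"]
        url = body["d"].get("__next")


if __name__ == "__main__":
    print(users_url("contoso.com", build_filter(GivenName="Adam", Surname="Barr")))
    for user in iter_users(fake_fetch, "contoso.com", page_size=2):
        print(user["DisplayName"])
```

The escaping in odata_literal is the part that matters for anything that takes a name from a people picker or a form: with the quote doubled, the injected text stays inside one literal and the filter matches nothing instead of widening to another city. The seen-URL guard in iter_users is cheap insurance against a front end (or a proxy) that hands back the same continuation link twice.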
Authentication and Authorization for a LOB Application
1. The application requests a JWT token from the Windows Azure Active Directory OAuth endpoint, passing its input claims (service principal identity and credential).
2. The OAuth endpoint returns the token.
3. The application calls the directory's REST front end with an HTTP request carrying the JWT token.
4. The REST front end validates the ACS-issued token and then performs the authorization check before the directory serves the request.
Demo: Navigating the REST Interface (Sample Application)
Application Authentication and Authorization
1. The company admin adds an Application Service Principal to the tenant and assigns it a role (Read and/or Write).
2. The developer configures the app with the Application Service Principal Id and the app secret (a certificate or a symmetric key).
3. The developer runs the app; the REST front end validates the ACS token and authorizes the request.
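To make the three steps concrete, here is the token exchange reduced to a self-contained HS256 JWT in Python. This is an added example, not code from the deck or from Microsoft: mint_token() is the application side, signing with its symmetric app secret, and validate_token() plus authorize() are what the REST front end must do before serving a request. The issuer and audience strings, the claim names, the role table and the service principal id are constructed placeholders; the preview's actual token format is not described on the page.

```python
# Added example (not from the deck): the bearer-token exchange on the auth slides, reduced to
# a self-contained HS256 JWT using only the standard library.  mint_token() is the application
# side (signing with its symmetric app secret); validate_token() and authorize() are the REST
# front end side.  Issuer, audience, claim names and the role table are constructed
# placeholders, not the preview's real token format.
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret, issuer, audience, service_principal_id, ttl=600, now=None):
    """Build header.claims.signature; exp bounds how long a stolen token stays useful."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": service_principal_id,
              "nbf": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_token(token, secret, issuer, audience, now=None, skew=60):
    """Return (claims, "ok") or (None, reason).  Order matters: the algorithm is pinned
    before the signature is checked, and no claim is trusted until the signature holds."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    if header.get("alg") != "HS256":          # rejects "none" and any algorithm switch
        return None, "bad alg"
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return None, "bad signature"
    if claims.get("iss") != issuer:
        return None, "bad issuer"
    if claims.get("aud") != audience:
        return None, "bad audience"
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + skew:
        return None, "expired"
    if isinstance(claims.get("nbf"), int) and now + skew < claims["nbf"]:
        return None, "not yet valid"
    return claims, "ok"


def authorize(claims, role_assignments, needs_write):
    """Authorization check after validation: the tenant admin assigned the service
    principal Read and/or Write; a Read-only principal may not POST/PUT/DELETE."""
    role = role_assignments.get(claims.get("sub"))
    if role == "Write":
        return True
    return role == "Read" and not needs_write
```

Two details carry the security weight. The front end decides the algorithm itself rather than reading it from the token, which closes the "alg":"none" and key-confusion tricks, and it compares the MAC with hmac.compare_digest so a forger learns nothing from response timing. Authorization runs only on claims that have already passed validation; with the certificate option from step 2 the same structure applies with an RS256 signature check in place of the HMAC.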
TITUS: Paul Reid
Data Security and Governance for Unstructured Information
TITUS solutions protect information assets:
- Prevent data leaks
- Raise user security awareness
- Comply with regulations
TITUS embeds classification metadata into unstructured information: emails, Office documents and other file types.
Over 300 Enterprise Customers Across All Industries; 2 Million TITUS Users
Healthcare, Government, Energy & Utilities, Transportation, Retail, Banking, Military, Insurance, Chemical & Petroleum, Telecom
What the Graph API Means to TITUS
TITUS believes metadata is foundational to information protection; more importantly, TITUS brings context to the application and to the understanding of that metadata. The introduction of a REST-based Graph API to Windows Azure AD provides:
- Access to AD from off premises
- Easier federated access to all hosted tenants
- A social-graph aspect that gives a user's attributes "context" in relation to others
This will facilitate stronger information protection through TITUS products.
TITUS Demonstration Scenario
Marcus has been traveling outside of the office for the past several weeks, sending emails from the road. He needs to send an email to his engineering team members about their current project. Since he has been traveling, he has not heard that Anna has been transferred into Sales. His company has a policy that non-engineering staff cannot receive emails about engineering projects.
TITUS Solution Using the Graph API
1. The TITUS client sends Windows Azure AD an HTTP request, with its token, for the members of the Engineering group.
2. Windows Azure AD returns the Engineering group membership: Derek and Ed. Anna, now in Sales, is no longer a member, so the policy blocks her as a recipient.
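The membership lookup behind this scenario, as an added example that is neither TITUS's nor Microsoft's code: it resolves the Engineering group's effective members through the Members navigation described on the Referenced Links slides, expanding nested groups with a cycle guard, and splits a recipient list into those inside the group and those the policy must block. The directory is a constructed in-memory stand-in for the REST front end (made-up ObjectIds, names and nesting, including a deliberate cycle); UPNs are compared case-insensitively, since a check that compares them as typed would let "Anna@" and "anna@" be treated as different people.

```python
# Added example (not TITUS or Microsoft code): the check behind the scenario above, resolving
# the Engineering group's effective members through Members-style navigation and rejecting
# recipients who are not in it.  A constructed in-memory directory stands in for the REST
# front end; the ObjectIds, names and nesting (including the cycle) are made up.
import collections

# Constructed tenant.  Each object carries the fields the slides show (ObjectId, ObjectType,
# DisplayName, UserPrincipalName); a group's "Members" lists member ObjectIds, which is what
# GET Groups('<id>')/Members would return as objects.
DIRECTORY = {
    "g-engineering": {"ObjectId": "g-engineering", "ObjectType": "Group",
                      "DisplayName": "Engineering", "Members": ["u-derek", "u-ed", "g-platform"]},
    "g-platform": {"ObjectId": "g-platform", "ObjectType": "Group", "DisplayName": "Platform Team",
                   "Members": ["u-marcus", "g-engineering"]},   # nested back into Engineering
    "g-sales": {"ObjectId": "g-sales", "ObjectType": "Group", "DisplayName": "Sales",
                "Members": ["u-anna"]},
    "u-derek": {"ObjectId": "u-derek", "ObjectType": "User", "DisplayName": "Derek",
                "UserPrincipalName": "Derek@contoso.com"},
    "u-ed": {"ObjectId": "u-ed", "ObjectType": "User", "DisplayName": "Ed",
             "UserPrincipalName": "Ed@contoso.com"},
    "u-marcus": {"ObjectId": "u-marcus", "ObjectType": "User", "DisplayName": "Marcus",
                 "UserPrincipalName": "Marcus@contoso.com"},
    "u-anna": {"ObjectId": "u-anna", "ObjectType": "User", "DisplayName": "Anna",
               "UserPrincipalName": "Anna@contoso.com"},      # transferred to Sales
}


def find_group(directory, display_name):
    """Stand-in for GET /Groups?$filter=DisplayName eq '<name>'; returns the group or None."""
    for obj in directory.values():
        if obj["ObjectType"] == "Group" and obj["DisplayName"] == display_name:
            return obj
    return None


def get_members(directory, group_id):
    """Stand-in for GET /Groups('<id>')/Members: the member objects, users and groups alike."""
    return [directory[member_id] for member_id in directory[group_id]["Members"]]


def effective_members(directory, group_id):
    """Breadth-first expansion of nested groups; returns the set of user UPNs, lower-cased
    because UPNs compare case-insensitively.  The visited set ends the walk on cycles."""
    upns, visited = set(), {group_id}
    queue = collections.deque([group_id])
    while queue:
        for member in get_members(directory, queue.popleft()):
            if member["ObjectType"] == "User":
                upns.add(member["UserPrincipalName"].lower())
            elif member["ObjectId"] not in visited:
                visited.add(member["ObjectId"])
                queue.append(member["ObjectId"])
    return upns


def check_recipients(directory, group_name, recipients):
    """Split recipients into those inside the group and those the policy must block.
    An unknown group blocks everyone rather than failing open."""
    group = find_group(directory, group_name)
    if group is None:
        return [], list(recipients)
    allowed_upns = effective_members(directory, group["ObjectId"])
    allowed = [r for r in recipients if r.lower() in allowed_upns]
    blocked = [r for r in recipients if r.lower() not in allowed_upns]
    return allowed, blocked


if __name__ == "__main__":
    to = ["derek@contoso.com", "ed@contoso.com", "anna@contoso.com"]
    deliver, stop = check_recipients(DIRECTORY, "Engineering", to)
    print("deliver:", deliver)
    print("blocked by engineering-only policy:", stop)
```

Against the live API each get_members call is one GET on the group's Members link, so the breadth-first walk also bounds the number of round trips to one per distinct nested group. Failing closed when the group cannot be found is the right default for a data-leak control: a lookup error should block the send, not silently allow it.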
Optimal IdM: Michael Brengs
Michael Brengs, Director of Sales
Mike.Brengs@optimalidm.com
Cell +1-813-376-6020
http://www.optimalidm.com
Overview of Optimal IdM: Company Highlights
- Founded in 2005; 100% organically grown
- Profitable every quarter since inception; no debt or outside investment
- Headquartered in Tampa, Florida; global presence (solutions on 5 continents)
- Core Microsoft Identity & Access Partner: Independent Software Vendor (ISV) and Consulting Partner
- Member of the Security Partner Advisory Council (PAC); meets under NDA with Microsoft on a quarterly basis
What is the Virtual Identity Server (VIS)?
- An LDAP virtual directory: VIS is a proxy server to LDAP
- Provides a real-time proxy of multiple LDAP servers, so applications can support multi-forest environments with no changes to the application
- Data is not stored in VIS; it is proxied
- Additional security and control
- Additional functionality: data transformation
- Adapters (VISAs) to data sources
Office 365 & Cloud Directory
- An out-of-the-box Graph API VISA can read and write to Office 365 (standard LDAP is used to read the cloud directory)
- It will be the mechanism by which the VIS for Office 365 solution provisions and de-provisions to Office 365
Partner: Orcas Consulting
Jeremy Palenchar, Partner, Orcas Consulting
jeremyp@orcasconsulting.com
Announcing: Graph API Management Agent for FIM 2010 from Orcas Consulting
Email: sales@orcasconsulting.com
Demo Environment
- In the cloud: an Azure AD pre-production tenant and a Salesforce.com Orcas development tenant
- On-premises: FIM 2010, importing from and exporting to both cloud tenants
Demo: Graph API Management Agent for FIM 2010
Graph API Development: Thoughts & Lessons Learned
- Easy to consume data using OData for .NET
- Very little custom code for the MA implementation
- Authentication tested using symmetric and PKI (asymmetric) tokens
- FIM MA page size and Graph API continuation tokens
- Reference objects and attributes
switch (currentObjectType)
{
    case "User":
        // First page: ask for $top objects; later pages: follow the continuation (next) link.
        if (importContinuationToken == null)
        {
            requestUri = new Uri(connectionUri + "Users?$top=" + importPageSize);
        }
        else
        {
            requestUri = new Uri(importContinuationToken + "&$top=" + importPageSize);
        }

        QueryOperationResponse<User> response =
            dataService.Execute<User>(requestUri) as QueryOperationResponse<User>;
        importedUsers = response.ToList();

        // GetContinuation() returns null on the last page; keep the next-link URI as a string.
        DataServiceQueryContinuation<User> continuation = response.GetContinuation();
        importContinuationToken = (continuation == null) ? null : continuation.NextLinkUri.AbsoluteUri;
        break;
    ...
}
foreach (Group g in importedGroups)
{
    CSEntryChange group = CSEntryChange.Create();
    group.ObjectModificationType = ObjectModificationType.Add;
    group.ObjectType = "Group";

    // Members is a deferred navigation property: load it explicitly (one extra request per group).
    dataService.LoadProperty(g, "Members");

    foreach (var p in g.GetType().GetProperties())
    {
        ...
    }
}
Preview: POST, Creating a New User
POST /Contoso.com/Users HTTP/1.1
Host: directory.windows.net
Content-Type: application/json;odata=verbose
Authorization: Bearer ey1287Z………
X-ms-dirapi-contract-version: 0.5

{
  "AccountEnabled": true,
  "City": "Seattle",
  "Country": "US",
  "DisplayName": "Bob Jones",
  "GivenName": "Bob",
  "PostalCode": "98125",
  "PreferredLanguage": "EN",
  "State": "WA",
  "StreetAddress": "123 Main Street",
  "Surname": "Jones",
  "UsageLocation": "US",
  "UserPrincipalName": "Bob.Jones@contoso.com"
}
Azure AD Graph API Developer Preview (interface subject to change, no production SLA)
Summer
- July: preview of Read
- Aug: preview of Write
Future
- Additional directory properties
- User authentication/delegation
- ISV commerce scenarios
- Notifications and provisioning
Give us feedback: what do you need?
Getting Started (coming soon)
- Watch this blog: http://blogs.msdn.com/windowsazure
- Review the MSDN content: http://msdn.microsoft.com/en-us/library/hh974476.aspx
- Download the sample application and run it against a test tenant in Windows Azure AD
- Get your own Windows Azure Active Directory test company: Office 365 trial sign-up at www.office365.com
- Configure your tenant, service principal and application; use the provided PowerShell scripts to configure the app and to add sample directory data
- F5: build and run your app, then extend it, play with it, integrate it
- Rate the app, ask questions and give feedback: AzureADGraphFeedback@microsoft.com
Related Content That Was Presented
- SIA209 A Lap Around Windows Azure Active Directory (Monday)
- SIA205 Running AD on Windows Azure VM (Monday)
- OSP321 Active Directory Integration with Microsoft Office 365 (Tuesday)
Find me later: at the party and online
Resources
- Watch this space: http://blogs.msdn.com/windowsazure
- MSDN documentation, Windows Azure AD Graph API: http://msdn.microsoft.com/en-us/library/hh974476.aspx
- Preview sample application download: http://go.microsoft.com/fwlink/?LinkID=95732&clcid=0x409
Why REST for the Directory?
- Broad industry adoption
- Super simple: HTTP GET, PUT, POST, DELETE
- Lots of available client libraries
- http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm
REST for the directory: easy integration with any app on any platform