
Azure Identity Premier Fast Start

Presentation on theme: "Azure Identity Premier Fast Start"— Presentation transcript:

1 Azure Identity Premier Fast Start
Optional Module © 2015 Microsoft Corporation Microsoft Confidential

2 Using the Directory Graph API
Abbreviation – What it stands for
AD – Active Directory
API – application programming interface
CRM – customer relationship management
GA – General Availability
GSM – Global System for Mobile communications
HTTP – Hypertext Transfer Protocol
JSON – JavaScript Object Notation
JWT – JSON Web Token
OAuth – open standard for authorization
OData – Open Data Protocol
URI – Uniform Resource Identifier
URL – Uniform Resource Locator
XML – Extensible Markup Language

3 Graph API Scenarios Reading from Microsoft Azure Active Directory
◦ Implement a people or group picker – list/search users and groups
◦ Design workflows that look up manager/direct-report relationships
◦ Make authorization decisions – determine users' group and role membership
◦ Check the tenant's and users' subscribed services, such as Microsoft Exchange, Microsoft SharePoint, Skype, Microsoft Dynamics CRM, Intune, GSM
◦ Request changed data – "delta changes"
Writing to Azure Active Directory
◦ Update users and groups
◦ Set users' passwords
◦ Add users to groups/roles
◦ Provision/de-provision users

4 What Is Graph RESTful interface for Azure Active Directory
◦ Tenant-specific – queries are scoped to an individual tenant's context
◦ Programmatic access to directory objects such as Users, Groups and Roles
◦ Access to relationships – members, memberOf, manager, directReports
◦ Requests use standard HTTP methods: GET, POST, PATCH and DELETE for read, create, update and delete
◦ Responses support JSON, XML and standard HTTP status codes
◦ Compatible with OData V3
◦ OAuth 2.0 bearer tokens for access; the application's permissions come from role-based assignment
The goals of this interface are:
◦ Make it easy for applications to integrate with Microsoft Azure Active Directory
◦ Lay the foundation for higher-level capabilities: lookups, people pickers, security group membership, cross-company collaboration, etc.
◦ Provide high usability and interoperability

5 What Is REST REST – Representational State Transfer
◦ Originated in Roy Fielding's Ph.D. dissertation
◦ An architectural style, not a protocol
◦ Describes how HTTP should be used for accessing data
RESTful web services expose resources through a URI; a resource is manipulated with the standard verbs PUT, GET, POST and DELETE

6 Authentication and Authorization to Graph API
Graph uses Azure AD for authentication, and clients must authenticate before using the Graph. Service-to-service calls use the OAuth 2.0 client credentials grant type:
1. The application requests a JWT token from the Azure AD authentication endpoint (OAuth), passing its input claims
2. Azure AD returns the token
3. The application sends an HTTP request carrying the JWT token to the REST service (the Graph)
4. The REST service validates the token, performs the authorization check, processes the request, and returns the response and data

The Graph also supports the OAuth 2.0 authorization code grant type, which includes user authentication and delegation. After the user authenticates and approves delegated access, the client app receives an authorization code, which it redeems for an access token (and a refresh token).

The client's authentication method is fixed when the application's service principal is created. Two methods:
◦ Shared symmetric key (default)
◦ X.509 certificate (asymmetric)

The symmetric key is essentially a password. It can be supplied during service principal creation via PowerShell, or Azure AD can generate one. Remember that it cannot be retrieved again once created, and that it has an expiration date which should be monitored. PowerShell example:
New-MsolServicePrincipal -DisplayName "myapp1" -ServicePrincipalNames @("appClass/MyApp9.com") -Type symmetric -Usage verify -StartDate 5/17/ -EndDate 5/17/2014
Certificate-based authentication is more complex to configure: a public/private key pair, where the application holds the private key and Azure AD holds the public portion.

7 Query Format
A request URL is built from:
◦ Graph URL (static)
◦ Tenant of interest – can be the tenant's verified domain or its objectId
◦ Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
◦ API version – " " is the supported GA version
◦ Optional OData query arguments: $filter, $top (the slide's sample filter ends in eq 'WA')

8 Other Examples of Read Operations
Request – Description
(request) – Returns tenant-level information including company name, technical contact and subscriptions
(request) – Returns a group's members
eq 'Adam Barr'&api-version= – Uses an OData filter to get a specific user
ge 'A' and displayName le 'F'&api-version= – Filters for a range of users
(request) – An example OData filter using startswith
(request) – An example OData filter using the any operator: search for users who have a proxy address starting with 'SMTP:ad'
(request) – Gets a user's group membership
(request) – Gets an individual user's manager
(request) – Gets an individual user's direct reports
(request) – Returns roles
(request) – Returns all subscriptions that the tenant owns
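The read requests above all share the query format of slide 7, and the $filter examples interpolate a value into an OData expression. In a people picker that value comes from the user, so the single quote must be escaped (OData doubles it) or a crafted search term rewrites the filter. The following builder is an added example written for this page, not code from the presentation; it assumes the static Graph URL https://graph.windows.net from the slides, takes the api-version string as a parameter because the transcript does not reproduce it, and uses the filter shapes the slide lists (eq, ge/le range, startswith).

```python
import urllib.parse

# Static Graph URL from the slides; the api-version value is a parameter because
# this transcript does not reproduce it.
GRAPH_URL = "https://graph.windows.net"
# Characters left readable in the query string; everything else is percent-encoded.
_QUERY_SAFE = "$'(),:"


def odata_string(value):
    """Render a Python string as an OData string literal.

    OData escapes an embedded single quote by doubling it. A people picker that
    pastes the search term straight into $filter breaks on O'Brien and lets a
    crafted term widen or rewrite the filter (OData filter injection).
    """
    return "'" + value.replace("'", "''") + "'"


def build_graph_url(tenant, entity, api_version, odata_filter=None, top=None):
    """Assemble GRAPH_URL/{tenant}/{entity}?api-version=...[&$filter=...][&$top=...]."""
    # The tenant segment is a verified domain or an objectId, never a path.
    if not tenant or any(c in tenant for c in "/?#"):
        raise ValueError("tenant must be a verified domain name or objectId")
    params = [("api-version", api_version)]
    if odata_filter:
        params.append(("$filter", odata_filter))
    if top is not None:
        params.append(("$top", str(int(top))))
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote, safe=_QUERY_SAFE)
    return f"{GRAPH_URL}/{urllib.parse.quote(tenant, safe='')}/{entity}?{query}"


def user_by_display_name(tenant, api_version, name):
    """Slide: $filter=displayName eq 'Adam Barr'."""
    return build_graph_url(tenant, "users", api_version,
                           f"displayName eq {odata_string(name)}")


def users_in_name_range(tenant, api_version, first, last, top=None):
    """Slide: $filter=displayName ge 'A' and displayName le 'F'."""
    expr = f"displayName ge {odata_string(first)} and displayName le {odata_string(last)}"
    return build_graph_url(tenant, "users", api_version, expr, top)


def users_with_name_prefix(tenant, api_version, prefix):
    """Slide: an OData filter using startswith."""
    return build_graph_url(tenant, "users", api_version,
                           f"startswith(displayName,{odata_string(prefix)})")


def group_members(tenant, api_version, group_object_id):
    """Slide: returns a group's members (navigation property, no filter needed)."""
    path = f"groups/{urllib.parse.quote(group_object_id, safe='')}/members"
    return build_graph_url(tenant, path, api_version)
```

Because the literal is escaped before it is encoded, a search term like `x' or startswith(displayName,'` reaches the Graph as the harmless literal `'x'' or startswith(displayName,'''` instead of a second predicate; `$top` is coerced to an integer for the same reason.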

9 Graph API Write Operations
Create a New User
POST
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY
{
  "accountEnabled": true,
  "displayName": "New User",
  "passwordProfile": { "forceChangePasswordNextLogin": true },
  "mailNickname": "NewUser"
}
RESPONSE: 201 Created
Notes
1. The password must meet the tenant's accepted password complexity requirements
2. The minimum set of properties to create a user is shown in the example above
3. Setting the user's usage location is not shown above
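The body as transcribed above omits passwordProfile.password and userPrincipalName, which the Graph also requires when creating a user (taken here from the Graph reference, not from the slide). The following is an added example, not code from the presentation: it builds the create-user body with a generated one-time password instead of a hard-coded one, forces a change at first sign-in, and covers the usage location that note 3 leaves out. The complexity rule it enforces (at least 8 characters from at least three of four character classes) is an assumed tenant policy; the slide only says the password must satisfy the tenant's requirements.

```python
import json
import secrets
import string

SYMBOLS = "!@#$%^&*"
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)


def password_classes(pwd):
    """Number of character classes (upper, lower, digit, symbol) present in pwd."""
    return sum(any(c in cls for c in pwd) for cls in CLASSES)


def generate_initial_password(length=12):
    """Random one-time password with at least three of the four classes.

    Assumed tenant policy: 8+ characters, three of four classes. A stricter
    policy is reflected by raising these thresholds.
    """
    if length < 8:
        raise ValueError("initial password must be at least 8 characters")
    alphabet = "".join(CLASSES)
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_classes(pwd) >= 3:
            return pwd


def new_user_body(display_name, mail_nickname, user_principal_name,
                  usage_location=None, password=None):
    """Build the JSON body for POST /{tenant}/users.

    userPrincipalName and passwordProfile.password are required by the Graph
    even though the slide's body omits them. The password is generated unless
    one is supplied, and the user must change it at first sign-in.
    """
    if "@" not in user_principal_name:
        raise ValueError("userPrincipalName must be user@verified-domain")
    if password is not None and (len(password) < 8 or password_classes(password) < 3):
        raise ValueError("password does not meet the assumed complexity policy")
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": user_principal_name,
        "passwordProfile": {
            "password": password or generate_initial_password(),
            "forceChangePasswordNextLogin": True,
        },
    }
    if usage_location is not None:
        # Two-letter ISO 3166 country code; needed before a licence can be assigned.
        if len(usage_location) != 2 or not usage_location.isalpha():
            raise ValueError("usageLocation must be a two-letter country code")
        body["usageLocation"] = usage_location.upper()
    return body


def create_user_request(tenant, api_version, bearer_token, body):
    """Return (method, url, headers, encoded_body) matching the slide's request."""
    url = f"https://graph.windows.net/{tenant}/users?api-version={api_version}"
    headers = {"Content-Type": "application/json",
               "Authorization": "Bearer " + bearer_token}
    return "POST", url, headers, json.dumps(body).encode("utf-8")
```

The generated password is returned to the caller only inside the body, so the provisioning code should hand it to the user out of band and never log the request body; with forceChangePasswordNextLogin set, the initial value is dead after the first sign-in.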

10 Implementation on the App
POST
HEADERS
Content-Type: application/x-www-form-urlencoded
BODY
grant_type=client_credentials
&resource=https%3a%2f%2fgraph.windows.net
&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e
&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm44uk1A%2BpIlM%3D
RESPONSE 200 OK
Notes
OAuth 2.0 client credentials grant type; client_id and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications. The secret is percent-encoded in the form body: the '/', '+' and '=' characters of the generated secret appear as %2F, %2B and %3D.
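The token request above and the four-step flow of slide 6 together, as an added example written for this page rather than code from the presentation. It builds the client-credentials form body exactly as shown (with the secret percent-encoded), decodes the returned JWT to check its header and claims before the application attaches it to a Graph request, and constructs a sample token offline so the checks can be exercised without a tenant. The token endpoint https://login.microsoftonline.com/{tenant}/oauth2/token, the claim names (aud, iss, exp, appid, tid) and the api-version value are assumptions not shown on the slides; the client_id and secret are the slide's sample values. The signature is deliberately not verified here: that is the Graph's job in step 4, and a client cannot do it without Azure AD's signing certificate.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Azure AD token endpoint; the tenant segment is the tenant's domain or objectId.
# Assumed for this example: the slide shows only the form body.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH_RESOURCE = "https://graph.windows.net"


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client-credentials grant.

    urlencode percent-encodes the secret; generated secrets contain '/', '+'
    and '=', which must become %2F, %2B and %3D as in the slide's sample body.
    """
    form = {
        "grant_type": "client_credentials",
        "resource": GRAPH_RESOURCE,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(form)


def request_token(tenant, client_id, client_secret):
    """Steps 1 and 2 of the flow: POST the grant, return the parsed response (needs network)."""
    url, body = build_token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode("ascii"), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)   # JWT segments drop base64 padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Split a compact JWT into (header, claims) WITHOUT verifying the signature.

    Only the resource (the Graph) verifies the RS256 signature; the client
    inspects claims so it never sends a token minted for another resource, or
    an expired one, to the Graph.
    """
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def check_access_token(token, expected_aud=GRAPH_RESOURCE, now=None):
    """True if the token is RS256-signed, issued for expected_aud and not expired."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    return (header.get("alg") == "RS256"
            and claims.get("aud") == expected_aud
            and claims.get("exp", 0) > now)


def make_sample_token(aud=GRAPH_RESOURCE, exp=None,
                      tenant_id="00000000-0000-0000-0000-000000000000"):
    """Constructed token for offline demonstration; the signature is a dummy."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": "sample-thumbprint"}
    claims = {"aud": aud, "iss": f"https://sts.windows.net/{tenant_id}/",
              "exp": int(exp if exp is not None else time.time() + 3600),
              "appid": "52752c8e-d73c-4f9a-a0f9-2d75607ecb8e", "tid": tenant_id}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "c2lnbmF0dXJl"])


def graph_request(token, tenant, path, api_version):
    """Step 3 of the flow: the authenticated GET the application sends to the Graph."""
    if not check_access_token(token):
        raise ValueError("token is not a usable access token for the Graph")
    url = f"{GRAPH_RESOURCE}/{tenant}/{path}?api-version={api_version}"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token,
                                                "Accept": "application/json"})
```

Typical use is `resp = request_token(tenant, client_id, client_secret)` followed by `urllib.request.urlopen(graph_request(resp["access_token"], tenant, "users", api_version))`; the secret should come from configuration or a key store, never from source, and the token response should be cached until shortly before its exp rather than requested per call.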


