Deep Dive into Cloud Identity, Identity Bridging and Cloud Tokens - EWUG.DK - Level 200-300 Peter Selch Dahl - Sr. IT Architect, Cloud and.

Presentation transcript:

1 Deep Dive into Cloud Identity, Identity Bridging and Cloud Tokens - EWUG.DK - Level 200-300
Peter Selch Dahl - Sr. IT Architect, Cloud and IT Infrastructure

2

3 Empowering users
Enable your users, a people-centric approach, protect your data, unify your environment. (diagram: users, devices, apps, data, IT)

4 Identity as the control plane
Simple connection, self-service, single sign-on with one username and password. (diagram: on-premises Windows Server Active Directory and other directories connected through Microsoft Azure Active Directory to SaaS apps, Azure, Office 365 and public cloud)

5 What is Azure Active Directory?
A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. It is available in three editions: Free, Basic and Premium.

6 What is Azure Active Directory?
Your directory in the cloud. Centrally managed identities and access. Monitor and protect access to cloud applications. Empower users.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7 Your Directory on the cloud
Connect and sync on-premises directories with Azure through Azure Active Directory Connect. (diagram: Microsoft Azure Active Directory; other directories reached through PowerShell, LDAP v3, SQL (ODBC) and web services (SOAP, Java, REST) connectors)

8 Your Directory on the cloud
Connect and sync on-premises directories with Azure. 2400+ preintegrated popular SaaS apps. (diagram: Microsoft Azure Active Directory, SaaS apps, other directories)

9 Your Directory on the cloud
Connect and sync on-premises directories with Azure. 2500+ preintegrated popular SaaS apps. Easily publish on-premises web apps via Azure Active Directory Application Proxy. Custom apps through a rich standards-based platform. Identities and applications in one place. (diagram: Microsoft Azure, other directories, SaaS apps, web apps, integrated custom apps)

10 Centrally managed identities and access
Comprehensive identity and access management console. Centralized access administration for preintegrated SaaS apps and other cloud-based apps. Secure business processes with advanced access management capabilities. Your cloud apps ready when you are. (diagram: IT professional, SaaS apps)

11 Rich standards-based platform for developers
- Custom LOB applications can integrate with Azure Active Directory
- Sign in to Active Directory-integrated applications with cloud identities
- Active Directory-integrated applications can access Office 365 and other web APIs
- Applications can extend the Azure Active Directory schema
- Cross-platform support (iOS, Android, and Windows)
- Open standards (SAML, OAuth 2.0, OpenID Connect, OData 3.0)
(diagram: Microsoft Azure Active Directory exposing OAuth 2.0 and OpenID Connect, SAML, WS-Federation, the REST-based Graph API and SCIM)

12 Now the stage is set - Let’s get started
November 10, 2018 @EWUGDK

13 Agenda
- Identity needs of today’s apps
- Azure Active Directory
- Scenarios and how they work
- Special guest
- Protocols, libraries, and resources

14 What I will be talking about….

15 Azure AD Authentication Library

16 Azure AD Authentication Library

17 Introducing MSAL (Microsoft Authentication Library)

18 We expose hard choices to developers
(diagram: Azure, MSA, AAD, Office, BOTH)

19 We expose hard choices to end-users
(diagram of sign-in choices: outlook.office.com, outlook.com, ???, ???)

20 MSAL: Putting it together with the applications

21 Registering an Application
An organization (e.g. Contoso) has an Azure AD tenant. Azure AD will only issue tokens to an application registered in the tenant. How does an application get registered in a tenant?

22 Two Cases…
Single-tenant application
- App for users in a single organization
- Admin or user registers the app in the directory tenant
- Sign in at:
Multi-tenant application
- App for users in multiple organizations
- Admin or user registers the app in the developer’s directory tenant
- Admin configures the application to be multi-tenant
- Sign in at:
- User is prompted to consent based on the permissions required by the application
- Consent registers the application in the user’s tenant

23 Consent
- Users can consent to apps that access personal information only
- Admins must consent to apps that require broader permissions
- Admins can consent on behalf of all users in an organization

24 Microsoft Graph API: Azure AD behind the scenes

25 Microsoft Graph API: Azure AD behind the scenes

26 Microsoft Graph API: Azure AD behind the scenes
Getting Azure AD devices using Graph. Getting Azure AD information, behind the scenes…

27 Microsoft Identity: Bridging the GAP

28 Microsoft Identity: Bridging the GAP

29 Microsoft Identity: Bridging the GAP
(diagram, the two sides in parallel)
Cloud: username + password -> Microsoft Azure Active Directory -> Primary Refresh Token (PRT) -> Office 365, Intune, OneDrive, Dynamics
On-premises: username + password -> Windows Server Active Directory -> TGT -> Kerberos ticket

30 Microsoft Identity: Bridging the GAP
(diagram) Cloud: PRT from Microsoft Azure Active Directory -> SSO token -> Intune, OneDrive, Office 365, Dynamics. On-premises: TGT from Windows Server Active Directory -> Kerberos ticket.

31 AzureAD: Primary Refresh Tokens

32 AzureAD: Primary Refresh Tokens
Dave authenticates to Microsoft Azure Active Directory as part of the Windows 10 logon process.

33 AzureAD: Primary Refresh Tokens
A Primary Refresh Token (PRT) is returned by Azure AD and cached by Windows 10.

34 AzureAD: Primary Refresh Tokens
(diagram: Windows 10, Microsoft Azure Active Directory, Office 365)

35 AzureAD: Primary Refresh Tokens
Windows 10 to Azure AD: “Here is my PRT, can I please have an SSO token for Office 365?”

36 AzureAD: Primary Refresh Tokens
Azure AD to Windows 10: “Your PRT checks out, so here is the SSO token you asked for.”

37 AzureAD: Primary Refresh Tokens
Windows 10 to Office 365: “Here is my Office 365 SSO token, give me access please.”
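The exchange on slides 32 to 37, as an added example that is not part of the presentation: a small Python simulation in which a registered Windows 10 device logs on once, caches a PRT, and afterwards trades it silently for per-resource SSO tokens, exactly the three messages the slides show. The token format (HMAC-sealed JSON), the lifetimes, the user, the device ids and the resource names are constructed for the example; the real PRT format and its cryptographic binding to the device are not modelled, and the resource verifies tokens through the fake Azure AD only as a shortcut. The failure cases at the end are the ones a practitioner should expect the real flow to refuse: a token for one resource presented at another, the PRT itself presented as an access token, a PRT replayed from a different device, an expired PRT, and a forged PRT.

```python
# Added example, not the presentation's code: simulation of the PRT exchange on slides 32-37. Tokens are
# HMAC-sealed JSON kept by a fake Azure AD; lifetimes, user, device ids and resource names are constructed.
import hashlib, hmac, json, secrets

PRT_LIFETIME = 14 * 24 * 3600      # assumed for the example, not stated on the slides
ACCESS_LIFETIME = 3600             # assumed for the example

class FakeAzureAD:
    def __init__(self):
        self._key = secrets.token_bytes(32)                         # stands in for the token-signing key
        self.users = {"dave@contoso.onmicrosoft.com": "constructed-password"}
        self.registered_devices = {"WIN10-DAVE"}                    # devices joined/registered to the tenant

    def _seal(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True)
        return body + "|" + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _open(self, token: str) -> dict:
        body, _, tag = token.rpartition("|")
        if not hmac.compare_digest(tag, hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()):
            raise PermissionError("token tampered or not ours")
        return json.loads(body)

    def logon(self, user: str, password: str, device_id: str, now: int) -> str:
        """Slides 32-33: username + password at Windows logon -> PRT, which the device caches."""
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        if device_id not in self.registered_devices:
            raise PermissionError("device not registered in the tenant")
        return self._seal({"typ": "PRT", "sub": user, "device": device_id, "exp": now + PRT_LIFETIME})

    def sso_token(self, prt: str, device_id: str, resource: str, now: int) -> str:
        """Slides 35-36: 'here is my PRT, can I have an SSO token for <resource>'."""
        t = self._open(prt)
        if t["typ"] != "PRT" or t["exp"] <= now:
            raise PermissionError("PRT invalid or expired, interactive logon needed")
        if t["device"] != device_id:
            raise PermissionError("PRT presented from a different device")
        return self._seal({"typ": "access", "sub": t["sub"], "aud": resource, "exp": now + ACCESS_LIFETIME})

class Resource:
    """Office 365, Intune, OneDrive or Dynamics. Slide 37: 'here is my SSO token, give me access'."""
    def __init__(self, name: str, aad: FakeAzureAD):
        self.name, self._aad = name, aad

    def access(self, token: str, now: int) -> str:
        t = self._aad._open(token)       # shortcut: a real resource verifies the token's signature itself
        if t["typ"] != "access":
            raise PermissionError("a PRT is not an access token")
        if t["aud"] != self.name:
            raise PermissionError(f"token is for {t['aud']}, not {self.name}")
        if t["exp"] <= now:
            raise PermissionError("access token expired")
        return f"{t['sub']} -> {self.name}: access granted"

class Windows10Device:
    """Logs on once, caches the PRT, then trades it silently for per-resource tokens."""
    def __init__(self, device_id: str, aad: FakeAzureAD):
        self.device_id, self._aad, self.prt, self._cache = device_id, aad, None, {}

    def logon(self, user: str, password: str, now: int):
        self.prt = self._aad.logon(user, password, self.device_id, now)

    def token_for(self, resource: str, now: int) -> str:
        token, exp = self._cache.get(resource, (None, 0))
        if exp <= now:                                              # no prompt: the PRT is the credential
            token = self._aad.sso_token(self.prt, self.device_id, resource, now)
            self._cache[resource] = (token, now + ACCESS_LIFETIME)
        return token

def demo() -> dict:
    aad = FakeAzureAD()
    office, intune = Resource("Office 365", aad), Resource("Intune", aad)
    pc = Windows10Device("WIN10-DAVE", aad)
    now = 1541808000                                                # 2018-11-10 UTC, constructed
    pc.logon("dave@contoso.onmicrosoft.com", "constructed-password", now)
    out = {"office": office.access(pc.token_for("Office 365", now), now),
           "intune": intune.access(pc.token_for("Intune", now), now)}
    later = now + 2 * ACCESS_LIFETIME                               # access token expired, PRT still good
    out["silent_refresh"] = office.access(pc.token_for("Office 365", later), later)
    attempts = {"office_token_at_intune": lambda: intune.access(pc.token_for("Office 365", now), now),
                "prt_used_as_access_token": lambda: office.access(pc.prt, now),
                "prt_from_other_device": lambda: aad.sso_token(pc.prt, "ATTACKER-VM", "Office 365", now),
                "prt_expired": lambda: aad.sso_token(pc.prt, "WIN10-DAVE", "Office 365", now + PRT_LIFETIME),
                "forged_prt": lambda: aad.sso_token(pc.prt[:-1] + ("0" if pc.prt[-1] != "0" else "1"), "WIN10-DAVE", "Office 365", now)}
    for label, attempt in attempts.items():
        try:
            out[label] = attempt()
        except PermissionError as err:
            out[label] = f"denied: {err}"
    return out
```

The design point the slides make is visible in `Windows10Device.token_for`: the user is never asked for a password again while the PRT is valid, so the PRT is the credential worth protecting on the device, and the per-resource token is only useful at the audience it was minted for.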

38 What’s In A Token? (In Brief)
Claim       Example                         Intended purpose
Tenant ID   81aabdd fd-9efa-2cb2fcea8557    Immutable tenant identifier
Name                                        Display only
First Name  Peter
Last Name   Dahl
Object ID   b c28-4e43-870d-fa7d38636dcd    Immutable security identifier
The token also contains group information.

39 Azure AD Token Signing Key
- Tokens for all tenants are signed by the same key
- Keys are published via metadata
- Keys roll on a periodic basis
- Your app must handle: periodically refreshing keys from metadata, and handling multiple keys
- Our samples and libraries do this automatically
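Slides 38 and 39 together, as an added example that is neither the presentation's nor Microsoft's code: a Python relying party that validates a token shaped like the one on slide 38, looks the signing key up by `kid` in the published key set, refreshes its cached set when an unknown `kid` appears after a rollover, keeps both keys during the overlap, and only then checks `tid`, issuer, audience and validity window. The RSA key pairs are toy keys generated inside the block (they stand in for the key Azure AD signs with); the tenant ids, kids, audience, claim values and the v1-style issuer form `https://sts.windows.net/{tid}/` are assumptions for the example. It also shows the rejections a validator must produce: a tampered payload, `alg` none, a correctly signed token from a tenant the app does not serve (the check a multi-tenant app from slide 22 must not skip), and an expired token.

```python
# Added example, not the presentation's code: relying-party validation of an Azure AD style JWT against JWKS
# metadata, with key rollover. Keys, tenant ids, kids, audience and claim values are constructed for the example.
import base64, hashlib, hmac, json, random
TENANT = "11111111-2222-3333-4444-555555555555"   # constructed tenant id
AUDIENCE = "api://contoso-lob-app"                 # constructed App ID URI of the relying party
b64url_encode = lambda data: base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
b64url_decode = lambda text: base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def gen_rsa_key(bits: int = 512):
    # Toy key pair standing in for the token service's signing key; Fermat test only, example use.
    e, primes = 65537, []
    while len(primes) < 2:
        cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1       # full-size and odd
        if (cand - 1) % e and cand not in primes and all(pow(a, cand - 1, cand) == 1 for a in (2, 3, 5, 7)):
            primes.append(cand)                                                # e prime, so gcd(e, phi) == 1
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()  # DigestInfo
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:   # whole-EM compare, no lenient padding parse
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), pkcs1_v15_encode(msg, k))

def public_jwk(kid: str, n: int, e: int) -> dict:
    enc = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(n), "e": enc(e)}

def issue_token(claims: dict, kid: str, n: int, d: int) -> str:   # token-service side: header names the signing key
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in ({"typ": "JWT", "alg": "RS256", "kid": kid}, claims))
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

class TokenValidator:   # relying-party side: caches every published key, refreshes on an unknown kid
    def __init__(self, fetch_jwks, audience: str, allowed_tenants: set):
        self.fetch_jwks, self.audience, self.allowed_tenants = fetch_jwks, audience, allowed_tenants
        self.refreshes, self.keys = 0, {}
    def _refresh(self):
        self.refreshes += 1   # production: rate-limit this, a bogus kid can trigger it at will
        self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"] if k.get("kty") == "RSA"}
    def validate(self, token: str, now: int) -> dict:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "RS256":
            raise ValueError("unexpected alg")          # never let the token pick 'none' or HS256
        if header.get("kid") not in self.keys:
            self._refresh()                             # rollover: a kid we have not cached appeared
        jwk = self.keys.get(header.get("kid"))
        if jwk is None:
            raise ValueError("unknown kid")
        n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
        if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p_b64))
        if claims.get("tid") not in self.allowed_tenants:
            raise ValueError("tenant not allowed")      # the check a multi-tenant app must not skip
        if claims.get("iss") != f"https://sts.windows.net/{claims['tid']}/":   # v1 issuer form (assumed)
            raise ValueError("issuer mismatch")
        if claims.get("aud") != self.audience:
            raise ValueError("audience mismatch")
        if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
            raise ValueError("token not within validity window")
        return claims

def demo(seed: int = 7) -> dict:
    random.seed(seed)                                   # deterministic toy keys, example only
    old_n, old_e, old_d = gen_rsa_key()
    new_n, new_e, new_d = gen_rsa_key()
    published = {"keys": [public_jwk("kid-2018-10", old_n, old_e)]}   # what the keys endpoint serves
    validator = TokenValidator(lambda: published, AUDIENCE, {TENANT})
    now = 1541808000                                    # 2018-11-10 UTC, constructed
    claims = {"iss": f"https://sts.windows.net/{TENANT}/", "aud": AUDIENCE, "tid": TENANT, "name": "Peter Dahl",
              "oid": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", "nbf": now, "exp": now + 3600}
    tok_old = issue_token(claims, "kid-2018-10", old_n, old_d)
    result = {"old_key_ok": validator.validate(tok_old, now)["oid"] == claims["oid"]}
    published["keys"].append(public_jwk("kid-2018-11", new_n, new_e))   # rollover: new key published...
    tok_new = issue_token(claims, "kid-2018-11", new_n, new_d)           # ...and used for new tokens
    result["new_key_ok"] = validator.validate(tok_new, now)["tid"] == TENANT
    result["refreshed_on_rollover"] = validator.refreshes == 2
    result["old_key_still_ok"] = validator.validate(tok_old, now)["aud"] == AUDIENCE  # both keys cached
    forged = b64url_encode(json.dumps(dict(claims, name="Mallory"), separators=(",", ":")).encode())
    other = "9" * 8 + TENANT[8:]                        # a tenant the app does not serve
    bad = {"tampered_payload": tok_new.replace(tok_new.split(".")[1], forged),
           "alg_none": b64url_encode(b'{"alg":"none","kid":"kid-2018-11"}') + f".{forged}.",
           "other_tenant": issue_token(dict(claims, tid=other, iss=f"https://sts.windows.net/{other}/"), "kid-2018-11", new_n, new_d),
           "expired": issue_token(dict(claims, exp=now - 1), "kid-2018-11", new_n, new_d)}
    for label, token in bad.items():
        try:
            validator.validate(token, now)
            result[label] = "accepted"
        except ValueError as err:
            result[label] = str(err)
    return result
```

In production the `fetch_jwks` callable is an HTTPS GET of the keys document referenced from the tenant's OpenID metadata, and the refresh it triggers should be rate-limited, since anyone can send a token with a made-up `kid`. The order of checks also matters: the signature is verified before any claim is trusted, and the tenant allow-list is consulted before the issuer string is compared, because a multi-tenant app that only checks "iss looks like an Azure AD issuer" accepts tokens from every tenant in the world.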

40 AzureAD: Tokens
Kerberos maximum lifetime for service ticket: 10 hours before the user has to fetch a new ticket from the domain controller internally (validation).
Session timeouts for Office 365 Modern Authentication.
At some point we also need to talk “Modern Authentication” through with you, but I don’t think the time is ripe for that yet; it is closely tied to EMS (Conditional Access). “Modern Authentication”: Basic Authentication. ADFS token: 8 hours (that is the Microsoft default).

41 Questions and Answers Thanks

42 AzureAD: Azure Association

