
A Lap Around Windows Azure Active Directory

SIA209. A Lap Around Windows Azure Active Directory. Stuart Kwan, Lead Principal Program Manager, Microsoft Corporation. What is Windows Azure Active Directory? An extension of Active Directory into the cloud, designed primarily to meet the needs of cloud applications.


Presentation Transcript


  1. SIA209: A Lap Around Windows Azure Active Directory
     Stuart Kwan, Lead Principal Program Manager, Microsoft Corporation

  2. What is Windows Azure Active Directory?
     • Extension of Active Directory into the cloud
     • Designed primarily to meet the needs of cloud applications
     • Identity as a service: an essential part of Platform as a Service
     [Diagram: Azure AD sitting between on-premises AD and several cloud apps]

  3. Problem Statement
     • While enterprises are working to consolidate identity systems on-premises, cloud apps are fragmenting identity… again
     [Diagram: each cloud app wired to AD on its own, annotated "Separate username/password sign-in", "Manual or semi-automated provisioning", "No direct connection to directory"]

  4. History of Azure Active Directory
     • Active Directory revised to operate as an Internet-scale, multi-tenant identity service, built concurrently with Office 365
     • Extends Windows Server Active Directory into the cloud
     • Provides cloud-based identity services for organizations without Windows Server AD
     [Diagram: Exchange Online, SharePoint Online and Lync Online built on Azure AD, with on-premises AD alongside]

  5. Identity Management as a Service
     • Consolidate identity management across cloud apps
     • Connect to the directory from any platform, any device
     • Connect with people from web identity providers and other organizations
     [Diagram: ISV apps, Office 365, your custom IT app and other Microsoft apps all connected to Azure AD, which links to AD]

  6. Relationship to Windows Server AD
     • On-premises and cloud Active Directory managed as one
     • Directory information synchronized to the cloud, made available to cloud apps via role-based access control
     • Federated authentication enables single sign-on to cloud applications
     [Diagram: AD connected to Azure AD through sync and federation]

  7. How Does a Cloud App Connect to Directory?
     [Diagram: Contoso.com Directory and a Cloud Application, with question marks on the connections between them]

  8. Anatomy of a Typical Cloud Application
     • Clients using a wide variety of devices/languages/platforms: browser, mobile app, server app
     • Server applications using a wide variety of platforms/languages: web applications, web service APIs
     • An account and profile store behind them
     [Diagram: browser, mobile app and server app clients calling web applications and web service APIs, all backed by the account and profile store]

  9. Azure Active Directory Design Principles
     The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory:
     • Maximize device & platform reach
     • HTTP/web/REST-based protocols
     • Multi-tenancy
     • Customer owns the directory, not Microsoft
     • Optimize for availability, consistent performance, and scale
     • Keep it simple

  10. Directory Graph API
     • RESTful programmatic access to the directory
       • Objects such as users, groups, roles, licenses
       • Relationships such as member, memberOf, manager, directReport
     • Requests use standard HTTP methods
       • POST, GET, PATCH, DELETE to create, read, update, and delete
     • Response in XML or JSON; standard HTTP status codes
     • Compatible with OData 3.0
     • OAuth 2.0 for authentication
     • Role-based assignment for application and user authorization

  11. Example Directory Graph Call
     • Request: https://directory.windows.net/contoso.com/Users('Ed@contoso.com')
     • Response (elements have been edited to fit on the slide):
       {
         "d": {
           "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/Manager" },
           "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('User...')/MemberOf" },
           "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
           "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
           "ObjectType": "User",
           "AccountEnabled": true,
           "DisplayName": "Ed Blanton",
           "GivenName": "Ed",
           "Surname": "Blanton",
           "UserPrincipalName": "Ed@contoso.com",
           "Mail": "Ed@contoso.com",
           "JobTitle": "Vice President",
           "Department": "Operations",
           "TelephoneNumber": "4258828080",
           "Mobile": "2069417891",
           "StreetAddress": "One Main Street",
           "PhysicalDeliveryOfficeName": "Building 2",
           "City": "Redmond",
           "State": "WA",
           "Country": "US",
           "PostalCode": "98007"
         }
       }
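As an added example (not code from the deck), a small Python helper for the call on slide 11: it builds the Users('…') key URL with OData literal escaping so a crafted user principal name cannot break out of the quoted key, and it unwraps the OData 3.0 "d" envelope of the response, keeping the immutable ObjectId as the app's key. The sample response is constructed from the slide's values, and the check that navigation links stay under the tenant's Graph URL is my own addition.

```python
import json
from urllib.parse import quote

GRAPH_BASE = "https://directory.windows.net"   # endpoint as shown on slide 11

def user_url(tenant: str, upn: str) -> str:
    """Build .../Users('<upn>'): an OData string literal escapes ' as '', then the
    key is URL-encoded so a crafted UPN cannot break out of the quoted literal."""
    literal = upn.replace("'", "''")
    return f"{GRAPH_BASE}/{quote(tenant, safe='')}/Users('{quote(literal, safe='@')}')"

# Constructed sample, trimmed like the slide; "d" is the OData 3.0 verbose-JSON envelope.
SAMPLE_RESPONSE = json.dumps({"d": {
    "Manager": {"uri": "https://directory.windows.net/contoso.com/Users('User...')/Manager"},
    "MemberOf": {"uri": "https://directory.windows.net/contoso.com/Users('User...')/MemberOf"},
    "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectType": "User", "AccountEnabled": True,
    "DisplayName": "Ed Blanton", "UserPrincipalName": "Ed@contoso.com",
    "Mail": "Ed@contoso.com", "JobTitle": "Vice President", "Department": "Operations",
}})

def parse_user(body: str, tenant: str) -> dict:
    """Unwrap the envelope, reject anything that is not an enabled User, and keep the
    immutable ObjectId as the app's key. Deferred navigation links (Manager, MemberOf)
    are kept only when they stay under this tenant's Graph URL (added safeguard)."""
    d = json.loads(body).get("d")
    if not isinstance(d, dict) or d.get("ObjectType") != "User":
        raise ValueError("response is not a User object")
    if d.get("AccountEnabled") is not True:
        raise ValueError("account is disabled")
    prefix = f"{GRAPH_BASE}/{tenant}/"
    links = {}
    for name, value in d.items():
        if isinstance(value, dict) and "uri" in value:
            if not value["uri"].startswith(prefix):
                raise ValueError(f"navigation link {name} points outside the tenant")
            links[name] = value["uri"]
    return {"id": d["ObjectId"], "upn": d["UserPrincipalName"],
            "name": d["DisplayName"], "department": d.get("Department"), "links": links}
```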

  12. Demo: Sample Expense Reporting Application in the Cloud

  13. An authorized user creates a principal in the directory for the app, and authorizes it to use the directory by associating it with a role
     [Diagram: Contoso.com Directory holding a Service Principal bound to a Role (Read); the Authorized User performs the setup; the Cloud Application with its Profile Store, and the End User]

  14. The end user authenticates to the directory to get a token to call the cloud app
     [Diagram: End User performs user AuthN against Contoso.com Directory, receives token t1, and presents t1 to the Cloud Application]

  15. The cloud app gets a token, accesses the Directory Graph using that token, and uses the user's unique ID to find the profile in its local profile store
     [Diagram: Cloud Application obtains token t2 by delegated AuthN from Contoso.com Directory, calls the Directory Graph with t2, and looks the user up in the Profile Store]
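As an added illustration of slides 13 to 15 (not the deck's code), a Python sketch of what the cloud app should do with the token it receives: verify it, check that it was issued by the Contoso directory for this app, then key the local profile lookup on the directory ObjectId rather than on the user principal name, so a renamed user still maps to the same profile. The token format, the issuer and audience strings, the "oid" claim name and the HMAC secret are all constructed for the demo; a real Azure AD token is an RSA-signed JWT that is verified against the directory's published signing keys, not a shared secret.

```python
import base64, hashlib, hmac, json, time

# All values below are constructed for the demo. A real directory token is RSA-signed
# and verified with the directory's published keys, not with a shared secret.
DEMO_SECRET = b"demo-only-secret"
TENANT_ISSUER = "https://directory.windows.net/contoso.com"   # assumed issuer string
APP_AUDIENCE = "expense-app-service-principal"                # assumed: the app's service principal

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Stand-in for the directory issuing token t1 (compact JWT, HS256 for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, now=None) -> dict:
    """Signature first, then issuer, audience and expiry; anything wrong raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":   # pin the algorithm we expect
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != TENANT_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != APP_AUDIENCE:
        raise ValueError("token was not issued for this app")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed local profile store, keyed by the directory ObjectId (value from slide 11),
# not by UserPrincipalName or Mail, which an admin can change without changing the user.
PROFILE_STORE = {"90ef7131-9d01-4177-b5c6-fa2eb873ef19": {"display": "Ed Blanton", "expense_limit": 5000}}

def profile_for(token: str, now=None):
    """Slide 15's last step: validate t1, then look the user up by unique ID."""
    claims = validate_token(token, now)
    return PROFILE_STORE.get(claims.get("oid"))   # "oid" is an assumed claim name for the ObjectId
```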

  16. Protocols to Connect with Azure AD

  17. Enterprise Scenarios
     • An enterprise extends AD to the cloud to support cloud apps
       • Manage users and groups in AD; changes are synchronized to Azure AD
       • On-premises applications use AD
       • Cloud applications use Azure AD
     • A small business uses Azure AD as its primary identity system
       • No on-premises applications or AD
       • Use Azure AD to manage users and groups
       • Cloud applications use Azure AD

  18. Developer Scenarios
     • A developer of an established cloud application enables sign-up of customers who have Azure AD
       • Single sign-on instead of a separate username/password for the app
       • Query the Directory Graph for user information and provisioning
     • A developer of a new cloud application uses Azure AD as an off-the-shelf identity system for their app
       • Use Azure AD as the local account store
       • Enable sign-up of customers using popular web IDs
       • Enable sign-up of customers who have Azure AD

  19. Azure Active Directory Developer Preview
     • Preview functionality
       • Directory Graph with admin-level read access
       • Web SSO via WS-Federation; samples for .NET, Java, PHP
     • Not a production SLA
     • Interfaces subject to change
     • Separate from the production-supported Access Control Service
     • Available soon
     • Watch this space: http://blogs.msdn.com/windowsazure

  20. What is Windows Azure Active Directory?
     • Extension of Active Directory into the cloud
     • Designed primarily to meet the needs of cloud applications
     • Identity as a service: an essential part of Platform as a Service
     • Developer preview coming soon
     [Diagram: Azure AD sitting between on-premises AD and several cloud apps]

  21. Related Content
     • SIA205 Running AD on Windows Azure VM, Monday, 3:00pm, N320A
     • OSP321 AD Integration with MS Office 365, Tuesday, 10:15am, S330E
     • SIA321 What's New in WIF in .NET 4.5, Wednesday, 8:30am, S230A
     • SIA322 Directory Graph API: Drill Down, Thursday, 4:30pm, S310E
     Find me later today in the TLC Security and Identity Area, 5:30-7:30pm

  22. SIA, WSV, and VIR Track Resources
     • Talk to our Experts at the TLC (#TE(sessioncode))
     • Hands-On Labs
     • DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
     • DOWNLOAD Windows Azure: Windowsazure.com/teched

  23. Resources
     • Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
     • TechNet: Resources for IT Professionals, http://microsoft.com/technet
     • Resources for Developers: http://microsoft.com/msdn
     • Connect. Share. Discuss. http://northamerica.msteched.com

  24. Required Slide Complete an evaluation on CommNet and enter to win!

  25. MS Tag Scan the Tag to evaluate this session now on myTechEd Mobile

  26. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
