Azure Active Directory: Identity Management as a Service for Modern Applications

Slide Content
  1. Azure Active Directory: Identity Management as a Service for Modern Applications

    • Stuart Kwan
    • 2-738
    • //build/ content is being presented by Microsoft Office Mix. The video for this session will be available shortly.
  2. “If you are successful, enterprise customers will require you to integrate your application with their enterprise identity management system.”

    • Active Directory
    • - Stuart Kwan
  3. 2-738

    • Azure Active Directory: Identity Management as a Service for Modern Applications
    • Stuart Kwan @stuartkwan
    • Principal Program Manager
    • Microsoft Corporation
  4. Azure AD and IDMaaS

    • Benefits of integrating
    • How to integrate
    • Futures
    • Next steps
    • Agenda
  5. Slide 5

    • Enterprise customer with Active Directory
    • Before Azure AD and IDMaaS
    • Your application
    • federation
    • Complex per-customer steps to set up federation
    • user provisioning
    • Per-customer custom code and manual steps for user provisioning
  6. Slide 6

    • With Azure AD
    • Your Application
    • Enterprise customer with Active Directory
    • Office 365 and more
    • Azure AD
    • Use Azure AD for sign up, sign in, provisioning, and directory services
    • 1
    • Sync and federation between on-premises and cloud identity systems
    • 2
    • Manage as single logical directory
    • On-premises identity management functions from cloud
    • 3
    • Integrating with Azure AD == Integrating with AD
  7. 1 Trillion

    • Azure AD authentications since the release of the service
    • 50 M Office 365 users active every month
    • >1 Billion authentications every day on Azure AD
    • More than
    • 500 M objects hosted on Azure Active Directory
    • Azure AD manages identity data for
    • >5 M organizations
    • 86%
    • of Fortune 500 companies on Microsoft Cloud (Azure, O365, CRM Online and PowerBI)
    • Azure AD by the Numbers
    • Every Office 365 and Microsoft Azure customer uses Azure Active Directory
  8. Azure AD Can Help Promote Your App

  9. Promote Your App in Azure AD App Gallery

    • Register your app to appear in Azure AD App Gallery
    • Your app here
    • Your logo
    • Your details
    • Your description
    • Your app
  10. Promote Your App in Office 365 Store

    • Your app here
    • Register your app to appear in Office 365 Store – coming soon
  11. Appear in Office 365 My Apps Listing

    • Your app
    • Your app will appear in user’s My Apps listing
    • User can pin your app to their App Launcher
  12. Pin To App Launcher – Drive User Engagement

    • Your app here
    • Pinned app will appear in user’s App Launcher
  13. Advanced Security Monitoring Benefits

  14. Detect:  Brute Force Attack

    • 1: <qwrsd!@@#> Nah! Didn’t work
    • 2: <sdsaswer> Nah! Didn’t work
    • 3: <34sdfs> Nah! Didn’t work
    • 4: <sdsaswer> Nah! Didn’t work
    • 5: <asas> Nah! Didn’t work
    • 6: <qwrsd!@@#> Nah! Didn’t work
    • 7: <sdsaswer> Nah! Didn’t work
    • 8: <34sdfs> Nah! Didn’t work
    • 9: <sdsaswer> Nah! Didn’t work
    • 10: <asas> Nah! Didn’t work
    • …
    • 78: <Password>Aha!!!!! That worked! Duh!
    • Signal if it appears an attacker has brute-forced the user’s password
  15. Detect:  Sign In From Anonymizer Network

    • IP address: 199.34.28.10
    • IP Address: 31.172.30.4
    • TOR Network
    • Signal if requests originate from anonymizer network
  16. Detect:  Unlikely Travel

    • Joe@Contoso.com
    • Location: Seattle, WA
    • Time: 8:29 AM, PST
    • (3:29 PM, UTC)
    • Joe@Contoso.com
    • Location: Somewhere in Asia
    • Time: 7:54 AM, local time
    • (3:54 PM, UTC)
    • Signal if user signs in from locations distant from each other in short time period
  17. Detect:  Anomalous Activity Spanning Tenants

    • IP Address: 199.34.28.10
    • X Bad username
    • X Bad password
    • X Bad password
    • X Bad password
    • X Bad username
    • X Bad username
    • X Bad username
    • X Bad password
    • Signal if multiple failed requests from single IP to many tenants
  18. Detect:  Sign In From Known Infected Device

    • Botnet control center
    • IP = 199.34.28.10
    • IP = 199.34.28.10
    • Signal if requests from known infected devices
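The brute-force, unlikely-travel and cross-tenant signals on slides 14, 16 and 17, as an added example that is not part of the original deck or any Microsoft service: each detector runs over a constructed list of sign-in events, and the thresholds, coordinates and IP addresses are assumptions.

```python
# Added example (not from the deck or any Microsoft service). The events, IPs,
# coordinates and thresholds below are constructed, illustrative assumptions.
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

# Constructed events: (epoch seconds, user, tenant, source IP, lat, lon, success)
SEATTLE, SINGAPORE = (47.6, -122.3), (1.3, 103.8)
EVENTS = (
    [(2 * i, "joe@contoso.com", "contoso", "199.34.28.10", *SEATTLE, False)
     for i in range(77)]                                   # 77 failed guesses
    + [(154, "joe@contoso.com", "contoso", "199.34.28.10", *SEATTLE, True)]
    + [(154 + 1500, "joe@contoso.com", "contoso", "31.172.30.4", *SINGAPORE, True)]
    + [(200 + i, f"user{i}", f"tenant{i}", "5.6.7.8", *SEATTLE, False)
       for i in range(12)]                                 # one IP, 12 tenants
)

def brute_force(events, max_failures=20):
    """Slide 14: a run of failed attempts on one account that ends in a success."""
    streak, hits = defaultdict(int), set()
    for _, user, _, _, _, _, ok in sorted(events):
        if ok and streak[user] >= max_failures:
            hits.add(user)
        streak[user] = 0 if ok else streak[user] + 1
    return hits

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance by the haversine formula (Earth radius 6371 km)."""
    p1, p2, dlon = radians(lat1), radians(lat2), radians(lon2 - lon1)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def unlikely_travel(events, max_kmh=1000):
    """Slide 16: consecutive successful sign-ins of one user that would need an
    implausible speed to connect (faster than max_kmh)."""
    last, hits = {}, set()
    for t, user, _, _, lat, lon, ok in sorted(events):
        if not ok:
            continue
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = max((t - t0) / 3600, 1e-9)        # guard same-second pairs
            if distance_km(lat0, lon0, lat, lon) / hours > max_kmh:
                hits.add(user)
        last[user] = (t, lat, lon)
    return hits

def cross_tenant_spray(events, min_tenants=10):
    """Slide 17: a single source IP failing against many different tenants."""
    tenants = defaultdict(set)
    for _, _, tenant, ip, _, _, ok in events:
        if not ok:
            tenants[ip].add(tenant)
    return {ip for ip, seen in tenants.items() if len(seen) >= min_tenants}
```

The anonymizer and infected-device signals on slides 15 and 18 reduce to a lookup of the source IP against a threat list and are not repeated here.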
  19. How to Integrate With Azure AD

  20. Integration Steps

    • Register your app in AD section of Azure portal
    • Get a client ID, secret (if needed), register redirect URL, request API permissions
    • Add code for sign in
    • Send request, process response, validate token, extract claims, redeem auth code
    • Add code to query Azure AD Graph API (optional)
    • OData v3 compliant REST API
  21. Azure AD

    • Browser
    • Web App
    • authorize
    • token
    • graph
    • Navigate to your application
    • Post token and auth code to your application’s redirect URL
    • No session, send authN request
    • Verify token signature
    • 302 redirect for sign in
    • OpenID Connect request
    • (user signs in)
    • Set cookie and return user to page they started on
    • Redeem auth code
    • Return access token and refresh token
    • Call the Graph API
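The relying-party side of the flow on this slide (send the OpenID Connect request, validate the token and extract claims, redeem the auth code), as an added example that is not code from the deck or the demo repository: the tenant id, client id and redirect URL are constructed values, and verifying the token signature against the tenant's published signing keys is assumed to be done by a JWT library before the claim checks run.

```python
# Added example (not from the deck or demo repo). Tenant id, client id and
# redirect URL are constructed; signature verification against the tenant's
# signing keys is assumed done by a JWT library before the claim checks here.
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-0000c0ffee00"      # constructed
CLIENT_ID = "11111111-2222-3333-4444-555555555555"      # constructed
REDIRECT_URI = "https://app.example.test/signin-oidc"   # constructed
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"  # issuer form of the v1 endpoint

def build_authn_request(session: dict) -> str:
    """'No session, send authN request': hybrid flow asking for an id_token plus
    an auth code, bound to this browser session by fresh state and nonce."""
    session["oidc_state"] = secrets.token_urlsafe(16)
    session["oidc_nonce"] = secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code id_token",
        "response_mode": "form_post",   # token and code are POSTed to the redirect URL
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def validate_id_token_claims(claims: dict, session: dict, posted_state: str,
                             now: Optional[float] = None) -> list:
    """'Validate token, extract claims': return the failed checks (an empty list
    means accept). Runs only after the signature has been verified."""
    now = time.time() if now is None else now
    problems = []
    if posted_state != session.get("oidc_state"):
        problems.append("state mismatch")       # response not tied to this session
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("unexpected issuer")    # token minted by another tenant/IdP
    if claims.get("aud") != CLIENT_ID:
        problems.append("audience is not this app")
    if claims.get("nonce") != session.get("oidc_nonce"):
        problems.append("nonce mismatch")       # replayed or foreign token
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("token expired")
    if "nbf" in claims and now < claims["nbf"] - 300:   # allow 5 min clock skew
        problems.append("token not yet valid")
    return problems

def build_code_redemption(code: str) -> dict:
    """'Redeem auth code': form body for the token endpoint, sent only after the
    id_token checks passed (the client secret or cert assertion is omitted)."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "resource": "https://graph.windows.net"}   # Azure AD Graph API resource
```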
  22. Demo: Integrating with Azure AD for Sign In and Directory Services (https://github.com/skwan/WebApp-GroupClaims-DotNet)

  23. Authentication Scenarios

    • Clients using wide variety of devices/languages/platforms
    • Server applications using wide variety of platforms/languages
    • Browser
    • Native app
    • Server app
    • Web application
    • Web API
    • Web API
    • Web API
    • js
  24. Authentication Scenarios

    • Browser
    • Native app
    • Server app
    • Web application
    • Web API
    • Web API
    • Web API
    • Standards-based, HTTP-based protocols for maximum platform reach
    • WS-Fed, SAML 2.0, OpenID Connect
    • OAuth 2.0
    • OAuth 2.0
    • OAuth 2.0
    • OAuth 2.0
    • OAuth 2.0
    • js
  25. RESTful access to directory

    • Objects: users, groups, devices, licenses
    • Relationships: member/memberOf, manager/directReport
    • POST, GET, PATCH, DELETE to create, read, update, delete
    • Full text search (in preview)
    • Supports CORS
    • Response in JSON (optionally XML)
    • OData v3 compatible (v4 support coming soon)
    • .Net, Cordova, iOS, Android libraries available
    • Check out the API ref at: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/api-catalog
    • Azure AD Graph API
    • Azure AD doesn’t support LDAP as a query protocol – REST is simpler and friendlier to cloud and mobile clients
  26. Slide 26

    • Client: Active Directory Authentication Library (ADAL)
    • .Net, Windows Store, Windows Phone
    • JavaScript
    • iOS
    • Android
    • Server
    • .Net: ASP.Net OWIN middleware for OpenID Connect and OAuth 2.0
    • Node.js
    • In use today by Office apps, Visual Studio, and more
    • More languages to come!
    • OSS Libraries: http://github.com/AzureAD
    • Xamarin
    • Cordova
    • Node.js
    • Java
  27. Futures: There’s lots more coming!

  28. Reduce exposure of keys to dev/ops

    • Keys stored encrypted in Key Vault service
    • Store secrets e.g. Storage keys
    • Store and perform key operations e.g. encryption keys
    • Enable customer to bring own keys
    • Many customers need control for compliance purposes
    • Access to keys monitored and audited
    • Only Azure AD users/apps can be granted access to keys
    • If identity revoked from Azure AD, access to keys lost
    • Key Vault – Safeguarding Keys and Secrets
    • Key Vault is designed to promote good key hygiene and aid in meeting compliance requirements – in preview now
    • Future capability - in development
  29. Reduce dev/ops exposure to Storage keys

    • At setup time
    • Developer creates Key Vault, adds Storage keys
    • Developer registers new application in Azure AD
    • Developer creates cert as credential for app and uploads to Azure and Azure AD
    • Developer grants application identity access to Storage keys
    • At runtime
    • Application requests token to Key Vault from Azure AD
    • Application retrieves Storage secrets from Key Vault
    • Net – no secrets in source code
    • Key Vault Example: Protect Storage Keys
    • Future capability - in development
  30. Enable customer to bring own keys

    • At customer setup:
    • Customer creates Key Vault and uploads encryption key
    • Customer grants Exchange service access to encryption key
    • Exchange creates mailbox encryption keys
    • Exchange uses Key Vault to encrypt mailbox encryption keys, stores keys locally
    • At runtime:
    • Exchange loads encrypted mailbox encryption keys from storage
    • Exchange uses Key Vault to decrypt mailbox encryption keys
    • Exchange uses decrypted mailbox keys to encrypt and decrypt customer data
    • Key Vault Example: Office 365 Advanced Encryption
    • Future capability - in development
  31. Azure AD security, availability, and scalability for customer IDM

    • Adds B2C features to Azure AD
    • Social IdPs and “application local accounts”
    • Self-service sign up, password reset, profile management
    • Customizable sign in and sign up UI
    • Same protocols, libraries, and programming model
    • Consumption based pricing
    • Meters for # of users and # of authentications
    • Azure AD B2C: “IDMaaS for Applications”
    • The goal of Azure AD B2C is to provide all IDM functions an app needs to handle a customer audience – preview coming soon
    • Future capability - in development
  32. Azure AD B2C

    • Future capability - in development
    • Customize UI
    • Social and local accounts
    • Define attributes to gather during sign up
    • Handles sign up, password reset
  33. Many apps want to sign users in from both Microsoft account and Azure AD

    • Working on unified dev experience
    • Single endpoint, OpenID Connect and OAuth 2.0
    • Single SDK
    • Single end user sign in experience
    • Single streamlined app registration experience, outside of Azure portal, no Azure subscription required
    • Works with unified Office business + consumer APIs
    • Microsoft account + Azure AD
    • Making it easier to support both Microsoft account and Azure AD sign-in in the same app – preview coming soon
    • Future capability - in development
  34. First, sign in with an Azure AD account

  35. Microsoft Account + Azure AD

    • [Screenshot: sign-in page at https://login.microsoft.com/xxxxx for Fabrikam Calendar, prompting for a Microsoft account (personal or business) and password, with links “Can’t access your account?”, “Other sign in options” and “Get a new account”]
    • Future capability - in development
  36. Microsoft Account + Azure AD

    • [Screenshot: the same sign-in page at https://login.microsoft.com/xxxxx for Fabrikam Calendar, with kelly@contoso.com entered as the Microsoft account (personal or business)]
    • Future capability - in development
  37. Microsoft Account + Azure AD

    • [Screenshot: the same sign-in page at https://login.microsoft.com/xxxxx for Fabrikam Calendar, with kelly@contoso.com and a masked password entered]
    • Future capability - in development
  38. Microsoft Account + Azure AD

    • [Screenshot: page at https://login.microsoftonline.com/xxxxx titled “Sign in to Fabrikam Calendar” for kelly@contoso.com, with a password field, a “Keep me signed in” option, “Can’t access your account?”, and the tenant notice “Contact Help Desk at (206) 555-1234. This site is operated by Microsoft on behalf of Contoso Inc and is for the exclusive use of its employees and partners.”]
    • Future capability - in development
  39. Or, sign in with a Microsoft account

  40. Microsoft Account + Azure AD

    • [Screenshot: sign-in page at https://login.microsoft.com/xxxxx for Fabrikam Calendar, prompting for a Microsoft account (personal or business) and password, with links “Can’t access your account?”, “Other sign in options” and “Get a new account”]
    • Future capability - in development
  41. Microsoft Account + Azure AD

    • [Screenshot: the same sign-in page at https://login.microsoft.com/xxxxx for Fabrikam Calendar, with kelly@outlook.com entered as the Microsoft account (personal or business)]
    • Future capability - in development
  42. Microsoft Account + Azure AD

    • [Screenshot: the same sign-in page at https://login.microsoft.com/xxxxx for Fabrikam Calendar, with kelly@outlook.com and a masked password entered]
    • Future capability - in development
  43. Microsoft Account + Azure AD

    • [Screenshot: page at https://login.microsoft.com/xxxxx showing “Taking you to the sign in page for Microsoft accounts. Cancel” for kelly@outlook.com]
    • Future capability - in development
  44. Microsoft Account + Azure AD

    • [Screenshot: page at https://login.live.com/xxxxx titled “Sign in to your Microsof…” for kelly@outlook.com]
    • Future capability - in development
  45. If you sign in with both Azure AD and MSA and return to sign in again later…

  46. Microsoft Account + Azure AD

    • [Screenshot: account picker at https://login.microsoft.com/xxxxx for Fabrikam Calendar asking “Which account do you want to use?”, listing Kelly Yang (kelly@outlook.com), Kelly (kelly@contoso.com) and “Use another account”]
    • Future capability - in development
  47. Windows 10 Azure AD Join:  sign-in to desktop with Azure AD account

    • Single sign on to:
    • Kerberos-based on-premises applications
    • Native applications that use WebAccountManager
    • Web apps that support Azure AD sign-in
    • Enhanced Device Support – Windows 10
    • Future capability - in development
  48. Updated iOS & Android authenticator apps

    • Single sign on across mobile apps that use ADAL library
    • Device conditional access
    • Multi-factor authentication
    • Apps using ADAL seamlessly take advantage of authenticator
    • Enhanced Device Support – iOS & Android
    • Future capability - in development
  49. Sign up for an Azure trial to get Azure AD

    • You won’t be charged if you only use Azure AD free capabilities
    • Check out the Azure AD Developer Guide
    • Azure.com > Documentation > ID&A Management > Active Directory > Develop
    • http://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/
    • Go deeper at //build
    • Vittorio Bertocci: “Develop Modern Web Applications with Azure AD” (2-753)
    • Vittorio Bertocci: “Develop Modern Native Applications with Azure AD” (2-769)
    • Mat Velloso: “Cloud Auth Troubleshooting and Recipes for Developers” (2-740)
    • Subscribe to AD team blog
    • http://blogs.technet.com/b/ad/ or search for “active directory team blog”
    • Next Steps
  50. If you’re successful, enterprises will require you to integrate with Active Directory

    • Integrating with Azure AD == integrating with AD
    • Benefits
    • Reduce security surface area
    • Reduce sign in friction and sign up drop off
    • Promote your application in the Office 365 and Azure Marketplaces
    • Increase user engagement by appearing in the Office 365 application launcher
    • Standard protocols and open source libraries
    • Summary
  51. Improve your skills by enrolling in our free cloud development courses at the Microsoft Virtual Academy.

    • Try Microsoft Azure for free and deploy your first cloud solution in under 5 minutes!
    • Easily build web and mobile apps for any platform with Azure App Service for free.
    • Resources