Spark the future. May 4 – 8, 2015, Chicago, IL

Active Directory federation user provisioning

“If you are successful, enterprise IT will require you to integrate your application with their enterprise identity management system.”

- Stuart Kwan, Active Directory

Microsoft Identity Platform for Developers: Overview and Roadmap
Stuart Kwan, @stuartkwan
Principal Program Manager, Microsoft Corporation

BRK3867

Azure AD and Identity Management as a Service
Benefits of integrating with Azure AD
How to integrate
Futures
Next steps

Agenda

Before Azure AD and IdMaaS

Enterprise customer with Active Directory <-> Your application

federation: complex per-customer steps to set up federation

user provisioning: per-customer custom code and manual steps for user provisioning

Manage as single logical directory

With Azure AD

Your Application <-> Azure AD <-> Enterprise customer with Active Directory; Office 365 and more

1. Use Azure AD for sign up, sign in, provisioning, and directory services: one consistent interface
2. Sync and federation between on-premises and cloud identity systems
3. On-premises identity management functions from cloud

Integrating with Azure AD == Integrating with AD

1 trillion authentications since release of service
50 M Office 365 users active every month
>1 billion authentications every day on Azure AD
More than 500 M objects hosted on Azure Active Directory
Azure AD manages identity data for >5 M organizations
86% of Fortune 500 companies on Microsoft Cloud (Azure, O365, CRM Online and PowerBI)

Azure AD by the numbers

Every Office 365 and Microsoft Azure customer uses Azure Active Directory

Azure AD can help promote your application

Promote your app in the Azure AD App Gallery: register your app to appear in the Azure AD App Gallery (your app here: your logo, your details, your description)

Promote your app in Office 365 Store: register your app to appear in the Office 365 Store – coming soon

Appear in Office 365 My Apps listing: if installed from store or gallery or assigned by IT, your app will appear in the user’s Office 365 My Apps listing and myapps.microsoft.com Access Panel. User can pin your app to their App Launcher.

Pin to App Launcher – drive user engagement: pinned app will appear in the user’s App Launcher

Advanced security monitoring benefits

Detect: brute force attack

1: <qwrsd!@@#> Nah! Didn’t work
2: <sdsaswer> Nah! Didn’t work
3: <34sdfs> Nah! Didn’t work
4: <sdsaswer> Nah! Didn’t work
5: <asas> Nah! Didn’t work
6: <qwrsd!@@#> Nah! Didn’t work
7: <sdsaswer> Nah! Didn’t work
8: <34sdfs> Nah! Didn’t work
9: <sdsaswer> Nah! Didn’t work
10: <asas> Nah! Didn’t work
…
78: <Password> Aha!!!!! That worked! Duh!

Signal if it appears an attacker has brute forced the user’s password

Detect: sign in from anonymizer network

IP address: 199.34.28.10
IP address: 31.172.30.4 (TOR network)

Signal if requests originate from an anonymizer network

Detect: unlikely travel

[email protected]: Seattle, WA. Time: 8:29 AM PST (3:29 PM UTC)
[email protected]: Somewhere in Asia. Time: 7:54 AM local time (3:54 PM UTC)

Signal if a user signs in from locations distant from each other in a short time period

Detect: anomalous activity spanning tenants

IP address: 199.34.28.10
X Bad username
X Bad password
X Bad password
X Bad password
X Bad username
X Bad username
X Bad username
X Bad password

Signal if multiple failed requests from a single IP to many tenants

Detect: sign in from known infected device

Botnet control center, IP = 199.34.28.10

Signal if requests come from known infected devices
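The five signals above, as an added example (not code from the deck or from Azure AD): detection logic in Go run over a constructed set of sign-in events. The SignIn record layout, the TOR exit-node and infected-device lists, the coordinates, the tenant names and the thresholds are all assumptions made for the example.

```go
package main

import (
	"math"
	"time"
)

// SignIn is one constructed sign-in record; the fields are an assumption, not an Azure AD log schema.
type SignIn struct {
	User, Tenant, IP string
	Time             time.Time
	Lat, Lon         float64
	Success          bool
}

// Assumed threat-intel lists: a TOR exit node and a host seen talking to a botnet control center.
var torExitNodes, infectedDevices = map[string]bool{"31.172.30.4": true}, map[string]bool{"199.34.28.10": true}

// KnownBadSource reports whether requests from ip should be signalled (anonymizer or infected device).
func KnownBadSource(ip string) bool { return torExitNodes[ip] || infectedDevices[ip] }

// haversineKm is the great-circle distance between two coordinates in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Pow(math.Sin(dLat/2), 2) + math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * 6371 * math.Asin(math.Sqrt(a))
}

// BruteForce flags a success that follows at least minFailures consecutive failures for the same user.
func BruteForce(events []SignIn, minFailures int) []string {
	fails, hits := map[string]int{}, []string{}
	for _, e := range events {
		if !e.Success {
			fails[e.User]++
			continue
		}
		if fails[e.User] >= minFailures {
			hits = append(hits, e.User)
		}
		fails[e.User] = 0
	}
	return hits
}

// UnlikelyTravel flags consecutive successful sign-ins by one user whose implied speed exceeds maxKmh.
func UnlikelyTravel(events []SignIn, maxKmh float64) []string {
	last, hits := map[string]SignIn{}, []string{}
	for _, e := range events {
		if !e.Success {
			continue
		}
		if p, ok := last[e.User]; ok {
			if h := e.Time.Sub(p.Time).Hours(); h > 0 && haversineKm(p.Lat, p.Lon, e.Lat, e.Lon)/h > maxKmh {
				hits = append(hits, e.User)
			}
		}
		last[e.User] = e
	}
	return hits
}

// CrossTenantSpray flags one IP with failed requests against at least minTenants distinct tenants.
func CrossTenantSpray(events []SignIn, minTenants int) []string {
	seen, hits := map[string]map[string]bool{}, []string{}
	for _, e := range events {
		if e.Success {
			continue
		}
		if seen[e.IP] == nil {
			seen[e.IP] = map[string]bool{}
		}
		seen[e.IP][e.Tenant] = true
	}
	for ip, tenants := range seen {
		if len(tenants) >= minTenants {
			hits = append(hits, ip)
		}
	}
	return hits
}

// SampleEvents is constructed input reproducing the slide scenarios.
func SampleEvents() []SignIn {
	t0 := time.Date(2015, 5, 4, 15, 29, 0, 0, time.UTC)
	ev := []SignIn{}
	for i := 0; i < 77; i++ { // 77 wrong passwords for alice, then the 78th works
		ev = append(ev, SignIn{User: "alice", Tenant: "contoso", IP: "10.0.0.5", Time: t0, Lat: 47.6, Lon: -122.3})
	}
	return append(ev,
		SignIn{User: "alice", Tenant: "contoso", IP: "10.0.0.5", Time: t0.Add(time.Minute), Lat: 47.6, Lon: -122.3, Success: true},
		SignIn{User: "bob", Tenant: "contoso", IP: "31.172.30.4", Time: t0, Lat: 52.5, Lon: 13.4, Success: true},
		SignIn{User: "carol", Tenant: "contoso", IP: "10.0.0.9", Time: t0, Lat: 47.6, Lon: -122.3, Success: true},
		SignIn{User: "carol", Tenant: "contoso", IP: "10.1.1.1", Time: t0.Add(25 * time.Minute), Lat: 1.35, Lon: 103.8, Success: true},
		SignIn{User: "admin", Tenant: "contoso", IP: "199.34.28.10", Time: t0},
		SignIn{User: "admin", Tenant: "fabrikam", IP: "199.34.28.10", Time: t0},
		SignIn{User: "admin", Tenant: "adatum", IP: "199.34.28.10", Time: t0})
}
```

SampleEvents mirrors the slides: 77 wrong passwords and then a success for one user, a sign-in from the TOR address, a Seattle sign-in followed 25 minutes later by one from Asia, and failures from one IP against three tenants. The thresholds used when calling these functions (10 failures, 1000 km/h, 3 tenants) are starting points to tune against a real tenant's baseline, and only successful sign-ins feed the travel check so that failed guesses from abroad do not mask as travel.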

And, it’s free!

See pricing section of azure.com for more details

How to integrate

1. Register your app in the AD section of the Azure portal: get a client ID, secret (if needed), register redirect URL, request API permissions
2. Add code for sign in: send request, process response, validate token, extract claims, redeem auth code
3. Add code to query Azure AD Graph API (optional): OData v3 compliant REST API

Integration steps

Sign-in sequence (lanes: Browser, Web App, Azure AD authorize / token / graph endpoints):

1. Browser -> Web App: navigate to your application
2. Web App: no session, send authN request (302 redirect for sign in)
3. Browser -> Azure AD authorize endpoint: OpenID Connect request (user signs in)
4. Azure AD -> Browser -> Web App: post token and auth code to your application’s redirect URL
5. Web App: verify token signature; set cookie and return user to the page they started on
6. Web App -> Azure AD token endpoint: redeem auth code; Azure AD returns access token and refresh token
7. Web App -> Graph: call the Graph API

Integrating with Azure AD for sign in and directory: https://github.com/skwan/WebApp-GroupClaims-DotNet
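Step 2 of the integration list and the sequence above, as an added Go example (not the deck's sample code and not the WebApp-GroupClaims-DotNet project): building the sign-in request with state and nonce, then validating the posted id_token before any of its claims are used. To run offline it assumes an HS256 shared key; Azure AD tokens are RS256-signed with keys published in the tenant's OpenID Connect metadata, so a real relying party fetches those keys and verifies RS256 instead. The tenant, client id, issuer and redirect URL values are placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Expect holds the values the relying party pins before it trusts any token.
type Expect struct {
	Issuer, Audience, Nonce string
	Now                     time.Time
}

// BuildAuthorizeURL is the "302 redirect for sign in" step: an OpenID Connect hybrid-flow request whose
// id_token and code are posted to the redirect URL. The caller stores state and nonce in the session first.
func BuildAuthorizeURL(authority, clientID, redirectURI, state, nonce string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "id_token code")
	q.Set("response_mode", "form_post")
	q.Set("scope", "openid")
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("nonce", nonce)
	return strings.TrimRight(authority, "/") + "/oauth2/authorize?" + q.Encode()
}

var b64 = base64.RawURLEncoding

// SignIDToken stands in for the identity provider and mints an HS256 JWT. Azure AD signs with RS256 using
// keys from its discovery metadata; the shared key here is an assumption that keeps the example offline.
func SignIDToken(claims map[string]interface{}, key []byte) string {
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// ValidateIDToken is the "verify token signature / extract claims" step: algorithm, signature, issuer,
// audience, lifetime and nonce are all checked before any claim reaches the application.
func ValidateIDToken(token string, key []byte, exp Expect) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // never accept alg=none or an algorithm you did not pin
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	num := func(k string) int64 { f, _ := claims[k].(float64); return int64(f) }
	switch {
	case claims["iss"] != exp.Issuer:
		return nil, errors.New("wrong issuer")
	case claims["aud"] != exp.Audience:
		return nil, errors.New("wrong audience")
	case exp.Now.Unix() >= num("exp"):
		return nil, errors.New("token expired")
	case exp.Now.Unix() < num("nbf"):
		return nil, errors.New("token not yet valid")
	case claims["nonce"] != exp.Nonce:
		return nil, errors.New("nonce mismatch: possible replay")
	}
	return claims, nil
}

func main() {
	key, now := []byte("constructed-shared-secret"), time.Now()
	iss, aud := "https://sts.windows.net/00000000-0000-0000-0000-000000000000/", "client-id-placeholder"
	fmt.Println(BuildAuthorizeURL("https://login.microsoftonline.com/contoso.onmicrosoft.com", aud, "https://app.example/signin-oidc", "state-1", "nonce-1"))
	tok := SignIDToken(map[string]interface{}{"iss": iss, "aud": aud, "nonce": "nonce-1", "nbf": now.Unix(), "exp": now.Add(time.Hour).Unix(), "upn": "user@contoso.example"}, key)
	claims, err := ValidateIDToken(tok, key, Expect{Issuer: iss, Audience: aud, Nonce: "nonce-1", Now: now})
	fmt.Println(claims["upn"], err)
}
```

Redeeming the auth code at the token endpoint and calling the Graph API (steps 6 and 7 of the sequence) are separate HTTPS calls not shown here; the point of the block is that state, nonce, issuer, audience, lifetime and signature are all checked on the relying party before a session cookie is issued, and that the nonce ties the posted token to the request this browser session started.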

Authentication scenarios

Clients using a wide variety of devices/languages/platforms: browser, browser JavaScript (js), native app, server app
Server applications using a wide variety of platforms/languages: web application, web API

Standards-based, HTTP-based protocols for maximum platform reach:
Browser to web application: WS-Fed, SAML 2.0, OpenID Connect
Native app, server app, web application and browser JavaScript to web API: OAuth 2.0

Sign-in UI is web-based, for both web apps and native client apps. Web UI allows arbitrary interrupt: consent to use application, multi-factor authentication, account compromise detection, … stuff we haven’t dreamed up yet
Also non-interactive methods: name/password, Kerberos. Will return an error if user interaction is required

OAuth 2.0 and OpenID Connect

RESTful access to directory
Objects: users, groups, devices, licenses
Relationships: member/memberOf, manager/directReport
POST, GET, PATCH, DELETE to create, read, update, delete
Full text search (in preview)
Supports CORS
Response in JSON (optionally XML)
OData v3 compatible (v4 support coming soon)
.Net, Cordova, iOS, Android libraries available
Check out the API ref at: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/api-catalog

Azure AD Graph API

Client: Active Directory Authentication Library (ADAL) for .Net, Windows Store, Windows Phone, JavaScript, iOS, Android
Server: .Net (ASP.Net OWIN middleware for OpenID Connect and OAuth 2.0), Node.js
In use today by Office apps, Visual Studio, and more
More languages to come
OSS libraries: http://github.com/AzureAD
Xamarin, Cordova, Node.js, Java

Futures (It’s bright!)

Reduce exposure of keys to dev/ops: keys and secrets stored encrypted in Key Vault service, e.g. Storage keys
Store and perform key operations, e.g. encryption keys; enable customer to bring own keys, usually for compliance reasons
Access to keys monitored and audited; only Azure AD users/apps can be granted access to keys
In preview now

Key Vault – safeguarding keys and secrets

Future capability - in development

At setup time
1. Developer creates Key Vault, adds Storage keys
2. Developer registers new application in Azure AD
3. Developer creates cert as credential for app and uploads to Azure and Azure AD
4. Developer grants application identity access to Storage keys

At runtime
1. Application requests token to Key Vault from Azure AD
2. Application retrieves Storage secrets from Key Vault

Net – no secrets in source code

Key Vault example: protect storage keys

Future capability - in development

At customer setup
1. Customer creates Key Vault and uploads encryption key
2. Customer grants App access to encryption key
3. App creates local encryption keys to encrypt data at rest
4. App uses Key Vault to encrypt local encryption keys, stores keys locally

At runtime
1. App loads encrypted local keys from storage
2. App uses Key Vault to decrypt local encryption keys
3. App uses decrypted local keys to encrypt and decrypt customer data

Net – customer controls encryption keys

Key Vault example: encrypt to customer key

Future capability - in development
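Both Key Vault examples above follow one pattern, shown here as an added Go example that is not Microsoft's Key Vault SDK or sample code: the application persists only a wrapped data key, a vault the customer controls performs wrap and unwrap for granted identities only, and revoking the grant cuts the application off from its own data at rest. The Vault type, its token check and the policy map simulate the service (assumptions made for the example); RSA-OAEP wrapping and AES-256-GCM are real algorithms from the Go standard library, and the app identity string is a placeholder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Vault stands in for the Key Vault service: it holds the customer's key and exposes only wrap and unwrap,
// never the key itself. The Azure AD token is simulated by the app identity string and the policy by a map.
type Vault struct {
	key     *rsa.PrivateKey
	allowed map[string]bool
}

func NewVault() *Vault {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the customer's uploaded key
	return &Vault{key: k, allowed: map[string]bool{}}
}

// Grant and Revoke are the customer's side of setup step 2: the customer decides which identities may use the key.
func (v *Vault) Grant(appID string)  { v.allowed[appID] = true }
func (v *Vault) Revoke(appID string) { delete(v.allowed, appID) }

// Wrap encrypts a local key to the customer key with RSA-OAEP; Unwrap reverses it. Both refuse ungranted callers.
func (v *Vault) Wrap(token string, dek []byte) ([]byte, error) {
	if !v.allowed[token] {
		return nil, errors.New("access denied")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &v.key.PublicKey, dek, nil)
}

func (v *Vault) Unwrap(token string, wrapped []byte) ([]byte, error) {
	if !v.allowed[token] {
		return nil, errors.New("access denied")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, v.key, wrapped, nil)
}

// App persists only the wrapped key (setup step 4); the plaintext key exists in memory only after Unwrap.
type App struct {
	ID         string
	WrappedDEK []byte
}

// Setup is steps 3 and 4: create a local AES-256 key, wrap it, keep only the wrapped form.
func (a *App) Setup(v *Vault) error {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return err
	}
	wrapped, err := v.Wrap(a.ID, dek)
	a.WrappedDEK = wrapped
	return err
}

// aead is runtime steps 1 and 2: unwrap the local key through the vault and build AES-GCM from it.
func (a *App) aead(v *Vault) (cipher.AEAD, error) {
	dek, err := v.Unwrap(a.ID, a.WrappedDEK)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt and Decrypt are runtime step 3; the random GCM nonce is prefixed to the ciphertext.
func (a *App) Encrypt(v *Vault, plaintext []byte) ([]byte, error) {
	g, err := a.aead(v)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func (a *App) Decrypt(v *Vault, blob []byte) ([]byte, error) {
	g, err := a.aead(v)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
```

In the real service the Azure AD token is obtained with the application's certificate credential (setup step 3 of the storage-keys example) and every wrap and unwrap call lands in the vault's audit log, which is what gives the customer the monitoring the deck promises; GCM also rejects any ciphertext that was modified at rest, so a tampered blob fails to decrypt rather than yielding garbage.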

AD FS and Azure AD Parity

Scenario           Protocol                                        Release
Native client      OAuth 2.0 auth code grant, public client        GA
Web sign in        WS-Federation                                   GA
                   SAML 2.0                                        GA
Web to Web API     OpenID Connect                                  Server 2016
                   OAuth 2.0 implicit grant                        Server 2016
                   OAuth 2.0 auth code grant, confidential client  Server 2016
Server to Web API  OAuth 2.0 client credential grant               Server 2016
                   OAuth 2.0 on behalf of                          Server 2016

Goal to maintain developer experience parity between AD FS and Azure AD

Future capability - in development

Take advantage of Azure AD security, availability, scalability for customer IdM, plus B2C features:
Social IdPs and “application local accounts”
Self-service sign up, password reset, profile management
Customizable sign in and sign up UI
Same protocols, libraries, and programming model
Consumption based pricing: meters for # of users and # of authentications
Preview coming soon

Azure AD B2C: “IdMaaS for applications”

Future capability - in development

Azure AD B2C: customize UI; social and local accounts; define attributes to gather during sign up; handles sign up, password reset

Future capability - in development

Working on unified dev experience for apps that support both Microsoft account and Azure AD
Single endpoint, OpenID Connect and OAuth 2.0
Single SDK
Single end user sign in experience
Single streamlined app registration experience, outside of Azure portal, no Azure subscription required
Works with unified Office business + consumer APIs
Preview coming soon

Microsoft account + Azure AD
Future capability - in development

Sign in with Azure AD account (screenshots of the unified sign-in page for the app “Fabrikam Calendar”)

https://login.microsoft.com/xxxxx – Sign in to your account
Fabrikam Calendar
Microsoft account (personal or business): [email protected]
Password: ٠٠ ٠ ٠ ٠ ٠ ٠
Can’t access your account? | Other sign in options | Get a new account
Sign in | Back
© 2015 Microsoft Terms of Use Privacy & Cookies

Once the address is recognized as an Azure AD account the user is taken to the tenant-branded password page:

https://login.microsoftonline.com/xxxxx – Sign in to your account
Sign in to Fabrikam Calendar
[email protected]
Password
Keep me signed in
Can’t access your account?
Contact Help Desk at (206) 555-1234. This site is operated by Microsoft on behalf of Contoso Inc and is for the exclusive use of its employees and partners.
Sign in | Back
© 2015 Microsoft Terms of Use Privacy & Cookies

Sign in with Microsoft account

Same page and same address field; once the address is recognized as a personal Microsoft account the page shows “Taking you to the sign in page for Microsoft accounts. Cancel” and redirects to https://login.live.com/xxxxx (Sign in to your Microsof…).

Sign in with both Microsoft account and Azure AD, and return later…

https://login.microsoft.com/xxxxx – Sign in to your account
Fabrikam Calendar
Which account do you want to use?
Kelly [email protected] •••
[email protected] •••
Use another account
© 2015 Microsoft Terms of Use Privacy & Cookies

Microsoft account + Azure AD
Future capability - in development

Windows 10 Azure AD Join: sign in to the desktop with an Azure AD account
Single sign on to: Kerberos-based on-premises applications; native applications that use WebAccountManager; web apps that support Azure AD sign-in

Enhanced device support – Windows 10
Future capability - in development

Updated iOS and Android authenticator apps: single sign on across mobile apps using the ADAL library
Device conditional access, multi-factor authentication: apps using ADAL seamlessly take advantage of the authenticator

Enhanced device support – iOS and Android

Future capability - in development

Sign up for an Azure trial to get Azure AD (you won’t be charged if you only use Azure AD free capabilities)
Check out the Azure AD Developer Guide: Azure.com > Documentation > ID&A Management > Active Directory > Develop
Go deeper at Ignite: BRK4850 Developing Web and Cross Platform Mobile Apps with Azure AD
Subscribe to the AD team blog at http://blogs.technet.com/b/ad/ or search “active directory team blog”

Next steps

If you are successful, enterprise IT will require you to integrate with Active Directory. Integrating with Azure AD == integrating with Active Directory

Benefits: reduce security surface area; reduce sign in friction and sign up drop off; promote your application in the Office 365 and Azure Marketplaces; increase user engagement by appearing in the Office 365 application launcher

Development based on standard protocols and open source libraries

Summary

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this sessionYour feedback is important to us!

© 2015 Microsoft Corporation. All rights reserved.