
Page 1: Introduction to Azure Active Directory

Javier Dominguez, Premier Field Engineer (PFE), Microsoft

Page 2: Problem Statement

• While enterprises are working to consolidate directories on-premises, cloud apps are fragmenting directories… again

Diagram: three cloud apps, each with its own separate username/password sign-in and manual or semi-automated provisioning, and no direct connection to the directory; on-premises Active Directory alongside apps that likewise keep a separate username/password sign-in and manual or semi-automated provisioning.

Page 3: History of Azure Active Directory

• Office 365 services needed access to customer directories to provide best-in-breed experiences
• Offer identity services to organizations without on-premises directories
• Run at internet scale
• Offer multi-tenancy

Diagram: Exchange Online, SharePoint Online and Lync Online, with an open question of how they reach customer directories on-premises.

Page 4: Windows Azure Active Directory

• Active Directory revised to operate as an Internet-scale multi-tenant directory service, built concurrently with Office 365
• Extends Windows Server Active Directory into the cloud
• Provides cloud-based directory and identity services for organizations without Windows Server AD

Diagram: Exchange Online, SharePoint Online and Lync Online backed by Azure Active Directory, which connects to on-premises Active Directory.

Page 5: Demo: Cloud Directory Management

Page 6: Directory and Identity as a Service

• Consolidate directory management across cloud apps
• Connect to the directory from any platform, any device
• Connect with people from web identity providers and other organizations

Diagram: Azure Active Directory at the centre, serving ISV apps, other Microsoft apps, your custom IT apps and Office 365, and connected to on-premises Active Directory.

Page 7: How Does a Cloud App Connect to Directory?

Diagram: a cloud application and the Contoso.com directory, with the connection between them marked only by question marks.

Page 8: Anatomy of a Typical Cloud Application

• Web application
• Web service API
• Account and profile store
• Clients (browser, mobile app, server app) using a wide variety of devices/languages/platforms
• Server applications using a wide variety of platforms/languages

Diagram: browser, mobile-app and server-app clients calling the web application and the web service API, which share one account and profile store.

Page 9: Azure Active Directory Design Principles

The cloud design point demands capabilities that are not part of current-day Windows Server Active Directory:

• Maximize device and platform reach: HTTP/web/REST-based protocols
• Multi-tenancy: the customer owns the directory, not Microsoft
• Optimize for availability, consistent performance and scale
• Keep it simple

Page 10: Directory access and authentication: adapting to the cloud paradigm

AD:  consoles, PowerShell and applications reach the directory over LDAP and Kerberos
AAD: portals, PowerShell and applications reach the directory over REST and OAuth

Page 11: Directory Graph API

• RESTful programmatic access to the directory
  • Objects such as users, groups, roles, licenses
  • Relationships such as member, memberOf, manager, directReport
• Requests use standard HTTP methods
  • POST, GET, PATCH, DELETE to create, read, update, and delete
  • Response in XML or JSON; standard HTTP status codes
  • Compatible with OData 3.0
• OAuth 2.0 for authentication
  • Role-based assignment for application and user authorization

Page 12: Example Directory Graph Call

Request: GET https://directory.windows.net/contoso.com/Users/[email protected]

Response:

{
  "Manager": { "uri": "https://directory.windows.net/contoso.com/Users('..')/Manager" },
  "MemberOf": { "uri": "https://directory.windows.net/contoso.com/Users('..')/MemberOf" },
  "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectReference": "User_90ef7131-9d01-4177-b5c6-fa2eb873ef19",
  "ObjectType": "User",
  "AccountEnabled": true,
  "DisplayName": "Ed Blanton",
  "GivenName": "Ed",
  "Surname": "Blanton",
  "UserPrincipalName": "[email protected]",
  "Mail": "[email protected]",
  "JobTitle": "Vice President",
  "Department": "Operations",
  "TelephoneNumber": "4258828080",
  "Mobile": "2069417891",
  "StreetAddress": "One Main Street",
  "PhysicalDeliveryOfficeName": "Building 2",
  "City": "Redmond",
  "State": "WA",
  "Country": "US",
  "PostalCode": "98007"
}
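The call above, as an added example that is not code from the original deck: a minimal Python client that builds the request with the OAuth 2.0 bearer token in the Authorization header, asks for JSON, and reads the standard HTTP status codes back in the deck's own terms (401: the token is missing, invalid or expired; 403: the app's principal has not been given a role that permits the read; 404: no such object). The transport is injected so the example runs offline; demo_transport replays a trimmed, constructed copy of the response above (the UPN is constructed, because the page obscures the real one), and GraphError, describe_outcome and the other names are assumptions of the example.

```python
import json
from typing import Callable, Dict, Tuple

# Added example, not code from the deck. The transport is injected so this runs
# offline; the real call would be an HTTPS GET to directory.windows.net.
GRAPH_ROOT = "https://directory.windows.net"

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


class GraphError(Exception):
    """Non-success HTTP status from the Directory Graph."""


def build_request(tenant: str, path: str, access_token: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for a GET. The OAuth 2.0 access token travels in the
    Authorization header, never in the URL, so it stays out of proxy and
    web-server logs."""
    url = f"{GRAPH_ROOT}/{tenant}/{path}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",  # the Graph also returns XML (OData 3.0)
    }
    return url, headers


def get_user(tenant: str, upn: str, access_token: str, transport: Transport) -> dict:
    """Read one user object; raise GraphError with the status explained."""
    url, headers = build_request(tenant, f"Users/{upn}", access_token)
    status, body = transport("GET", url, headers)
    if status == 401:
        raise GraphError("401: access token missing, invalid or expired; acquire a new token")
    if status == 403:
        raise GraphError("403: the app's principal has no role permitting this read")
    if status == 404:
        raise GraphError(f"404: no user {upn!r} in tenant {tenant!r}")
    if status != 200:
        raise GraphError(f"unexpected status {status}")
    user = json.loads(body)
    if user.get("ObjectType") != "User":
        raise GraphError("response is not a User object")
    return user


def stable_user_key(user: dict) -> str:
    """ObjectId is the immutable key; UserPrincipalName and Mail can be renamed."""
    return user["ObjectId"]


def describe_outcome(tenant: str, upn: str, access_token: str, transport: Transport) -> str:
    """'ok' or the GraphError message, for callers that only want the verdict."""
    try:
        get_user(tenant, upn, access_token, transport)
        return "ok"
    except GraphError as exc:
        return str(exc)


# Constructed transport replaying a trimmed copy of the page's response.
SAMPLE_USER = {
    "ObjectId": "90ef7131-9d01-4177-b5c6-fa2eb873ef19",
    "ObjectType": "User",
    "AccountEnabled": True,
    "DisplayName": "Ed Blanton",
    "UserPrincipalName": "user1@contoso.com",  # constructed; the page obscures the real UPN
}


def demo_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Fake directory: one valid token, one known user."""
    if headers.get("Authorization") != "Bearer demo-access-token":
        return 401, ""
    if method == "GET" and url == f"{GRAPH_ROOT}/contoso.com/Users/{SAMPLE_USER['UserPrincipalName']}":
        return 200, json.dumps(SAMPLE_USER)
    return 404, ""
```

Replace demo_transport with a function that performs the HTTPS request and returns (status, body) and the rest of the client is unchanged; keep the status handling, because a 401 and a 403 call for different fixes (new token versus a role assignment by an authorized user).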

Page 13: Protocols to connect with Azure AD

Protocol            Purpose                                   Details
REST/HTTP           Directory access: create, read, update,   Compatible with OData V3;
                    delete directory objects and              authenticate with OAuth 2.0
                    relationships
OAuth 2.0           Service-to-service authentication;        JWT token format
                    delegated access
SAML 2.0            Web application authentication            SAML 2.0 token format; used with Office 365 services
WS-Federation 1.3   Web application authentication            SAML 1.1 token format; used with Office 365 services

Page 14: Demo: Directory Graph Explorer

Page 15

Diagram: a cloud application with its profile store; the Contoso.com directory containing a ServicePrincipal for the app, associated with a Role (Read); an authorized user and an end user.

An authorized user creates a principal in the directory for the app and authorizes it to use the directory by associating it with a role.

Page 16

Diagram: the end user authenticates to the Contoso.com directory (User AuthN) and receives token t1; the cloud application, its profile store, the app's ServicePrincipal and its Role (Read) are shown as before.

The end user authenticates to the directory to get a token (t1) to call the cloud app.

Page 17

Diagram: the cloud application obtains its own token (t2) from the Contoso.com directory (Delegated AuthN) and calls the Directory Graph with it; the ServicePrincipal and its Role (Read) authorize the call.

The cloud app gets a token (t2), accesses the Directory Graph using that token, and uses the user's unique ID to find the profile in its local profile store.
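What the cloud app has to check before it trusts the token from pages 16 and 17 and uses the user's unique ID against its profile store, as an added example that is not code from the deck. Real Azure AD tokens are RS256-signed and verified against the directory's published signing keys; here HS256 with a constructed shared key (DEMO_KEY) stands in so the example runs offline. The issuer and audience URLs are constructed, the ObjectId is the one on page 12, and the claim names (iss, aud, exp, nbf, oid) follow the JWT and Azure AD conventions. The profile store is keyed on oid (the ObjectId) rather than the UPN or mail address, because those can be renamed or reassigned to another person while the ObjectId cannot.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example, not code from the deck. HS256 with a constructed key stands in
# for Azure AD's RS256 signing so that the example runs offline.
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_ISSUER = "https://sts.windows.net/contoso.com/"   # constructed issuer URL
APP_AUDIENCE = "https://cloudapp.example/"            # constructed App ID URI


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_parts(header: dict, claims: dict) -> str:
    return ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the directory issuing token t1 to the end user."""
    signing_input = _encode_parts({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """alg=none with an empty signature: what a validator must never accept."""
    return _encode_parts({"alg": "none", "typ": "JWT"}, claims) + "."


def validate_token(token: str, key: bytes = DEMO_KEY, issuer: str = DEMO_ISSUER,
                   audience: str = APP_AUDIENCE, now: Optional[float] = None) -> dict:
    """Return the claims only if every check passes; otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":                 # pin the algorithm; never honour alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")           # signature before claims: unsigned claims are untrusted
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was issued for a different app")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if "oid" not in claims:
        raise ValueError("no object id claim")
    return claims


def check_token(token: str, now: Optional[float] = None) -> str:
    """'ok' or the reason the token was rejected."""
    try:
        validate_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Local profile store keyed by the directory ObjectId (constructed profile data).
PROFILE_STORE = {
    "90ef7131-9d01-4177-b5c6-fa2eb873ef19": {"display_name": "Ed Blanton", "theme": "dark"},
}


def profile_for_token(token: str, now: Optional[float] = None, store: dict = PROFILE_STORE) -> Optional[dict]:
    """Validate first, then look the user up by oid; None if the user has no profile yet."""
    claims = validate_token(token, now=now)
    return store.get(claims["oid"])


def tamper_oid(token: str, new_oid: str) -> str:
    """Rewrite the oid claim without re-signing: what an attacker without the key can do."""
    h64, c64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims["oid"] = new_oid
    return ".".join([h64, _b64url(json.dumps(claims, separators=(",", ":")).encode()), s64])
```

The order of the checks matters: the signature is verified before any claim is read, the audience check stops a token minted for some other app being replayed against this one, and the oid lookup means a later change to the user's UPN does not silently detach or hijack the profile.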

Page 18: Relationship to Windows Server AD

• On-premises and cloud Active Directory managed as one
• Directory information synchronized to the cloud, made available to cloud apps via role-based access control
• Federated authentication enables single sign-on to cloud applications with corporate credentials

Diagram: on-premises Active Directory connected to Azure Active Directory by sync and federation.

Page 19: Directory and Identity as a Service

• Consolidate directory management across cloud apps
• Connect to the directory from any platform, any device
• Connect with people from web identity providers and other organizations
• Users can use the same identity to access on-premises and cloud apps

Diagram: Azure Active Directory serving ISV apps, other Microsoft apps, your custom IT apps and Office 365; on-premises Active Directory serving your on-premises apps; the two directories joined by sync and federation.

Page 20: Directory Synchronization

• Directory synchronization between on-premises and online
• Objects are created and managed on-premises and synchronized to the cloud
• Optionally, password hashes can be synced to the cloud, providing a single identity and credential, but not single sign-on
• Reuse the existing directory implementation on-premises, including non-AD sources

Page 21: Federation and single sign-on

• Single identity and sign-on for on-premises and cloud services
• Identities mastered on-premises, a single point of management
• Secure token-based authentication
• Client access control based on IP address with AD FS and Office 365 services
• Strong-factor authentication options for additional security

Page 22: Windows Azure Active Authentication

• Why multi-factor
  • Your data and applications are under attack
  • Passwords are easily compromised
  • Consumerization of IT has only increased the scope of vulnerability
  • Strengthening regulatory requirements call for strongly authenticating access
• Proven authentication platform
  • Powered by the market-leading PhoneFactor platform
  • Trusted by thousands of enterprise customers across a wide range of industries, including healthcare, financial services, manufacturing, and government
  • Authenticating millions of logins and transactions each month

Page 23: Enterprise authentication using any phone

Mobile apps: out-of-band push, one-time passcode
Text messages: out-of-band text, one-time passcode
Phone calls: out-of-band call

Page 24: Architecture

Diagram: ISV/CSV apps, Microsoft apps and custom LOB apps sign users in against Windows Azure Active Directory, which hands off to Active Authentication.

1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.

Credentials are checked in Windows Azure AD. Then Active Authentication is triggered for additional verification.
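The two steps on this slide from the server's side, as an added example that is not code from the deck or from the PhoneFactor platform it describes. Step 1 checks the password; only if it is right is a one-time passcode generated and handed to an out-of-band delivery callback (SMS, call or app push on page 23). Step 2 accepts the passcode once, within a time limit, and with a bounded number of guesses, and only then reports the sign-in complete. The user records, the send callback, TwoStepAuthenticator and the limits PASSCODE_TTL and MAX_ATTEMPTS are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Added example, not code from the deck. Delivery is a callback, so nothing is
# actually texted or called; the user records are constructed.
PASSCODE_TTL = 120       # seconds a passcode stays valid
MAX_ATTEMPTS = 3         # wrong guesses before the challenge is discarded
PBKDF2_ROUNDS = 100_000

UserRecord = Tuple[bytes, bytes, str]   # (salt, password hash, phone number)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_record(password: str, phone: str) -> UserRecord:
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt), phone


@dataclass
class Challenge:
    username: str
    code: str
    expires_at: float
    attempts: int = 0


class TwoStepAuthenticator:
    def __init__(self, users: Dict[str, UserRecord],
                 send_passcode: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._users = users
        self._send = send_passcode
        self._clock = clock
        self._pending: Dict[str, Challenge] = {}

    def start_signin(self, username: str, password: str) -> Optional[str]:
        """Step 1: check the password. A challenge id is returned only on success,
        so a wrong password never causes a passcode to be sent."""
        record = self._users.get(username)
        if record is None:
            _hash_password(password, b"\x00" * 16)   # keep timing similar for unknown users
            return None
        salt, stored, phone = record
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"   # 6-digit passcode from the CSPRNG
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = Challenge(username, code, self._clock() + PASSCODE_TTL)
        self._send(phone, code)                       # out-of-band: SMS, call or app push
        return challenge_id

    def complete_signin(self, challenge_id: str, code: str) -> Optional[str]:
        """Step 2: verify the passcode. Returns the username on success. Each
        passcode is single-use, time-limited and allows MAX_ATTEMPTS guesses."""
        challenge = self._pending.get(challenge_id)
        if challenge is None:
            return None
        if self._clock() > challenge.expires_at:
            del self._pending[challenge_id]
            return None
        if not hmac.compare_digest(code.encode(), challenge.code.encode()):
            challenge.attempts += 1
            if challenge.attempts >= MAX_ATTEMPTS:
                del self._pending[challenge_id]
            return None
        del self._pending[challenge_id]               # single use
        return challenge.username
```

The attempt limit, not the passcode length, is what keeps a six-digit code safe: without it an attacker who has the password can try all million values. Expiry and single use close the window for a passcode captured in transit.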

Page 25: Embracing BYOD

AD Workplace Join: Users join their device to their workplace, making the device known to the company's Active Directory.

Single Sign On (SSO): Users sign in once to their company from any application and are not prompted for credentials by every company application when using workplace-joined devices.

Work From Anywhere: Businesses enable users to work from anywhere while adhering to their IT governance policies around risk management.

Multi-factor Authentication: Businesses require additional factors of authentication when business-critical resources are accessed or when there is perceived risk.

Multi-factor Access Control: Businesses set conditional access control to resources based on four core pivots: the user, the device used, the user's network location and the use of additional auth factors.

AD Authentication Library: ISVs build enterprise apps that deliver SSO and allow enterprises to set access control policies based on user, device, network location and MFA.
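The four pivots of multi-factor access control on this slide, and the IP-based client access control mentioned with AD FS on page 21, evaluated against one access request, as an added example that is not code from the deck or from the AD Authentication Library. The policy is ordered the way a risk-based rule set usually is: the user pivot gates entitlement outright, business-critical resources demand a known (workplace-joined) device and a second factor, and for everything else a joined device on the corporate network is allowed through while any other combination must complete MFA first. The resource names, group names, address ranges and the Decision, AccessRequest and evaluate names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet

# Added example, not code from the deck. Groups, resources and address ranges
# are constructed.


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # caller triggers the second factor, then re-evaluates
    DENY = "deny"


CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# User pivot: which groups may reach which resource at all.
RESOURCE_GROUPS: Dict[str, FrozenSet[str]] = {
    "intranet": frozenset({"employees"}),
    "payroll": frozenset({"finance"}),
    "admin-portal": frozenset({"admins"}),
}
# Resources treated as business-critical in the slide's sense.
CRITICAL = {"payroll", "admin-portal"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    resource: str
    device_workplace_joined: bool   # device pivot
    client_ip: str                  # network-location pivot
    mfa_completed: bool             # additional-factor pivot


def on_corporate_network(client_ip: str) -> bool:
    addr = ip_address(client_ip)
    return any(addr in net for net in CORP_NETWORKS)


def evaluate(req: AccessRequest) -> Decision:
    allowed_groups = RESOURCE_GROUPS.get(req.resource)
    if allowed_groups is None or not (req.groups & allowed_groups):
        return Decision.DENY                      # no entitlement: the other pivots cannot help
    if req.resource in CRITICAL:
        if not req.device_workplace_joined:
            return Decision.DENY                  # critical resources only from known devices
        return Decision.ALLOW if req.mfa_completed else Decision.REQUIRE_MFA
    if on_corporate_network(req.client_ip) and req.device_workplace_joined:
        return Decision.ALLOW                     # known device on the corporate network: low risk
    return Decision.ALLOW if req.mfa_completed else Decision.REQUIRE_MFA


def explain(req: AccessRequest) -> str:
    """One-line verdict for logging."""
    return f"{req.user} -> {req.resource} from {req.client_ip}: {evaluate(req).value}"
```

REQUIRE_MFA is a distinct outcome rather than a DENY so the application can prompt for the second factor and re-evaluate the same request with mfa_completed set; a plain deny would give the user no way forward.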

Page 26: Windows Azure AD

• Extension of Active Directory into the cloud
• The platform for Microsoft cloud apps
• Designed to meet the needs of cloud applications: scale and multi-tenancy
• Provides directory and identity services: an essential part of Platform as a Service
• Your cloud directory for your apps

Diagram: Azure Active Directory serving ISV apps, other Microsoft apps, your custom IT apps and Office 365, connected to on-premises Active Directory.

Page 27: Over 3 million tenants

Page 28: Over 7 billion authentications, just last week

Page 29

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.