Azure Active Directory (Azure AD) for office 365 Developers : SPFestDC 2019

WithumSmith+Brown, PC | BE IN A POSITION OF STRENGTH
1
SM
@pgbhoyar #SharePointFestDC
Prashant G Bhoyar MVP
SharePoint Fest, Washington, DC, USA https://sharepointfest.com/DC/
01 May 2019
Azure Active Directory (Azure AD)
for Office 365 Developers

2
SM
Who AM I ?
• Born and raised in India
• Came to United States of America in 2007 for studies
• University of Maryland College Park Alumni
• Co-Author of the book “PowerShell for Office 365”
• Technical Reviewer of the book “Pro : SharePoint 2013 Administration”
• Founder and Organizer of Artificial Intelligence and Machine Learning User Group
and DC-Metro Office 365 User Group
➢ Monthly in person & online free event
➢ https://www.meetup.com/ArtificialIntelligenceAndMachineLearning/
➢ http://www.meetup.com/DC-Metro-Office-365-User-Group/
• Organizer of
➢ Global Azure Bootcamp – Day long free event
➢ AI Fest
➢ Azure Data Fest
➢ SharePoint Saturday Baltimore (SPSBMORE)- – Day long free event
http://www.spsevents.org/city/baltimore
➢ Organizer of SharePoint Saturday DC ( SPSDC ) - Day long free event
➢ http://www.spsevents.org/city/DC/
Prashant G Bhoyar
(PGB)

3
SM
Who AM I ?
• Recipient of Antarctic Service Medal
• Microsoft MVP ( Most Valuable
Professional)
• Solution Architect at Withum Smith
and Brown PC
➢https://digital.withum.com
➢Former Portal Solutions
➢Focus on Microsoft Solutions and
Services
➢Works in Bethesda, Maryland Office
Prashant G Bhoyar
(PGB)

4
SM
01010101010101010101010101010010101010101010101010110011110101011000111110000000000000000000000
000000001111101101101101010101010101010101010101010010101010101010101010110011110101011000111110
00000000000000000000000000000111110110110111010101010101010101010101010010101010101010101010110
011110101011000111110000000000000000000000000000001111101101101101010101010101010101010101010010
101010101010101010110011110101011000111110000000000000000000000000000001111101101101101010101010
10101010101010101001010101010101010101011001111010101100011111000000000000000000000000000000111
110110110110101010101010101010101010101001010101010101010101011001111010101100011111000000000000
00000000000000000011111011011011
Microsoft MVPs
On Staff
4
100+
Microsoft Cloud
Deployments
(Office 365, Azure, Dynamics, Power BI)
50+Consultants
(Project Managers, Business Analysts,
Developers, Data Scientists,
Engineers, Software Developers, User
Experience Designers)
16Years as:
Microsoft Gold
Partner
About Withum Digital

5
SM
• 100 Level Session
• What is Azure Active Directory?
• Why we need to use/learn Azure AD?
• Azure AD in the Enterprise
• Azure AD in the Office 365
• How to get started?
• Demos
• Key Takeaways
• Q&A
Agenda

6
SM
Housekeeping
▪ Slides: https://www.slideshare.net/pgbhoyar
▪ Giveaway : PowerShell for Office 365
▪ Drop your business card
▪ Ask lot of questions

7
SM

8
SM
Audience Poll
▪ How many of you are Power Users?
▪ How many of you are Business Users?
▪ How many of you are IT pros?
▪ How many of you are Developers?
▪ How many of you are already using Azure Active Directory?
▪ How many of you have built custom membership/role provider?
8

9
SM

10
SM
Authentication & Authorization
Authentication Authorization
• Always the First Step
• Confirms the Identity
• Example : Security queue at Airport
• Comes after Authentication
• Confirms the access level
based on permissions
• Example : Flight Boarding Pass
at the Airport gate

11
SM

12
SM
▪ It is Software as a service offering (SaaS)
▪ It is Microsoft’s cloud-based identity and
access management service
▪ It provides Single Sign on (SSO) between
many applications like Office 365,
Salesforce.com, Dropbox etc
▪ It is highly reliable and runs out of
Microsoft’s data centers around the
world
12
Source :https://azure.microsoft.com/en-us/documentation/articles/active-directory-whatis/
What is Azure Active Directory?

13
SM
▪ IT admins.
▪ To control access to your apps and your app resources,
based on your business requirements.
▪ To require multi-factor authentication when accessing
important organizational resources.
▪ To automate user provisioning between your existing Windows
Server AD and your cloud apps, including Office 365.
▪ To automatically help protect user identities and credentials
and to meet your access governance requirements.
13
Who uses Azure Active Directory?

14
SM
▪ App developers.
▪ Azure AD gives us a standards-based approach for adding single sign-on (SSO) to
your app, allowing it to work with a user's pre-existing credentials.
▪ Provides APIs that can help you build personalized app experiences leveraging
existing organizational data.
▪ Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers.
▪ As a subscriber, you're already using Azure AD.
▪ Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is
automatically an Azure AD tenant.
▪ We can immediately start to manage access to your integrated cloud apps.
14
Who uses Azure Active Directory?

15
SM

16
SM
Why We Should Care About Azure AD?
▪ This is golden age for technical innovation
▪ The “New” Microsoft is launching lot of new services/products
rapidly
▪ But the life span of new productions/services is decreasing
• Access Services : https://techcommunity.microsoft.com/t5/Office-
Retirement-Blog/Updating-the-Access-Services-in-SharePoint-Roadmap/ba-
p/57148
▪ We need to spend some time doing research before investing time
to learn/explore new product/services
16

17
SM

18
SM
Why We Should Care About Azure AD?
▪ Azure AD is the defacto authentication choice in the Microsoft World
▪ It is backbone of Office 365 and Azure and we should learn it or at least
get familiar with it
▪ The name is misleading
• Lot of developers think AD means IT Pro Stuff…☺
▪ It is basically an authentication and authorization service provided as a
subscription
▪ It enables Application developers to focus on building the applications
18

19
SM
▪ Only Azure Active Directory
▪ Less common
▪ Local Active Directory Synced with
Azure AD
▪ Common
▪ Azure Active Directory Domain
Services
▪ Domain Join Win 10 and Win 2016
machines
19
Source : https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect
Scenarios

20
SM
Azure AD in the Enterprise
▪ Synced with on-premises users
▪ Enable SSO (Single Sign On) between many applications
▪ Can be used with any development platform
▪ Can be used instead of ASP.NET Identity
Source :https://docs.com/OfficeDevPnP/4436/pnp-web-cast-what-should-every-sharepoint?fromAR=1

21
SM

22
SM
Azure AD Pricing as of May 01st 2019 ☺
▪ Comes in 5 editions
• Free
 Comes with Office 365, Azure subscription
• Basic
• Premium P1
• Premium P2
• Office 365 Apps
22
Source :https://azure.microsoft.com/en-us/pricing/details/active-directory/

23
SM
Azure AD Pricing as of May 01st 2019 ☺
Features Free Basic Premiu
m P1
Premiu
m P2
Office
365
Apps
Directory Objects 500,000 object
limit
No object limit No Object Limit No Object Limit No Object Limit
Single Sign-On (SSO) 10 apps per user 10 apps per user No Limit No Limit 10 apps per
user
Join a device to Azure AD, Desktop SSO, Microsoft
Passport for Azure AD, Administrator Bitlocker
recovery
Yes Yes Yes Yes
Company Branding (Logon Pages/Access Panel
customization)
Yes Yes Yes Yes
Multi-Factor Authentication Yes Yes Yes
Pricing 1$ User/Month $6 User/Month $9 User/Month
Source :https://azure.microsoft.com/en-us/pricing/details/active-directory/

24
SM
Azure AD and Office 365
▪ Every Office 365 tenant has Azure AD
▪ SharePoint Online Add-ins (AppRegNew.aspx) are enrolled in
Azure AD
• <SiteUrl>/_layouts/15/AppRegNew.aspx
▪ In Azure AD we can authorize web applications to access other
tenant data
▪ Azure AD has much more user data
▪ The Microsoft Graph API
• We need to get the access token from Azure AD first to make the call
Source :

25
SM
Azure AD and Office 365 Applications
▪ Azure AD stores custom application registration
• Web or REST API
• Native Application
▪ OpenID for Authentication and OAuth 2.0 for authorization
▪ Enforces authorization rules
• Between applications and API
• Out of the box registered API for Office 365
• Or Custom Implemented REST API Services

26
SM
Microsoft Authentication Library (MSAL)
▪ SDK for gaining access to API protected by Microsoft identities
• Fully OSS, easy to use, full-featured, production-ready
• Works with Azure AD v2 (work & school accounts, personal accounts) and B2C
▪ Available on
• .NET 4,5x, .NET Core, Xamarin (iOS, Android, UWP)
• iOS (ObjC/Swift)
• Android (Java)
• Javascript
▪ SafariViewController on iOS, Chrome custom tabs on Android

27
SM
MSAL
PublicClientApplication myApp =
new PublicClientApplication("a7d8cef0-4145-49b2-a91d-95c54051fa3f")
string[] scopes = { "Mail.Read" };
AuthenticationResult rez = await myApp.AcquireTokenAsync(scopes);

28
SM
Azure AD auth endpoints
Work and school Personal
with ADAL

29
SM
App Registration v1.0
▪ Any Application that uses Azure AD for authentication must be
registered in Azure AD
▪ To register an App we need
• Application ID URI
 Identifier for application
• Reply URL
 Azure AD will do a redirect to this url after successful authentication
• ClientID
 Unique ID ( GUID) for application generated by Azure AD
• Permissions
 What access right does this App will have?
Source :https://docs.microsoft.com/en-us/azure/active-directory/active-directory-integrating-
applications

30
SM
App registration v2.0
Create a new application
https://apps.dev.microsoft.com
A unique Id is created for your app
Add app platform
• Web App, SPA, Daemon
• Native App
• Web API (Office Add-in)
Add permissions for admin consent
flows
• For delegated access for all users
in the organization
• For application access

31
SM
App types and permissions
Users can consent for their data or admin can consent for all users Only admin can consent
Delegated
permissions
User
privileges
App
permissions
Permission type: applicationPermission type: delegated
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
Get access on behalf of users Get access as a service
Effective permissionEffective permission

32
SM
Consent
▪ Users grant delegated permissions to apps via consent
▪ Consent prompts are shown at first token request time
▪ User consent is recorded individually
▪ Want to only prompt once per tenant? Admin consent

33
SM
App vs User Permissions
▪ Web apps have their own identity
• OAuth2 “confidential clients”
▪ Resources can expose application permissions
▪ Application permissions:
• Are granted via admin consent
• Once granted, they endow the app with the corresponding privilege

34
SM
Modern authentication protocols
▪ OAuth 2.0 for delegation of access
 Allows the user to consent (give permission) for one service to access the user’s data
held by another service
– Administrator can consent to access on the user’s behalf
 Claims held in an access_token
▪ OpenID Connect
 Adds authentication to OAuth 2.0
 Claims held in a id_token
▪ JSON Web Token (JWT) mandated in OpenID Connect
• Used in most OAuth 2.0 implementations

35
SM
JWT - Lightweight

36
SM
▪ Authentication libraries available for most platforms
• .NET OpenID Connect middleware for web applications
• Active Directory Authentication Library (ADAL) for native and web apps
 Connects to Azure AD v1 endpoints
• Microsoft Authentication Library (MSAL) for native and web apps
 Connects to v2 endpoints to authenticate users with a Microsoft or Azure AD
account
– v2 endpoints introduce new feature and do not currently support all the functionality of the v1
endpoints
Development support

37
SM
Asking for Consent
▪ Administrators can consent on behalf of all users
Some consents need admin privileges

38
SM
Auth
access_token
MSAL or
ADAL
YOUR APP
Your
Application
id_token
access_token refresh_toke
n
Microsoft
Identity

39
SM
Demo

40
SM
▪ Sign up for Office 365 Developer
Program at http://dev.office.com/
▪ Get 1 year of Office 365
subscription for free
▪ Excellent for personal
development use
▪ 1 Month Trial
▪ https://products.office.com/en-
us/business/compare-office-365-
for-business-plans
40
How to get personal Office 365
Developer Tenant?

41
SM

42
SM
42
How to get personal Azure Subscription?
▪ If you have MSDN Enterprise subscription
▪ You can get $150/month Azure credits for free
▪ Sign Up for Free trial :
https://azure.microsoft.com/
▪ Credit Card is required
▪ Microsoft Imagine
▪ Former Dreamspark
▪ No credit card required
▪ Valid .edu account from participating
school/institution
▪ Limited feature sets

43
SM
Key Takeaways
▪ Hopefully the contents we covered today made you to explore Azure
AD and you will go home and play with it ☺
▪ Sign up for Developer Program using https://dev.office.com/
▪ Check out Microsoft Graph APIs
• https://developer.microsoft.com/en-us/graph/
▪ Spend some time doing research before investing time to
learn/explore new product/services

44
SM

45
SM
Recap
▪ What is Azure Active Directory?
▪ Why we need to use/learn Azure AD?
▪ Azure AD in the Enterprise
▪ Azure AD in the Office 365
▪ How to get started?
▪ Demos
▪ Key Takeaways
45

46
SM
References
Appendix/Resources
Getting Started
https://azure.microsoft.com/en-us/documentation/articles/active-directory-whatis/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/
Pricing
https://azure.microsoft.com/en-us/pricing/details/active-directory/

47
SM
Q&A

48
SM
Questions? Feedback? Contact me:
▪ Email: pgbhoyar@gmail.com
▪ Twitter: @PGBhoyar
▪ Blog: http://pgbhoyar.com
▪ LinkedIn: https://www.linkedin.com/in/pgbhoyar/
▪ Slides :https://www.slideshare.net/pgbhoyar
▪ Free Consulting/ Q&A: https://pgbhoyar.com/free-question-answer-session/
▪ Feedback : Please provide feedback
▪ Event App
▪ Email
Thank You
Organizers, Sponsors and You for Making this Possible.

Azure Active Directory (Azure AD) for office 365 Developers : SPFestDC 2019

More Related Content

What's hot (20)

Similar to Azure Active Directory (Azure AD) for office 365 Developers : SPFestDC 2019 (20)

More from Prashant G Bhoyar (Microsoft MVP) (20)

Recently uploaded (20)

Azure Active Directory (Azure AD) for office 365 Developers : SPFestDC 2019