Post on 14-Apr-2017
idea. plan. deliver.
Enrique Lima, Principal Consultant
Windows Azure Active Directory (Microsoft)
Bi Do, WAAD to MAAD??!!??
Who am I?
• Enrique Lima
• enrique@thinkalm.com
• Principal Consultant / Owner
• Microsoft v-TSP BPIO / CoreIO / APPIO
• Microsoft Community Contributor
• Member of the Geekswithblogs.net Community - Influencer
  ▫ http://geekswithblogs.net/enriquelima
• @enriquelima - twitter.com/enriquelima
• Member of INETA
Identity
• Integrate with enterprise identity
• Enable single sign-on within your apps
• Enterprise Graph REST API
• 93% of Fortune 1000 use Active Directory
What’s a TOKEN? I want Cookie!!!!!
Microsoft approach: hybrid cloud
• Public
• Private
• Common technologies: Identity ▪ Virtualization ▪ Management ▪ Development
Broad & deep array of solutions enables customers to use cloud in their own way, at their own pace
What if we could?
RESPONDING to the needs for interoperability, social networking, flexibility, and simplicity
REINVENTED for the cloud with modern protocols
PROVIDE the enterprise capabilities of Active Directory
Windows Azure Active Directory is a modern cloud service providing identity management and access control capabilities to cloud applications.
Identity Solution: Cloud Single Sign-on with Access Control
[Diagram elements: Windows Live ID ▪ On-Premises Active Directory ▪ ADFS 2.0 ▪ Third Party Apps ▪ Windows Azure Active Directory ▪ Microsoft Apps ▪ Your Apps]
Active Directory in IaaS
• Through Virtual Networking connectivity, on-premises Active Directory allows domain join and single sign-on for applications in Azure
• Windows Server Active Directory can now be hosted in a Virtual Machine in Windows Azure to support SharePoint or SQL Server and for performance and redundancy
[Diagram: on-premise subnets with DC / DNS and Active Directory; Persistent VM Roles running DC / DNS and Active Directory, SQL, and SharePoint]
Windows Azure Active Directory
• Windows Azure Authentication Library: developer library to make authentication in Azure apps easy
• Windows Azure AD Graph: developer RESTful API for the cloud directory
• Windows Azure AD Access Control: centralized authentication and authorization hub
• Windows Azure AD Directory: cloud-based identity store / provider
Access Control
What is it?
• Claims-based, federated authorization management service
What does it do?
• Simplify user access authorization across organizations and ID providers
• Perform claims transformation to map identities with access levels
Use for …
• Secure Service Bus communications
• Secure web services
• Secure web applications
Identity Challenges
• User: doesn't want to use a different identity for every app
• Developer: doesn't want to write code to support multiple identity providers
• Administrator: wants to easily grant access to apps to Active Directory identities
[Diagram elements: Active Directory ▪ Cloud App]
Identity Solution: Cloud Single Sign-on with Access Control
• User: can use his preferred Identity Provider
• Developer: writes one set of code to accommodate multiple Identity Providers
• Administrator: grants access to all AD users by establishing trust between AD and ACS
[Diagram elements: Access Control ▪ Active Directory ▪ ADFS 2.0]
Directory
What is it?
• A multi-tenant cloud directory
What does it do?
• Stores identities, group and role information that can be used for authentication and authorization
Use for …
• Control access to Microsoft online services such as Office 365, Dynamics CRM Online and Windows Intune, as well as Windows Azure applications, for a true single sign-on experience
Directory
• Cloud authentication, authorization multi-tenant directory for Microsoft and 3rd party cloud services
• "Organization-owned" identity provider
• Easily federates and synchronizes with on-premises AD
• Central "hub" to provision/de-provision/manage users and their computers/devices
• Support for multi-factor authentication
[Diagram label: SAML]
Graph
What is it?
• An enterprise social graph service
What does it do?
• Provides a way for applications to query the Directory and other sources for identity information and relationships, to provide a richer experience for users
Use for …
• Build social enterprise apps
Azure Authentication Library
What is it?
• A developer library
What does it do?
• Provides a way for developers to easily take advantage of Windows Azure AD from their rich client applications and services
Use for …
• Add authentication capabilities to your rich client applications
• Authenticate incoming calls to your services
Scenarios
Windows Azure Active Directory enables:
• Single sign-on across all your cloud applications
• Build social enterprise apps in the cloud
• Build secure applications that integrate with multiple web identity providers
For ISVs and organizations of all sizes
Enterprises
• Centralized policy and access control
• Single sign-on for users to Microsoft and 3rd party applications running in the cloud
• Easy administration – sync and federate to on-prem AD
ISVs
• Deliver SaaS solutions in Azure with single sign-on for users in Windows Azure AD (Office 365)
• Write applications using a new enterprise social graph
Small Business
• Provide access control with no on-prem identity infrastructure required
• Easy to use with little IT skills required
How it Works (Arendelle)
[Diagram parties: ACCESS CONTROL ▪ HARVESTED ICE ▪ WEASEL TOWN]
0 Establish trust via key exchange
1 Define access control rules
2 Request token (pass input claims)
3 Map input claims to output claims based on access control rules
4 Return token (receive output claims)
5 Send message with token
6 Process token
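The following Python sketch is an added illustration of the seven-step flow above and of the "claims transformation" the Access Control slide describes; it is not code from the deck or from the Windows Azure Training Kit. It plays all three parties in one process: the shared key stands in for the step-0 key exchange, a small rule table stands in for step 1, and the token is a base64url JSON payload with an HMAC-SHA256 signature. That token format, the rule format, the issuer/audience URNs and the sample claims are all assumptions made for the example, not the real ACS wire format. The point for the relying service (step 6) is that it verifies signature, issuer, audience and expiry before acting on any claim, and that claims with no matching rule are dropped rather than passed through.

```python
import base64
import hashlib
import hmac
import json
import time

# Step 0: trust established out of band by key exchange. The access control
# service and the relying service share this secret; the client never sees it.
# Constructed value for the example only.
SHARED_KEY = b"constructed-shared-secret-for-example-only"

ACS_ISSUER = "urn:example:acs"          # assumed name for the token issuer
IDP_ISSUER = "urn:example:idp"          # assumed name for the upstream identity provider
SERVICE_AUDIENCE = "urn:example:weasel-town"  # assumed name for the relying service

# Step 1: access control rules (hypothetical format). Each rule maps one input
# claim from a given issuer to one output claim; "*" on the input value matches
# any value, and "*" on the output value copies the input value through.
RULES = [
    {"issuer": IDP_ISSUER, "in_type": "group", "in_value": "ice-harvesters",
     "out_type": "role", "out_value": "reader"},
    {"issuer": IDP_ISSUER, "in_type": "group", "in_value": "duke-staff",
     "out_type": "role", "out_value": "trader"},
    {"issuer": IDP_ISSUER, "in_type": "email", "in_value": "*",
     "out_type": "email", "out_value": "*"},
]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def map_claims(issuer, input_claims, rules):
    """Step 3: derive output claims from input claims using the rules.
    Input claims with no matching rule are dropped (deny by default)."""
    output = []
    for ctype, cvalue in input_claims:
        for rule in rules:
            if rule["issuer"] != issuer or rule["in_type"] != ctype:
                continue
            if rule["in_value"] == "*":
                out_value = cvalue if rule["out_value"] == "*" else rule["out_value"]
                output.append((rule["out_type"], out_value))
            elif rule["in_value"] == cvalue:
                output.append((rule["out_type"], rule["out_value"]))
    return output


def issue_token(issuer, input_claims, audience, rules, key=SHARED_KEY, now=None, lifetime=600):
    """Steps 2-4: the client presents input claims; the access control service
    maps them and returns a signed token of the form <payload>.<signature>."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": ACS_ISSUER,
        "aud": audience,
        "exp": now + lifetime,
        "claims": map_claims(issuer, input_claims, rules),
    }
    body = b64url(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)


def process_token(token, expected_audience, key=SHARED_KEY, now=None):
    """Step 6: the relying service validates the token before trusting any claim.
    Returns the output claims as (type, value) tuples, or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")          # tampered, or signed with the wrong key
    payload = json.loads(unb64url(body))
    if payload.get("iss") != ACS_ISSUER:
        raise ValueError("unexpected issuer")
    if payload.get("aud") != expected_audience:
        raise ValueError("token not intended for this service")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return [tuple(c) for c in payload["claims"]]


def demo():
    """Run the full flow with constructed sample claims and return what the
    relying service ends up trusting."""
    input_claims = [("group", "ice-harvesters"),
                    ("email", "kristoff@example.test"),
                    ("group", "unknown")]            # no rule matches this one
    token = issue_token(IDP_ISSUER, input_claims, SERVICE_AUDIENCE, RULES, now=1_000_000)
    # Step 5: the client sends its message with the token attached (omitted here).
    return process_token(token, SERVICE_AUDIENCE, now=1_000_100)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `[('role', 'reader'), ('email', 'kristoff@example.test')]`: the group claim was translated to a role, the e-mail claim was passed through, and the unrecognised group produced nothing. A token forged with a guessed key, presented to the wrong audience, or presented after `exp` is rejected before its claims are read.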
Let it go, let it go
Can't hold back anymore
Let it go, let it go
Turn away and slam the door
I don't care what they're going to say
Let the storm rage on
The CLOUD never bothered me anyway
Acknowledgements
• Content from Windows Azure Training Kit