Windows Azure Active Directory Graph API
Edward Wu, Sr Program Manager, Microsoft Corporation
SIA322
Windows Azure Active Directory Graph API: Introduction
Goals
Querying Directory Data
Application Authentication/Authorization
Demos
Roadmap Summer/Fall
Resources/Getting Started
Windows Azure Active Directory Graph API
Windows Azure Active Directory
Is here now – it is integrated with Office 365 and Windows Azure, available to all apps.
Integrated modern identity management service for Office 365, Azure and 3rd party web applications
Single sign-on across Microsoft and 3rd party applications with increased security control
Graph API
Access directory data with RESTful Graph API
Integrates with consumer identity and social networks
Windows Azure Active Directory Graph API: Goals
Make it easy for applications to integrate with the Azure Active Directory
Lay the foundation for creation of higher-level capabilities: look ups, people pickers, security group membership, cross-company collaboration …
Provide high usability and interoperability
Solution: new RESTful interface for Windows Azure AD
Support HTTP/REST-based protocol for accessing all directory information
Support HTTP response codes and return directory objects in JSON/XML
Compatible with OData V3 for more complex queries and metadata (www.odata.org)
Leverage OAuth 2.0 for authentication
Connecting to Windows Azure Active Directory (diagram)
On-premises Active Directory is synchronized into Windows Azure Active Directory by Directory Sync; the cloud directory is administered through the Admin Portal and PowerShell (administration scripting).
On-premises applications reach Active Directory over LDAP/Kerberos; new applications reach Windows Azure Active Directory through the REST interface with OAuth.
Multi-tenant environment, divided into tenants
Typed objects. Example: Users, Groups, Contacts, Roles, Licenses
Relationships: Member/Member of, Manager/Direct reports
Windows Azure Active Directory Resources: https://directory.windows.net/Contoso.com/
TenantDetails, Users, Groups, Contacts, Roles, SubscribedSkus
Extended Windows Azure AD for the cloud: Licensing, Provisioning, DirSync status, Domain Status
REST interface for Directory Access: Request URI structure
<Service root>/<resource path>[?Query string options]
https://directory.windows.net/contoso.com/Users?$filter=DisplayName eq 'Adam Barr'
Navigating the URI structure
https://directory.windows.net/$metadata
https://directory.windows.net/contoso.com/
https://directory.windows.net/contoso.com/TenantDetails
https://directory.windows.net/contoso.com/Users
https://directory.windows.net/contoso.com/Groups
https://directory.windows.net/contoso.com/Roles
https://directory.windows.net/contoso.com/Contacts
https://directory.windows.net/contoso.com/SubscribedSkus
Example of filters
?$filter=City eq 'Redmond'
?$filter=GivenName eq 'Adam' and Surname eq 'Barr'
?$filter=Surname ge 'Jackson' and Surname le 'Jz'
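The request URI structure and the $filter examples above, as an added example that is not part of the session material: a small Python builder that assembles <Service root>/<tenant>/<resource>?$filter=...&$top=N, validates property names and operators, and quotes the value as an OData string literal (an embedded single quote is doubled) so that caller-supplied data never changes the shape of the query. The resource and operator lists are taken from the slides; the function names are my own.

```python
from urllib.parse import quote

SERVICE_ROOT = "https://directory.windows.net"
# Operators the preview's $filter supports per the session: eq, ge, le joined with 'and'
ALLOWED_OPS = {"eq", "ge", "le"}
# Resource paths listed in "Navigating the URI structure"
ALLOWED_RESOURCES = {"TenantDetails", "Users", "Groups", "Contacts", "Roles", "SubscribedSkus"}

def odata_string_literal(value: str) -> str:
    """Quote a value as an OData string literal; an embedded quote is doubled."""
    return "'" + value.replace("'", "''") + "'"

def build_filter(conditions) -> str:
    """conditions: iterable of (property, operator, value) tuples, AND-ed together.
    Property names and operators are validated, so only the value is ever data,
    and the value is quoted rather than interpolated raw."""
    parts = []
    for prop, op, value in conditions:
        if not prop.isidentifier():
            raise ValueError(f"bad property name: {prop!r}")
        if op not in ALLOWED_OPS:
            raise ValueError(f"unsupported operator: {op!r}")
        parts.append(f"{prop} {op} {odata_string_literal(str(value))}")
    return " and ".join(parts)

def build_uri(tenant: str, resource: str, conditions=(), top=None) -> str:
    """<Service root>/<tenant>/<resource>[?$filter=...][&$top=N], query options URL-encoded."""
    if resource not in ALLOWED_RESOURCES:
        raise ValueError(f"unknown resource: {resource!r}")
    uri = f"{SERVICE_ROOT}/{quote(tenant, safe='')}/{resource}"
    options = []
    if conditions:
        options.append("$filter=" + quote(build_filter(conditions), safe=""))
    if top is not None:
        if not isinstance(top, int) or top <= 0:
            raise ValueError("$top must be a positive integer")
        options.append(f"$top={top}")
    return uri + ("?" + "&".join(options) if options else "")
```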
Response: response body in JSON or XML, plus an HTTP response code
GET a User Object
Request: GET https://directoryppe.windows.net/PharmaSales.info/Users('[email protected]')
Returned JSON user object:
{"d": {
  "__metadata": {"id": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')", "uri": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')", "type": "Microsoft.Online.DirectoryApi.User"},
  "Manager": {"__deferred": {"uri": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')/Manager"}},
  "DirectReports": {"__deferred": {"uri": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')/DirectReports"}},
  "MemberOf": {"__deferred": {"uri": "https://directoryppe.windows.net/PharmaSales.info/Users('User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c')/MemberOf"}},
  "ObjectId": "d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c", "ObjectReference": "User_d7aadc28-a2ea-4c0e-aabe-f13c675b3e9c", "ObjectType": "User", "AccountEnabled": true,
  "AssignedLicenses": {"__metadata": {"type": "Collection(Microsoft.Online.DirectoryApi.AssignedLicense)"}, "results": []}, "AssignedPlans": {"__metadata": {"type": "Collection(Microsoft.Online.DirectoryApi.AssignedPlan)"}, "results": []},
  "City": "Redmond", "Country": "US", "Department": null, "DirSyncEnabled": null, "DisplayName": "Adam Barr", "FacsimileTelephoneNumber": null, "GivenName": "Adam", "JobTitle": null, "LastDirSyncTime": null, "Mail": null, "Mobile": null,
  "OtherMails": {"__metadata": {"type": "Collection(Edm.String)"}, "results": []},
  "PasswordPolicies": "None", "PhysicalDeliveryOfficeName": null, "PostalCode": "98052", "PreferredLanguage": null,
  "ProvisionedPlans": {"__metadata": {"type": "Collection(Microsoft.Online.DirectoryApi.ProvisionedPlan)"}, "results": []}, "ProvisioningErrors": {"__metadata": {"type": "Collection(Microsoft.Online.DirectoryApi.ProvisioningError)"}, "results": []},
  "ProxyAddresses": {"__metadata": {"type": "Collection(Edm.String)"}, "results": []},
  "State": "WA", "StreetAddress": "One Microsoft Way", "Surname": "Barr", "TelephoneNumber": "425-882-8080", "UsageLocation": "US", "UserPrincipalName": "[email protected]"
}}
Referenced Links: Users (diagram)
A user object (Adam) is linked to other users (Bob, Jill) through /Manager and /DirectReports, and to the groups it belongs to (US Sales Team, whose members in the diagram are Bob, Sue and Jim) through /MemberOf:
https://Directory.windows.net/Contoso.com/Users('[email protected]')/Manager
https://Directory.windows.net/contoso.com/Users('[email protected]')/MemberOf
https://Directory.windows.net/Contoso.com/Users('[email protected]')/DirectReports
Referenced Links: Groups (diagram)
A group object (US Sales Team) is linked through /MemberOf to the groups that contain it (Global Sales Team, which contains US Sales and Europe) and through /Members to its member users (the diagram lists Bob, Sue, Jill and Jim):
https://directory.windows.net/contoso.com/Groups('Group_1a9f7ab7-4292-414e-ad33-11dc679f364c')/MemberOf
https://directory.windows.net/contoso.com/Groups('Group_1a9f7ab7-4292-414e-ad33-11dc679f364c')/Members
Querying and Data management
Users are sorted by DisplayName; other entities are unsorted
OData Query Options: $filter (logical And operations; Eq, Ge, Le), paging with $top (http://www.odata.org)
Authentication and Authorization for LOB Application (diagram)
The Application requests a JWT token from the Windows Azure Active Directory OAuth endpoint (passing input claims) and the endpoint returns the token.
The Application then sends its HTTP request with the JWT token to the Directory's REST Front End, which validates the ACS token and performs the authorization check before serving the request.
Navigating the REST interface
Sample Application
Application Authentication and Authorization
1. Company Admin adds an Application Service Principal to his tenant and assigns a Role (Read and/or Write)
2. Developer configures the App to use the Application Service Principal Id and App Secret (certificate or symmetric key)
3. Developer runs the App; the REST Front End validates the ACS token and authorizes the request
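The three steps above, as an added example that is not code from the session or from the Graph API: a Python model of what the REST Front End must do with a bearer token minted for a service principal with a symmetric App Secret. It verifies the HS256 signature with a constant-time compare, the algorithm, the audience and the expiry, then maps the assigned Role (Read or Write) to the HTTP methods it permits. The secret, audience, claim names and role-to-method table are my assumptions, not values from the slides.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not values from the session): the service
# principal's symmetric App Secret and the audience the token is issued for.
APP_SECRET = b"demo-symmetric-app-secret-not-real"
AUDIENCE = "https://directory.windows.net/contoso.com"
# Roles the company admin can assign to the service principal and the methods each allows
ROLE_METHODS = {"Read": {"GET"}, "Write": {"GET", "POST", "PUT", "DELETE"}}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(app_id: str, roles, ttl: int = 3600, now=None) -> str:
    """Stand-in for the OAuth endpoint: mint an HS256 JWT carrying the app's roles."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"aud": AUDIENCE, "sub": app_id, "roles": list(roles),
                                 "exp": now + ttl}).encode())
    sig = hmac.new(APP_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def validate_token(token: str, now=None):
    """Front end step 1: return the claims only if signature, alg, audience and expiry hold."""
    try:
        header, claims, sig = token.split(".")
        expected = hmac.new(APP_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        body = json.loads(_b64url_decode(claims))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if body.get("aud") != AUDIENCE or not isinstance(body.get("exp"), int) or body["exp"] <= now:
        return None
    return body

def authorize(method: str, authorization_header: str, now=None) -> int:
    """Front end step 2: 401 for a missing/invalid token, 403 if the role does not cover the method."""
    scheme, _, token = authorization_header.partition(" ")
    body = validate_token(token, now) if scheme == "Bearer" and token else None
    if body is None:
        return 401
    allowed = set().union(*(ROLE_METHODS.get(r, set()) for r in body.get("roles", [])))
    return 200 if method in allowed else 403
```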
Paul Reid, TITUS
Data security and governance for unstructured information
TITUS solutions protect information assets: prevent data leaks, raise user security awareness, comply with regulations
Embeds classification metadata into unstructured information: emails, Office documents, other file types
Industries: Military, Government, Healthcare, Transportation, Energy & Utilities, Banking, Insurance, Telecom, Chemical & Petroleum, Retail
Over 300 enterprise customers across all industries; 2 million TITUS users
What the Graph API means to TITUS
TITUS believes metadata is foundational to Information Protection.
More importantly, TITUS brings context to the application and understanding of metadata.
The introduction of a REST-based Graph API to Windows Azure AD provides:
Access to AD from off premises
Easier federated access to all hosted tenants
The social graph aspect allows for "context" of the user attributes in relation to others
This will facilitate stronger Information Protection through TITUS products
TITUS Demonstration Scenario
Marcus has been traveling outside of the office for the past several weeks, sending emails from the road. He needs to send an email to his engineering team members about their current project. Since he has been traveling, he has not heard that Anna has been transferred into sales. His company has a policy that non-engineering staff cannot receive emails about engineering projects.
TITUS solution using Graph API (diagram)
The TITUS client sends an HTTP request with its token to Windows Azure AD to get the group members of Engineering, and receives an HTTP response with the Engineering group memberships. The response lists Derek and Ed as Engineering members, which is compared against the email's recipients: Derek, Ed and Anna.
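The verbose JSON user object shown under "GET a User Object" and the membership check in the TITUS scenario, as one added example that is not code from the session, TITUS or the Graph API. It unwraps the "d" envelope, separates plain properties, "results" collections and "__deferred" navigation links (Manager, DirectReports, MemberOf), and then flags recipients who are not among a group's members. The two sample bodies are constructed with made-up identifiers; the shape of a collection response ("d": {"results": [...]}) is my assumption, since the slides only show a single entity.

```python
import json

# Constructed sample in the OData "verbose" JSON shape the session shows for one entity:
# a "d" envelope, "__metadata", "__deferred" navigation links and "results" arrays for
# collection-valued properties (identifiers are made up).
USER_JSON = r'''{"d": {
  "__metadata": {"id": "https://directory.windows.net/contoso.com/Users('User_0001')",
                 "uri": "https://directory.windows.net/contoso.com/Users('User_0001')",
                 "type": "Microsoft.Online.DirectoryApi.User"},
  "Manager": {"__deferred": {"uri": "https://directory.windows.net/contoso.com/Users('User_0001')/Manager"}},
  "MemberOf": {"__deferred": {"uri": "https://directory.windows.net/contoso.com/Users('User_0001')/MemberOf"}},
  "ObjectId": "0001", "ObjectType": "User", "AccountEnabled": true, "DisplayName": "Adam Barr",
  "ProxyAddresses": {"__metadata": {"type": "Collection(Edm.String)"}, "results": ["SMTP:adam@contoso.com"]}
}}'''
# Constructed sample of a navigation-link result such as GET .../Groups('...')/Members.
# Assumption (not shown on the slides): a collection comes back as "d": {"results": [...]}.
MEMBERS_JSON = r'''{"d": {"results": [
  {"__metadata": {"type": "Microsoft.Online.DirectoryApi.User"}, "ObjectId": "0002", "UserPrincipalName": "derek@contoso.com"},
  {"__metadata": {"type": "Microsoft.Online.DirectoryApi.User"}, "ObjectId": "0003", "UserPrincipalName": "ed@contoso.com"}
]}}'''

def parse_entity(entity: dict) -> dict:
    """Split one verbose entity into plain properties, flattened collections and
    deferred navigation links (URIs the client must GET separately)."""
    out = {"type": entity.get("__metadata", {}).get("type"),
           "properties": {}, "collections": {}, "links": {}}
    for name, value in entity.items():
        if name == "__metadata":
            continue
        if isinstance(value, dict) and "__deferred" in value:
            out["links"][name] = value["__deferred"]["uri"]
        elif isinstance(value, dict) and "results" in value:
            out["collections"][name] = list(value["results"])
        else:
            out["properties"][name] = value
    return out

def parse_response(body: str) -> list:
    """Unwrap the "d" envelope; always return a list of parsed entities."""
    d = json.loads(body)["d"]
    entities = d["results"] if "results" in d else [d]
    return [parse_entity(e) for e in entities]

def recipients_outside_group(members_body: str, recipients) -> set:
    """The TITUS policy check: recipients that are not members of the group (UPN compare)."""
    member_upns = {e["properties"]["UserPrincipalName"].lower() for e in parse_response(members_body)}
    return {r for r in recipients if r.lower() not in member_upns}
```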
Michael Brengs, Optimal IdM
Overview of Optimal IdM
Company highlights: founded in 2005; 100% organically grown; profitable every quarter since inception; no debt or outside investment; headquartered in Tampa, Florida; global presence (solutions on 5 continents)
Core Microsoft Identity & Access Partner: Independent Software Vendor (ISV) and Consulting Partner; member of the Security Partner Advisory Council (PAC); meets under NDA with Microsoft on a quarterly basis
What is the Virtual Identity Server (VIS)?
VIS is a proxy server to LDAP: it provides a real-time proxy of multiple LDAP servers
Applications can now support multi-forest with no changes to the application
Data is not stored in VIS; it is proxied
Additional security and control
Additional functionality: data transformation
Adapters (VISAs) to data sources
LDAP Virtual Directory
Office 365 & Cloud Directory: an out-of-the-box Graph API VISA can read/write to Office 365 (standard LDAP to read the cloud); it will be the mechanism by which the VIS for Office 365 solution provisions/de-provisions to Office 365.
Orcas Consulting: Jeremy Palenchar, Partner, Orcas Consulting
Demo Environment (diagram)
On-premises: FIM 2010. In the cloud: an Azure AD pre-production tenant and a Salesforce.com orcas development tenant. FIM imports from and exports to the cloud tenants.
Graph API Management Agent for FIM 2010
Graph API Development: Thoughts & Lessons Learned
FIM MA page size and Graph API continuation tokens
Reference objects and attributes
Easy to consume data using OData for .NET
Very little custom code for MA implementation
Authentication tested using symmetric and PKI (asymmetric) tokens
Preview: POST – Creating a new user
POST /Contoso.com/Users HTTP/1.1
Host: directory.windows.net
Content-Type: application/json;odata=verbose
Authorization: Bearer ey1287Z………
X-ms-dirapi-contract-version: 0.5

{"AccountEnabled": true, "City": "Seattle", "Country": "US", "DisplayName": "Bob Jones", "GivenName": "Bob", "PostalCode": "98125", "PreferredLanguage": "EN", "State": "WA", "StreetAddress": "123 Main Street", "Surname": "Jones", "UsageLocation": "US", "UserPrincipalName": "[email protected]"}
Azure AD Graph API Developer Preview: interface subject to change, no production SLA
Summer: July Preview Read; August Preview Write
Future: additional directory properties; user authentication/delegation; ISV commerce scenarios; notifications and provisioning
Give us feedback: what do you need?
Getting Started (coming soon)
Watch this blog: http://blogs.msdn.com/windowsazure
Review MSDN content: http://msdn.microsoft.com/en-us/library/hh974476.aspx
Download the sample application and run it against a test tenant in Windows Azure AD
Get your own Windows Azure Active Directory test company: Office 365 trial sign-up at www.office365.com
Configure your tenant, Service Principal and application
Use the provided PowerShell scripts to configure the app and to add sample directory data
F5: build and run your app; extend it, play with it, integrate it
Rate the app, ask questions and give feedback
Related Content that was presented
Find me later: at the party and online
OSP321 Active Directory Integration with Microsoft Office 365, Tuesday
SIA205 Running AD on Windows Azure VM, Monday
SIA209 A Lap Around Windows Azure Active Directory, Monday
Resources
Watch this space: http://blogs.msdn.com/windowsazure
MSDN Documentation: Windows Azure AD Graph API http://msdn.microsoft.com/en-us/library/hh974476.aspx
Preview sample application download link: http://go.microsoft.com/fwlink/?LinkID=95732&clcid=0x409
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Why REST for the Directory?
REST: broad industry adoption; super simple (HTTP GET, PUT, POST, DELETE); lots of available client libraries (http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm)
REST for the Directory: easy integration with any app on any platform