Slide1
Microsoft Azure: Developing Solutions
Slide2
Active Directory, DirectX, Internet Explorer, Lync, Microsoft, Microsoft Corporate Logo, MSDN, Office 365, Outlook, SharePoint, SkyDrive, Visual Studio, Windows, Microsoft Azure, Windows Live, Windows Logo, Windows Server, Windows Vista, Xbox 360 and Zune are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Slide3
How to View This Presentation
Switch to Notes Page view:
Click View on the ribbon and select Notes Page
Use page up or page down to navigate
Zoom in or out as needed
In the Notes Page view you can:
Read any supporting text, now or after the delivery
Add your own notes
Take the presentation files home with you
Slide4
Introduction and Logistics
Your trainer
You
Your role
Your company
Your experience in this technology area
Your goals for this workshop
Start and end times
Facilities (bathrooms, smoking)
Meals
Computers, phones, tablets, etc.
Please set to vibrate
What’s on your desk?
Slide5
Module 7: Identity and Access Control in the Cloud
Module Overview
Why…
…do we need a new way of authenticating users and managing access to resources?
What…
…is required to manage identity and access in the cloud environment?
How…
…do Azure AD and the related infrastructure support these requirements, and how do you develop against them?
Slide6
Module 7: Identity and Access Control in the Cloud
Why?
Slide7
What we are accustomed to…
(Diagram: Application and Directory inside one trusted domain.)
From having a trusted domain for users and apps…
Slide8
Cloud identity – external application
(Diagram: the directory inside the trusted domain, the Application outside it.)
How does the application get data from the on-premises, firewalled identity store?
How does the application trust data sent by the identity store?
How does the identity store know that it is OK to send user data to the application?
Slide9
Cloud identity – mobile users
(Diagram: the Application inside the trusted domain, the users outside it.)
How does the user provide credentials to the firewalled identity store?
How do we avoid having the user sign in separately to each application (SSO)?
Do we trust users outside the domain the same way as those on the domain?
Slide10
Cloud identity – no trusted domain – public internet
(Diagram: the Application on the public internet, with no trusted domain.)
How do we support multi-tenant applications (one application, many organizations)?
How do we support organizations with no identity infrastructure, and individual users?
How do we support different application and identity platforms?
Slide11
Cloud identity – some issues
User:
Whom can I trust with my credentials?
I want single sign-on to all my applications, no matter where they are or who owns them
Application:
Can I trust the token?
How do I get the token? (directory behind the firewall – application outside)
My users belong to many organizations (multi-tenancy)
Directory:
How do I decide whether this is a valid user?
Can I give information about the user to this application?
Which token format do I give?
Slide12
Module 7: Identity and Access Control in the Cloud
What?
Slide13
Glossary
Security Token – a serialized collection of claims about a user, signed with the issuer's key so that the receiver can confirm who issued it and that it has not been altered in transit, e.g. JWT (JSON) and SAML (XML).
Claims – a collection of name/value pairs describing a user (e.g. email address, display name, age).
Security Token Service (STS) – a web service capable of determining a user's identity (e.g. via password credentials) and issuing a Security Token using an authentication/authorization protocol.
Authentication/Authorization protocol – an agreed way of requesting, issuing, renewing or cancelling a Security Token, e.g. WS-Federation, SAML-P, OAuth2.
Slide14
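The following is an added worked example for the glossary terms above; it is not code from the deck or from any Microsoft library. It issues a JWT the way an STS would and then validates it the way an application must before trusting any claim in it: signature with the issuer's key, pinned algorithm, issuer, audience and expiry. HS256 with a shared secret stands in for the STS signing key so that it runs offline; the assumption to keep in mind is that Azure AD actually signs with RS256 and publishes its public keys at a metadata endpoint, so a real relying party verifies with that public key instead. The issuer URL, audience URI, secret and claim values are all constructed for the example.

```python
"""Added example, not code from the deck: a minimal security-token check.

A token is a serialized, signed set of claims; the application trusts it
only after verifying the signature with the issuer's key and checking
issuer, audience and expiry. HS256 with a shared secret stands in for the
STS signing key so the example runs offline (assumption: Azure AD itself
signs with RS256 and publishes its public keys at its metadata endpoint).
The issuer, audience, secret and claim values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration of the relying party (the "Application").
TRUSTED_ISSUER = "https://sts.contoso.example/"               # assumed STS id
EXPECTED_AUDIENCE = "api://travelapp.fabrikam.example"        # assumed app URI
STS_SIGNING_KEY = b"demo-shared-secret-not-for-production"    # stand-in key


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, claims):
    """What the STS does: serialize the claims and sign them (HS256 JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, key, issuer, audience, now=None):
    """What the application does before trusting a single claim.

    Returns the claims, or raises ValueError with the reason for rejection.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose how it is verified
    # ("alg": "none" and algorithm-confusion tokens are rejected here).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time compare: a plain == would leak a timing oracle.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this application")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no expiry")
    return claims


def check_token(token, key=STS_SIGNING_KEY, issuer=TRUSTED_ISSUER,
                audience=EXPECTED_AUDIENCE, now=None):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_token(token, key, issuer, audience, now)
        return "ok"
    except ValueError as err:
        return str(err)


def demo():
    """Issue a constructed token and show which misuses are rejected."""
    fixed_now = 1_700_000_000  # constructed clock so results are stable
    claims = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": "joe@contoso.com", "name": "Joe Smith",
              "amr": ["pwd", "mfa"], "exp": fixed_now + 3600}
    good = issue_token(STS_SIGNING_KEY, claims)
    forged = issue_token(b"attacker-key", claims)                  # wrong key
    wrong_aud = issue_token(STS_SIGNING_KEY, dict(claims, aud="api://other"))
    return {
        "valid": check_token(good, now=fixed_now),
        "forged": check_token(forged, now=fixed_now),
        "wrong_audience": check_token(wrong_aud, now=fixed_now),
        "expired": check_token(good, now=fixed_now + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The `amr` claim in the constructed token is the point made on the next slide: the application learns how the STS authenticated the user (password, MFA) only as a claim, never by seeing the credentials.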
Example – passive client
(Diagram: browser-based client, Application and STS; the Application trusts the STS; numbered steps 0–4 show the redirect-based exchange between them.)
Slide15
Passive authentication – notable facts
There is no need for direct connectivity between the STS and the Application.
The user needs to authenticate to the STS only once. After that, the STS can use a cookie to keep track of who the user is (SSO support).
The application has no access to, and never handles, user credentials. It is not even aware of how the STS determined the user's identity (password, certificate, Multi-Factor Authentication); this information may be communicated back to the application as a claim.
An STS can delegate user authentication to another STS and thus federate users from many different STSs, representing for example users from different organizations.
Slide16
Limits of passive authentication
Browser not (always) available for the passive (redirected) flow:
Client is a server-side process
Client is an SPA – cannot be redirected
Multiple applications – may require delegation of identity:
Mobile applications calling back-end services
Web UI application calling a Web API application
Embedded systems calling other systems
Slide17
OAuth2 – abstract flow (RFC 6749, section 1.2)
Parties: Client, Resource Owner, Authorization Server, Resource Server.
(A) Client → Resource Owner: authorization request
(B) Resource Owner → Client: authorization grant
(C) Client → Authorization Server: authorization grant
(D) Authorization Server → Client: access token
(E) Client → Resource Server: access token
(F) Resource Server → Client: protected resource
http://tools.ietf.org/html/rfc6749
Slide18
OAuth flows
Flow name – typical scenario:
Authorization code grant – Client: Web UI application accessing Web API resources. The browser is used only to redirect to authentication/authorization; thereafter the UI server talks directly to the token endpoint and to the API server, so the access token never passes through the browser. Good access token security. Also used by native mobile applications capable of hosting a browser.
Implicit flow – Client: JS SPA calling a Web API. A browser-only client cannot keep a client secret or make the back-channel token request, so the token is returned directly to the browser. Potential for token theft. No refresh token. (Later OAuth 2.0 security guidance recommends the authorization code grant with PKCE for SPAs instead.)
Client credentials – Client: a service which also owns the resources. Usually a non-UI daemon. The client manages its own credentials (e.g. X.509 certificate).
Resource owner password – Client: native UI apps unable to support browser controls. Credentials are supplied by the owner to the client, so the client sees the password; use only where no other flow is possible.
Slide19
OAuth Authorization Code Grant
Slide20
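Added worked example for the authorization code grant row of the table above and for this slide; it is not code from the deck or from any Microsoft SDK. Both sides of the exchange are simulated in memory: a confidential Web UI client and an authorization server. The client id, client secret, redirect URI, scope and the token format are constructed stand-ins, and the "browser" is just a function call carrying the redirect. It shows where the "good access token security" of this flow comes from: the code is bound to the client_id and the registered redirect_uri, is short-lived and single use; the secret and the access token travel only on the back channel; and the client rejects callbacks whose state it did not create.

```python
"""Added example, not code from the deck: RFC 6749 authorization code
grant between a confidential Web UI client and an authorization server,
both simulated in memory. Client id, secret, redirect URI, scope and the
token format are constructed stand-ins for what AAD would issue.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "webui-client-id"                                   # constructed
CLIENT_SECRET = "webui-client-secret"                           # constructed
REDIRECT_URI = "https://webui.contoso.example/signin-callback"  # constructed


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now
        # Constructed registration: what "Configure AAD for this application"
        # produces, i.e. an id, a secret and the registered reply URL(s).
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET,
                                    "redirect_uris": {REDIRECT_URI}}}
        self.codes = {}    # code -> what it was issued for
        self.tokens = {}   # access token -> user/scope/expiry

    def authorize(self, query, authenticated_user):
        """Authorization endpoint (front channel). Returns the redirect
        back to the client carrying the code."""
        client = self.clients.get(query.get("client_id"))
        if client is None:
            raise ValueError("unknown client")
        redirect_uri = query.get("redirect_uri")
        # Exact match against the registered reply URL; otherwise an
        # attacker-chosen redirect_uri would receive the code.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")
        if query.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": query["client_id"],
                            "redirect_uri": redirect_uri,
                            "user": authenticated_user,
                            "scope": query.get("scope", ""),
                            "expires": self.now() + 60, "used": False}
        params = {"code": code}
        if "state" in query:
            params["state"] = query["state"]  # echoed back unchanged
        return redirect_uri + "?" + urlencode(params)

    def token(self, form):
        """Token endpoint (back channel, client authenticates itself)."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(
                client["secret"], form.get("client_secret", "")):
            raise ValueError("invalid_client")
        rec = self.codes.get(form.get("code"))
        if (rec is None or rec["used"] or rec["expires"] < self.now()
                or rec["client_id"] != form.get("client_id")
                or rec["redirect_uri"] != form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        rec["used"] = True  # single use: a replayed code is refused
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"user": rec["user"], "scope": rec["scope"],
                               "expires": self.now() + 3600}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}

    def introspect(self, access_token):
        """What the Web API learns when it checks a presented token."""
        rec = self.tokens.get(access_token)
        return None if rec is None or rec["expires"] < self.now() else rec


class WebUiClient:
    """Confidential client: the secret lives only on the UI server."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.pending_states = set()

    def start_login(self, scope):
        state = secrets.token_urlsafe(16)  # binds the callback to this login
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": CLIENT_ID,
                "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}

    def handle_callback(self, callback_url):
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: callback was not requested here")
        self.pending_states.discard(state)
        return self.auth_server.token({
            "grant_type": "authorization_code", "code": qs["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET})


def run_flow(user="joe@contoso.example", scope="read:trips"):
    """Whole exchange: (token response, the API's view, replay outcome)."""
    auth = AuthorizationServer()
    client = WebUiClient(auth)
    callback = auth.authorize(client.start_login(scope), user)  # front channel
    response = client.handle_callback(callback)                 # back channel
    try:  # redeeming the same code a second time must fail
        client.pending_states.add(parse_qs(urlparse(callback).query)["state"][0])
        client.handle_callback(callback)
        replay = "accepted"
    except ValueError as err:
        replay = str(err)
    return response, auth.introspect(response["access_token"]), replay
```

The two failure paths that matter in practice are the `redirect_uri not registered` rejection at the authorization endpoint (the "reply URL not registered" issue listed under debugging later in the deck) and the `invalid_grant` on code replay.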
OpenID Connect
Add-on protocol for OAuth2 – the client adds the openid scope to the authorization request
Allows the client to get an ID token carrying the user's identity (in addition to the access token for use with the resource)
Can also be used to obtain only the ID token (when no access token is needed)
Replaces WS-Federation as the preferred authentication protocol (default in VS.NET wizards)
Slide21
Module 7: Identity and Access Control in the Cloud
How?
STS components
SDKs
APIs
Slide22
Microsoft identity environment
(Diagram.) On-premises: AD, ADFS (STS) and WAP (Web Application Proxy) publishing the ADFS protocol endpoints. Cloud: AAD (STS) with its protocol endpoints and the Graph API; a sync tool between AD and AAD; optionally AD and ADFS running on Azure VMs in a VNet. Applications talk to these through WIF, Owin, ADAL and LDAP.
Slide23
AAD Protocols
(Diagram.) A Microsoft Azure Active Directory tenant exposes two interfaces: a RESTful Graph API, and an STS with OAuth2, SAML-P and WS-Federation endpoints plus a metadata endpoint.
Slide24
Creating an Azure AD
Implicitly when creating an Azure or O365 subscription (default directory)
Explicitly from an existing Azure subscription:
Add existing tenant (from another Azure or O365 subscription)
Create new tenant
An Azure subscription allows an explicitly added directory to become its default directory
Azure AD editions: Free, Basic and Premium
Slide25
Demo: Creating an Azure AD tenant
Slide26
Demo: AAD basic operations
Slide27
AAD Features
Your directory in the cloud:
Connect on-premises directories to Azure AD
Azure AD Sync multi-forest support
Single sign-on to thousands of SaaS apps, plus LoB and custom application support
Application Proxy
Enterprise SLA of 99.9 percent
Empower users:
Self-service password change
Self-service password reset
Delegated group management
Self-service security settings management
Single sign-on to on-premises applications from the Access Panel (Azure AD Application Proxy)
Centrally managed identities and access:
Group-based user assignment to SaaS apps
Group-based provisioning
Role-based access
Company branding
Password writeback
Application-defined roles and user/group assignment to these
Monitor and protect access to applications:
Advanced security reporting and analytics
Application usage reports
Alerting/notifications
Multi-factor authentication
Slide28
Common deployment scenarios
(Diagram.) Four arrangements:
On-premises only: AD with ADFS (STS) behind WAP.
Cloud only: AAD (STS).
Mainly cloud: AD synced to AAD (STS) with password hashes; AAD authenticates the users.
Full federation: AD synced to AAD (STS) without password hashes; ADFS (STS) behind WAP, with AAD federating to ADFS for authentication.
Slide29
Deployment features
On-premises only
Cloud-only:
Suitable for small organizations with no existing identity infrastructure
Allows self-management
Full identity support for 3rd party applications
Mainly cloud:
If ADFS is also present, supports same sign-on (not SSO)
Simpler on-premises infrastructure
No need for crossing the firewall
Full federation:
Full SSO
Great DR support
Slide30
Developing applications
Understand your scenario: Web UI, Web API, rich client, delegated authority, …
Choose the appropriate protocol
Configure AAD for this application
Use the correct classes/toolkits to implement identity handling in the application
Slide31
Common scenarios
Web UI: the browser is always available to support the passive flow
Web API:
Rich client: the browser is available initially to authenticate the user but cannot be displayed again to refresh expiring tokens; able to flow security tokens directly between the server-based application and the STS (refresh tokens)
Native client/service: no UI, typically using certificates to authenticate, no need for refresh tokens
Browser-based client (SPA): initial authentication can use the browser, but browser cross-origin restrictions apply to the token request
Multi-hop services: delegate the original user identity to secondary services
Slide32
Demo: Web UI application
Slide33
Passive flow
Slide34
Full list of scenarios
See https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios
Slide35
Azure AD application configuration methods
VS.NET tooling (basic)
Azure AD UI (more extensive)
Manifest file (full)
Slide36
Functions
assignLicense
checkMemberGroups
getAvailableExtensionProperties
getMemberGroups
getMemberObjects
getObjectsByObjectIds
isMemberOf
restore
Slide37
Demo: Show application configuration in AAD
Slide38
Module 7: Identity and Access Control in the Cloud
GraphAPI
Slide39
Purpose of the Graph API
‘LDAP’ to an Azure AD tenant
REST API with some OData extensions
OAuth security – the AAD tenant is both the resource and the authorization server
Supports CRUD on AAD entities and some special functions
Any attributes synced from on-premises are read-only
Support for schema extensions
Slide40
GraphAPI Entities
Application
AppRoleAssignment
Contact
Device
DirectoryLinkChange
DirectoryRole
DirectoryRoleTemplate
ExtensionProperty
Group
OAuth2PermissionGrant
ServicePrincipal
SubscribedSku
TenantDetail
User
Slide41
Demo: GraphExplorer
Slide42
Module 7: Identity in Microsoft Azure
ARM - Role Based Access Control (RBAC)
Slide43
Role Based Access Control
(Diagram.) Azure Active Directory holds the security principals (users, groups, service principals) and handles authentication; the Azure subscription holds the resources and the role assignments that authorize those principals against them.
Role – a resource-defined name for a set of actions that the resource allows to users mapped to that role. Users, groups or services can be mapped to a role.
Role Assignment – access is granted to Azure AD users, groups and/or services by assigning them to a role at a scope.
Slide44
Azure AD Security Principals
Roles can be assigned to the following types of Azure AD security principals:
Users:
Organizational users in AAD
External Microsoft accounts (@outlook.com) – use the Invite action, which creates a guest account in the directory
Groups:
Roles assigned to AAD security groups
Users in groups are automatically granted the access
Groups can also be integrated with on-premises directories
Service Principals:
Service identities are represented as service principals in AAD
Assign to roles via Azure PowerShell cmdlets
Slide45
Role Assignment Scopes
(Diagram.) A subscription (S) contains resource groups (RG), which contain resources (R). Access inheritance: a role assigned at a scope applies to everything beneath it.
Slide46
Role Assignment Throughout the Scope – REST API
/subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site}
Subscription level – grants permissions for all resources in the subscription
Resource group level – grants permissions for all resources in the group
Resource level – grants permissions to the specific resource
Slide47
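Added worked example for the scope inheritance described above; it is not code from the deck or from the Azure SDK. It models the evaluation that the three scope levels imply: an assignment applies at the scope it was made at and at every child scope, and the effective permission is the union of all inherited assignments. The role definitions are a constructed, cut-down subset of the built-in Owner, Contributor and Reader (real definitions carry many more actions); the subscription id, resource group names, site names, principals and assignments are constructed sample data whose paths follow the ARM shape shown on this slide. Contributor's NotActions on Microsoft.Authorization are what stop it from granting access to others, which is the first item under "things you don't expect" later in the deck.

```python
"""Added example, not code from the deck: ARM RBAC scope inheritance.

An assignment made at a scope is inherited by every child scope; the
effective permission is the union over inherited assignments, each role
allowing its Actions minus its NotActions. Roles are a constructed subset
of the built-ins; ids, names and assignments are constructed sample data.
"""
from fnmatch import fnmatch

ROLE_DEFINITIONS = {                       # constructed subset
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # constructed
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DATA = SUB + "/resourceGroups/rg-data"
SITE1 = RG_WEB + "/providers/Microsoft.Web/sites/site1"
SITE2 = RG_WEB + "/providers/Microsoft.Web/sites/site2"

# Constructed role assignments: (principal, role, scope assigned at).
ASSIGNMENTS = [
    ("alice@contoso.example", "Owner", SUB),
    ("bob@contoso.example", "Reader", RG_WEB),
    ("ci-service-principal", "Contributor", SITE1),
]


def scope_contains(assignment_scope, resource_scope):
    """True when resource_scope is the assignment scope or lies under it.

    The '/' guard stops '/resourceGroups/rg-web' from matching
    '/resourceGroups/rg-web2'."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def _matches(action, patterns):
    # Built-in roles write '*' wildcards inside action strings; fnmatch's
    # '*' also crosses '/', which is what the Actions grammar intends.
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)


def effective_roles(principal, resource_scope, assignments=ASSIGNMENTS):
    """(role, scope it was assigned at) pairs inherited at resource_scope."""
    return [(role, scope) for p, role, scope in assignments
            if p == principal and scope_contains(scope, resource_scope)]


def is_allowed(principal, action, resource_scope,
               assignments=ASSIGNMENTS, roles=ROLE_DEFINITIONS):
    """Union over inherited assignments; no deny semantics in this model."""
    for role, _ in effective_roles(principal, resource_scope, assignments):
        definition = roles[role]
        if (_matches(action, definition["actions"])
                and not _matches(action, definition["not_actions"])):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("bob@contoso.example", "Microsoft.Web/sites/read", SITE1),
        ("bob@contoso.example", "Microsoft.Web/sites/write", SITE1),
        ("ci-service-principal", "Microsoft.Web/sites/write", SITE2),
        ("ci-service-principal",
         "Microsoft.Authorization/roleAssignments/write", SITE1),
    ]
    for who, act, where in checks:
        print(who, act, where.rsplit("/", 1)[-1], is_allowed(who, act, where))
```

The practical check this enables: before granting Contributor on a single web app, ask which actions the workload really needs at the app, the plan and the resource group (the slides two pages on list exactly those), since nothing assigned at the app scope reaches upward to the plan or the group.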
Built-in Roles
API Management Service Contributor
Application Insights Component Contributor
BizTalk Contributor
ClearDB MySQL DB Contributor
Contributor
Data Factory Contributor
Document DB Account Contributor
Intelligent Systems Account Contributor
NewRelic APM Account Contributor
Owner
Reader
Redis Cache Contributor
SQL DB Contributor
SQL Security Manager
SQL Server Contributor
Scheduler Job Collections Contributor
Search Service Contributor
Storage Account Contributor
User Access Administrator
Virtual Machine Contributor
Virtual Network Contributor
Web Plan Contributor
Website Contributor
Slide48
Demo: RBAC in the Preview Portal
Slide49
RBAC with PowerShell
Who you want to assign a role to:
Get-AzureADUser
Get-AzureADGroup
Get-AzureADGroupMember
Get-AzureADServicePrincipal
What role you want to assign:
Get-AzureRoleDefinition
What scope you want to assign at:
Get-AzureResourceGroup
Get-AzureResource
Create role assignments:
New-AzureRoleAssignment -Mail <usersemail> -RoleDefinitionName Reader
Slide50
Demo: RBAC with PowerShell
Slide51
RBAC – Things you don’t expect
Owners – full access for management, including granting access to others
Contributors – full access for management but can’t give access to users or groups
App Service workloads (web apps) that require write access:
Commands (e.g. start, stop, etc.)
Changing settings like general configuration, scale settings, backup settings, and monitoring settings
Accessing publishing credentials and other secrets like app settings and connection strings (so Contributor on a web app also hands out its deployment credentials and connection strings)
Streaming logs
Diagnostic logs configuration
Console (command prompt)
Active and recent deployments (for local git continuous deployment)
Estimated spend
Web tests
Virtual network
Slide52
RBAC – Things you don’t expect (cont.)
Example – granting access to only a Web App
App Service Plan access required for:
View pricing tier
Scale configuration
Quotas
Resource Group access required for:
SSL certificates and bindings
Alert rules
Autoscale settings
Application Insights components
Web tests
Slide53
RBAC – Things you don’t expect (cont.)
Virtual Machine workloads
Virtual Machine related resources – domain names, virtual networks, storage accounts and alert rules
Write access required for:
Endpoints
IP addresses
Disks
Extensions
Write access to both the Virtual Machine and the Resource Group required for:
Availability set
Load balanced sets
Alert rules
Slide54
Knowledge check
How does an application know a token came from a trusted issuer?
How does an STS decide whether to respond to a request for a security token from an application?
True or false: an application defined in Azure AD must be deployed to Azure Cloud?
What protocols does Azure AD support?
True or false: Azure AD requires an on-premises installation of ADFS?
What is the purpose of ADAL?
What is the purpose of GraphAPI?
What does RBAC stand for?
Slide55
Resources
Azure AD code samples – https://msdn.microsoft.com/en-us/library/azure/dn646737.aspx
Cloud Identity Workshop – 2 day intensive, hands-on tour through protocols, tools and SDKs
Slide56
Slide57
Optional material
Slide58
Schema extensions
Custom properties for Azure AD entities
Tenant-specific data (e.g. connection strings – alternative to KeyVault); note that an extension value is returned to any caller that can read the entity, so this is not a secret store
User data specific to an application
Specific to AAD, not synced back to AD (if sync is used)
Slide59
Create extension attribute definitions
Request
POST https://graph.windows.net/contoso.com/applications/<applicationObjectID>/extensionProperties
{
  "name": "<extensionPropertyName>",
  "dataType": "String",
  "targetObjects": ["User", "TenantDetail", "Group", "Application", "ServicePrincipal", "Device"]
}
Response
201 Created
{
  "objectId": "5ea3a29b-8efd-46bf-9dc7-f226e839d146",
  "objectType": "ExtensionProperty",
  "name": "<UniqueExtensionPropertyNameGivenByService>",
  "dataType": "String",
  "targetObjects": ["User", "TenantDetail", "Group", "Application", "ServicePrincipal", "Device"]
}
The name returned by the service contains the originally requested extension property name and the appId of the application.
Slide60
Write or remove extension values
Request
PATCH https://graph.windows.net/contoso.com/users/joe@contoso.com
{
  "extension_6efdc23e73e548fa9d12a599308d821c_username": "joe@travelapp.fabrikam.com"
}
Response
204 No Content
Update an existing user with a new extension attribute value (the same property can also be set when creating the user).
Request
PATCH https://graph.windows.net/contoso.com/users/joe@contoso.com
{
  "extension_6efdc23e73e548fa9d12a599308d821c_username": null
}
Response
204 No Content
Update an existing user to remove an extension attribute value.
Slide61
Read extension values
Request
GET https://graph.windows.net/contoso.com/users/joe@contoso.com
Response
200 OK
{
  "objectId": "ff7cd54a-84e8-4b48-ac5a-21abdbaef321",
  "displayName": "Joe Smith",
  "userPrincipalName": "joe@contoso.com",
  "objectType": "User",
  "mail": null,
  "accountEnabled": true,
  "extension_<different App ID>_employeeId": "100010210102020",
  "extension_6efdc23e73e548fa9d12a599308d821c_username": "joe@travelapp.fabrikam.com"
}
Get a user who has multiple extension attribute values (set by different applications).
Slide62
Some limitations
Max 100 extensions per entity
Max value length 256 bytes
Prefix searches on extensions are limited to 71 characters for string searches and 207 bytes for searches on binary extensions
Slide63
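Added worked example for the three Graph API extension-property slides above and the limits just listed; it is not code from the deck or from the Graph client library. It builds the `extension_<appId without hyphens>_<name>` property name the service returns, produces the PATCH body for setting or removing a value while enforcing the 256-byte limit client-side, and parses a GET response into per-application values so that one application does not pick up another application's extensions. The two application ids and the user document are constructed sample data (the travel-app id is the one used in the slides' examples).

```python
"""Added example, not code from the deck: helpers for the Graph API
extension-property convention. The service names a property
extension_<appId without hyphens>_<name>; a PATCH body is {property: value}
with null removing it; a GET returns values inline next to extensions
registered by other applications. Application ids and the user document
are constructed; the limits are those quoted on the limitations slide.
"""
import json

TRAVEL_APP_ID = "6efdc23e-73e5-48fa-9d12-a599308d821c"   # constructed
HR_APP_ID = "0f9a3c1e-5b7d-4e2a-9c6f-1d2e3f4a5b6c"       # constructed
MAX_VALUE_BYTES = 256
MAX_EXTENSIONS_PER_ENTITY = 100

# Constructed Graph GET response for a user carrying two apps' extensions.
SAMPLE_USER_JSON = json.dumps({
    "objectId": "ff7cd54a-84e8-4b48-ac5a-21abdbaef321",
    "displayName": "Joe Smith",
    "userPrincipalName": "joe@contoso.com",
    "objectType": "User",
    "mail": None,
    "accountEnabled": True,
    "extension_0f9a3c1e5b7d4e2a9c6f1d2e3f4a5b6c_employeeId": "100010210102020",
    "extension_6efdc23e73e548fa9d12a599308d821c_username":
        "joe@travelapp.fabrikam.com",
})


def extension_property_name(app_id, name):
    """Full property name as the service returns it after registration."""
    return f"extension_{app_id.replace('-', '')}_{name}"


def patch_body(app_id, name, value):
    """JSON body for PATCH .../users/{upn}; value None removes the property.

    The String limit is enforced before the call rather than discovered
    from a 400 response."""
    if value is not None:
        if not isinstance(value, str):
            raise TypeError("String extension values must be str")
        if len(value.encode("utf-8")) > MAX_VALUE_BYTES:
            raise ValueError(f"value exceeds {MAX_VALUE_BYTES} bytes")
    return json.dumps({extension_property_name(app_id, name): value})


def all_extensions(entity_json):
    """{owning app id without hyphens: {name: value}} for every extension
    on the entity, so values from different applications stay apart."""
    out = {}
    for key, value in json.loads(entity_json).items():
        if key.startswith("extension_") and key.count("_") >= 2:
            _, owner, name = key.split("_", 2)
            out.setdefault(owner, {})[name] = value
    return out


def read_extensions(entity_json, app_id):
    """Only the values this application registered."""
    return all_extensions(entity_json).get(app_id.replace("-", ""), {})


def within_limits(entity_json):
    """Check the per-entity count before adding another property."""
    total = sum(len(v) for v in all_extensions(entity_json).values())
    return total <= MAX_EXTENSIONS_PER_ENTITY


if __name__ == "__main__":
    print(patch_body(TRAVEL_APP_ID, "username", "joe@travelapp.fabrikam.com"))
    print(read_extensions(SAMPLE_USER_JSON, TRAVEL_APP_ID))
    print(all_extensions(SAMPLE_USER_JSON))
```

Filtering by owning application id matters because, as the read example shows, a user document can carry another application's extension (here an employeeId) that your code should neither rely on nor overwrite.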
Debugging protocol issues
Use Fiddler
Common issues:
Reply URL not registered in AAD (the redirect_uri sent in the request must match a reply URL registered for the application)
Invalid AppId
…
Slide64
Using your own identity store – don’t!
Reasons why - TBD
Slide65
Module Knowledge Check
Question
Question
Question
Slide66
Answers – Module Knowledge Check
Question
Answer
Question
Answer
Question
Answer