
Today, global enterprises run on Windows Server Active Directory 90% of US enterprises and 70% of international corporations use Active Directory



Page 1

Page 2

Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More

Edward Wu, Microsoft

WAD-B308

Page 3

Agenda
• Azure Active Directory
• Graph API Intro
• Authentication/Authorization
• Example Read Operations
• Example Write Operations
• Differential Query
• Partner Solutions: atwork, AIX Concept GmbH
• Resources

Page 4

Azure Active Directory’s User Base is Growing

Today, global enterprises run on Windows Server Active Directory
• 90% of US enterprises and 70% of international corporations use Active Directory
• Over 400 million Active Directory users
• Active Directory users will move to Azure Active Directory.

Impressive growth of Azure Active Directory users since 2011
• Over 3 million companies, 469K active tenants last week
• Approaching 146 million directory users, 16 million active users last week
• For the past 3 months, 25,000 new users have logged into Azure Active Directory for the first time

Page 5

Graph API Scenarios

Reading from Azure Active Directory
• Implement a People or Group Picker – list/search users/groups
• Design workflows that look up Manager/Direct Report relationships
• Make authorization decisions: determine users’ group and role membership
• Check tenant and users’ subscribed services such as Exchange, SharePoint, Lync, Dynamics CRM, Intune, GSM
• Request changed data – “delta changes”

Writing to Azure Active Directory
• Updating Users and Groups
• Setting Users’ Password
• Adding Users to Groups/Roles
• Provisioning/Deprovisioning Users

Page 6

Graph API
• RESTful interface to Azure Active Directory
• Tenant specific – queries are scoped to an individual tenant context
• Programmatic access to directory objects such as Users, Groups, Contacts, Tenant Information, Roles
• Access relationships: members, memberOf, manager, directReports
• Requests use standard HTTP methods
  • GET, POST, PATCH, DELETE to create, read, update, and delete
  • Responses support JSON, XML, standard HTTP status codes
  • Compatible with OData V3
• OAuth 2.0 for authentication, role-based assignment for app and user authorization

Page 7

Connecting to Windows Azure Active Directory

[Diagram: On-premises Active Directory (accessed by applications over LDAP/Kerberos) feeds Windows Azure Active Directory through Directory Sync. Azure AD is a multi-tenant environment divided into tenants, holding typed objects (examples: Users, Groups, Contacts, Roles, Licenses) and relationships (Member/Member of, Manager/Direct reports). Applications reach it through the REST interface (Graph API) with OAuth; administration and scripting go through PowerShell and the Admin Portal.]

Page 8

Query Format

https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'

• Graph URL (static): https://graph.windows.net
• Tenant of interest (contoso.com) – can be the tenant’s verified domain or objectId
• Specific entity type (users), such as users, groups, contacts, tenantDetails, roles, applications, etc.
• API version – “2013-04-05” is the supported GA (1.0) version
• Optional OData query arguments: $filter, $top

Page 9

Demo

Graph Explorer – browser-based query tool: http://graphExplorer.cloudapp.net/

Example: https://graph.windows.net/GraphDir1.OnMicrosoft.com/users/[email protected]/$links/directReports
Note: objects, properties, and actions are case sensitive

Page 10

Authentication and Authorization to Graph API
Service-to-Service: OAuth 2.0 grant type client credentials

[Diagram: Application; Windows Azure Active Directory, consisting of the Azure AD Authentication Endpoint (OAuth) and the Directory REST Service (validates token, performs the Authorization Check, processes request, returns data)]
1. Application requests a JWT token from the Azure AD Authentication Endpoint (passing input claims)
2. Token is returned
3. Application sends an HTTP request with the JWT token to the Directory REST service
4. Response and data are returned

Page 11

Authentication – Acquiring a token
OAuth 2.0 grant type = client credentials

POST https://login.windows.net/contoso.com/oauth2/token?api-version=1.0
HEADERS
Content-Type: application/x-www-form-urlencoded
BODY
grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm74uk1A%2BpIlM%3D
RESPONSE: 200 OK

The token is returned to the calling application if all values are valid.
Notes: OAuth 2.0 Client Credential grant type; client_id and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications
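The token request above and the Query Format slide, worked through as an added Python example (not code from the deck or from Microsoft): it builds the client-credentials body with correct percent-encoding, caches the token until shortly before expiry, and encodes a $filter query. The HTTP transport is injected (a constructed stand-in is included), and the response field names access_token/expires_on are assumed.

```python
# Added example, not from the slides: client-credentials token request and Graph query
# URL builders. Transport is injected; access_token/expires_on fields are assumed.
import json, time
from urllib.parse import urlencode, quote

GRAPH_RESOURCE = "https://graph.windows.net"
GRAPH_API_VERSION = "2013-04-05"

def build_token_request(tenant, client_id, client_secret):
    """(url, headers, body) for the OAuth 2.0 client_credentials grant. urlencode
    percent-encodes the resource URL and the secret, so '/', '+' and '=' in the
    secret become %2F, %2B and %3D exactly as in the slide's BODY line."""
    url = "https://login.windows.net/%s/oauth2/token?api-version=1.0" % tenant
    body = urlencode({"grant_type": "client_credentials",
                      "resource": GRAPH_RESOURCE,
                      "client_id": client_id,
                      "client_secret": client_secret})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body

class TokenCache:
    """Reuses an access token until `skew` seconds before it expires.
    `transport(url, headers, body)` returns (status, response_text); expires_on is
    epoch seconds as a string (assumed Azure AD token-endpoint field name)."""

    def __init__(self, transport, tenant, client_id, client_secret, skew=60):
        self._transport = transport
        self._args = (tenant, client_id, client_secret)
        self._skew = skew
        self._token, self._expires_on = None, 0

    def access_token(self, now=None):
        now = time.time() if now is None else now
        if self._token and now < self._expires_on - self._skew:
            return self._token
        status, text = self._transport(*build_token_request(*self._args))
        if status != 200:
            # Report only the status: the request body carries the client secret.
            raise RuntimeError("token request failed with HTTP %d" % status)
        payload = json.loads(text)
        self._token = payload["access_token"]
        self._expires_on = int(payload["expires_on"])
        return self._token

def build_graph_url(tenant, entity, odata_filter=None):
    """Query URL in the Query Format slide's shape; $filter is percent-encoded so
    the spaces and quotes in e.g. state eq 'WA' survive transport."""
    url = "%s/%s/%s?api-version=%s" % (GRAPH_RESOURCE, tenant, entity, GRAPH_API_VERSION)
    if odata_filter:
        url += "&$filter=" + quote(odata_filter, safe="")
    return url

def graph_headers(token):
    return {"Authorization": "Bearer " + token,
            "Content-Type": "application/json;odata=minimalmetadata"}

def fake_token_endpoint(url, headers, body):
    # Constructed stand-in for login.windows.net that issues a one-hour token.
    return 200, json.dumps({"access_token": "eyJ0eXAiOiJKV1Qi.constructed.token",
                            "expires_on": str(int(time.time()) + 3600)})

if __name__ == "__main__":
    cache = TokenCache(fake_token_endpoint, "contoso.com", "ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    print(build_graph_url("contoso.com", "users", "state eq 'WA'"), graph_headers(cache.access_token()))
```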

Page 12

Getting User information

GET https://graph.windows.net/contoso.com/users?api-version=2013-04-05
HEADERS
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
Content-type: Application/JSON;odata=minimalmetadata
RESPONSE: 200 OK
RETURN: User objects in JSON

GET https://graph.windows.net/contoso.com/users/[email protected]/thumbnailPhoto?api-version=2013-04-05
HEADERS
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
Content-type: Application/JSON;odata=minimalmetadata
RESPONSE: 200 OK
RETURN: data representing the user’s thumbnail photo

Page 13

Demo
• Using Fiddler
• Authenticate (get an OAuth access token) + query the Graph

Page 14

Azure Management Portal

POST https://login.windows.net/contoso.com/oauth2/token?api-version=1.0
HEADERS
Content-Type: application/x-www-form-urlencoded
BODY
grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm44uk1A%2BpIlM%3D
RESPONSE: 200 OK

Notes: OAuth 2.0 Client Credential grant type; client_id and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications

Page 15

Demo

Registering an Application on the Portal: https://manage.windowsAzure.com

Page 16

Write Operations
• Write operations on Users, Groups
  • User Provisioning
  • Group Management Update
  • User Password Reset
• Read-only objects: Roles, Subscriptions
• Note: Transitive Group Lookup /isMemberOf is implemented as a POST operation

Page 17

User Creation

Create a New User
POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY
{
  "accountEnabled": true,
  "userPrincipalName": "[email protected]",
  "displayName": "New User",
  "passwordProfile": {
    "password": "VStrongP@ssword1",
    "forceChangePasswordNextLogin": true
  },
  "mailNickname": "NewUser"
}
RESPONSE: 201 Created

Notes:
(1) The password must meet the tenant’s accepted password complexity requirements.
(2) The minimum set of properties needed to create a user is shown in the example above.
(3) Setting the user’s usage location is not shown above.

Page 18

Add a User to a Group

Update Group or Role membership
POST https://Graph.windows.net/contoso.com/groups/02a8a087-a371-43f9-94df-cf0f654de307/$links/members?api-version=2013-04-05
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY
{
  "url": "https://graph.windows.net/contoso.com/directoryObjects/93d8feee-6365-4b3b-98c0-14da134a2b1e"
}
RESPONSE: 204

Notes: replace /groups with /roles to support role membership updates

Page 19

Reset a User’s password

PATCH https://graph.windows.net/contoso.com/users/[email protected]?api-version=2013-04-05
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY
{
  "passwordProfile": {
    "password": "newPassword1!",
    "forceChangePasswordNextLogin": false
  }
}
RESPONSE: 204

Notes: the password must meet the tenant’s accepted password policy (password complexity, length and password re-use policy)

Page 20

Assigning a License to a User
User License Assignment Preview

POST https://graph.windows.net/graphtest9.onMicrosoft.com/users/[email protected]/assignLicense?api-version=2013-04-10-preview
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY
{
  "addLicenses": [
    { "disabledPlans": [], "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900" }
  ],
  "removeLicenses": null
}
RESPONSE: 200

Notes:
1. The user being assigned a license must have a valid usage location property (by default, creating a new user does not assign a usage location, so validate that the user has one before executing the license assignment).
2. The skuId can be acquired by getting the licenses that the tenant owns. The following request returns subscribed SKU data:
GET https://graph.windows.net/GraphDir1.OnMicrosoft.com/subscribedSkus?api-version=2013-04-05
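The two preconditions in the notes above (usage location present, skuId taken from subscribedSkus) carried out in code, as an added Python example that is not from the deck: the Graph client is an injectable object with get/post methods, the directory is a constructed stand-in, and the skuPartNumber property name and the ENTERPRISEPACK SKU are assumptions.

```python
# Added example, not from the slides: preconditions for assignLicense from the
# slide's notes, run against an injectable Graph client so it works offline.
API_VERSION_GA = "2013-04-05"
API_VERSION_PREVIEW = "2013-04-10-preview"  # assignLicense preview version on the slide

class LicenseAssignmentError(Exception):
    pass

def find_sku_id(subscribed_skus, sku_part_number):
    """Pick a skuId out of the tenant's subscribedSkus response by its
    skuPartNumber (property name assumed; e.g. ENTERPRISEPACK)."""
    for sku in subscribed_skus.get("value", []):
        if sku.get("skuPartNumber") == sku_part_number:
            return sku["skuId"]
    raise LicenseAssignmentError("tenant does not own SKU %s" % sku_part_number)

def assign_license(client, tenant, upn, sku_part_number, disabled_plans=()):
    """Assign a license only after checking the user has a usageLocation and
    the tenant owns the SKU. `client.get(url)` / `client.post(url, body)`
    return (http_status, parsed_json)."""
    base = "https://graph.windows.net/%s" % tenant
    status, user = client.get("%s/users/%s?api-version=%s" % (base, upn, API_VERSION_GA))
    if status != 200:
        raise LicenseAssignmentError("user lookup failed: HTTP %d" % status)
    if not user.get("usageLocation"):
        # A newly created user has no usageLocation, and assignLicense is rejected without one.
        raise LicenseAssignmentError("%s has no usageLocation; set it before licensing" % upn)
    status, skus = client.get("%s/subscribedSkus?api-version=%s" % (base, API_VERSION_GA))
    if status != 200:
        raise LicenseAssignmentError("subscribedSkus lookup failed: HTTP %d" % status)
    body = {"addLicenses": [{"disabledPlans": list(disabled_plans),
                             "skuId": find_sku_id(skus, sku_part_number)}],
            "removeLicenses": None}
    url = "%s/users/%s/assignLicense?api-version=%s" % (base, upn, API_VERSION_PREVIEW)
    status, _ = client.post(url, body)
    if status != 200:
        raise LicenseAssignmentError("assignLicense failed: HTTP %d" % status)
    return body

class FakeGraph:
    """Constructed stand-in for the directory: one user ready for licensing, one
    user without usageLocation, one owned SKU; records every POST."""

    def __init__(self):
        self.users = {"alice@contoso.com": {"usageLocation": "US"},
                      "bob@contoso.com": {}}
        self.skus = {"value": [{"skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900",
                                "skuPartNumber": "ENTERPRISEPACK"}]}
        self.posts = []

    def get(self, url):
        path = url.split("contoso.com/", 1)[1].split("?", 1)[0]
        if path == "subscribedSkus":
            return 200, self.skus
        if path.startswith("users/"):
            upn = path[len("users/"):]
            return (200, self.users[upn]) if upn in self.users else (404, {})
        return 404, {}

    def post(self, url, body):
        self.posts.append((url, body))
        return 200, {}
```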

Page 21

Demo
Read and Write Operations in C#
Visual Studio project using WCF Data Services 5.3+ and a Graph Helper Class

Page 22

Introduction to Differential Query
• Efficient way to learn about new changes that have occurred in the directory since the last query
• Where it is not feasible to rewrite an existing application to integrate directly with Azure AD, developers can write a Differential Query client to:
  • Synchronize the application’s local data store with Azure AD
  • Provide impedance matching

Page 23

Differential Query Format

https://graph.windows.net/contoso.com/directoryObjects?api-version=2013-04-05&deltaLink=

• Graph URL (static): https://graph.windows.net
• Tenant of interest (contoso.com) – can be the tenant’s verified domain or objectId
• Resource set of interest (directoryObjects) – to indicate a specific entity type, specify “users” / “groups” / “contacts”; use “directoryObjects” to include all 3 entity types
• API version – “2013-04-05” is the 1.0 version
• deltaLink – empty to indicate that this is an initial query; subsequent queries contain the deltaLink/nextLink value obtained from the previous response

Page 24

Differential Query Demo
Graph Explorer: https://graph.windows.net/graphDir1.OnMicrosoft.com/users?api-version=2013-04-05&deltaLink=
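The differential-query loop described on the two slides above (empty deltaLink for the first round, nextLink while pages remain, deltaLink as the checkpoint to persist), written as an added Python example that is not from the deck; it keeps a local store in sync, including deletions. The directory is a constructed stand-in, and the response property names aad.nextLink, aad.deltaLink, aad.isDeleted and objectId are assumed from the Graph API's differential query format.

```python
# Added example, not from the slides: a differential-query client that keeps a local
# store in sync. The response properties aad.nextLink, aad.deltaLink, aad.isDeleted
# and objectId are assumed from the Graph API's differential query format.
from urllib.parse import urlsplit, parse_qs

GRAPH = "https://graph.windows.net"
API_VERSION = "2013-04-05"

def initial_query_url(tenant, resource="directoryObjects"):
    # An empty deltaLink marks the initial (full) query, as on the slide.
    return "%s/%s/%s?api-version=%s&deltaLink=" % (GRAPH, tenant, resource, API_VERSION)

def sync(fetch, tenant, store, delta_link=None):
    """Apply every change since `delta_link` (None = first sync) to `store`,
    a dict keyed by objectId, and return the deltaLink to persist for the
    next run. `fetch(url)` returns the parsed JSON body of a GET."""
    url = delta_link or initial_query_url(tenant)
    while True:
        page = fetch(url)
        for obj in page.get("value", []):
            if obj.get("aad.isDeleted"):
                store.pop(obj["objectId"], None)   # tombstone: drop the local copy
            else:
                store[obj["objectId"]] = obj       # new or changed object
        if "aad.nextLink" in page:                 # more pages in this round
            url = page["aad.nextLink"]
        elif "aad.deltaLink" in page:              # end of round: checkpoint
            return page["aad.deltaLink"]
        else:
            raise ValueError("response carries neither nextLink nor deltaLink")

class FakeDirectory:
    """Constructed directory: the initial query spans two pages, the next
    round renames one user and deletes another, then nothing changes."""
    BASE = "https://graph.windows.net/contoso.com/directoryObjects?api-version=2013-04-05&deltaLink="

    def __init__(self):
        self.pages = {
            "": {"value": [{"objectId": "u1", "displayName": "Alice"},
                           {"objectId": "u2", "displayName": "Bob"}],
                 "aad.nextLink": self.BASE + "p2"},
            "p2": {"value": [{"objectId": "g1", "displayName": "Finance"}],
                   "aad.deltaLink": self.BASE + "cp1"},
            "cp1": {"value": [{"objectId": "u2", "displayName": "Robert"},
                              {"objectId": "u1", "aad.isDeleted": True}],
                    "aad.deltaLink": self.BASE + "cp2"},
            "cp2": {"value": [], "aad.deltaLink": self.BASE + "cp2"},
        }

    def fetch(self, url):
        # The opaque deltaLink value selects which canned response to return.
        token = parse_qs(urlsplit(url).query, keep_blank_values=True)["deltaLink"][0]
        return self.pages[token]
```

Persist the returned deltaLink after each run; re-using a stale one replays changes already applied, while losing it forces a full initial query.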

Page 25

Other OAuth 2.0 Authentication for Graph
• I showed you OAuth 2.0 Grant type = Client Credentials
• OAuth 2.0 Grant type = Authorization Code
  • Includes User Authentication and Delegation
  • After the user authenticates and approves delegated access, the client app receives an authorization code, which can be redeemed for a token (and refresh token).
  • Preview: http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/17/using-oauth-2-0-authorization-code-grant-for-delegated-access-of-directory-via-aad-graph.aspx

Page 26

Partners

Page 27

Delegate365
Manage YOUR Office 365 users, groups and licenses

Page 28

Martina Grom, CEO atwork, Office 365 MVP
[email protected], @magrom

Knowledge increases by sharing. So, pass it on! atwork.at

Our passion:
Office 365, Windows Azure, SharePoint Apps, Office Apps, Facebook Apps, Web Development, Software Development

Page 29

Why Delegate365?

Office 365 has a role-based access model.

Customers such as franchisers, universities, communities, schools, or anyone who wants decentralized administration are interested in delegated admin rights for other users.

With Delegate365 they are able to split administration rights among users.

Page 30

Delegate365 Administration

[Diagram: a Portal-Admin and four administrator accounts ([email protected]) scoped to organizational units: Berlin/Munich, Berlin/Vienna, HR/Finance]

Page 31

Access to a user object

[Diagram: four administrator accounts ([email protected]); which of them may access a user object is determined by Domain + OU]

Page 32

Delegate365 portal key features
• Portal-Admin, Administrators, OUs & domains
• Management of users, aliases, groups, licenses
• Fully compatible with WAAD, Office 365, Online CRM
• Modern, responsive HTML5 portal
• White-label version for resellers
• Runs in Windows Azure

Page 33

Demo: Delegate365

Page 34

Delegate365 next features
• Optimization
• Localization
• Statistics
• Package: Azure Gallery, Office Store, Win 8 Store

Page 35

Our WAAD Graph API wishlist
• Projections to lower network traffic
• Single-call operations (create user and assign license in a single call)
• User authentication in addition to SPN credentials
• More filtering options, e.g. search with .EndsWith

Page 36

Enroll for the preview today! Delegate365.com

Thanks for your interest! www.atwork.at

Page 37

AixConcept GmbH
• HQ in Aachen, Germany
• Founded 2003
• Microsoft Gold Certified ISV
• Providing solutions for the K-12 market
• More than 1,000 customers

Page 38

Office 365 Management Portal
• Multi-tenant support
• Multi-language support
• User management depends on the Graph API
• Creates both security and distribution groups
• Creates SharePoint sites for each class and course
• Creates special mailboxes for rooms and equipment
• Hosted on Windows Azure

Page 39

DEMO

Sebastian Fillinger, Chief Software Architect

Page 40

Contact Information
Business Contact: Thomas Jordans, [email protected]
Developer Contact: Sebastian Fillinger, [email protected]

Page 41

What do you plan to build?
• Tell me more about your applications
• Give me feedback
• Ask your questions – let us help to unblock you
• Would you like to be an early adopter?

[email protected]
Graph API Survey (can remain anonymous): https://microsoft.qualtrics.com/SE/?SID=SV_3OFY7hFRayuoxI9

Page 42

Resources (1)
• Graph Explorer: http://graphExplorer.cloudapp.net
• Graph Sample Applications (C#, PHP, Java): http://msdn.microsoft.com/en-us/library/hh974459.aspx
• Sign up for your Azure AD tenant and trial Azure account: https://account.windowsazure.com/organization
• Walk-through: Sign-On, Graph and Multi-tenant App: http://msdn.microsoft.com/en-us/library/dn151121.aspx

Page 43

Resources (2)
• Team Blog: http://blogs.msdn.com/b/aadgraphteam/
• Preview of Authentication using OAuth Authorization Code: http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/17/using-oauth-2-0-authorization-code-grant-for-delegated-access-of-directory-via-aad-graph.aspx

Page 44

msdn – Resources for Developers: http://microsoft.com/msdn
Learning – Microsoft Certification & Training Resources: www.microsoft.com/learning
TechNet – Resources for IT Professionals: http://microsoft.com/technet
Resources – Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Page 45

Evaluate this session

Scan this QR code to evaluate this session.

Page 46

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.