WAD-B308: Deep Dive into the Windows Azure Active Directory ...


Dec 13, 2013


Today, global enterprises run on Windows Server Active Directory

90% of US enterprises and 70% of international corporations use Active Directory

Over 400 million Active Directory users

Active Directory users will move to Azure Active Directory.

Impressive growth of Azure Active Directory users since 2011

Over 3 million companies, 469K active tenants last week

Approaching 146 million directory users, 16 million active users last week

For the past 3 months, 25,000 new users have logged into Azure Active Directory for the first time



Divided into Tenants

Example entities: Users, Groups, Contacts, Roles, Licenses

Example relationships: Member/Member of, Manager/Direct reports

Graph API: REST interface, OAuth

https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'

Graph URL (static): https://graph.windows.net/

Tenant of interest: contoso.com - can be the tenant's verified domain or objectId.

Resource: a specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.

API version: "2013-04-05" is the supported GA (1.0) version

Optional OData query arguments: $filter, $top



http://graphExplorer.cloudapp.net/

3. HTTP Request with JWT Token

4. Return Response and Data

Authentication - Acquiring a token

OAuth 2.0 grant type=client credentials

POST https://login.windows.net/contoso.com/oauth2/token?api-version=1.0

HEADERS

Content-Type: application/x-www-form-urlencoded

BODY

grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm74uk1A%2BpIlM%3D

RESPONSE: 200 OK

Token will be returned back to the calling application if all values are valid

Notes: OAuth 2.0 Client Credential grant type; client_id and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications

GET https://graph.windows.net/contoso.com/users?api-version=2013-04-05

HEADERS

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

Content-type: Application/JSON;odata=minimalmetadata

RESPONSE: 200 OK

RETURN: User Objects in JSON
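The token acquisition and the bearer-authenticated GET above, as an added example (not code from the deck or its C# demo). The tenant, client_id and secret in the usage line are constructed placeholders; only fetch() touches the network.

```python
import json
import urllib.parse
import urllib.request

LOGIN = "https://login.windows.net"
GRAPH = "https://graph.windows.net"
API_VERSION = "2013-04-05"   # the GA (1.0) version named on the slides


def token_request(tenant, client_id, client_secret):
    """Build the POST to /oauth2/token. The body is form-encoded, which is why the
    slide's secret shows '/', '+' and '=' as %2F, %2B and %3D."""
    url = f"{LOGIN}/{tenant}/oauth2/token?api-version=1.0"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "resource": GRAPH,               # audience the token will be minted for
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def graph_request(tenant, path, token, query=None):
    """Build a GET against the tenant's Graph endpoint; `query` carries optional
    OData arguments such as {"$filter": "state eq 'WA'"} or {"$top": 10}."""
    params = {"api-version": API_VERSION, **(query or {})}
    url = f"{GRAPH}/{tenant}/{path}?{urllib.parse.urlencode(params)}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json;odata=minimalmetadata"}
    return url, headers, None


def fetch(url, headers, body):
    """Send one request and decode the JSON reply (this is the network call)."""
    req = urllib.request.Request(url, data=body, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_users(tenant, client_id, client_secret, odata_filter=None):
    """Acquire a token, then read /users; the OData collection comes back under "value"."""
    token = fetch(*token_request(tenant, client_id, client_secret))["access_token"]
    query = {"$filter": odata_filter} if odata_filter else None
    return fetch(*graph_request(tenant, "users", token, query))["value"]


if __name__ == "__main__":
    # Placeholder tenant and credentials: use an application registered in the portal.
    print(list_users("contoso.com", "<client_id>", "<client_secret>", "state eq 'WA'"))
```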

GET https://graph.windows.net/contoso.com/users/adam@contoso.com/thumbnailPhoto?api-version=2013-04-05

HEADERS

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

Content-type: Application/JSON;odata=minimalmetadata

RESPONSE: 200 OK

RETURN: data representing the user's thumbnail photo


Create a New User

POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05

HEADERS

Content-Type: application/json

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

BODY

{
  "accountEnabled": true,
  "userPrincipalName": "NewUser@contoso.com",
  "displayName": "New User",
  "passwordProfile": { "password": "VStrongP@ssword1", "forceChangePasswordNextLogin": true },
  "mailNickname": "NewUser"
}

RESPONSE: 201 Created

Notes: (1) the password must meet the tenant's accepted password complexity requirements.

(2) the minimum set of properties to create a user is shown in the example above.

(3) setting the user's usage location is not shown above.

Add a User to a Group

Update Group or Role membership

POST https://graph.windows.net/contoso.com/groups/02a8a087-a371-43f9-94df-cf0f654de307/$links/members?api-version=2013-04-05

HEADERS

Content-Type: application/json

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

BODY:

{
  "url": "https://graph.windows.net/contoso.com/directoryObjects/93d8feee-6365-4b3b-98c0-14da134a2b1e"
}

RESPONSE: 204

Notes: replace /groups with /roles to support Role membership updates

Reset a User's password

PATCH https://graph.windows.net/contoso.com/users/adam@contoso.com?api-version=2013-04-05

HEADERS

Content-Type: application/json

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

BODY:

{
  "passwordProfile": {
    "password": "newPassword1!",
    "forceChangePasswordNextLogin": false
  }
}

RESPONSE: 204

Notes: password must meet the tenant's accepted password policy (matching password complexity, length and password re-use policy)

User License Assignment Preview

POST https://graph.windows.net/graphtest9.onMicrosoft.com/users/adam@graphtest9.onMicrosoft.com/assignLicense?api-version=2013-04-10-preview

HEADERS

Content-Type: application/json

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….

BODY:

{
  "addLicenses": [
    {
      "disabledPlans": [],
      "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
    }
  ],
  "removeLicenses": null
}

RESPONSE: 200

Notes:

1. the user being assigned a License must have a valid Usage location property (by default, creating a new user doesn't assign a usage location, therefore you should validate that the user has a usage location before executing license assignment).

2. The skuId can be acquired by getting licenses that the Tenant owns. The following request will return subscribed SKU data.

GET https://graph.windows.net/GraphDir1.OnMicrosoft.com/subscribedSkus?api-version=2013-04-05
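The three write slides (Create a New User, Add a User to a Group, User License Assignment) chained into one provisioning flow, as an added example that is not the deck's C# demo: the user is created with the usageLocation the create slide leaves out, linked into the group through its directoryObjects URL, and licensed only with a skuId read from the tenant's own /subscribedSkus. `send(method, url, body) -> dict` is a hypothetical transport so the flow runs offline, and the subscribedSkus field names are assumed from the Azure AD Graph entity rather than shown on the slides.

```python
GRAPH = "https://graph.windows.net"
API = "api-version=2013-04-05"
API_LICENSE = "api-version=2013-04-10-preview"   # assignLicense version on the slide


def provision_user(send, tenant, upn, display_name, password, usage_location,
                   group_id, sku_part_number):
    """Create, group and license one user; stops before licensing if a slide-note
    precondition (tenant owns the SKU, seats are left) is not met."""
    base = f"{GRAPH}/{tenant}"
    user = send("POST", f"{base}/users?{API}", {
        "accountEnabled": True, "userPrincipalName": upn, "displayName": display_name,
        "mailNickname": upn.split("@")[0], "usageLocation": usage_location,
        "passwordProfile": {"password": password, "forceChangePasswordNextLogin": True}})
    # Membership links point at the member's directoryObjects URL, not its UPN.
    send("POST", f"{base}/groups/{group_id}/$links/members?{API}",
         {"url": f"{base}/directoryObjects/{user['objectId']}"})
    # skuId must come from the tenant's own subscriptions; field names follow the
    # Azure AD Graph subscribedSkus entity (assumed; the slides do not show them).
    skus = send("GET", f"{base}/subscribedSkus?{API}", None)["value"]
    sku = next((s for s in skus if s["skuPartNumber"] == sku_part_number), None)
    if sku is None:
        raise LookupError(f"tenant does not own {sku_part_number}")
    if sku["consumedUnits"] >= sku["prepaidUnits"]["enabled"]:
        raise RuntimeError(f"no free seats for {sku_part_number}")
    return send("POST", f"{base}/users/{upn}/assignLicense?{API_LICENSE}",
                {"addLicenses": [{"disabledPlans": [], "skuId": sku["skuId"]}],
                 "removeLicenses": None})


def fake_graph(skus):
    """Constructed stand-in for the service: records each call, answers with canned data."""
    calls = []

    def send(method, url, body):
        calls.append((method, url))
        if "/subscribedSkus?" in url:
            return {"value": skus}
        if "/assignLicense?" in url:
            return {"objectId": "u-0001", "assignedLicenses": body["addLicenses"]}
        return {"objectId": "u-0001", **(body or {})}   # create user / add member
    return send, calls
```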


Demo

Read and Write Operations in C#

Visual Studio Project using WCF Data Services 5.3 + Graph Helper Class

https://graph.windows.net/contoso.com/directoryObjects?api-version=2013-04-05&deltaLink=

Graph URL (static): https://graph.windows.net/

Resource set of interest: to indicate a specific entity type, specify "users" / "groups" / "contacts". Use "directoryObjects" to include all 3 entity types.

Tenant of interest: contoso.com - can be the tenant's verified domain or objectId.

API version: "2013-04-05" is the 1.0 version

deltaLink: empty, to indicate this is an initial query. Subsequent queries contain the deltaLink/nextLink value obtained from the previous response.

Differential Query Demo

Graph Explorer

https://graph.windows.net/graphDir1.OnMicrosoft.com/users?api-version=2013-04-05&deltaLink=
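The differential query loop the two slides above describe, as an added example that is not part of the deck: an empty deltaLink opens the initial query, nextLink is followed while pages remain, and the deltaLink returned at the end is kept for the next round. `send(url) -> dict` is a hypothetical fetcher, and the response keys aad.nextLink, aad.deltaLink and aad.isDeleted are assumed from the Azure AD Graph differential-query format rather than shown on the slides.

```python
GRAPH = "https://graph.windows.net"
API_VERSION = "2013-04-05"


def initial_url(tenant, resource="directoryObjects"):
    """Empty deltaLink marks the initial (full) query, exactly as on the slide."""
    return f"{GRAPH}/{tenant}/{resource}?api-version={API_VERSION}&deltaLink="


def sync(send, tenant, delta_link="", resource="directoryObjects"):
    """Return (changes since delta_link, new deltaLink to persist for the next round)."""
    url = delta_link or initial_url(tenant, resource)
    changes = []
    while True:
        page = send(url)
        changes.extend(page.get("value", []))
        if "aad.nextLink" in page:              # more pages in this round
            url = page["aad.nextLink"]
            continue
        return changes, page["aad.deltaLink"]  # sync point reached


def summarize(changes):
    """Split a change set into deleted objectIds and live objects, the two things a
    monitoring job acts on (e.g. an account removed from a privileged group)."""
    deleted = [o["objectId"] for o in changes if o.get("aad.isDeleted")]
    live = [o for o in changes if not o.get("aad.isDeleted")]
    return deleted, live


def fake_service(tenant):
    """Constructed canned pages: two pages for the initial round, one for the next.
    Link values are shaped like the service's (full URL carrying a deltaLink token)."""
    base = f"{GRAPH}/{tenant}/directoryObjects?api-version={API_VERSION}"
    pages = {
        initial_url(tenant): {"value": [{"objectId": "u-1", "objectType": "User"}],
                              "aad.nextLink": f"{base}&deltaLink=NEXT-1"},
        f"{base}&deltaLink=NEXT-1": {"value": [{"objectId": "g-1", "objectType": "Group"}],
                                     "aad.deltaLink": f"{base}&deltaLink=DELTA-1"},
        f"{base}&deltaLink=DELTA-1": {"value": [{"objectId": "u-1", "aad.isDeleted": True}],
                                      "aad.deltaLink": f"{base}&deltaLink=DELTA-2"},
    }
    return pages.__getitem__


if __name__ == "__main__":
    svc = fake_service("contoso.com")
    first, mark = sync(svc, "contoso.com")
    print(len(first), "objects in initial sync; next round:", summarize(sync(svc, "contoso.com", mark)[0]))
```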


Knowledge
increases by
sharing.

So, pass it on!



atwork.at

Why Delegate365?

Office 365 has a role based access model

Customers, like Franchisers, Universities, Communities, Schools or anyone who wants a decentralized administration, are interested in delegated admin rights for other users

With Delegate365 they are able to split administration rights among users

Delegate365 Administration

Access to a user object: Domain + OU

Delegate365 portal key features

Delegate365 next features

Our WAAD Graph API wishlist

Projections to lower network traffic

Single call operations (create user and assign license in a single call)

User authentication in addition to SPN credentials

More filtering options, e.g. search for EndsWith

edwu@Microsoft.com
https://microsoft.qualtrics.com/SE/?SID=SV_3OFY7hFRayuoxI9
http://microsoft.com/msdn

www.microsoft.com/learning

http://channel9.msdn.com/Events/TechEd

http://microsoft.com/technet