Azure Active Directory for software as a service providers
By: Thuru
Date: 14th May 2015
@thurutweets
http://thuruinhttp.wordpress.com

Uploaded by thurupathan-vijayakumar on 12-Apr-2017


The big NOs of Azure AD
• Azure AD is NOT part of, or a child service of, Microsoft Azure
• Azure AD is NOT a Domain Controller

Azure AD
• Cloud identity management platform - yes, this is what it does most of the time.

You get an Azure AD
When you sign up for any Microsoft cloud service offering. The documented services are:
• Microsoft Azure
• Office 365
• Microsoft Intune

You need an Azure AD account to access these services.

https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx

Demo
• Azure AD trusts the Microsoft consumer identity system (Microsoft account)
• Login using a Microsoft account
• Login using an Azure AD account
• Details in PowerShell
• Directory integration with an on-premises AD
• Login using a local AD account

Demo
• Azure AD with Office 365
• Azure AD is not an integral part of Microsoft Azure

Demo
Creating a single sign-on enabled multi-tenant cloud application on Azure AD

Single Sign On
Scenario 1 - Local AD is synced with Azure AD, including password hash sync, and there is no federation in the local AD

MassRover
1. The MassRover application is registered as a multi-tenant enabled app in MassRover's own Azure AD.
2. Bank ABC has an internal domain controller that is synced with Bank ABC's Azure AD.
3. A user in Bank ABC's Azure AD global admin role signs up for the MassRover application (this is the admin consent for the whole tenant).
4. Now Tom can sign in to MassRover with [email protected] - this is authentication.
5. Authorization for Tom is handled by the MassRover application.
6. This is the most common scenario in organizations.

Things to note: Tom never becomes a user of MassRover's Azure AD. Tom can be recorded in MassRover's application database for authorization.

[Diagram: Bank ABC on-premises AD account abc\tom, synced to Bank ABC's Azure AD as [email protected]]

Bank ABC's Azure AD trusts the MassRover application. Bank ABC admins can revoke this trust at any time, and MassRover has no control over it.

Single Sign On
Scenario 2 - Local AD is synced with Azure AD, with or without password hash sync, and the local AD is federated (AD FS)

MassRover
1. The MassRover application is registered as a multi-tenant enabled Azure AD app.
2. Bank ABC has an internal domain controller that is synced with Bank ABC's Azure AD, and AD FS is enabled for the domain.
3. A user in Bank ABC's Azure AD global admin role signs up for the MassRover application. During the process Bank ABC's Azure AD redirects the authentication to the synced and federated local AD (through AD FS) in order to complete it.
4. After the sync Tom can log in to the application. On each login Bank ABC's Azure AD redirects the authentication to the federated local AD (AD FS) to complete it.

[Diagram: Bank ABC on-premises AD account abc\tom, synced and federated with Bank ABC's Azure AD as [email protected]]

Bank ABC's Azure AD trusts the MassRover application. Bank ABC admins can revoke this trust at any time, and MassRover has no control over it.

Bank ABC's local AD is synced and federated with Azure AD. The federation endpoint (AD FS) must be reachable from the Internet in order to handle the authentication requests that Azure AD redirects to it. MassRover itself sees no difference between the two scenarios: in both cases it receives its token from Azure AD, never from Bank ABC's local AD.
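Scenario 1 and Scenario 2 differ only in where Bank ABC's users are authenticated; the token MassRover receives from Azure AD, and the checks MassRover must make on it, are the same in both. The example below is added for this page and is not code from the slides or from any MassRover application. It shows the two points the scenarios make: the token proves authentication (validated by audience, lifetime, tenant id and per-tenant issuer), while authorization is looked up in MassRover's own application database, so Tom never has to exist in MassRover's Azure AD. The GUIDs, the application database and the UPN are constructed, and the HS256 shared key is a stand-in so the example runs offline: real Azure AD tokens are RS256-signed with public keys published in the tenant's OpenID Connect metadata, and a real app fetches and caches those keys rather than hard-coding anything. The claim names used (aud, iss, tid, oid, upn, nbf, exp) are those carried by Azure AD v1-endpoint tokens.

```python
"""Token validation and app-side authorization for a multi-tenant Azure AD app (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers (hypothetical GUIDs; not from the slides).
MASSROVER_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
BANK_ABC_TENANT_ID = "22222222-2222-2222-2222-222222222222"
OTHER_TENANT_ID = "44444444-4444-4444-4444-444444444444"
TOM_OBJECT_ID = "33333333-3333-3333-3333-333333333333"

# Stand-in for Azure AD's signing key (assumption so the example runs offline).
# Real tokens are RS256-signed; the public keys come from the OpenID Connect
# metadata and must be fetched and cached, never hard-coded.
SIGNING_KEY = b"demo-only-not-an-azure-ad-key"

# MassRover's own application database (constructed). Azure AD authenticates
# Tom; what Tom may do inside MassRover is recorded here, keyed by the stable
# (tenant id, object id) pair rather than by UPN, which can change.
ENROLLED_TENANTS = {BANK_ABC_TENANT_ID: "Bank ABC"}
USER_ROLES = {(BANK_ABC_TENANT_ID, TOM_OBJECT_ID): ["loan-officer"]}


class TokenError(Exception):
    """Raised when a token must not be accepted."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key=SIGNING_KEY):
    """Mint a JWT with the demo HS256 key (plays the role of Azure AD's token service)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token, now=None):
    """The checks a multi-tenant app must make before trusting a token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: never accept alg=none
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("aud") != MASSROVER_CLIENT_ID:
        raise TokenError("token not issued for MassRover")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise TokenError("token expired or not yet valid")
    tid = claims.get("tid")
    # Any Azure AD tenant's admin can consent to a multi-tenant app, so the app keeps
    # its own list of tenants that completed MassRover's sign-up. (Once Bank ABC
    # revokes consent, Azure AD simply stops issuing MassRover tokens for that tenant.)
    if tid not in ENROLLED_TENANTS:
        raise TokenError("tenant has not signed up with MassRover")
    # The issuer is per tenant: a token must not claim one tid and carry another
    # tenant's issuer. A single fixed issuer string cannot be used for multi-tenant apps.
    if claims.get("iss") != f"https://sts.windows.net/{tid}/":
        raise TokenError("issuer does not match tenant")
    return claims


def authorize(token, now=None):
    """Authentication came from Azure AD; authorization comes from MassRover's own DB."""
    claims = validate_token(token, now)
    roles = USER_ROLES.get((claims["tid"], claims["oid"]), [])
    return claims.get("upn", ""), roles


def tom_claims(now, tid=BANK_ABC_TENANT_ID, aud=MASSROVER_CLIENT_ID):
    """Constructed claims shaped like an Azure AD v1-endpoint id_token for Tom."""
    return {
        "aud": aud,
        "iss": f"https://sts.windows.net/{tid}/",
        "tid": tid,
        "oid": TOM_OBJECT_ID,
        "upn": "tom@bankabc.example",  # constructed UPN, not the one on the slide
        "nbf": now - 60,
        "exp": now + 3600,
    }


def demo(now=1_700_000_000):
    """The cases the app must get right; returns (upn, roles) or the rejection reason."""
    cases = {
        "tom_from_bank_abc": make_token(tom_claims(now)),
        "wrong_audience": make_token(tom_claims(now, aud="some-other-app")),
        "tenant_not_enrolled": make_token(tom_claims(now, tid=OTHER_TENANT_ID)),
        "issuer_mismatch": make_token({**tom_claims(now), "iss": f"https://sts.windows.net/{OTHER_TENANT_ID}/"}),
        "expired": make_token(tom_claims(now - 7200)),
    }
    results = {}
    for name, token in cases.items():
        try:
            results[name] = authorize(token, now)
        except TokenError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the first case yields roles; the other four are rejected before any lookup in MassRover's database. The per-tenant issuer check is the one most often missed when an app is switched from single- to multi-tenant: validating against a fixed issuer either breaks every foreign tenant or, if the check is simply turned off, lets a token from any tenant through.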

Demo
Azure AD Graph API

Demo
Azure AD Graph API - Simple

Demo
Branding Azure AD

Q & A