Impressive growth of Azure Active Directory users since 2011
• Over 3 million companies, 469K active tenants last week
• Approaching 146 million directory users, 16 million active users last week
• For the past 3 months, 25,000 new users have logged into Azure Active Directory for the first time

Today, global enterprises run on Windows Server Active Directory
• 90% of US enterprises and 70% of international corporations use Active Directory
• Over 400 million Active Directory users
• Active Directory users will move to Azure Active Directory

Graph API
• REST interface, authenticated with OAuth
• Divided into tenants
• Entities, for example: Users, Groups, Contacts, Roles, Licenses
• Relationships: Member/Member of, Manager/Direct reports

Anatomy of a Graph URL

    https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'

• Graph URL (static)
• Tenant of interest: can be the tenant's verified domain or objectId
• Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
• API version: "2013-04-05" is the 1.0 version, the supported GA version
• Optional OData query arguments: $filter, $top
• Graph Explorer: http://graphExplorer.cloudapp.net/

Call flow (from the diagram): 3. HTTP request with JWT token; 4. Return response and data

Authentication: acquiring a token (OAuth 2.0 grant_type=client_credentials)

    POST https://login.windows.net/contoso.com/oauth2/token?api-version=1.0
    HEADERS
      Content-Type: application/x-www-form-urlencoded
    BODY
      grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm74uk1A%2BpIlM%3D
    RESPONSE: 200 OK

The token is returned to the calling application if all values are valid.
Notes: OAuth 2.0 Client Credential grant type; client_id and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications.

Read users

    GET https://graph.windows.net/contoso.com/users?api-version=2013-04-05
    HEADERS
      Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
      Content-type: Application/JSON;odata=minimalmetadata
    RESPONSE: 200 OK, returns user objects in JSON

Read a user's thumbnail photo

    GET https://graph.windows.net/contoso.com/users/[email protected]/thumbnailPhoto?api-version=2013-04-05
    HEADERS
      Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
      Content-type: Application/JSON;odata=minimalmetadata
    RESPONSE: 200 OK, returns data representing the user's thumbnail photo

Write operations start by acquiring a token with the same client_credentials POST shown above.

Create a new user

    POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05
    HEADERS
      Content-Type: application/json
      Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
    BODY
      {
        "accountEnabled": true,
        "userPrincipalName": "[email protected]",
        "displayName": "New User",
        "passwordProfile": {
          "password": "VStrongP@ssword1",
          "forceChangePasswordNextLogin": true
        },
        "mailNickname": "NewUser"
      }
    RESPONSE: 201 Created

Notes: (1) the password must meet the tenant's accepted password complexity requirements; (2) the minimum set of properties needed to create a user is shown above; (3) setting the user's usage location is not shown above.

Add a user to a group (update group or role membership)

    POST https://graph.windows.net/contoso.com/groups/02a8a087-a371-43f9-94df-cf0f654de307/$links/members?api-version=2013-04-05
    HEADERS
      Content-Type: application/json
      Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
    BODY
      { "url": "https://graph.windows.net/contoso.com/directoryObjects/93d8feee-6365-4b3b-98c0-14da134a2b1e" }
    RESPONSE: 204

Notes: replace /groups with /roles to update role membership.

Reset a user's password

    PATCH https://graph.windows.net/contoso.com/users/[email protected]?api-version=2013-04-05
    HEADERS
      Content-Type: application/json
      Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
    BODY
      { "passwordProfile": { "password": "newPassword1!", "forceChangePasswordNextLogin": false } }
    RESPONSE: 204

Notes: the password must meet the tenant's accepted password policy (password complexity, length and password re-use policy).

User license assignment (preview)

    POST https://graph.windows.net/graphtest9.onMicrosoft.com/users/[email protected]/assignLicense?api-version=2013-04-10preview
    HEADERS
      Content-Type: application/json
      Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
    BODY
      {
        "addLicenses": [ { "disabledPlans": [], "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900" } ],
        "removeLicenses": null
      }
    RESPONSE: 200

Notes: 1. The user being assigned a license must have a valid usage location property; by default, creating a new user does not assign a usage location, so validate that the user has one before executing the license assignment. 2. The skuId can be acquired by getting the licenses the tenant owns; the following request returns the subscribed SKU data:

    GET https://graph.windows.net/GraphDir1.OnMicrosoft.com/subscribedSkus?api-version=2013-04-05

Demo: read and write operations in C#
• Visual Studio project using WCF Data Services 5.3 + Graph helper class

Anatomy of a differential query URL

    https://graph.windows.net/contoso.com/directoryObjects?api-version=2013-04-05&deltaLink=

• Graph URL (static)
• Tenant of interest: can be the tenant's verified domain or objectId
• Resource set of interest: to indicate a specific entity type, specify "users" / "groups" / "contacts"; use "directoryObjects" to include all three entity types
• API version: "2013-04-05" is the 1.0 version
• deltaLink: empty to indicate this is an initial query; subsequent queries contain the deltaLink/nextLink value obtained from the previous response

Differential query demo (Graph Explorer)

    https://graph.windows.net/graphDir1.OnMicrosoft.com/users?api-version=2013-04-05&deltaLink=

Knowledge increases by sharing. So, pass it on!

atwork.at

Why Delegate365?
• Office 365 has a role based access model
• Customers such as franchisers, universities, communities, schools, or anyone who wants a decentralized administration are interested in delegated admin rights for other users
• With Delegate365 they are able to split administration rights among users

Delegate365 administration
• Access to a user object: Domain + OU

Delegate365 portal key features

Delegate365 next features

Our WAAD Graph API wishlist
• Projections to lower network traffic
• Single call operations (create user and assign license in a single call)
• User authentication in addition to SPN credentials
• More filtering options, e.g. search for .EndsWith

Contact: [email protected]

Resources
• https://microsoft.qualtrics.com/SE/?SID=SV_3OFY7hFRayuoxI9
• http://channel9.msdn.com/Events/TechEd
• www.microsoft.com/learning
• http://microsoft.com/technet
• http://microsoft.com/msdn
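The request shapes from the talk (client_credentials token request, bearer-authenticated Graph calls, the usage-location precondition for assignLicense, and the nextLink/deltaLink walk of a differential query) as an added Python example; this is not code from the session or from the Delegate365 project. It assumes the HTTP transport is injected as `fetch(url, headers)` so the logic runs offline, and it assumes the differential response keys `aad.nextLink` / `aad.deltaLink`, which the slides do not name.

```python
import json
from urllib.parse import urlencode

LOGIN = "https://login.windows.net"
GRAPH = "https://graph.windows.net"
API_GA = "2013-04-05"              # the GA "1.0" API version named in the talk
API_PREVIEW = "2013-04-10preview"  # used only by assignLicense


def token_request(tenant, client_id, client_secret):
    """OAuth 2.0 client_credentials request as shown in the transcript.
    urlencode percent-encodes the secret ('/' -> %2F, '+' -> %2B, '=' -> %3D)."""
    url = f"{LOGIN}/{tenant}/oauth2/token?api-version=1.0"
    body = urlencode({"grant_type": "client_credentials", "resource": GRAPH,
                      "client_id": client_id, "client_secret": client_secret})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def graph_request(tenant, path, token, method="GET", body=None, api=API_GA):
    """Build a Graph call; the JWT access token travels as a Bearer header."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url = f"{GRAPH}/{tenant}/{path}?api-version={api}"
    return method, url, headers, None if body is None else json.dumps(body)


def assign_license_request(tenant, user, token, sku_id):
    """assignLicense needs a usage location on the user object; new users have
    none by default, so refuse to build the call instead of getting an error back."""
    if not user.get("usageLocation"):
        raise ValueError(f"{user['userPrincipalName']} has no usageLocation")
    body = {"addLicenses": [{"disabledPlans": [], "skuId": sku_id}],
            "removeLicenses": []}
    return graph_request(tenant, f"users/{user['userPrincipalName']}/assignLicense",
                         token, "POST", body, API_PREVIEW)


def differential_sync(tenant, token, fetch, entity="directoryObjects"):
    """Walk a differential query: the first call carries an empty deltaLink and
    every later call reuses the nextLink/deltaLink the previous page returned.
    `fetch(url, headers)` is injected (assumption) and returns the parsed JSON body.
    Key names 'aad.nextLink' / 'aad.deltaLink' are assumed, not on the slides."""
    _, url, headers, _ = graph_request(tenant, entity, token)
    url += "&deltaLink="
    changes = []
    while True:
        page = fetch(url, headers)
        changes.extend(page.get("value", []))
        if "aad.nextLink" in page:   # more pages in this sync round
            url = page["aad.nextLink"]
        else:                         # round complete; keep deltaLink for next time
            return changes, page.get("aad.deltaLink")
```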