Impressive growth of Azure Active Directory users since 2011
• Over 3 million companies, 469K active tenants last week
• Approaching 146 million directory users, 16 million active users last week
• For the past 3 months, 25,000 new users have logged into Azure Active Directory for the first time
Today, global enterprises run on Windows Server Active Directory
• 90% of US enterprises and 70% of international corporations use Active Directory
• Over 400 million Active Directory users
• Active Directory users will move to Azure Active Directory.
Graph API
• REST interface, OAuth 2.0 authentication
• Directory divided into tenants
• Example entities: Users, Groups, Contacts, Roles, Licenses
• Example relationships: Member / Member of, Manager / Direct reports
Graph API URL structure:
https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'
• Graph URL (static): https://graph.windows.net
• Tenant of interest (contoso.com): can be the tenant's verified domain or objectId.
• Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
• API version: "2013-04-05" is the 1.0 version, the supported GA version
• Optional OData query arguments: $filter, $top
http://graphExplorer.cloudapp.net/
Flow diagram: 3. HTTP request with JWT token; 4. Return response and data
Authentication - Acquiring a token
OAuth 2.0 grant type = client_credentials
POST
https://login.windows.net/contoso.com/oauth2/token?api-version=1.0
HEADERS
Content-Type: application/x-www-form-urlencoded
BODY
grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm74uk1A%2BpIlM%3D
RESPONSE: 200 OK
The token is returned to the calling application if all values are valid.
Notes: OAuth 2.0 client credentials grant type; client_id and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications. The client_secret is the application's credential: anyone holding it can obtain tokens carrying the application's directory permissions, so keep it out of source code and rotate it if it is exposed.
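The request assembly behind the two slides above (URL structure and token acquisition), as an added example that is not from the slides or from Microsoft's SDKs: it builds the client-credentials form body with proper percent-encoding, builds Graph query URLs with OData options, and inspects a returned JWT's aud/exp claims before reusing a cached token. The sample token is constructed and unsigned; the tenant, client_id and secret are the slide's example values.

```python
# Added example (not from the slides): assemble the client-credentials token
# request and Graph query URLs shown above with the standard library, and
# inspect a returned JWT's claims before reusing it. Runs offline.
import base64
import json
import time
from urllib.parse import quote, urlencode

LOGIN = "https://login.windows.net"
GRAPH = "https://graph.windows.net"
API_VERSION = "2013-04-05"  # the 1.0 / GA version on the slides


def token_request(tenant, client_id, client_secret):
    """Return (url, headers, body) for the OAuth 2.0 client_credentials grant.

    urlencode() percent-encodes the secret; that is why the slide's body shows
    %2F, %2B and %3D. A raw '/', '+' or '=' in the form body would be
    misparsed by the token endpoint and the request would fail.
    """
    url = f"{LOGIN}/{tenant}/oauth2/token?api-version=1.0"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "resource": GRAPH,          # audience of the token we want
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return url, headers, body


def graph_url(tenant, resource, **odata):
    """Build GRAPH/<tenant>/<resource>?api-version=...&$<option>=...

    OData options are given without the '$' (filter="state eq 'WA'"), and
    values are percent-encoded so spaces and quotes survive the URL.
    """
    query = {"api-version": API_VERSION}
    query.update({"$" + name: value for name, value in odata.items()})
    return f"{GRAPH}/{tenant}/{resource}?" + urlencode(query, safe="$", quote_via=quote)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Decode the JWT payload without verifying the signature.

    That is adequate for the client deciding whether a cached token is still
    usable; signature verification is the resource's (Graph's) job, and the
    client must not rely on these claims for anything security-relevant.
    """
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def token_usable(jwt, now=None, skew=300):
    """True if the token targets the Graph resource and has > skew seconds left."""
    claims = token_claims(jwt)
    now = time.time() if now is None else now
    return claims.get("aud") == GRAPH and claims.get("exp", 0) - skew > now


def make_sample_token(claims):
    """Constructed, unsigned sample JWT for offline demonstration only; real
    tokens from login.windows.net are RS256-signed (see the slide's header)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.signature-omitted"


if __name__ == "__main__":
    url, headers, body = token_request(
        "contoso.com",
        "52752c8e-d73c-4f9a-a0f9-2d75607ecb8e",      # slide's example client_id
        "qKDjII5/K8WyKj6sRo5a5vD6+m74uk1A+pIlM=",    # slide's example secret, un-encoded
    )
    print("POST", url, headers, body, sep="\n")
    print(graph_url("contoso.com", "users", filter="state eq 'WA'", top=10))
    tok = make_sample_token({"aud": GRAPH, "exp": int(time.time()) + 3600})
    print("usable:", token_usable(tok))
```

The skew in token_usable is what keeps a long-running service from sending a token that expires in flight; the token endpoint is only called again when the cached token fails that check.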
GET
https://graph.windows.net/contoso.com/users?api-version=2013-04-05
HEADERS
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
Content-type: Application/JSON;odata=minimalmetadata
RESPONSE: 200 OK
RETURN User Objects in JSON
GET
https://graph.windows.net/contoso.com/users/[email protected]/thumbnailPhoto?api-version=2013-04-05
HEADERS
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
Content-type: Application/JSON;odata=minimalmetadata
RESPONSE: 200 OK
RETURN: data representing the user's thumbnail photo
Create a New User
POST
https://graph.windows.net/contoso.com/users?api-version=2013-04-05
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY
{
  "accountEnabled": true,
  "userPrincipalName": "[email protected]",
  "displayName": "New User",
  "passwordProfile": { "password": "VStrongP@ssword1", "forceChangePasswordNextLogin": true },
  "mailNickname": "NewUser"
}
RESPONSE: 201 Created
Notes: (1) the password must meet the tenant's accepted password complexity requirements.
(2) the minimum set of properties to create a user is shown in the example above.
(3) setting the user's usage location is not shown above.
Add a User to a Group
Update Group or Role membership
POST
https://graph.windows.net/contoso.com/groups/02a8a087-a371-43f9-94df-cf0f654de307/$links/members?api-version=2013-04-05
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY:
{
  "url": "https://graph.windows.net/contoso.com/directoryObjects/93d8feee-6365-4b3b-98c0-14da134a2b1e"
}
RESPONSE: 204 No Content
Notes: replace /groups with /roles to update role membership. Adding a member to a directory role is a privilege grant: an application allowed to do this can elevate any user it can reference, so its client_secret deserves the same protection as an administrator's credentials.
Reset a User's password
PATCH
https://graph.windows.net/contoso.com/users/[email protected]?api-version=2013-04-05
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY:
{
  "passwordProfile":
  {
    "password": "newPassword1!",
    "forceChangePasswordNextLogin": false
  }
}
RESPONSE: 204 No Content
Notes: the password must meet the tenant's accepted password policy (password complexity, length and password re-use policy). With "forceChangePasswordNextLogin": false the value sent here stays the user's long-term password and is known to the administrator and to the application; for helpdesk-style resets set it to true so the transmitted value is only a one-time credential.
User License Assignment Preview
POST
https://graph.windows.net/graphtest9.onMicrosoft.com/users/[email protected]/assignLicense?api-version=2013-04-10preview
HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T….
BODY:
{
  "addLicenses": [
    {
      "disabledPlans": [],
      "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
    }
  ],
  "removeLicenses": null
}
RESPONSE: 200 OK
Notes:
1. The user being assigned a license must have a valid usageLocation property. By default, creating a new user doesn't assign a usage location, so validate that the user has one before executing license assignment.
2. The skuId can be acquired by getting the licenses that the tenant owns. The following request returns the subscribed SKU data:
GET https://graph.windows.net/GraphDir1.OnMicrosoft.com/subscribedSkus?api-version=2013-04-05
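The two notes above (usage location first, skuId from subscribedSkus) as a planning routine, added here and not part of the slides or any Microsoft SDK: it picks a skuId the tenant still has free units for, patches usageLocation when it is missing, and only then emits the assignLicense call. The subscribedSkus and user documents are constructed samples; the property names skuPartNumber, prepaidUnits, consumedUnits and usageLocation are assumed to match what the API returns, and the second SKU's GUID is a placeholder.

```python
# Added example (not from the slides): resolve a skuId from subscribedSkus and
# guard assignLicense with the usageLocation check the notes above call for.
# The JSON samples are constructed; field names (skuPartNumber, prepaidUnits,
# consumedUnits, usageLocation) are assumed to match the Graph API's.
GRAPH = "https://graph.windows.net"
API_VERSION = "2013-04-05"
API_VERSION_PREVIEW = "2013-04-10preview"  # assignLicense version used on the slide

# Constructed sample of GET .../subscribedSkus?api-version=2013-04-05 (trimmed;
# real entries also carry objectId, capabilityStatus and servicePlans).
SUBSCRIBED_SKUS = {"value": [
    {"skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900", "skuPartNumber": "ENTERPRISEPACK",
     "prepaidUnits": {"enabled": 25, "suspended": 0, "warning": 0}, "consumedUnits": 24},
    {"skuId": "11111111-2222-3333-4444-555555555555", "skuPartNumber": "SAMPLE_SKU",  # placeholder GUID
     "prepaidUnits": {"enabled": 5, "suspended": 0, "warning": 0}, "consumedUnits": 5},
]}


def find_sku(subscribed_skus, sku_part_number):
    """Return the skuId for a part number the tenant owns and still has enabled
    units for; None if unknown or exhausted (over-assignment is rejected anyway)."""
    for sku in subscribed_skus["value"]:
        if sku["skuPartNumber"] == sku_part_number:
            free = sku["prepaidUnits"]["enabled"] - sku["consumedUnits"]
            return sku["skuId"] if free > 0 else None
    return None


def usage_location_request(tenant, upn, country_code):
    """PATCH that sets usageLocation (2-letter ISO 3166 code) on a user;
    the slide's create-user body leaves it unset."""
    url = f"{GRAPH}/{tenant}/users/{upn}?api-version={API_VERSION}"
    return "PATCH", url, {"usageLocation": country_code}


def assign_license_request(tenant, upn, user, sku_id, disabled_plans=()):
    """POST .../assignLicense for `user` (the user object as returned by GET).
    Raises before any call is made if usageLocation is missing, since the
    service rejects license assignment for such users."""
    if not user.get("usageLocation"):
        raise ValueError(f"{upn}: usageLocation must be set before assigning a license")
    url = f"{GRAPH}/{tenant}/users/{upn}/assignLicense?api-version={API_VERSION_PREVIEW}"
    body = {
        "addLicenses": [{"disabledPlans": list(disabled_plans), "skuId": sku_id}],
        "removeLicenses": None,   # serializes to the slide's "removeLicenses": null
    }
    return "POST", url, body


def license_user(tenant, upn, user, sku_part_number, country_code="US"):
    """Plan the requests that license a user: set usageLocation if absent, then
    assign the SKU. Returns the ordered list of (method, url, body)."""
    sku_id = find_sku(SUBSCRIBED_SKUS, sku_part_number)
    if sku_id is None:
        raise LookupError(f"no free units of {sku_part_number} in tenant {tenant}")
    plan = []
    if not user.get("usageLocation"):
        plan.append(usage_location_request(tenant, upn, country_code))
        user = dict(user, usageLocation=country_code)  # state the PATCH leaves behind
    plan.append(assign_license_request(tenant, upn, user, sku_id))
    return plan


if __name__ == "__main__":
    # constructed user straight after the slide's create-user call: no usageLocation
    new_user = {"userPrincipalName": "newuser@contoso.com", "displayName": "New User"}
    for method, url, body in license_user("contoso.com", "newuser@contoso.com", new_user, "ENTERPRISEPACK"):
        print(method, url, body)
```

Each returned tuple is one HTTP call to issue in order with the bearer token from the earlier slide; checking prepaidUnits locally avoids burning a call that the service would reject once the subscription is fully consumed.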
Demo
Read and Write Operations in C#
Visual Studio Project using WCF Data Services 5.3
+ Graph Helper Class
Differential query URL structure:
https://graph.windows.net/contoso.com/directoryObjects?api-version=2013-04-05&deltaLink=
• Graph URL (static): https://graph.windows.net
• Tenant of interest: can be the tenant's verified domain or objectId.
• Resource set of interest: to indicate a specific entity type, specify "users" / "groups" / "contacts". Use "directoryObjects" to include all 3 entity types.
• API version: "2013-04-05" is the 1.0 version
• deltaLink: empty, to indicate this is an initial query. Subsequent queries contain the deltaLink/nextLink value obtained from the previous response.
Differential Query Demo
Graph Explorer
https://graph.windows.net/graphDir1.OnMicrosoft.com/users?api-version=2013-04-05&deltaLink=
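The differential-query loop the URL structure above implies, as an added example that is not from the slides or the C# demo project: start with an empty deltaLink, follow nextLink pages until a response carries a deltaLink, persist that link, and feed it back on the next sync. The transport is a constructed fake with three canned pages; the response property names "aad.nextLink", "aad.deltaLink" and "aad.isDeleted" are assumed to be the Graph API's differential-query format, and the link tokens are placeholders.

```python
# Added example (not from the slides): the differential-query loop. Start with
# an empty deltaLink, follow nextLink pages until a response carries a deltaLink,
# persist that link and hand it back on the next sync. The transport below is a
# constructed fake; the "aad.nextLink", "aad.deltaLink" and "aad.isDeleted"
# property names are assumed to be those of the Graph API's differential-query
# response format.
GRAPH = "https://graph.windows.net"
API_VERSION = "2013-04-05"


def initial_url(tenant, resource="directoryObjects"):
    """First query of a sync: deltaLink is present but empty."""
    return f"{GRAPH}/{tenant}/{resource}?api-version={API_VERSION}&deltaLink="


def sync(fetch, url):
    """Drain one differential query.

    fetch(url) returns the parsed JSON body. Returns (changed, deleted, delta_link):
    changed objects keyed by objectId, objectIds reported as deleted, and the
    deltaLink to persist for the next run. Pages are applied in order, so a later
    page wins if an object appears twice.
    """
    changed, deleted = {}, set()
    while True:
        page = fetch(url)
        for obj in page.get("value", []):
            oid = obj["objectId"]
            if obj.get("aad.isDeleted"):
                deleted.add(oid)
                changed.pop(oid, None)
            else:
                changed[oid] = obj
                deleted.discard(oid)
        if "aad.nextLink" in page:       # same sync, more pages to pull
            url = page["aad.nextLink"]
            continue
        return changed, deleted, page["aad.deltaLink"]


# --- constructed fake tenant: two pages on the initial sync, one on the next ---
FIRST = initial_url("contoso.com")
NEXT = f"{GRAPH}/contoso.com/directoryObjects?api-version={API_VERSION}&nextLink=page2-token"
DELTA1 = f"{GRAPH}/contoso.com/directoryObjects?api-version={API_VERSION}&deltaLink=state-after-sync1"
DELTA2 = f"{GRAPH}/contoso.com/directoryObjects?api-version={API_VERSION}&deltaLink=state-after-sync2"

PAGES = {
    FIRST: {"value": [{"objectId": "u1", "objectType": "User", "displayName": "Alice"},
                      {"objectId": "g1", "objectType": "Group", "displayName": "Admins"}],
            "aad.nextLink": NEXT},
    NEXT: {"value": [{"objectId": "u2", "objectType": "User", "displayName": "Bob"}],
           "aad.deltaLink": DELTA1},
    # Between syncs: Alice renamed, Bob deleted. Only those two objects come back.
    DELTA1: {"value": [{"objectId": "u1", "objectType": "User", "displayName": "Alice Smith"},
                       {"objectId": "u2", "objectType": "User", "aad.isDeleted": True}],
             "aad.deltaLink": DELTA2},
}


def fake_fetch(url):
    """Stand-in for an authenticated GET against the Graph API."""
    return PAGES[url]


def run_demo():
    """Initial full sync, then an incremental one from the stored deltaLink."""
    full = sync(fake_fetch, FIRST)
    stored_link = full[2]                 # persist this; it is the whole sync state
    incremental = sync(fake_fetch, stored_link)
    return full, incremental


if __name__ == "__main__":
    (objs, gone, link), (objs2, gone2, link2) = run_demo()
    print("initial:", sorted(objs), "deleted:", sorted(gone))
    print("incremental:", {k: v.get("displayName") for k, v in objs2.items()}, "deleted:", sorted(gone2))
```

The stored deltaLink is the only state the client keeps; losing it means another full enumeration, and if the service ever rejects a stored link the fallback is simply initial_url() again. Applying deletions after the page's changes (as sync does) matters when an object is created and removed between two syncs.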
Knowledge increases by sharing. So, pass it on!
atwork.at
Why Delegate365?
Office 365 has a role-based access model
Customers like franchisers, universities, communities, schools, or anyone who wants decentralized administration are interested in delegated admin rights for other users
With Delegate365 they are able to split administration rights among users
Delegate365 Administration
Access to a user object
Domain + OU
Delegate365 portal key features
Delegate365 next features
Our WAAD Graph API wishlist
• Projections to lower network traffic
• Single-call operations (create user and assign license in a single call)
• User authentication in addition to SPN credentials
• More filtering options, e.g. search with .EndsWith
[email protected]
https://microsoft.qualtrics.com/SE/?SID=SV_3OFY7hFRayuoxI9
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn