Transcript

IT managed identities
Diagram: identities are managed by IT in on-premises Active Directory; user accounts appear as [email protected], and each resource or application is annotated with its owner (Owner = [email protected]).
Access to Azure and rest of the cloud: Powered by Azure AD
Diagram: users and groups from on-premises Active Directory ([email protected]) sync to Azure Active Directory, which holds the roles and role assignments; an external account (prospectivecustomer@live.com) is also represented. Azure AD then provides access to:
- 2000+ pre-integrated SaaS apps
- Microsoft Online Services
- Microsoft Azure IaaS/PaaS
- company in-house developed cloud apps
Resources keep their owner annotation (Owner = [email protected]).
Role              Actions                                       Not Actions
Owner             *
Contributor       *                                             Microsoft.Authorization/*
Reader            */Read
SQL Contributor   Microsoft.SQL/*
Tier 1 Operator   */Read + Microsoft.Compute/VirtualMachine/*   Microsoft.Authorization/*
(The transcript lists Microsoft.Authorization/* twice under Not Actions. One entry belongs to Contributor; the second most plausibly belongs to the custom Tier 1 Operator role, but its row is not recoverable from the transcript.)
Access Inheritance and Resource Hierarchy
Diagram: a subscription (S) contains resource groups (RG), which contain resources (R); a role assignment made at one scope applies to everything beneath it. Example assignments shown:
- Role = 'Owner', Subject = AAD User, Scope = Resource
- Role = 'Reader', Subject = AAD Group, Scope = Subscription
- Role = 'Contributor', Subject = AAD User, Scope = Resource Group
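The role table and the three scoped assignments above, as an added worked example (Python; illustrative code, not code from the presentation and not the Azure Resource Manager implementation). It models a role as Actions minus Not Actions with wildcard matching, inherits an assignment from its scope down to every child scope, and lets a user pick up assignments made to an AAD group. The scope strings, object ids, the action names built on the slide's "Microsoft.Compute/VirtualMachine" naming, and the Not Actions entry on the Tier 1 Operator row are constructed assumptions.

```python
"""Toy model of Azure RBAC evaluation: a role permits an operation when
it matches an Actions pattern and no NotActions pattern; an assignment
at a scope covers that scope and everything beneath it; a user's
effective assignments include those made to the user's AAD groups.
Illustrative code only, not Azure's implementation."""
import re
from dataclasses import dataclass


def _match(pattern: str, action: str) -> bool:
    # Azure-style wildcard: '*' matches any run of characters, '/' included.
    # Assumption: operation names compare case-insensitively, so the
    # slide's "*/Read" also matches ".../read".
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple
    not_actions: tuple = ()

    def permits(self, action: str) -> bool:
        # NotActions take precedence: they subtract from Actions.
        allowed = any(_match(p, action) for p in self.actions)
        denied = any(_match(p, action) for p in self.not_actions)
        return allowed and not denied


@dataclass(frozen=True)
class Assignment:
    role: Role
    subject: str   # object id of an AAD user or an AAD group
    scope: str     # subscription, resource group, or resource


def _covers(assignment_scope: str, target_scope: str) -> bool:
    # An assignment covers its own scope and every descendant scope.
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


# Role definitions from the slide's table (Tier 1 Operator NotActions assumed).
OWNER = Role("Owner", ("*",))
CONTRIBUTOR = Role("Contributor", ("*",), ("Microsoft.Authorization/*",))
READER = Role("Reader", ("*/Read",))
SQL_CONTRIBUTOR = Role("SQL Contributor", ("Microsoft.SQL/*",))
TIER1_OPERATOR = Role("Tier 1 Operator",
                      ("*/Read", "Microsoft.Compute/VirtualMachine/*"),
                      ("Microsoft.Authorization/*",))

# Constructed scope hierarchy: subscription -> resource group -> resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/VirtualMachine/vm-01"
OTHER_VM = SUB + "/resourceGroups/rg-db/providers/Microsoft.Compute/VirtualMachine/vm-db"

# Constructed principal object ids.
ELLEN = "user-ellen"
JOE = "user-joe"
ELLENS_TEAM = "group-ellens-team"

# The three assignments drawn on the slide.
ASSIGNMENTS = [
    Assignment(OWNER, ELLEN, VM),          # Role='Owner', Subject=AAD User, Scope=Resource
    Assignment(READER, ELLENS_TEAM, SUB),  # Role='Reader', Subject=AAD Group, Scope=Subscription
    Assignment(CONTRIBUTOR, JOE, RG),      # Role='Contributor', Subject=AAD User, Scope=Resource Group
]


def check_access(user: str, groups, action: str, scope: str, assignments=ASSIGNMENTS) -> bool:
    """Access check: the user (or one of the user's groups) must hold an
    assignment whose scope covers the target and whose role permits the action."""
    subjects = {user, *groups}
    return any(a.role.permits(action)
               for a in assignments
               if a.subject in subjects and _covers(a.scope, scope))


if __name__ == "__main__":
    print(check_access(JOE, [], "Microsoft.Authorization/roleAssignments/write", VM))  # False: Contributor excludes Microsoft.Authorization/*
    print(check_access(ELLEN, [ELLENS_TEAM], "Microsoft.Compute/VirtualMachine/read", OTHER_VM))  # True via group Reader at subscription
```

The two checks that matter most in practice are visible in the output: a Contributor at the resource group cannot grant roles even though its Actions is `*`, because Not Actions wins; and a Reader assignment to a group at the subscription reaches a resource in a different resource group through inheritance.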
Azure AD Authorization Platform
Diagram: users and groups sync from on-premises Active Directory to Azure Active Directory, which issues tokens carrying group membership claims. The Azure Preview Portal and APIs (Azure Resource Manager) call the Access Check SDK, which evaluates the roles and role assignments (synced to the closest geo location); Policy and Audit sit beside them, so administrators can reason over policy and audit.
RBAC & Azure Resource Manager
Diagram: Azure Active Directory backs RBAC (roles and role assignments); Azure Resource Manager sits between RBAC and the resource providers (RP), and events from the resource providers surface as Azure Events.
Using AAD Groups Directly
1. Ellen (Resource Owner) grants access to an AAD group, 'Ellen's Team'. The app renders a "people picker" using the AAD Graph API and persists the group objectId in its "permissions table".
2. Joe (member of 'Ellen's Team') accesses the resource. The token contains a groups claim; the app checks access by comparing the groups claim value with the persisted objectIds.
3. Sam (member of 'Ellen's Team') accesses the resource. The token contains an overage claim rather than the group list; the app queries the AAD Graph API for the user's groups and checks access by comparing them with the persisted objectIds.

Using AAD App Roles
1. App Developer publishes App Roles in AAD: App Roles = "Publisher", "Subscriber".
2. Customer Admin assigns App Roles to users, groups and client applications: Kim -> "Publisher", Ellen's Team -> "Subscriber".
3. Kim accesses the resource. The token contains a roles claim (roles="Publisher"); the app checks access using "IsInRole".
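The two app-side checks above (groups claim with the overage fallback, and the app roles claim checked IsInRole-style), as an added worked example in Python. This is illustrative code, not code from the presentation; the tokens, object ids, the permissions table and the directory lookup are constructed stand-ins, and the overage claim is modelled on the `_claim_names` / `_claim_sources` shape Azure AD uses when a token cannot carry the full group list.

```python
"""Illustrative app-side authorization from Azure AD token claims:
- a groups claim compared against a persisted permissions table,
- the overage case, where the app must look the user's groups up itself,
- an app roles claim checked with an IsInRole-style test.
Constructed tokens and a stand-in directory lookup; not production code."""

# Assumption: every token below has already been signature-validated and its
# issuer and audience checked; only then are the claims worth trusting.
# Object ids are constructed placeholders, not real directory values.
ELLENS_TEAM = "11111111-1111-1111-1111-111111111111"
FINANCE = "22222222-2222-2222-2222-222222222222"

# The app's "permissions table": resource -> group objectIds the resource
# owner granted access to (step 1 of the slide).
PERMISSIONS_TABLE = {
    "report-q3": {ELLENS_TEAM},
}

# Stand-in for the AAD Graph API member-objects call, keyed by the user's
# object id (the oid claim). Constructed data.
DIRECTORY = {
    "joe-oid": [ELLENS_TEAM],
    "sam-oid": [FINANCE, ELLENS_TEAM],  # too many groups to embed in Sam's token
    "pat-oid": [FINANCE],
}


def graph_lookup(oid):
    return DIRECTORY.get(oid, [])


def groups_for(token, lookup=graph_lookup):
    """Return the set of group objectIds for the token's user.

    Joe's case: the 'groups' claim is present, so use it directly.
    Sam's case: the token carries the overage claim (_claim_names maps
    'groups' to an entry in _claim_sources) and the app must query the
    directory for the user's groups itself.
    """
    if "groups" in token:
        return set(token["groups"])
    names = token.get("_claim_names", {})
    if "groups" in names and names["groups"] in token.get("_claim_sources", {}):
        return set(lookup(token["oid"]))
    return set()


def can_access_by_group(token, resource, lookup=graph_lookup):
    """Step 2/3 of the slide: any overlap between the user's groups and the
    objectIds persisted for the resource grants access."""
    allowed = PERMISSIONS_TABLE.get(resource, set())
    return bool(groups_for(token, lookup) & allowed)


def is_in_role(token, role):
    """Equivalent of an IsInRole check: app roles assigned to the user, or to
    one of the user's groups, arrive in the 'roles' claim."""
    return role in token.get("roles", [])


# Constructed tokens (relevant claim subsets only).
JOE_TOKEN = {"oid": "joe-oid", "name": "Joe", "groups": [ELLENS_TEAM]}
SAM_TOKEN = {
    "oid": "sam-oid", "name": "Sam",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/example/users/sam-oid/getMemberObjects"}},
}
PAT_TOKEN = {"oid": "pat-oid", "name": "Pat", "groups": [FINANCE]}
KIM_TOKEN = {"oid": "kim-oid", "name": "Kim", "roles": ["Publisher"]}

if __name__ == "__main__":
    for tok in (JOE_TOKEN, SAM_TOKEN, PAT_TOKEN):
        print(tok["name"], "report-q3:", can_access_by_group(tok, "report-q3"))
    print("Kim Publisher:", is_in_role(KIM_TOKEN, "Publisher"))
```

Note that the overage path is the one most often missed: an app that only reads the `groups` claim silently denies users with large group memberships, while an app that treats the absence of the claim as "no groups" behaves correctly only because the lookup above is explicit about when it falls back to the directory.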