Azure Identity Premier Fast Start Optional Module

Using the Directory Graph API

Graph API Scenarios

Reading from Microsoft Azure Active Directory
• Implement People or Group Picker – list/search users/groups
• Design workflows that look up Manager/Direct Report relationships
• Make Authorization Decisions – determine users' Group and Role Membership
• Check tenant and users' subscribed services such as Microsoft Exchange, Microsoft SharePoint, Skype, Microsoft Dynamics CRM, Intune, GSM
• Requesting changed data – "delta changes"

Writing to Azure Active Directory
• Updating users and groups
• Setting users' password
• Adding users to Groups/Roles
• Provisioning/de-provisioning users

Microsoft Confidential

What Is Graph

RESTful interface for Azure Active Directory
• Tenant-specific queries are scoped to individual tenant context
• Programmatic access to directory objects, such as Users, Groups, Roles
• Access relationships – members, memberOf, manager, directReports

Requests use standard HTTP methods
• GET, POST, DELETE to create, read, update, and delete
• Responses support JSON, XML, standard HTTP status codes
• Compatible with OData V3

OAuth 2.0 for authentication, role-based assignment

What Is REST
• REST – Representational State Transfer
• Originated from a Ph.D. dissertation by Roy Fielding
  ◦ An architecture style, not a protocol
  ◦ Description of how HTTP should be used for accessing data
• RESTful web services expose resources through a URI (diagram: a Resource acted on with PUT, GET, POST and DELETE)

Authentication and Authorization to Graph API

Service-to-Service: OAuth 2.0 grant type client credentials (diagram: Application, Azure AD Authentication Endpoint (OAuth), REST Service)
1. Application requests a JWT token from the Azure AD Authentication Endpoint (pass input claims)
2. Azure AD returns the token
3. Application sends an HTTP request with the JWT token to the REST Service
4. REST Service validates the token, performs the authorization check, processes the request, and returns the response and data

Query Format

https://graph.windows.net/contoso.com/users?api-version=2013-04-05&$filter=state eq 'WA'

• Tenant of interest – the Graph URL can use the tenant's verified domain or its (static) objectId
• Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
• API version – "2013-04-05" is the supported GA version
• Optional OData query arguments: $filter, $top

Other Examples of Read Operations

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/tenantDetails?api-version=2013-04-05
Description: Returns tenant-level information including company name, tech contact, subscriptions

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/groups/7373b0af-d462-406e-ad26-f2bc96d823d9/members?api-version=2013-04-05
Description: Returns a group's members

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/users?$filter=displayName eq 'Adam Barr'&api-version=2013-04-05
Description: Using an OData filter to get a specific user

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/users?$filter=displayName ge 'A' and displayName le 'F'&api-version=2013-04-05
Description: Filters for a range of users

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/users?api-version=2013-04-05&$filter=startswith(displayName,'James')
Description: An example OData filter using startswith

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/users?api-version=2013-04-05&$filter=proxyAddresses/any(c:startswith(c,'SMTP:Ad'))
Description: An example OData filter using the any operator; searches for users who have a proxy address starting with 'SMTP:Ad'

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/users/adam@graphdir1.onmicrosoft.com/memberOf?api-version=2013-04-05
Description: Gets a user's group membership

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/users/Adam@graphDir1.onmicrosoft.com/manager?api-version=2013-04-05
Description: Gets an individual user's manager

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/users/Adam@graphDir1.onmicrosoft.com/directReports?api-version=2013-04-05
Description: Gets an individual user's direct reports

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/roles?api-version=2013-04-05
Description: Returns roles

Request: https://graph.windows.net/graphDir1.onmicrosoft.com/subscribedSkus?api-version=2013-04-05
Description: Returns all subscriptions that the tenant owns
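The query format slide and the table of read operations above both follow one pattern: base URL, tenant, entity or navigation path, then api-version plus optional OData arguments. The following helper is an added example, not code from the deck or from Microsoft, and it assumes the base URL, API version and property names shown on the slides. It builds several of the tabled requests from one function, encodes spaces as %20, and escapes single quotes inside OData string literals (the doubled-quote rule), which matters when a display name or address prefix comes from user input and could otherwise rewrite the $filter expression.

```python
from urllib.parse import quote, urlencode

GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "2013-04-05"  # GA version named on the slide
# Characters left unescaped so OData expressions stay readable; spaces become %20.
ODATA_SAFE = "'()/:@,$"


def odata_literal(value):
    """Quote a string for use inside an OData $filter. The only escape in an
    OData string literal is a doubled single quote; without it, caller-supplied
    text such as O'Brien breaks the expression, and untrusted text can change
    what the filter matches."""
    return "'" + str(value).replace("'", "''") + "'"


def graph_url(tenant, path, api_version=API_VERSION, **odata):
    """Assemble base / tenant / entity-or-navigation path ? api-version & $options.
    tenant is a verified domain or tenant objectId; path is e.g. 'users',
    'groups/<id>/members' or 'users/<upn>/memberOf'."""
    params = {"api-version": api_version}
    for name, value in odata.items():
        params["$" + name] = value          # filter -> $filter, top -> $top
    query = urlencode(params, safe=ODATA_SAFE, quote_via=quote)
    return f"{GRAPH_BASE}/{tenant}/{path}?{query}"


# Requests from the slide's table, all built from the same helper.
def tenant_details(tenant):
    return graph_url(tenant, "tenantDetails")


def group_members(tenant, group_object_id):
    return graph_url(tenant, f"groups/{group_object_id}/members")


def user_by_display_name(tenant, display_name):
    return graph_url(tenant, "users",
                     filter=f"displayName eq {odata_literal(display_name)}")


def users_with_proxy_address_prefix(tenant, prefix):
    return graph_url(tenant, "users",
                     filter=f"proxyAddresses/any(c:startswith(c,{odata_literal(prefix)}))")


def user_member_of(tenant, upn):
    # '@' is kept in the path segment; anything else unusual in a UPN is escaped.
    return graph_url(tenant, f"users/{quote(upn, safe='@')}/memberOf")


def subscribed_skus(tenant, top=None):
    if top is None:
        return graph_url(tenant, "subscribedSkus")
    return graph_url(tenant, "subscribedSkus", top=top)
```

Compared with pasting URLs by hand, the helper makes the tenant, version and OData arguments explicit and keeps filter text from untrusted sources inside a properly escaped literal.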

Graph API Write Operations: Create a New User

POST https://graph.windows.net/contoso.com/users?api-version=2013-04-05

HEADERS
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1T…

BODY
{
  "accountEnabled": true,
  "userPrincipalName": "NewUser@contoso.com",
  "displayName": "New User",
  "passwordProfile": {
    "password": "VStrongP@ssword1",
    "forceChangePasswordNextLogin": true
  },
  "mailNickname": "NewUser"
}

RESPONSE: 201 Created

Notes
1. The password must meet the tenant's accepted password complexity requirements
2. The minimum set of properties to create a user is shown in the example above
3. Setting the user's usage location is not shown above
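The create-user request above, assembled in code as an added example (not the deck's or Microsoft's own code). It assumes the minimum property set and endpoint shown on the slide; the local password pre-check assumes the classic Azure AD cloud policy of 8 to 16 characters with three of four character classes, which a tenant's own policy may override, so the service response remains authoritative. The optional usageLocation property, which the slide notes it does not show, is included as a parameter.

```python
import json
import re

API_VERSION = "2013-04-05"
GRAPH_BASE = "https://graph.windows.net"

# Minimum property set for creating a user, as listed on the slide.
REQUIRED_PROPERTIES = ("accountEnabled", "userPrincipalName", "displayName",
                       "passwordProfile", "mailNickname")


def password_meets_policy(password):
    """Local pre-check before calling the service. Assumption: 8-16 characters
    and at least three of the four character classes. The tenant's configured
    policy is authoritative and the service rejects anything that fails it."""
    if not 8 <= len(password) <= 16:
        return False
    classes = (
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return sum(1 for c in classes if c) >= 3


def build_create_user_request(tenant, access_token, upn, display_name,
                              mail_nickname, password, force_change=True,
                              usage_location=None):
    """Return the HTTP request (method, url, headers, body) that creates a user.
    Nothing is sent here; the caller hands the dict to its HTTP client."""
    if not password_meets_policy(password):
        raise ValueError("initial password does not meet the assumed policy")
    body = {
        "accountEnabled": True,
        "userPrincipalName": upn,
        "displayName": display_name,
        "passwordProfile": {
            "password": password,
            # Force a change at first sign-in so the provisioning password is single-use.
            "forceChangePasswordNextLogin": force_change,
        },
        "mailNickname": mail_nickname,
    }
    if usage_location is not None:
        # Not shown on the slide; required before licenses can be assigned to the user.
        body["usageLocation"] = usage_location
    missing = [p for p in REQUIRED_PROPERTIES if p not in body]
    if missing:
        raise ValueError(f"missing required properties: {missing}")
    return {
        "method": "POST",
        "url": f"{GRAPH_BASE}/{tenant}/users?api-version={API_VERSION}",
        "headers": {
            "Content-Type": "application/json",
            # The bearer token is a credential: never write this header to logs.
            "Authorization": f"Bearer {access_token}",
        },
        "body": json.dumps(body),
    }


def create_succeeded(status_code):
    """Graph answers a successful create with 201 Created, not 200 OK."""
    return status_code == 201
```

The request body and the Authorization header both carry secrets (the initial password and the access token), so a provisioning tool should log the URL and status code but never the full request.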

Implementation on the App

POST https://login.windows.net/contoso.com/oauth2/token?api-version=1.0

HEADERS
Content-Type: application/x-www-form-urlencoded

BODY
grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=52752c8e-d73c-4f9a-a0f9-2d75607ecb8e&client_secret=qKDjII5%2FK8WyKj6sRo5a5vD6%2Bm44uk1A%2BpIlM%3D

RESPONSE: 200 OK

Notes
OAuth 2.0 Client Credential grant type: client_id and client_secret are pre-configured through the Azure Management Portal, under Active Directory/Applications
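The token request on this slide and the four-step flow on the authentication slide, as one added example that is not part of the deck or of Microsoft's libraries. It builds the form-encoded client-credentials POST (the secret goes in the body, URL-encoded, never in the query string) and then shows the claim checks a REST service makes in step 4 once it has verified the token's signature: audience, issuer, expiry and not-before. Signature verification against the tenant's published signing keys is assumed to happen before these checks and is not implemented here; the sample token is constructed and unsigned. The expected issuer is passed in by the caller; for Azure AD v1 tokens it takes the form https://sts.windows.net/<tenant-id>/, and the tenant id below is a placeholder.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.windows.net/{tenant}/oauth2/token?api-version=1.0"
GRAPH_RESOURCE = "https://graph.windows.net"


def build_token_request(tenant, client_id, client_secret, resource=GRAPH_RESOURCE):
    """Client-credentials request: the secret travels form-encoded in the POST
    body, never in the URL where proxies and access logs would record it."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,  # urlencode escapes the + / = that secrets often contain
    })
    return url, headers, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_parts(token):
    """Split a compact JWT into decoded header, decoded claims and the raw signature segment."""
    header_seg, payload_seg, signature_seg = token.split(".")
    return (json.loads(_b64url_decode(header_seg)),
            json.loads(_b64url_decode(payload_seg)),
            signature_seg)


def check_access_token_claims(token, expected_audience, expected_issuer, now=None):
    """Claim checks a resource service makes in step 4, after signature
    verification (not shown). Returns a list of problems; empty means acceptable."""
    now = time.time() if now is None else now
    header, claims, _ = jwt_parts(token)
    problems = []
    if header.get("typ") != "JWT" or header.get("alg") != "RS256":
        problems.append("unexpected header")
    if claims.get("aud") != expected_audience:
        problems.append("audience mismatch: token is not for this resource")
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch: token not from the expected tenant")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or missing exp")
    if isinstance(claims.get("nbf"), (int, float)) and claims["nbf"] > now:
        problems.append("token not yet valid")
    return problems


def make_sample_token(claims, header=None):
    """Constructed, unsigned sample for exercising the claim checks offline.
    The signature segment is a placeholder and would fail real verification."""
    header = header or {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])
```

The audience check is the one most often skipped: a token minted for a different resource in the same tenant carries a valid signature from the same issuer, and only the aud claim tells the service it was not issued for it.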