HELLO DEVELOPERS.
HOW MANY OF YOU GOT TO SEE RAJESH'S DEMO THIS MORNING
WHERE ASHIMA SHOWED PASSWORDLESS
AND THE MICROSOFT IDENTITY PLATFORM?
WELL, IF YOU MISSED IT, DON'T WORRY.
THIS SESSION IS PACKED FULL OF DEMOS.
MY NAME IS LESHA DILEEPA
AND I'M A PM ON THE MICROSOFT IDENTITY TEAM,
DRIVING APP REGISTRATION EXPERIENCES IN THE AZURE PORTAL.
AND MY NAME IS SAYID AKHTAR.
I'M A LEAD PM ON THE MICROSOFT IDENTITY TEAM
IN-CHARGE OF AUTHENTICATION SDKS.
LET'S GET STARTED.
BEFORE WE GET STARTED,
I'LL TELL YOU ABOUT THE MICROSOFT IDENTITY PLATFORM
AND WHY YOU'RE GOING TO LOVE IT.
HOW MANY OF YOU THINK INTEGRATING
WITH MICROSOFT'S IDENTITY STACK IS EASY?
WELL, THAT'S VERY FEW OF YOU.
SO WE'LL GET STARTED WITH SHOWING A DEMO
OF HOW ACTUALLY WE HAVE MADE IT REALLY EASY
TO INTEGRATE WITH A MICROSOFT IDENTITY PLATFORM.
THEN, WE'LL TAKE A LOOK AT WHAT GOES ON BEHIND THE SCENES
AND HOW YOU'LL GET A LOT OF STUFF FOR FREE
WITHOUT HAVING TO WRITE ANY ADDITIONAL EXTRA CODE.
THEN WE'LL TAKE A LOOK AT SOME ADVANCED SCENARIOS
LIKE HOW TO CONTROL THE USER CONSENT EXPERIENCE
AND CUSTOMIZE YOUR APPLICATION.
LASTLY, WE HAVE SOME RELEASE ANNOUNCEMENTS
AND THEN UPDATE ON OUR ROADMAP.
SO, WHAT IS THE MICROSOFT IDENTITY PLATFORM?
FIRST OF ALL, THE MICROSOFT IDENTITY PLATFORM
ALLOWS YOU TO BUILD APPLICATIONS THAT
TARGET ORGANIZATIONAL ACCOUNTS
ALSO REFERRED TO AS AZURE AD ACCOUNTS
AS WELL AS PERSONAL MICROSOFT ACCOUNTS
SUCH AS LIVE AND HOTMAIL ACCOUNTS.
TOGETHER, THIS ACCOUNTS FOR OVER A BILLION USERS
AND ALL OF THESE USERS SEE A UNIFIED SIGN-IN EXPERIENCE.
YOU CAN ALSO USE AZURE AD B2C
TO SIGN IN USERS THAT BRING IN AN EMAIL OR A SOCIAL IDENTITY.
NEXT, THE MICROSOFT IDENTITY PLATFORM ALLOWS YOU
TO BUILD DATA RICH APPLICATIONS.
YOU CAN CONNECT TO ANY OF YOUR APIS
AS WELL AS A VARIETY OF MICROSOFT APIS
SUCH AS MICROSOFT GRAPH.
WE ARE ON A MISSION TO RID THE WORLD OF PASSWORDS
WITH TECHNOLOGIES LIKE WINDOWS HELLO,
MICROSOFT AUTHENTICATOR,
AND FIDO2 SECURITY KEYS.
FUTURE PROOF YOUR APPLICATION BY BUILDING
ON THE MICROSOFT IDENTITY PLATFORM.
CONDITIONAL ACCESS IS ONE
OF AZURE AD'S FASTEST GROWING FEATURES.
IT ALLOWS IT ADMINS TO DO THINGS LIKE SET POLICIES
WHERE AN EMPLOYEE IS PROMPTED
FOR MULTI-FACTOR AUTHENTICATION WHEN THEY ARE NOT
IN THE OFFICE.
BUILDING ON OUR PLATFORM, COMPLYING
WITH THESE POLICIES IS REALLY EASY.
YOU GET ALL OF THIS WITH A SIMPLE DEVELOPER PLATFORM.
WE'VE GIVEN YOU AN EASY APP REGISTRATION EXPERIENCE
AND A FAMILY OF OPEN SOURCE AUTHENTICATION LIBRARIES.
AND THE BEST PART IS THAT THIS IS AN EVOLUTION
OF AZURE ACTIVE DIRECTORY FOR DEVELOPERS.
THAT MEANS ALL YOUR EXISTING APPLICATIONS AND APIS
ARE NOT LEFT BEHIND.
THEY CAN INTER-OPERATE WITH YOUR NEW ONES.
THIS ECOSYSTEM ALREADY HAS
OVER A MILLION ACTIVE APPLICATIONS.
WELL, WHEN WE ASKED YOU
IF IDENTITY WAS SIMPLE, NOT MANY OF YOU RAISED YOUR HAND.
WELL, WE'RE GONNA CHANGE THAT.
IDENTITY CAN BE SIMPLE
AND WE'VE MADE GREAT STRIDES
IN SIMPLIFYING THE DEVELOPER EXPERIENCE.
I'M GONNA SHOW YOU WHAT THAT LOOKS LIKE.
LET'S BUILD AN APP.
HERE I AM IN THE APP REGISTRATION'S PORTAL
IN AZURE ACTIVE DIRECTORY.
HERE'S THE LIST OF ALL MY APPS.
I'M GONNA GO AHEAD AND BUILD A NEW APP.
YOU NEED TO REGISTER YOUR APP
WITH THE MICROSOFT IDENTITY PLATFORM
IN ORDER FOR YOUR APP TO COMPLETE A SIGN IN PROCESS
AND IN ORDER FOR IT TO CONNECT UP TO THE SERVICE.
AND YOU NEED THREE THINGS.
THE FIRST THING IS THE NAME.
THIS IS THE NAME OF THE APPLICATION
THAT YOU AND USERS WILL SEE WHEN THEY SIGN IN TO THE APP.
THE SECOND THING IS WHO CAN SIGN INTO THE APP.
SO YOU SEE THREE OPTIONS HERE.
THE FIRST OPTION IS ALL THE USERS WITHIN YOUR ORGANIZATION.
THE SECOND OPTION, IS USERS IN ANY ORGANIZATION.
IMAGINE YOU'RE BUILDING A LINE OF BUSINESS APP
THAT ANY ENTERPRISE OR SCHOOL CAN USE.
AND THE THIRD IS THE BROADEST POSSIBLE REACH
WHICH IS YOUR APPLICATION SIGNING IN ANY MICROSOFT IDENTITY
WHETHER IT BE PERSONAL, OR WORK OR SCHOOL.
AND LASTLY, THERE'S A REDIRECT URI THAT'S NECESSARY.
YOU CAN THINK OF THIS AS AN ALLOW LIST
OF SAFE PLACES TO SEND AN ACCESS TOKEN.
WE DON'T WANNA BE SENDING AN ACCESS TOKEN
WHICH CAN BE USED TO ACCESS USER DATA TO ANY MALICIOUS APP.
WE WANT IT TO GO TO YOUR APP.
SO I'M GONNA FILL THESE OUT.
WE'RE GONNA SIGN IN ANY MICROSOFT IDENTITY
AND I'M GOING TO LEAVE REDIRECT URI BLANK FOR NOW
AND WE'RE GOING TO RUN THROUGH A QUICK START
THAT WILL CREATE US A LOCALHOST REDIRECT URI
FOR LOCAL TESTING.
WE'RE GONNA JUMP RIGHT TO THE QUICKSTART EXPERIENCE.
SO I'D LIKE TO POINT OUT THAT THIS ONE APP REGISTRATION
THAT YOU'VE CREATED CAN BE USED FOR ALL
OF YOUR APP PLATFORMS.
YOU DON'T NEED A SEPARATE APP REGISTRATION
FOR WEB, FOR DESKTOP, FOR MOBILE.
YOU CAN USE ONE APP REGISTRATION FOR ALL THE PLATFORMS
OF YOUR APPLICATION THAT YOU'RE BUILDING.
AND THIS ONE APP REGISTRATION, AGAIN,
CAN BE USED FOR ANY PLATFORM,
AND ANY MICROSOFT IDENTITY SIGNING IN.
WE'RE GONNA BUILD A JAVASCRIPT, BROWSER BASED APPLICATION
ALSO CALLED SINGLE-PAGE APPLICATIONS.
AND WHEN I OPEN THIS QUICKSTART,
THE FIRST THING YOU'LL SEE IS A DIAGRAM
THAT EXPLAINS THE AUTHENTICATION FLOW
AND WHAT'S HAPPENING UNDER THE HOOD.
YOU DON'T HAVE TO UNDERSTAND ANY OF THIS QUITE YET.
YOU CAN JUST FOLLOW ALONG WITH THE QUICKSTART
AND REFER BACK TO THIS ONCE YOU WANNA KNOW MORE.
SO I'M GONNA SCROLL DOWN AND I'M GONNA GO TO THE FIRST STEP.
AND THE FIRST STEP IS TO CONFIGURE THAT REDIRECT URI
FOR LOCALHOST TESTING
AND TO ENABLE A FLOW CALLED IMPLICIT GRANT FLOW.
THIS IS AN AUTHENTICATION FLOW
THAT'S DESIGNED FOR BUILDING BROWSER BASED APPLICATIONS
FOR SINGLE-PAGE APPLICATIONS.
I'M GONNA CLICK, MAKE THESE CHANGES FOR ME,
AND I GET TO PREVIEW EXACTLY WHAT CHANGES
ARE GOING TO BE MADE TO MY APP REGISTRATION.
IT LOOKS GOOD.
REDIRECT URI, IMPLICIT GRANT FLOW,
I'M GONNA MAKE THESE UPDATES.
AND RIGHT AWAY, WE GET CONFIRMATION
THAT THIS APP REGISTRATION IS NOW CONFIGURED
WITH THE NECESSARY ATTRIBUTES
TO BE ABLE TO RUN THIS QUICKSTART.
THE NEXT STEP IS TO DOWNLOAD THIS PROJECT.
I'M GONNA OPEN IT IN CODE.
NOW, IF I SCROLL PAST THE HTML AND I GET TO THE JAVASCRIPT,
THE FIRST THING THAT I SEE IS THE CONFIGURATION.
THE APP REGISTRATION THAT WE CREATED IN THE PORTAL
CREATED A CLIENT ID.
THIS IS A GUID THAT UNIQUELY IDENTIFIES YOUR APPLICATION.
SO IT SAYS, ENTER THE APPLICATION ID HERE.
WE NEED TO GRAB IT.
WE'VE MADE THIS EASY IN THE PORTAL.
SO I CLICK COPY.
I GO BACK TO THE CODE.
I PASTE IT RIGHT HERE.
I SAVE THIS OFF.
AND WE'RE GONNA RUN IT.
AND WE'RE NOT EVEN 10 MINUTES IN
AND WE ALREADY HAVE AN APPLICATION RUNNING.
LET ME SHOW YOU THAT IT WORKS.
I CLICK SIGN IN.
AND I AUTOMATICALLY GET SINGLE SIGN-ON EXPERIENCE.
I HIT ACCEPT.
AND IT'S NOW GIVING ME INFORMATION
ABOUT THIS USER.
SO, I'M SIGNED IN WITH A WORK OR SCHOOL ACCOUNT,
IT'S CALLING MICROSOFT GRAPH,
IT'S CALLING THE ME ENDPOINT.
THIS ENDPOINT RETURNS INFORMATION ABOUT THE PHONE NUMBER,
THE OFFICE, FIRST NAME, LAST NAME,
THAT SORT OF THING.
LET ME SIGN IN WITH A MSA MICROSOFT ACCOUNT.
THIS IS A PERSONAL ACCOUNT.
NOW WE'RE GONNA SIGN IN AGAIN.
THIS TIME BECAUSE I'M SIGNED IN WITH TWO ACCOUNTS.
I GET AN ACCOUNT SELECTION SCREEN
TO SELECT MY PERSONAL ACCOUNT OR MY WORK ACCOUNT.
I SIGN IN WITH MY PERSONAL ACCOUNT.
AND AGAIN, I GET A CONSENT DIALOGUE.
FOR MY PERSONAL ACCOUNT,
I NEED TO TRUST THIS APP TO BE ABLE
TO READ MY PROFILE INFORMATION.
I CLICK YES.
AND GREAT, IT RETURNS INFORMATION.
SO LET ME SHOW YOU WHAT THE CODE LOOKS LIKE.
IN ORDER TO CALL MICROSOFT GRAPH,
WE NEED TO ASK PERMISSION TO READ DATA.
IN THE MICROSOFT AUTHENTICATION LIBRARY,
THE WAY YOU DO THIS IS BY PASSING A SCOPES PARAMETER.
THIS IS A COMMA-SEPARATED LIST OF HUMAN-READABLE,
LEAST-PRIVILEGED SCOPES
THAT ALLOWS YOU TO CONTROL EXACTLY
WHAT DATA YOU NEED ACCESS TO.
WE NEED TO CALL THE ME ENDPOINT.
SO THIS IS A MICROSOFT GRAPH, REST API ENDPOINT
THAT WE'RE GOING TO CALL.
AND I'M GONNA SHOW YOU THIS PATTERN.
THIS IS A COMMON PATTERN YOU'LL SEE THROUGHOUT ALL
OF OUR QUICKSTARTS AND SAMPLES.
WE TRY ACQUIRE TOKEN SILENT,
AND IF THAT FAILS, THEN WE DO ACQUIRE TOKEN POP UP.
THIS MAXIMIZES OUR OPPORTUNITY
FOR GETTING A SINGLE SIGN-ON EXPERIENCE.
AND IT ENSURES THAT IN SITUATIONS
WHERE WE DO NEED INTERACTIVE UI,
SUCH AS MULTI-FACTOR AUTHENTICATION
OR CONSENT SCREENS, WHEN THE APP IS UNABLE
TO GET A TOKEN SILENTLY,
IT POPS THE NECESSARY INTERACTIVE DIALOGUE
FOR THE USER TO COMPLETE THAT FLOW.
THAT WAS SIMPLE, WASN'T IT?
(CLAPPING)
THAT WAS SIMPLE.
WITH JUST A FEW SIMPLE STEPS WE'RE ABLE
TO GET OUR BASIC APPLICATION CONFIGURED.
FIRST, WE REGISTERED THE APPLICATION
BY PROVIDING NAME, WHICH ACCOUNTS WE WANT TO SUPPORT,
AND A REDIRECT URI.
THEN WE WERE ABLE TO USE A QUICKSTART
FOR THE PLATFORM OF OUR CHOICE
TO DOWNLOAD THE SAMPLE CODE.
AND LASTLY, WE NEEDED TO PROVIDE THE PERMISSIONS
FOR THE DATA THAT WE NEED ACCESS TO.
AND THE BEST PART IS,
THAT YOU GET A LOT FOR FREE WITHOUT HAVING
TO WRITE ANY EXTRA CODE.
YOU GET ACCESS TO FEATURES LIKE SINGLE SIGN-ON,
TOKEN MANAGEMENT, PASSWORDLESS
AND SATISFYING CONDITIONAL ACCESS POLICIES.
WELL, THAT'S IT FOLKS, YOU CAN GO HOME.
BUT STICK AROUND BECAUSE THE REST OF THE SESSION IS ABOUT
GETTING THE MOST OUT OF THE MICROSOFT IDENTITY PLATFORM.
WE'LL TALK ABOUT CUSTOMIZING YOUR APP REGISTRATION.
THIS INCLUDES BRANDING AND REQUESTING ACCESS TO MORE DATA.
WE'LL TALK ABOUT PERMISSIONS AND CONSENT
AND HOW THE FLOWS WORK FROM ALL THE DIFFERENT PERSPECTIVES:
FROM THE USER PERSPECTIVE,
FROM THE DEVELOPER AND IT PERSPECTIVE.
WE'LL TALK ABOUT BEST PRACTICES TO GET GREAT SINGLE SIGN ON
EXPERIENCES WITHIN YOUR APPLICATION
AS WELL AS SOME SECURITY BEST PRACTICES.
AND WE'LL TALK ABOUT YOUR EXISTING INVESTMENTS
AND ALL THOSE APIS YOU HAVE.
YOUR OWN APIS, MICROSOFT GRAPH APIS,
OTHER MICROSOFT APIS AND HOW YOU CAN ACCESS A DIVERSE SET
OF APIS USING THE MICROSOFT IDENTITY PLATFORM.
SO WE SAW
THAT SAYID CONFIGURED A BASIC REGISTRATION
FOR HIS APPLICATION.
BUT WE'LL TAKE A CLOSER LOOK INTO
WHAT THAT EXPERIENCE LOOKS LIKE
AND WHAT KIND OF CUSTOMIZATIONS WE CAN MAKE.
SO WE'LL GET BACK INTO THIS PORTAL EXPERIENCE.
AND I WANT TO DRAW YOUR ATTENTION
TO THIS LIST OF APPLICATIONS HERE.
THIS SHOWS A LIST OF ALL YOUR APPLICATIONS
THAT WERE REGISTERED WITH THE MICROSOFT IDENTITY PLATFORM
REGARDLESS OF WHICH PORTAL EXPERIENCE YOU USED.
NOW WE'LL GO AHEAD AND CLICK INTO ONE OF THESE.
THIS IS THE OVERVIEW OF THE APPLICATION.
IT SHOWS YOU SOME BASIC INFORMATION ABOUT THE APP.
LIKE ITS APPLICATION ID THAT WE USE IN CODE
TO REFERENCE THIS REGISTRATION.
IT ALSO SHOWS US WHICH ACCOUNT TYPES WE'RE SUPPORTING
AND THAT OUR REDIRECT URI WAS REGISTERED,
SOME LINKS TO DOCUMENTATION AND SOME STEPS TO GET STARTED.
NOW WE'LL TAKE A LOOK AT THIS LEFT HAND NAVIGATION HERE.
WE DID A BIG CARD SORTING EXERCISE WITH DEVELOPERS
TO FIGURE OUT HOW THE PROPERTIES OF AN APPLICATION OBJECT
SHOULD BE GROUPED.
AND WE THINK WE'VE FIGURED IT OUT.
SO LET'S TAKE A LOOK AT BRANDING.
THIS HAS ALL OF THE INFORMATION ASSOCIATED
WITH WHAT YOUR USERS WILL SEE WHEN THEY'RE SIGNING IN
AND CONSENTING TO YOUR APPLICATION.
IT HAS THE NAME OF THE APP, A LOGO,
LINKS TO TERMS OF SERVICE AND PRIVACY STATEMENT.
WE'LL SEE LATER, HOW THIS INFORMATION IS REFLECTED
TO THE END USER.
IN CERTAIN SCENARIOS, AN APPLICATION NEEDS
TO PROVE ITS IDENTITY.
IT CAN DO SO USING A CLIENT SECRET,
ALSO REFERRED TO AS AN APPLICATION PASSWORD
OR EVEN BETTER A CERTIFICATE.
YOU CAN CONFIGURE THOSE PIECES OF INFORMATION HERE.
I'M GOING TO SKIP OVER API PERMISSIONS FOR NOW.
WE'LL SEE THAT IN A SECOND.
AND MOVE ON TO EXPOSING AN API.
IF YOU'RE BUILDING AN API,
YOU'LL NEED TO PROVIDE A UNIQUE IDENTIFIER,
WHICH IS REFERRED TO AS THE APPLICATION ID URI.
THEN YOU CAN GO AHEAD AND DEFINE YOUR PERMISSIONS.
HERE WE HAVE TWO PERMISSIONS.
THE PAYROLL DOT READ WRITE DOT ALL PERMISSION
AND PAYROLL DOT READ.
NOTICE THAT THE PAYROLL DOT READ PERMISSION
CAN BE CONSENTED TO BY ADMINS AND USERS.
THIS OTHER ONE WE CONSIDER MORE HIGHLY PRIVILEGED
SO IT CAN ONLY BE CONSENTED TO BY ADMINS.
NOT ONLY DO WE HAVE THE URI,
WE ALSO HAVE AN API.
SO THE API CAN BE REALLY USEFUL IN SOME SCENARIOS
LIKE DEVOPS.
IMAGINE THAT YOU NEED TO ROLL KEYS FROM TIME TO TIME.
ANOTHER SCENARIO THAT MIGHT BE REALLY INTERESTING
FOR THE PROGRAMMATIC API IS IF YOU NEED
TO DO NIGHTLY TESTING WHERE YOU WANT TO BUILD UP AN APP,
GO THROUGH A BUNCH OF AUTHENTICATION AND TESTING,
AND THEN TEAR IT DOWN.
LET ME SHOW YOU WHAT THIS API LOOKS LIKE.
WE'RE GONNA USE A TOOL CALLED GRAPH EXPLORER.
I CAN GET THERE BY GOING TO AKA DOT MS GE
FOR GRAPH EXPLORER.
NOW THIS TOOL IS ABOUT
EXPLORING ALL THE DIFFERENT APIS IN GRAPH.
RATHER THAN HAVING TO WRITE A BUNCH OF CODE,
AND THEN RUN IT LOCALLY, SEE IF THAT MAKES ANY SENSE.
THIS ALLOWS YOU TO PLAY AROUND WITH APIS, SEE THE RESULTS,
AND THEN DECIDE, YEAH, THIS MAKES SENSE FOR MY APP.
SO I'M SIGNED IN WITH MY WORK ACCOUNT HERE.
AND IF YOU WANNA SEE WHAT APIS ARE AVAILABLE
YOU JUST GO TO THIS SHOW MORE SAMPLES
AND SEE THAT I'VE TURNED ON APPLICATIONS BETA HERE.
THAT GIVES ME THE SIDE PANEL
AND WE HAVE ALL THE DIFFERENT APIS, EXAMPLE APIS
THAT YOU CAN RUN.
SEE LISTING AN APPLICATION, CREATING A NEW APPLICATION,
UPDATING, DELETING.
WE'RE GONNA CLICK RETRIEVE THE LIST.
THIS CALLS THE SLASH APPLICATIONS ENDPOINT
WITH A REST GET CALL.
AND IT RETURNS THE JSON RESULT
WHICH HAS ALL OF OUR APPLICATIONS
INCLUDING THE APPLICATION THAT WE JUST REGISTERED EARLIER.
SO IN SUMMARY, THIS GIVES YOU THE MOST FLEXIBILITY.
WHETHER IT'S AN API OR THE PORTAL,
YOU HAVE YOUR CHOICE.
WE RECOMMEND, IF YOU'RE BUILDING YOUR FIRST APPLICATION,
THAT YOU GO TO THE PORTAL
AND GO THROUGH THAT EXPERIENCE FIRST,
AND THEN AS YOU NEED DEVOPS, OR TESTING SCENARIOS,
THEN YOU USE THE API.
WE'VE MENTIONED PERMISSIONS AND CONSENT
BUT LET'S TAKE A DEEPER DIVE INTO WHAT THESE THINGS MEAN.
AS AN APPLICATION DEVELOPER,
YOU REQUEST PERMISSIONS FOR THE DATA
THAT YOUR APPLICATION NEEDS ACCESS TO.
BUT YOU DON'T ACTUALLY GET ACCESS TO THIS DATA
UNTIL A USER OR AN ADMIN GRANTS CONSENT.
CONSENT IS REQUESTED IN THE FORM OF A CONSENT PROMPT
WHICH YOU CAN SEE ON THE RIGHT.
IT CONTAINS A BUNCH OF DATA THAT THE END USER OR ADMIN
CAN USE TO MAKE AN EDUCATED DECISION
ABOUT WHETHER OR NOT THEY WANT TO GRANT CONSENT
TO YOUR APPLICATION.
FOR EXAMPLE, IT HAS THE NAME OF THE APPLICATION
THAT'S REQUESTING ACCESS, ITS LOGO,
ITS TERMS OF SERVICE AND PRIVACY STATEMENT
FOR THE USER TO REVIEW,
AND WHERE THE USER CAN GO IF THEY CHANGE THEIR MIND LATER
AND WOULD LIKE TO REVOKE CONSENT.
WHEN A USER MAKES A DECISION HERE,
ULTIMATELY THE IT ADMIN CAN OVERRIDE THAT DECISION.
THEY CAN CHOOSE TO DISABLE APPS IN THEIR ECOSYSTEM.
WHAT THIS CONSENT PROMPT ALSO HAS
IS A LIST OF REQUESTED PERMISSIONS.
WE'LL TAKE A LOOK AT HOW THE DEVELOPER CAN ACTUALLY
CONFIGURE THESE PERMISSIONS.
IN SUMMARY, CONSENT IS THE BROKER BETWEEN
WHAT THE USER WANTS, WHAT IT WANTS,
AND WHAT THE DEVELOPER IS TRYING TO DO.
SO LET'S TAKE A LOOK AT THE DEVELOPER
AND IT ADMIN EXPERIENCES.
SO WE'RE BACK IN THE PORTAL HERE
AND WE'RE GOING TO LOOK AT THE API PERMISSIONS SECTION.
WE CAN SEE THAT WE'RE ALREADY REQUESTING ACCESS
TO SOME PERMISSIONS BUT WE'LL GO AHEAD
AND REQUEST SOME MORE.
WE'LL CLICK ADD A PERMISSION
AND HERE WE HAVE A VARIETY OF MICROSOFT APIS TO SELECT FROM.
WE CAN ALSO SELECT FROM APIS OUR ORGANIZATION USES
OR OUR OWN APIS.
WE'RE GOING TO SELECT MICROSOFT GRAPH.
NOW WE HAVE A CHOICE BETWEEN DELEGATED PERMISSIONS
AND APPLICATION PERMISSIONS.
DELEGATED PERMISSIONS ARE USED
WHEN THERE'S A SIGNED IN USER PRESENT.
SO FOR EXAMPLE, IF I'M BUILDING A PAYROLL APPLICATION
WHERE MY EMPLOYEES CAN SIGN IN AND SEE THEIR PAYROLL DATA,
I WOULD USE DELEGATED PERMISSIONS.
ON THE OTHER HAND, APPLICATION PERMISSIONS
ARE USED WHEN THE APPLICATION IS RUNNING
AS A BACKGROUND SERVICE.
SO IF I'M BUILDING A PAYROLL PROCESSING APPLICATION
THAT RUNS IN THE BACKGROUND,
I'D USE APPLICATION PERMISSIONS.
FOR OUR PURPOSES, WE'RE GOING
TO SELECT DELEGATED PERMISSIONS
AND REQUEST ACCESS TO READING USERS' CALENDARS.
SO WE'LL NAVIGATE TO THE CALENDARS SECTION
AND WE'LL GO AHEAD AND DIG IN
AND FIND THE CALENDARS DOT READ PERMISSION.
NOTICE HERE THAT IT'S A LOT EASIER TO FIND THE PERMISSIONS
THAT YOU NEED TO REQUEST.
AND YOU CAN SEE A LOT OF DATA ABOUT THE PERMISSIONS.
WE'LL GO AHEAD AND REQUEST THE CALENDARS DOT READ PERMISSION
AND ADD IT TO THE APPLICATION.
WHEN WE DO THAT, IT'S NOW REQUESTED
IN THE TABLE OF PERMISSIONS
AND WE GET A NOTIFICATION THAT PERMISSIONS HAVE CHANGED.
NOW, THIS IS JUST REQUESTING ACCESS TO THESE PERMISSIONS.
BUT LIKE I MENTIONED BEFORE,
A USER OR AN ADMIN ACTUALLY HAS TO GRANT CONSENT
FOR THE APPLICATIONS TO HAVE ACCESS TO THIS DATA.
BECAUSE I'M SIGNED IN WITH AN ADMIN ACCOUNT,
I CAN ACTUALLY GO AHEAD AND GRANT ADMIN CONSENT
FOR MY DIRECTORY.
I'M GOING TO CONFIRM THE ACTION
AND NOW WE CAN SEE THAT ADMIN CONSENT
HAS BEEN GRANTED FOR THESE PERMISSIONS IN MY DIRECTORY.
THAT MEANS WHEN MY CONTOSO USERS SIGN INTO THIS APPLICATION
THEY WILL NOT NEED TO GRANT CONSENT THEMSELVES.
NOW LET'S GO AHEAD AND LOOK AT WHAT THE IT ADMINISTRATOR'S
VIEW LOOKS LIKE.
FOR AN IT ADMINISTRATOR,
WHEN THEY NAVIGATE TO THE ENTERPRISE APPLICATION SECTION
OF AZURE ACTIVE DIRECTORY, IN THE AZURE PORTAL,
THEY SEE A VIEW LIKE THIS
WHERE THEY CAN SEE WHICH PERMISSIONS
HAVE BEEN GRANTED CONSENT BY THEIR USERS.
THEY CAN SEE THIS DATA AND THEY CAN ULTIMATELY CHOOSE
TO REVOKE THE ACCESS OR DISABLE THE APPLICATION
IN THEIR TENANT IF THEY DECIDE THAT IT'S NOT RIGHT FOR THEM.
LET'S TALK ABOUT THE BEST PRACTICES
FOR PERMISSION AND CONSENT.
FIRST UP, YOU WANT TO BUILD APPS WITH LEAST PRIVILEGE.
YOU DON'T WANT TO BE ASKING FOR A BUNCH OF PERMISSIONS
THAT YOUR APPLICATION DOESN'T NEED BECAUSE IT BECOMES A TARGET
FOR MALICIOUS ACTORS TO TRY AND FIGURE OUT
HOW THEY CAN TAKE ADVANTAGE OF THOSE OVER PRIVILEGES.
NEXT IS WHENEVER A USER SIGNS IN,
YOU WANT TO USE USER DELEGATED PERMISSIONS
IN ORDER TO ACCESS THEIR DATA.
LET'S GO BACK TO THE QUICK START.
IN THE QUICK START WE ASKED FOR USER DOT READ.
USER DOT READ IS A USER DELEGATED PERMISSION
THAT ALLOWS THE APP TO ONLY ACCESS THAT USER'S DATA.
THERE IS ALSO WHAT WE CALL AN APP PERMISSION
CALLED USER DOT READ DOT ALL.
IT ALLOWS YOU TO READ ALL USER DATA
INSIDE THE ENTIRE DIRECTORY OF THE ORGANIZATION.
THIS IS DESIGNED FOR SITUATIONS LIKE A BACKGROUND PROCESS
OR A DAEMON APP THAT NEEDS TO PROCESS ALL THE DATA
FOR ALL THE USERS IN THE DIRECTORY
BUT IT'S NOT APPROPRIATE FOR YOUR APP TO USE
IN THE CONTEXT OF A USER THAT IS SIGNED IN.
THE NEXT ONE IS,
HAVE YOU EVER HAD THAT SITUATION
WHEN YOU GET A CONSENT DIALOGUE THAT ASKS FOR 40 PERMISSIONS
AND YOU HAVEN'T EVEN USED THE APP YET?
AND YOU'RE THINKING, DO I SAY YES TO THIS THING?
WHAT IS IT GONNA ACCESS AND WHAT IS IT GONNA DO
WITH ALL THAT DATA?
WELL, WE HAVE DATA SHOWING
THAT CUSTOMERS DON'T LIKE THIS EXPERIENCE.
YOU WANNA BUILD YOUR APPLICATION TO ASK ONLY FOR THE MINIMUM
OF WHAT'S NECESSARY TO GET STARTED
AND SEE VALUE IN YOUR APPLICATION
BEFORE YOU START ASKING FOR PERMISSION AFTER PERMISSION.
AND WHEN YOU ASK FOR PERMISSIONS AFTER THEY'VE INTERACTED
WITH THE APPLICATION,
IT'LL MAKE SENSE TO THEM IN CONTEXT WHY THAT PERMISSION
MIGHT BE NECESSARY
AND THEY'RE MUCH MORE LIKELY TO ACCEPT.
NEXT, REGARDLESS OF WHETHER YOU ASK FOR PERMISSIONS
IN YOUR APPLICATION UP FRONT
OR WHETHER YOU ASK FOR PERMISSIONS
DOWN THE ROAD INCREMENTALLY WITHIN YOUR APPLICATION,
WE WANT YOU TO AGGREGATE ALL OF THE DIFFERENT PERMISSIONS
THAT YOUR APP EVER ASKS FOR
AND CONFIGURE THEM IN THE APP REGISTRATION ON THE PORTAL.
SO WHY DO WE ASK YOU TO DO THIS?
THERE ARE ENTERPRISE AND SCHOOL EXPERIENCES,
ORGANIZATION IT ADMINISTRATOR EXPERIENCES,
WHERE THEY WANT TO PRE-CONSENT YOUR APPLICATION
FOR USE WITHIN THE ORGANIZATION
SO THAT THEIR USERS NEVER SEE A CONSENT SCREEN.
IN ORDER FOR US TO DO THIS SUCCESSFULLY,
WE NEED THE FULL LIST.
THE UP FRONT, THE INCREMENTAL, EVERYTHING,
AND THAT DOESN'T MEAN THAT YOUR APP
GETS ALL OF THOSE PERMISSIONS WHEN IT STARTS.
IT DOESN'T.
IT GETS ONLY THE PERMISSIONS
THAT YOU ASK FOR IN CODE.
AND THE LIST IN THE APP REG PORTAL IS NECESSARY
FOR IT ADMINISTRATORS TO CLICK ONE BUTTON
AND PRE-CONSENT EVERYTHING THAT THE APP WILL EVER ASK FOR.
SO IF YOU FOLLOW THESE BEST PRACTICES
AND THE IT ADMINISTRATOR PRE-CONSENTS THE APP,
USERS IN THAT ORGANIZATION WILL NEVER SEE A CONSENT SCREEN.
ALL OF THESE BEST PRACTICES AND A LOT MORE
ARE AVAILABLE ON OUR IDENTITY PLATFORM CHECKLIST.
THIS IS GREAT FOR MAKING SURE THAT YOUR APP IS READY
TO GET TO PRODUCTION.
SO I MENTIONED, DON'T ASK FOR ALL THE THINGS UP FRONT.
AND YOU MAY BE THINKING, WELL, THAT SOUNDS COMPLICATED.
LET ME SHOW YOU HOW IT LOOKS.
OKAY.
THIS IS THE QUICK START THAT YOU'RE ALL FAMILIAR WITH NOW.
WHAT WE'RE GONNA DO IS WE'RE GONNA ADD ANOTHER BUTTON
CALLED THE SHARE BUTTON.
NOW, LET ME GIVE YOU THE SCENARIO.
YOU WANT TO MAXIMIZE THE VIRAL NATURE OF YOUR APP
AND GET AS MANY OF THE COWORKERS USING IT AS POSSIBLE
SO THAT YOU CAN GO TO YOUR BOSS AND SAY,
LOOK AT WHAT A GOOD JOB I DID.
THE WHOLE ORGANIZATION IS USING THE APP.
SO WE'RE GONNA ADD A SHARE BUTTON.
THIS IS GONNA CALL GRAPH AND REQUEST A LIST
OF ALL THE PEOPLE THAT I WORK WITH
AND ALLOW ME TO SELECT ONE OF THEM
SO I CAN VERY QUICKLY GET EVERYONE ELSE INTO THE APP
THAT I LOVE.
LET'S START WITH THE PERMISSION.
SO WE ASK FOR USER DOT READ UP FRONT.
WE'RE GOING TO ASK FOR
PEOPLE DOT READ DOWN THE ROAD.
AND WE'RE GONNA CALL THIS INC, INCREMENTAL FOR SHORT.
THEN WE NEED ANOTHER ENDPOINT.
SO LET ME TAKE THIS GRAPH ENDPOINT, DUPLICATE IT.
THIS IS GONNA BE THE PEOPLE ENDPOINT.
AND NOW WE'RE GONNA GO TO THAT FUNCTION
WHERE I SHOWED YOU WE CALL ACQUIRE TOKEN SILENT
AND THEN CALL INTERACTIVE.
WE'RE GONNA DUPLICATE IT.
AND I'M SURE YOU COULD DO A MUCH BETTER JOB
OF NOT DUPLICATING SO MUCH CODE.
BUT I'M HACKING AND SLASHING.
SO WE'RE NO LONGER REQUESTING OUR UP FRONT PERMISSIONS.
WE'RE NOW GONNA REQUEST, WHETHER IT'S SILENT OR POP-UP,
WE'RE GONNA ASK FOR OUR INCREMENTAL PERMISSIONS.
AND WE'RE NO LONGER GONNA CALL THE GRAPH ME ENDPOINT,
WE'RE GONNA GO TO THE GRAPH PEOPLE ENDPOINT.
AND NOW, WE NEED TO WIRE UP THIS FUNCTION TO A BUTTON.
SO I'M GONNA COPY THIS.
WE'RE GONNA GRAB, DUPLICATE THIS LINE,
ADD A SHARE BUTTON.
WE'RE GONNA CALL OUR NEW FUNCTION.
SHARE.
AND WHILE I GET THIS RUNNING,
LESHA'S GONNA EXPLAIN EXACTLY WHAT WE EXPECT TO SEE.
SO WE EXPECT THAT WHEN WE SIGN
INTO THIS APPLICATION WE WILL NOT SEE A CONSENT PROMPT
AT FIRST BECAUSE WE'VE ALREADY CONSENTED
TO THOSE PERMISSIONS WHEN SAYID SIGNED IN EARLIER.
HOWEVER WHEN WE CLICK THE SHARE BUTTON
WE'LL EXPECT TO SEE A NEW CONSENT PROMPT
THAT HAS THE ADDITIONAL PERMISSIONS HE'S REQUESTING.
LET'S SEE IF THAT'S WHAT HAPPENS.
I'M JUST GONNA SHOW YOU
THAT THIS WORKS WITH BOTH
PERSONAL ACCOUNTS AND WORK ACCOUNTS.
SO I'M GONNA SIGN IN
AND I GET TO CHOOSE ANY KIND OF IDENTITY.
I'M GONNA CHOOSE MY PERSONAL.
AND THIS IS THE FIRST API CALL.
SO WE ALREADY CONSENTED.
WE NEVER SAW A CONSENT DIALOGUE JUST AS LESHA SAID.
NOW WE'RE GONNA PRESS SHARE.
CROSS YOUR FINGERS THAT I DIDN'T MAKE A MISTAKE.
WE GET THE CONSENT DIALOGUE
BECAUSE WE ARE NOW REQUESTING ACCESS TO READ USERS
THAT ARE RELEVANT TO ME, MY PEOPLE LIST.
SO ALL I HAVE TO DO IS CLICK YES AND AGREE TO THIS
AND NOW WE'VE REQUESTED PERMISSION.
WE'RE ABLE TO CALL THE PEOPLE API AND GET A LIST
OF ALL THE PEOPLE THAT ARE RELEVANT TO ME
NOW THAT I HAVE PERMISSION.
(CLAPPING)
LET'S CONTINUE ON WITH SOME BEST PRACTICES.
FIRST UP, SINGLE SIGN-ON.
NOBODY LIKES TO SEE CONSTANT POP-UPS SAYING SIGN-IN,
SIGN-IN, SIGN-IN.
WELL, WE'VE REALLY MADE THIS SIMPLE.
WE GIVE YOU TWO APIS CALLED,
ONE CALLED ACQUIRE TOKEN SILENT,
AND ONE CALLED ACQUIRE TOKEN.
THIS IS THE COMMON PATTERN THAT YOU WANNA USE
THROUGHOUT YOUR CODE.
IT NOT ONLY GIVES YOU THE BEST SINGLE SIGN-ON EXPERIENCE,
IT ALSO ALLOWS YOU TO HANDLE SITUATIONS
LIKE IT POLICY.
SO ONE OF THOSE SITUATIONS MIGHT BE
IF YOUR IT ADMINISTRATOR HAD SET A POLICY
TO REQUIRE MULTI-FACTOR AUTHENTICATION
WHEN YOU'RE NOT IN THE OFFICE.
SO WHAT WOULD HAPPEN IS,
EVEN THOUGH YOU ARE SIGNED IN,
AND YOU TRY AND ACQUIRE A TOKEN SILENTLY,
IT WOULD FAIL.
YOU WOULD GO TO ACQUIRE TOKEN.
YOU GET AN INTERACTIVE DIALOGUE.
AND THEN YOU WOULD BE ABLE
TO COMPLETE THAT MULTI-FACTOR AUTHENTICATION
IN THAT DIALOGUE AND THEN GET INTO THE APPLICATION.
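Added example, not code from the talk, the quickstart, or MSAL itself: the acquireTokenSilent-then-acquireTokenPopup pattern just described, replayed against the incremental scopes of the earlier Share-button demo (User.Read up front, People.Read on demand). FakeMsalClient is a constructed, in-memory stand-in for an MSAL.js client so the flow runs offline; it encodes one rule the talk states, that a silent request succeeds only for scopes the account has already consented to. The account name is made up, and the error codes treated as "interaction required" (interaction_required, consent_required, login_required) are assumed from MSAL.js's InteractionRequiredAuthError.

```javascript
// Added example, not the quickstart's or MSAL's own code. It shows the control
// flow the talk recommends: try acquireTokenSilent first and only fall back to
// acquireTokenPopup when the error says the user must interact (consent, MFA).
// FakeMsalClient is a constructed stand-in for an MSAL.js client so that the
// flow runs offline; it models one rule from the talk: a silent request succeeds
// only for scopes the account has already consented to.

// Error codes assumed from MSAL.js's InteractionRequiredAuthError; anything else
// is treated as a hard failure rather than a reason to prompt the user.
const INTERACTION_ERRORS = new Set([
  "interaction_required",
  "consent_required",
  "login_required",
]);

class AuthError extends Error {
  constructor(errorCode, message) {
    super(message);
    this.name = "AuthError";
    this.errorCode = errorCode;
  }
}

// In-memory stand-in for the MSAL client: remembers which scopes the signed-in
// account has consented to and counts how often the user was prompted.
class FakeMsalClient {
  constructor(accountId, consentedScopes, options = {}) {
    this.accountId = accountId;
    this.consented = new Set(consentedScopes);
    this.popupCount = 0;
    this.silentError = options.silentError || null; // inject e.g. a network error
  }

  async acquireTokenSilent({ scopes }) {
    if (this.silentError) throw this.silentError;
    const missing = scopes.filter((s) => !this.consented.has(s));
    if (missing.length > 0) {
      throw new AuthError("consent_required", `not consented: ${missing.join(", ")}`);
    }
    return { account: this.accountId, scopes: [...scopes], accessToken: `tok(${scopes.join(" ")})` };
  }

  // Interactive call: the consent prompt is shown and, in this model, accepted.
  async acquireTokenPopup({ scopes }) {
    this.popupCount += 1;
    scopes.forEach((s) => this.consented.add(s));
    this.silentError = null;
    return this.acquireTokenSilent({ scopes });
  }
}

// The pattern itself: silent first, interactive only when interaction is the
// documented remedy. Other errors propagate so a transient failure does not
// spam the user with pop-ups.
async function acquireToken(client, request) {
  try {
    return await client.acquireTokenSilent(request);
  } catch (err) {
    if (err instanceof AuthError && INTERACTION_ERRORS.has(err.errorCode)) {
      return client.acquireTokenPopup(request);
    }
    throw err;
  }
}

// Scopes split the way the talk does: the minimum up front, more on demand.
const upFrontRequest = { scopes: ["User.Read"] }; // sign-in, call /me
const incrementalRequest = { scopes: ["User.Read", "People.Read"] }; // Share button

// Replays the demo: sign-in is silent, the first Share click prompts once,
// and a second Share click is silent again because consent is now recorded.
async function demo() {
  // Constructed account that consented to User.Read during an earlier sign-in.
  const client = new FakeMsalClient("user@contoso.example", ["User.Read"]);

  const signIn = await acquireToken(client, upFrontRequest);
  const popupsAfterSignIn = client.popupCount;

  const share = await acquireToken(client, incrementalRequest);
  const popupsAfterShare = client.popupCount;

  await acquireToken(client, incrementalRequest);
  const popupsAfterSecondShare = client.popupCount;

  return {
    signInScopes: signIn.scopes,
    shareScopes: share.scopes,
    popupsAfterSignIn,
    popupsAfterShare,
    popupsAfterSecondShare,
    consented: [...client.consented].sort(),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((result) => console.log(JSON.stringify(result, null, 2)));
}
```

The acquireToken function is the only part meant to be carried over to real code; it works unchanged against an MSAL.js client because it only relies on the acquireTokenSilent and acquireTokenPopup method names and on the error's errorCode field. The injected-error branch is the detail the talk's pattern implies but does not spell out: a failure that is not an interaction-required error should surface as an error, not as another sign-in prompt.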
SO NEXT UP IS BEST PRACTICES FOR SECURITY.
DON'T TRY AND IMPLEMENT THE PROTOCOL YOURSELF.
WE'VE MADE A SIGNIFICANT INVESTMENT
IN THE MICROSOFT AUTHENTICATION LIBRARY
AND DOT NET MIDDLEWARE
TO MAKE THIS SUPER EASY
WHETHER YOU'RE BUILDING AN ASP NET APP
OR WHETHER YOU'RE BUILDING A CLIENT APP.
AND THESE LIBRARIES WERE BUILT
USING MICROSOFT'S SECURE DEVELOPMENT LIFE CYCLE.
SO TAKE ADVANTAGE OF THEM.
NEXT IS, CLIENTS SHOULD NOT BE INSPECTING ACCESS TOKENS.
CLIENTS SHOULD BE LOOKING INSIDE ID TOKENS
FOR ALL THE INFORMATION THAT THEY NEED
SUCH AS FIRST NAME, LAST NAME.
OR YOU CAN CUSTOMIZE YOUR ID TOKENS
TO CONTAIN ANY INFORMATION THAT THE CLIENT MAY NEED.
ACCESS TOKENS ARE INTENDED TO GO TO THE RESOURCE.
AND IF YOU START HAVING CLIENTS POKING
INTO THE ACCESS TOKENS TO READ INFORMATION
IT PREVENTS YOUR ABILITY TO TAKE ADVANTAGE
OF OTHER FEATURES DOWN THE ROAD
LIKE ENCRYPTING ACCESS TOKENS
TO PROTECT API INFORMATION ONLY INTENDED FOR THE RESOURCE.
DON'T TRY AND CREATE YOUR OWN DATABASE OF USERNAMES
AND PASSWORDS.
IT'S VERY DIFFICULT TO GET RIGHT.
THERE'S SALTING, HASHING, OPERATIONAL SECURITY.
ALL SORTS OF ISSUES TO THINK ABOUT
THAT ARE VERY DIFFICULT TO IMPLEMENT CORRECTLY.
IF YOU DO NEED TO BUILD AN APPLICATION
THAT SIGNS IN YOUR CUSTOMERS
WITH A USERNAME AND PASSWORD THAT THEY CREATE
OR AN EMAIL PASSWORD THAT THEY CREATE
WE HAVE A GREAT PRODUCT CALLED AZURE AD B2C
AND MSAL WORKS GREAT WITH IT.
APPS SHOULD NEVER HANDLE RAW PASSWORDS.
THERE IS A FLOW SUPPORTED BY LIBRARIES
CALLED RESOURCE OWNER PASSWORD CREDENTIALS GRANT.
IT'S THERE FOR SOME SCENARIOS WHERE IT MAKES SENSE
SUCH AS TESTING.
IF YOU NEED AUTOMATED TESTS THAT SIGN IN A USER,
THIS IS A GREAT FLOW.
BUT YOU SHOULD NEVER USE IT IN YOUR PRODUCTION APPS
INTENDED FOR END USERS.
AND THERE'S A COUPLE OF REASONS WHY.
ONE IS YOUR APP BECOMES A TARGET FOR MALICIOUS ACTORS
IF YOU'RE HANDLING RAW TOKENS.
SO IT BECOMES A WEAK LINK IN THE END TO END SECURITY
AND REMEMBER IF YOU HAVE YOUR PASSWORD,
YOUR CONSENT DIALOGUES ARE NOT GONNA STOP
AN APP FROM ACCESSING DATA.
THE OTHER IS THIS REALLY ALLOWS YOU TO TAKE ADVANTAGE
OF ALL THE FUTURE INNOVATION THAT COMES FROM PASSWORDLESS
AND FROM MULTI-FACTOR AUTHENTICATION.
IF YOU'RE USING RAW USERNAME AND PASSWORD
YOU WON'T BE ABLE TO TAKE ADVANTAGE OF THIS.
ALL OF THESE BEST PRACTICES AND MANY MORE
ARE AVAILABLE ON OUR IDENTITY PLATFORM CHECKLIST.
AND THIS IS A GREAT CHECKLIST TO GO THROUGH
ONCE YOU'RE READY TO START MOVING YOUR APP TO PRODUCTION
TO MAKE SURE YOU'VE GOT EVERYTHING TAKEN CARE OF.
LET'S TALK ABOUT BEST PRACTICES FOR UPDATING
TO THE MICROSOFT AUTHENTICATION LIBRARY.
FIRST OFF, WE WANT YOU TO WRITE ALL OF YOUR NEW APPS
TAKING ADVANTAGE OF THE MICROSOFT IDENTITY PLATFORM
AND THE MICROSOFT AUTHENTICATION LIBRARIES.
ALL FUTURE INNOVATION IS GONNA HAPPEN ON THE NEW STACK
AND YOU WANT TO BE ON THE NEW STACK
TO TAKE ADVANTAGE OF THIS.
IF YOU HAVE APPS THAT WERE DEVELOPED
FOR AZURE ACTIVE DIRECTORY FOR DEVELOPERS
USING OUR AZURE ACTIVE DIRECTORY LIBRARY, OR ADAL,
WE'D LIKE YOU TO UPDATE TO THE LATEST VERSION
OF ADAL AND HERE'S WHY.
WE MADE A SIGNIFICANT INVESTMENT IN ADAL AND IN MSAL
TO MAKE SURE THAT YOUR PORTFOLIO OF ADAL AND MSAL APPS
GET GREAT SINGLE SIGN-ON EXPERIENCES TOGETHER.
THEY HAVE CAPABILITIES TO READ AND WRITE
FROM A UNIVERSAL CACHE.
IN ORDER TO TAKE ADVANTAGE OF THIS
YOU WANT TO UPDATE YOUR ADAL APPS TO LATEST VERSION
OF ADAL EVEN IF YOU'RE NOT READY
TO MOVE THEM TO THE MICROSOFT AUTHENTICATION LIBRARY.
AND LASTLY, WE'RE NOT RIPPING THE RUG OUT
FROM UNDERNEATH YOU.
UPDATE YOUR APPS TO THE MICROSOFT AUTHENTICATION LIBRARY
WHEN YOU SEE VALUE.
AND WHEN YOU DO, THE APPS THAT WERE PREVIOUSLY BUILT
USING ADAL WILL AUTOMATICALLY KEEP THAT USER SIGNED IN
WHEN THAT USER SIGNS IN WITH MSAL.
I MENTIONED EARLIER,
THAT THE MICROSOFT IDENTITY PLATFORM
IS AN EVOLUTION OF AZURE ACTIVE DIRECTORY FOR DEVELOPERS.
TO DEMO THIS, WE NEED AN API THAT WAS PROTECTED
USING AZURE ACTIVE DIRECTORY FOR DEVELOPERS.
WE HAVE A TO-DO LIST APPLICATION THAT YOU MAY
BE FAMILIAR WITH BECAUSE IT'S ALL OVER OUR SAMPLES.
IT HAS A CLIENT AND A SERVER.
THE CLIENT IS STATELESS,
IT JUST SIGNS THE USER IN
AND THE SERVER KEEPS TRACK OF TO-DO LIST ITEMS
FOR THE SIGNED IN USER.
WE'RE GOING TO USE THIS SAMPLE
TO DEMO CALLING A DIVERSE SET OF APIS.
OKAY.
SO WHAT WE HAVE IS THIS IS THE SERVICE
RUNNING IN THE BACKGROUND.
IN ORDER TO CALL THE SERVICE YOU NEED AN ACCESS TOKEN
SO IT'S NOT ABLE TO SHOW RETURNING DATA
WITHOUT A CLIENT THAT'S CONFIGURED TO DO THAT.
SO LET ME SHOW YOU THE CLIENT.
IN THE CLIENT, I'M SIGNED IN, I AUTOMATICALLY
GOT SINGLE SIGN-ON.
AND AS I ENTERED MY TO-DO LIST ITEMS HERE
THEY'RE SENT TO THE SERVER.
SO THE CLIENT IS STATELESS.
IT'S SENDING ALL OF THIS TO THE SERVER
AND I HAVE A LIST OF TO-DO ITEMS
THAT IS ASSOCIATED TO ME AND NO-ONE ELSE.
GREAT.
SO THIS WAS BUILT
USING AZURE ACTIVE DIRECTORY FOR DEVELOPERS.
THE API WAS PROTECTED USING ASP DOT NET.
BUT GOING TO OUR V ONE ENDPOINT
AND THE CLIENT APPLICATION WAS BUILT USING ADAL.
NOW, YOU'VE GOT THIS EXISTING INVESTMENT
AND YOUR BOSS COMES TO YOU WITH A NEW IDEA
AND SAYS, HEY, WE'RE DOING A CONFERENCE
AND WE REALLY NEED A KIOSK.
AND YOU SAY, OKAY, GREAT,
SOUNDS LIKE AN OPPORTUNITY TO TAKE ADVANTAGE OF MSAL.
THIS KIOSK, WHEN YOU WALK UP TO IT, YOU NEED
TO BE ABLE TO SIGN IN AND SEE YOUR LIST OF TO-DO ITEMS.
BUT THERE'S ONE PROBLEM.
THIS KIOSK HAS NO KEYBOARD.
WELL, SINCE MSAL DOT NET IS NOW A TRUE SUPERSET
OF THE CAPABILITIES THAT EXISTED IN ADAL DOT NET,
YOU HAVE ACCESS TO THE FULL RANGE OF AUTHENTICATION FLOWS
INCLUDING A FLOW CALLED DEVICE CODE FLOW.
DEVICE CODE FLOW ALLOWS YOU TO GENERATE A URL
WHICH CAN BE TURNED INTO A QR CODE.
AND YOU SIGN IN USING THAT URL OR QR CODE
ON YOUR MOBILE DEVICE, WHICH YOU ARE PROBABLY
ALREADY SIGNED INTO.
THEN YOU COMPLETE THE FLOW ON THE PHONE
AND YOU SIGN IN AND THAT KIOSK WILL BE SIGNED IN AS WELL.
SO LET'S GO DOWNLOAD A SAMPLE
AND SEE HOW THIS WORKS.
SO THIS IS ONE OF THE MSAL DOT NET SAMPLES
THAT WE HAVE ON GITHUB.
SO IF YOU GO TO GITHUB FORWARD SLASH AZURE DASH SAMPLES
YOU'LL FIND A BUNCH OF DIFFERENT MSAL DOT NET SAMPLES.
THIS IS ONE OF THEM.
AND I MADE JUST SOME MINOR MODIFICATIONS
IN ORDER TO CALL MY TO-DO LIST SERVICE.
AND I'M GONNA WALK YOU THROUGH THOSE CHANGES.
SO FIRST IS I HAD TO ASK FOR PERMISSION TO ACCESS THE DATA.
WELL,
IN AZURE ACTIVE DIRECTORY FOR DEVELOPERS
A VERY COMMON PATTERN WAS TO ASK FOR PERMISSION
TO ACCESS A SERVICE URI AS THE USER,
OR IT'S CALLED THE USER IMPERSONATION.
IT BASICALLY ALLOWS YOU, AS A SIGNED-IN USER
TO ACCESS ALL DATA BEHIND A PARTICULAR SERVICE.
SO I'M GONNA SHOW YOU IN THE APP REGISTRATION PORTAL
WHAT THAT LOOKS LIKE.
WE HAVE TWO APPS REGISTERED.
ONE IS THE SERVICE AND ONE IS THE CLIENT.
ONE OF THE KEY DIFFERENCES OF THE PLATFORM
THAT EXISTED BEFORE, AZURE ACTIVE DIRECTORY FOR DEVELOPERS,
IS THAT YOU NEEDED A SEPARATE APP REGISTRATION
FOR ALL THE DIFFERENT APPS IN YOUR ECOSYSTEM.
THAT'S NO LONGER NECESSARY.
YOU CAN NOW USE ONE APP FOR EVERYTHING.
SO WE COULD COLLAPSE THESE IF WE WANTED TO.
BUT THERE ARE SOME ADVANTAGES
OF HAVING TWO SEPARATE APP REGISTRATIONS IN THIS SCENARIO.
IMAGINE YOU WANTED AN API
THAT HAS ITS OWN LOGICAL ENTITY THAT CAN BE ACCESSED
FROM A WIDE VARIETY OF CLIENTS.
SOME FROM YOUR COMPANY AND SOME FROM SOME OTHER COMPANY.
IT MAY MAKE SENSE TO KEEP THESE SEPARATE.
WE'RE GONNA GO INTO THE SERVICE
AND THIS IS THE API THAT'S EXPOSED.
SO WE'RE GONNA GO INTO EXPOSE AN API
AND WE'RE GONNA LOOK AT THE PERMISSION.
SO THIS IS JUST A DEFAULT PERMISSION
THAT WAS CREATED WHEN WE CREATED THIS APP A LONG TIME AGO
CALLED USER IMPERSONATION.
AND IT BASICALLY ALLOWS THE USER TO DO EVERYTHING.
READ OR WRITE OR ANYTHING THAT HE WANTS TO DO
WITH THE TO-DO SERVICE.
AND IF WE GO BACK TO THE APP REGISTRATION FOR THE CLIENT
AND WE GO TO API PERMISSIONS THAT THIS APP HAS REQUESTED
YOU'LL SEE THAT LISTED RIGHT HERE
IS THE TO-DO LIST SERVICE AND THE USER IMPERSONATION.
SO NOW WE WANT TO BUILD OUR KIOSK APPLICATION
ON MSAL DOT NET.
DO WE NEED AN APP REGISTRATION?
WELL, WE CAN ACTUALLY USE THIS ONE.
EVEN THOUGH THIS APP IS WORKING TODAY AND RUNNING
WITH ADAL WE DON'T NEED TO MAKE ANY MODIFICATIONS TO IT.
WE CAN REUSE THE SAME APP ID WITH OUR MSAL APP.
SO I'LL GRAB THE APPLICATION ID.
AND YOU CAN SEE THAT I'M USING THE SAME APPLICATION ID HERE
AND WE'VE SET UP,
I'VE CHANGED THE ENDPOINT
TO BE OUR TO-DO LIST ENDPOINT.
AND I'VE SET UP THE SCOPE.
SO IN MICROSOFT IDENTITY PLATFORM SCOPES ARE HUMAN READABLE
AND LEAST PRIVILEGE.
SCOPES THAT EXISTED PRIOR
FOR AZURE ACTIVE DIRECTORY FOR DEVELOPERS
WERE A SERVICE ENDPOINT FOLLOWED BY A HUMAN READABLE
LEAST PRIVILEGE SCOPE.
SO WE ACTUALLY HAVE TO CONCATENATE THEM
IN ORDER TO BE ABLE TO CALL THIS API.
THIS IS THE PERMISSION I NEED TO ASK FOR.
THIS IS THE PATTERN TO USE WHEN WRITING AN MSAL APP
THAT ACCESSES AN API PROTECTED WITH THE V ONE.
AND THE SAME PATTERN APPLIES HERE.
WE TRY AND ACQUIRE TOKENS SILENTLY.
WHEN WE CAN'T, THEN WE GO THROUGH DEVICE CODE FLOW
AND WE'RE JUST GONNA PRINT OUT THE URL.
AND THEN THE ONLY OTHER CHANGES I MADE
WERE VERY COSMETIC.
I PULLED IN THE TO-DO LIST CLASS
AND I NOW HAVE A DISPLAY FUNCTION
TO DISPLAY MY TO-DO LIST ITEMS.
OTHER THAN THAT I REALLY DIDN'T MODIFY THIS EXAMPLE AT ALL.
SO LET'S GO AHEAD AND RUN THIS.
I THOUGHT ABOUT THROWING UP A QR CODE FOR EVERYONE
AND HAVING A RACE TO SEE WHO COULD SIGN IN FIRST.
BUT THEN THE REAL TEST WOULD'VE BEEN
TO SEE IF THEY WERE FOOLISH ENOUGH
TO ACCEPT THE CONSENT DIALOGUE
AND HAVE THEIR INFORMATION DISPLAYED ON THE BIG SCREEN.
OKAY, SO I'M SIGNING IN.
I WANNA GET THESE SIDE-BY-SIDE SO YOU GET TO SEE IT.
I GET SINGLE SIGN-ON EXPERIENCE
'CAUSE I'M ALREADY SIGNED IN.
I'M GONNA SELECT THIS ACCOUNT.
THERE'S MY TO-DO LIST.
(CLAPPING)
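The pattern the demo walks through (reuse the existing app ID, build the scope as the v1 service's App ID URI concatenated with its least-privilege scope name, try a silent token acquisition first, and fall back to device code flow) as an added MSAL.NET example; this is not the talk's sample code, and the client ID and service App ID URI are placeholders.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not the Azure-Samples code shown in the demo.
public static class KioskAuth
{
    // Placeholder: the application ID reused from the existing ADAL app registration.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";

    // Placeholder: the App ID URI of the To-Do List service registered on the v1 endpoint.
    private const string ServiceAppIdUri = "https://contoso.onmicrosoft.com/TodoListService";

    // For an API registered on v1, the MSAL scope is the service URI followed by
    // the scope name, so "user_impersonation" must be concatenated onto the URI.
    public static string[] Scopes => new[] { $"{ServiceAppIdUri}/user_impersonation" };

    public static async Task<string> GetAccessTokenAsync()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "organizations")
            .Build();

        // First try silently: the cache may already hold a token or refresh
        // token for an account that signed in earlier, giving single sign-on.
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            AuthenticationResult silent =
                await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            return silent.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token (or no account at all): fall back to device
            // code flow. The kiosk only prints the URL and code; the user completes
            // sign-in and consent on another device.
            AuthenticationResult result = await app
                .AcquireTokenWithDeviceCode(Scopes, deviceCode =>
                {
                    Console.WriteLine(deviceCode.Message);
                    return Task.CompletedTask;
                })
                .ExecuteAsync();
            return result.AccessToken;
        }
    }
}
```

The returned access token is then sent as a bearer token to the To-Do List endpoint, exactly as the ADAL version of the client did.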
ALL RIGHT LET'S TALK ABOUT SOME OF THE RELEASES AND ROADMAP.
THANK YOU
TO EVERYONE WHO PROVIDED FEEDBACK
WHILE THE APP REGISTRATION EXPERIENCE WAS IN PREVIEW.
I'M HAPPY TO ANNOUNCE
THAT THE NEW APP REGISTRATION EXPERIENCE
IN THE AZURE PORTAL IS NOW GENERALLY AVAILABLE.
YOU CAN ACCESS IT AT AKA DOT MS SLASH APP REGISTRATIONS.
WE ARE TARGETING GA OF THE APPLICATION API
IN MICROSOFT GRAPH BY IGNITE 2019.
AND I'M HAPPY TO ANNOUNCE
THAT MICROSOFT AUTHENTICATION LIBRARY DOT NET
AND JS ARE NOW GA.
YOU CAN FIND ALL THE SAMPLES AND DOCS FOR MSAL DOT NET
ALREADY POINTING TO THE GA LIBRARY.
AND FOR MSAL DOT JS YOU'LL SEE THE SAMPLES
AND DOCUMENTATION POINTING TO THE GA LIBRARY
BY THE TIME YOU GET BACK TO YOUR OFFICE NEXT WEEK.
WE'VE ALSO MADE A LOT OF PROGRESS ON MSAL ANDROID
AND MSAL IOS.
THESE ARE FEATURE-COMPLETE LIBRARIES.
BUT THEY HAVE A DEPENDENCY ON AUTHENTICATOR APP
AND COMPANY PORTAL THAT'S GOING TO BE ROLLING OUT
IN THE COMING MONTH TO ENABLE SOME ENTERPRISE SCENARIOS
WHERE YOU NEED TO DO MOBILE DEVICE MANAGEMENT.
SO IT'S GA, WE WANT YOU TO BUILD AN APP.
WHO'S BETTING ON IT WITHIN MICROSOFT?
LET'S TALK ABOUT VISUAL STUDIO 16.1 PREVIEW,
AS WELL AS THE DEV TOOLS.
SO CLI, POWERSHELL, AND THE REST.
ALL OF THESE HAVE ALREADY INTEGRATED WITH MSAL
AND THEY'RE BENEFITING FROM SINGLE SIGN-ON EXPERIENCES
ACROSS ALL OF THESE.
IF YOU'D LIKE TO SEE A DEMO OF THIS AMANDA
HAS A SESSION LATER TODAY
WHERE THEY SHOW ALL OF THE DEV TOOLS
SIGNED IN AND GETTING FULL SINGLE SIGN-ON EXPERIENCE
AT CROSS TOP.
NEXT, IN THE DEMO THIS MORNING AT THE RAJESH KEYNOTE,
ASHIMA SHOWED THE AUTHENTICATOR APP.
THIS IS USING MSAL AND I JUST SHOWED GRAPH EXPLORER.
THIS IS USING MSAL JS.
WE ALSO HAVE APIS WITHIN MICROSOFT THAT ARE TAKING ADVANTAGE
OF THE MICROSOFT IDENTITY PLATFORM TO SECURE THEIR API.
THIS INCLUDES MICROSOFT ADVERTISING
AS WELL AS MICROSOFT GRAPH.
WE WANT YOU TO BUILD YOUR NEXT APPLICATION
ON THE MICROSOFT IDENTITY PLATFORM.
SO MICROSOFT IS USING THAT, THAT'S GREAT.
BUT DO WE HAVE ANY CUSTOMERS AT SCALE?
AT SCALE?
HEY, YOU SIR, LOOKS LIKE YOU'RE READING YOUR EMAIL
ON YOUR IOS DEVICE?
APPLE IS PROVIDING A CONSISTENT USER EXPERIENCE
FOR ALL MICROSOFT IDENTITIES,
REDUCING DEVELOPER COMPLEXITY
AND REDUCING SUPPORT COSTS
FOR SIGNING IN WITH MICROSOFT IDENTITIES
ON APPLE DEVICES.
LET'S TALK ABOUT CERTIFICATIONS.
WE'RE ON A MISSION TO ELIMINATE PASSWORDS
AND WE'RE HAPPY TO ANNOUNCE THAT WINDOWS HELLO
IS A FIDO2 CERTIFIED AUTHENTICATOR.
WE ARE ALSO COMMITTED TO STANDARDS COMPLIANCE.
SO I'M ALSO HAPPY TO ANNOUNCE
THAT THE MICROSOFT IDENTITY PLATFORM ENDPOINT
IS NOW OPENID CONNECT CERTIFIED.
LASTLY, LET'S TALK ABOUT NEXT STEPS.
YOU CAN HEAD OVER TO AKA DOT MS SLASH IDENTITY PLATFORM
TO GET STARTED WITH OUR DOCUMENTATION.
WE ALSO HAVE PUBLIC OFFICE HOURS
THAT HAPPEN EVERY TWO WEEKS ON THURSDAYS.
SO YOU CAN JOIN THOSE TO GET FEEDBACK
AND GET YOUR QUESTIONS ANSWERED.
SORRY, GIVE FEEDBACK.
WE ALSO HAVE A VIBRANT STACK OVERFLOW COMMUNITY.
SO YOU CAN GO THERE, POST YOUR QUESTIONS,
AND TAG IT WITH MICROSOFT IDENTITY PLATFORM.
THAT'S IT FOLKS, FOR REAL THIS TIME.
(CLAPPING)
