Today we are excited to announce the Developer Preview of Windows Azure Active Directory.
As John Shewchuk discussed in his blog post Reimagining Active Directory for the Social Enterprise, Windows Azure Active Directory (AD) is a cloud identity management service for application developers, businesses and organizations. Today, Windows Azure AD is already the identity system that powers Office 365, Dynamics CRM Online and Windows Intune. Over 250,000 companies and organizations use Windows Azure AD today to authenticate billions of times a week. With this Developer Preview we begin the process of opening Windows Azure AD to third parties and turning it into a true Identity Management as a Service.
Windows Azure AD provides software developers with a user-centric cloud service for storing and managing user identities, coupled with a world-class, secure, standards-based authorization and authentication system. With support for .Net, Java and PHP, it can be used on all the major devices and platforms software developers use today.
Just as important, Windows Azure AD gives businesses and organizations their own cloud-based directory for managing access to their cloud-based applications and resources. Windows Azure AD also synchronizes and federates with their on-premises Active Directory, extending the benefits of Windows Server Active Directory into the cloud.
Today’s Developer Preview release is the first step in realizing that vision. We’re excited to be able to share our work here with you and we’re looking forward to your feedback and suggestions!
The Windows Azure AD Developer Preview provides two new capabilities for developers to preview:
- Graph API
- Web Single Sign-On
This Preview gives developers early access to new REST APIs, a set of demonstration applications, a way to get a trial Windows Azure AD tenant and the documentation needed to get started. With this preview, you can build cloud applications that integrate with Windows Azure AD providing a Single Sign-on experience across Office 365, your application and other applications integrated with the directory. These applications can also access Office 365 user data stored in Windows Azure AD (assuming the app has the IT admin and/or user’s permission to do so).
As John Shewchuk discussed in his last blog post, the Graph API brings the enterprise social graph contained in Windows Azure AD and Office 365 (and thus Windows Server AD as well) to the Internet and creates an opportunity for a breadth of new collaborative applications to be created.
In this Preview we have released the following features:
- Graph API REST interface (and metadata endpoints) that provides a large set of APIs to read the data in Windows Azure AD (for a detailed list of the data available in the Preview, see the documentation linked below)
- PowerShell cmdlets to grant an application read access to a tenant’s Windows Azure AD
- OData support for quick integration with Visual Studio and other Microsoft technologies
- Detailed code walkthroughs for .Net that demonstrate how to call the Graph API from your application
You can get started using the Graph API here:
- Windows Azure AD Graph Explorer (hosted in Windows Azure)
- Windows Azure AD People Picker Source Code
For more detailed information on the Windows Azure AD Graph API, visit our MSDN page on the topic here.
Please note that this is a preview release. The APIs and features will certainly change between now and our official release. Today the Graph API offers read-only capabilities, and only a subset of the Windows Azure AD data is available at this time. Over the coming months, we’ll deliver additional updates which will add more data, additional OData filters, role-based access control, and support for write operations.
Web Single Sign-On
To support this preview release of the Graph API, we are also releasing a preview of the SSO capabilities of Windows Azure AD. This set of capabilities makes it easy to build cloud applications that deliver a Single Sign-On (SSO) experience for users logging on to their domain-joined PCs, on-premises servers and other cloud applications like Office 365. With SSO in Windows Azure AD, businesses and organizations can easily manage user access to cloud applications without the additional cost and hassle of having to acquire and manage new user credentials.
For this Preview release, we provide the following features:
- STS metadata endpoints to integrate Windows Azure AD into your application
- Support for the WS-Federation protocol with SAML 2.0 tokens
- PowerShell cmdlets to configure a Windows Azure AD tenant to do SSO with your application
- Detailed code walkthroughs for PHP, Java, and .Net that demonstrate how to add SSO to your application
Over the coming months we will release updates which broaden our protocol coverage to support authentication protocols commonly used on the internet, including the SAML 2.0 protocol.
You can access code samples and demonstration applications from the following links:
Putting It All Together: The Windows Azure AD Expense Demo App
To provide an example of the power of Windows Azure AD, we have developed a sample expense reporting application that uses Web SSO and the Graph API to provide a seamless sign-on and management experience for Office 365 customers.
This application will be updated as the platform improves, so feel free to download the sample application and provide feedback and updates on the progress.
- Windows Azure AD QuickStart Application (hosted in Windows Azure)
- Windows Azure AD QuickStart Application source
Get Started and Get Involved
Your feedback and input is critical to us and will help us make sure we’re delivering the right capabilities and the right developer experience as we build out the Windows Azure AD platform.
Today we are releasing some great material to get you started on using the Developer Preview of Windows Azure AD:
- Access our Windows Azure AD MSDN Forums here.
- Java, PHP, and .Net code samples on GitHub.
- A sample application built in Windows Azure that demonstrates what’s possible with Windows Azure AD using all of these technologies, available for download from GitHub here.
- Vittorio Bertocci’s blog post with a deep dive into creating a Windows Azure AD integrated application.
- Kirk Cameron's blog post on SCIM and Graph.
- Brandon Werner’s blog post on the Windows Azure AD Expense Demo Application.
These are all great resources for understanding how to access Windows Azure AD using the new APIs, learning about the capabilities they offer, and learning how to enable SSO in your web-based applications.
Some Things We Know We Need To Work On
Again, this is a very early preview, so as you use the demo application and code samples you will run into a few issues we are already working on fixing. I wanted to call them out so that you can get up to speed faster.
Tenant Admins Must Use PowerShell to Authorize an Application
During this Preview release, we rely on the Microsoft Online Services Module for Windows PowerShell (updated for this Preview release) as the tool for administrators to enable applications to work with their Windows Azure AD tenant. We have created a PowerShell script that automates much of this work for the admin in our documentation samples, but we are aware of the limitation of this approach and are working to provide a graphical authorization interface in a future release.
Audience URI Varies Based on Tenant and is in spn: Format
When the Developer Preview of Windows Azure AD issues a SAML 2.0 token for an application, the audience URI in the token includes the identifier of the application and the identifier of the tenant, instead of just the identifier of the application. For a Windows Identity Foundation-based application to handle this tenant-varying audience URI, extension code to WIF is required, and has been supplied in the web SSO samples. In addition, the audience URI is in spn: format instead of being the more familiar URL of the application. We are working to simplify this format in a future update.
SAML Token has no AuthenticationStatement
SAML 2.0 tokens issued by the preview do not include an AuthenticationStatement. Some federation software implementations may require the AuthenticationStatement to be present in the token, and may not interoperate with the preview release.
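As an added example (not code from this post or from Microsoft's samples), the following Python check shows how a relying party can handle the two preview behaviours described above: the tenant-varying spn: audience URI and the absent AuthenticationStatement. It assumes the audience layout spn:<app-id>@<tenant-id> (the post only says the value is in spn: format and contains both identifiers), uses constructed sample values, and assumes the token's XML signature has already been verified by the framework.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real token). Like the preview tokens
# described above, it carries an "spn:" audience and no AuthnStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2012-07-12T00:00:00Z">
  <saml:Issuer>https://sts.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>user@contoso.example</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>spn:app-0001@tenant-1111</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def parse_spn_audience(audience):
    """Split an audience URI into (app_id, tenant_id), or None if it does not fit.
    ASSUMPTION: the layout is 'spn:<app-id>@<tenant-id>'; the post only says the
    value starts with 'spn:' and contains both identifiers."""
    if not audience.startswith("spn:"):
        return None
    app_id, sep, tenant_id = audience[len("spn:"):].partition("@")
    if not sep or not app_id or not tenant_id:
        return None
    return app_id, tenant_id


def validate_assertion(xml_text, expected_app_id, allowed_tenants,
                       require_authn_statement=True):
    """Return (ok, tenant_id, reason). Checks audience and AuthnStatement only;
    the XML signature is assumed to have been verified already by the framework.
    The tenant must be one this application has explicitly onboarded: accepting
    any tenant that names our app id would let users of unrelated directories in."""
    root = ET.fromstring(xml_text)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    for node in root.findall(path, SAML_NS):
        parsed = parse_spn_audience((node.text or "").strip())
        if parsed and parsed[0] == expected_app_id and parsed[1] in allowed_tenants:
            tenant_id = parsed[1]
            break
    else:
        return False, None, "audience does not name this app and an allowed tenant"
    # In SAML 2.0 XML the element is saml:AuthnStatement (the post calls it
    # AuthenticationStatement); preview tokens omit it, so the check is optional.
    if require_authn_statement and root.find("saml:AuthnStatement", SAML_NS) is None:
        return False, tenant_id, "missing AuthnStatement"
    return True, tenant_id, ""
```

Run against the sample with require_authn_statement left at its default, the check fails exactly as a strict federation library would on a preview token; relaxing that flag accepts the token only when both the app id and an onboarded tenant match.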
We're far from done, and have a lot of work left to do. Your feedback and suggestions will play a big role in helping us figure out what the right work to do is. We’re looking forward to hearing from you and sharing additional updates with you in the coming months as we continue to evolve Windows Azure AD!
Director of Program Management
Active Directory Division