[Shupps] Introduction to Azure Web Applications for Office and SharePoint Developers
Download as PPTX, PDF0 likes426 views
The document provides an overview of Azure web applications, including security, configuration, and deployment for single-tenant and multi-tenant architectures. It discusses authentication mechanisms, token management, permission types, and necessary components for creating a multi-tenant Azure application. Additional resources and links for further exploration are also included.
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Developers
- 1. INTRODUCTION TO AZURE WEB APPLICATIONS Eric Shupps Office Servers and Services MVP
- 2. DIAMOND, PLATINUM AND GOLD SPONSORS
- 3. About Me @eshupps sharepointcowboywww.sharepointcowboy.com slideshare.net/eshupps linkedin.com/in/eshupps Eric Shupps Office Servers & Services MVP
- 5. INTRODUCTION
- 6. ACHTUNG! Diese Sitzung entspricht nicht der DSGVO. Bitte verlassen Sie jetzt, wenn Sie nicht bemerkt werden möchten. Wir versprechen zu vergessen, dass du jemals hier warst.
- 9. MODEL
- 11. Scope • Single-tenant • Bound to single AD domain • Cannot be accessed by other domains • Simplified authorization model • Multi-tenant • Owned by single authorizing domain • Accessible by any Azure AD domain • Authorized by Azure admin for individual domains • App owner must manage tenant registration
- 12. SECURITY
- 14. Authentication • Authenticate via Azure sign-in page • Developers cannot modify login experience • User interface is suboptimal • Single sign-on with O365 and other Azure resources • Access to resources requires permission definition • OAuth tokens for O365 and other resources • POST to app with user/tenant details • Context • Explicit per endpoint • App launcher in O365 • Users notified of app availability in alerts
- 15. Authorization Flows Authorization Exchange authorization codes for access tokens Refresh tokens enable long-lived sessions Designed for native clients and server- side API’s Client Credential Requires app authorization consent from administrator Shared secrets or certificates used to request tokens Designed for service apps and server-to- server scenarios Implicit Retrieve access tokens directly from single endpoint No refresh tokens (local session management only) Designed for SPA's (requires manifest modification)
- 16. Authorization • Multi-tenant • Manifest: oauth2AllowImplicitFlow = true (SPA, JavaScript) • Token and authorization endpoints • Tenant ID = “common” for multi-tenant • WSFED “common” endpoint • Consent • Non-customizable consent page in MSFT domain GET: https://login.microsoftonline.com/common/oauth2/authorize?client_id={client ID}& response_type=token&redirect_uri={redirect URI}
- 17. Token Management • Use authorization/request tokens to obtain short-lived access tokens • Include access tokens in resource calls • Store refresh tokens to obtain new access tokens upon expiration • Track tokens by tenant (multi-tenant), app or user • Force token expiration to prompt authentication • Utilize client secret only in confidential client apps
- 18. Token Configuration Property Policy String Affects Default Minimum Maximum Access Token Lifetime AccessTokenLifetime Access tokens, ID tokens, SAML 2 tokens 1 hour 10 minutes 1 day Refresh Token Max Inactive Time MaxInactiveTime Refresh tokens 90 days 10 minutes 90 days Single-Factor Refresh Token Max Age MaxAgeSingleFactor Refresh tokens (for any users) Until revoked 10 minutes Until revoked Multi-Factor Refresh Token Max Age MaxAgeMultiFactor Refresh tokens (for any users) Until revoked 10 minutes Until revoked Single-Factor Session Token Max Age MaxAgeSessionSingle Factor Session tokens (persistent and non- persistent) Until revoked 10 minutes Until revoked Multi-Factor Session Token Max Age MaxAgeSessionMultiF actor Session tokens (persistent and non- persistent) Until revoked 10 minutes Until revoked Reference: http://bit.ly/2IUuJNo
- 19. Permissions • Types • Application • Delegated • Administrative Level • Minimum: “Sign in and read user profile” • Beware permission level restrictions • Resources • Exchange Yammer AzureAD • SharePointOnline Power BIAzure Management • O365 Management Skype
- 20. Consuming SharePointAPI’s • App-only access tokens • Client ID and Client Secret • Certificate exchange • PowerShell https://bit.ly/2JB8Uzc • appregnew.aspx & appinv.aspx https://bit.ly/2HCDHLx • Permission Scope • Administrative Consent
- 22. DEMO Creating a Sample AzureWeb Application
- 23. Configuration • Name • Sign-On URL • Logo • Multi-tenant • Client ID • User Assignment • Keys • App ID URI • Reply URL • Permissions MANIFEST
- 24. Multi-Tenant Requirements • Visual Studio templates are incomplete • What you need to make multi-tenant work: • Database • Tenants, IssuingAuthorityKeys, SignupTokens • Registration Module • XML Response Parser • Tenant and User Information • AuthTokens • Federation, Realm and Identity Configuration • HTTPS Redirection • Sign-In Page (optional)
- 25. DEMO Configuring a Multi-Tenant Azure Application
- 26. DEPLOYMENT
- 27. Deployment • AD Apps • SSL • DNS • SSO • Permissions • Multi-tenant Configuration •Servers, Networking,Authentication,Admin Access •AzureAD Premium* Resources • AdminAuthorization • User/GroupAssignment* Distribution