ECS 2018: Introduction to Azure Web Applications
Download as PPTX, PDF0 likes260 views
This document provides an introduction to creating and configuring Azure web applications. It discusses the model for single-tenant and multi-tenant applications. It covers security concepts like authentication, authorization, and permissions. It also demonstrates creating a sample application and configuring it for multi-tenancy. The document concludes with an overview of deploying applications and necessary considerations for resources, configuration, and distribution.
ECS 2018: Introduction to Azure Web Applications
- 1. INTRODUCTION TO AZURE WEB APPLICATIONS Eric Shupps Office Servers and Services MVP
- 2. DIAMOND, PLATINUM AND GOLD SPONSORS
- 3. About Me @eshupps sharepointcowboywww.sharepointcowboy.com slideshare.net/eshupps linkedin.com/in/eshupps Eric Shupps Office Servers & Services MVP
- 5. INTRODUCTION
- 6. ACHTUNG! Diese Sitzung entspricht nicht der DSGVO. Bitte verlassen Sie jetzt, wenn Sie nicht bemerkt werden möchten. Wir versprechen zu vergessen, dass du jemals hier warst.
- 9. MODEL
- 11. Scope • Single-tenant • Bound to single AD domain • Cannot be accessed by other domains • Simplified authorization model • Multi-tenant • Owned by single authorizing domain • Accessible by any Azure AD domain • Authorized by Azure admin for individual domains • App owner must manage tenant registration
- 12. SECURITY
- 14. Authentication • Authenticate via Azure sign-in page • Developers cannot modify login experience • User interface is suboptimal • Single sign-on with O365 and other Azure resources • Access to resources requires permission definition • OAuth tokens for O365 and other resources • POST to app with user/tenant details • Context • Explicit per endpoint • App launcher in O365 • Users notified of app availability in alerts
- 15. Authorization Flows Authorization Exchange authorization codes for access tokens Refresh tokens enable long-lived sessions Designed for native clients and server- side API’s Client Credential Requires app authorization consent from administrator Shared secrets or certificates used to request tokens Designed for service apps and server-to- server scenarios Implicit Retrieve access tokens directly from single endpoint No refresh tokens (local session management only) Designed for SPA's (requires manifest modification)
- 16. Authorization • Multi-tenant • Manifest: oauth2AllowImplicitFlow = true (SPA, JavaScript) • Token and authorization endpoints • Tenant ID = “common” for multi-tenant • WSFED “common” endpoint • Consent • Non-customizable consent page in MSFT domain GET: https://login.microsoftonline.com/common/oauth2/authorize?client_id={client ID}& response_type=token&redirect_uri={redirect URI}
- 17. Token Management • Use authorization/request tokens to obtain short-lived access tokens • Include access tokens in resource calls • Store refresh tokens to obtain new access tokens upon expiration • Track tokens by tenant (multi-tenant), app or user • Force token expiration to prompt authentication • Utilize client secret only in confidential client apps
- 18. Token Configuration Property Policy String Affects Default Minimum Maximum Access Token Lifetime AccessTokenLifetime Access tokens, ID tokens, SAML 2 tokens 1 hour 10 minutes 1 day Refresh Token Max Inactive Time MaxInactiveTime Refresh tokens 90 days 10 minutes 90 days Single-Factor Refresh Token Max Age MaxAgeSingleFactor Refresh tokens (for any users) Until revoked 10 minutes Until revoked Multi-Factor Refresh Token Max Age MaxAgeMultiFactor Refresh tokens (for any users) Until revoked 10 minutes Until revoked Single-Factor Session Token Max Age MaxAgeSessionSingle Factor Session tokens (persistent and non- persistent) Until revoked 10 minutes Until revoked Multi-Factor Session Token Max Age MaxAgeSessionMultiF actor Session tokens (persistent and non- persistent) Until revoked 10 minutes Until revoked Reference: http://bit.ly/2IUuJNo
- 19. Permissions • Types • Application • Delegated • Administrative Level • Minimum: “Sign in and read user profile” • Beware permission level restrictions • Resources • Exchange Yammer AzureAD • SharePointOnline Power BIAzure Management • O365 Management Skype
- 20. Consuming SharePointAPI’s • App-only access tokens • Client ID and Client Secret • Certificate exchange • PowerShell https://bit.ly/2JB8Uzc • appregnew.aspx & appinv.aspx https://bit.ly/2HCDHLx • Permission Scope • Administrative Consent
- 22. DEMO Creating a Sample AzureWeb Application
- 23. Configuration • Name • Sign-On URL • Logo • Multi-tenant • Client ID • User Assignment • Keys • App ID URI • Reply URL • Permissions MANIFEST
- 24. Multi-Tenant Requirements • Visual Studio templates are incomplete • What you need to make multi-tenant work: • Database • Tenants, IssuingAuthorityKeys, SignupTokens • Registration Module • XML Response Parser • Tenant and User Information • AuthTokens • Federation, Realm and Identity Configuration • HTTPS Redirection • Sign-In Page (optional)
- 25. DEMO Configuring a Multi-Tenant Azure Application
- 26. DEPLOYMENT
- 27. Deployment • AD Apps • SSL • DNS • SSO • Permissions • Multi-tenant Configuration •Servers, Networking,Authentication,Admin Access •AzureAD Premium* Resources • AdminAuthorization • User/GroupAssignment* Distribution