What is Office 365 & Microsoft Azure?
- Exchange Online
- SharePoint Online
- and more...
- Great for business-y / enterprise-y / office-y solutions
- Host custom code
- Leverage PaaS offerings for custom solutions
- Leverage IaaS for legacy solutions
- Tons of OOTB services
- Can be used OOTB or integrated into custom solutions
- Office 365 uses an Azure AD directory under the covers to store users
- Azure AD directories can be sync'd with on-premises Active Directories
- Azure Active Directory != Windows Active Directory
- Azure AD supports app authentication (currently in preview)
- Custom apps can leverage Azure AD to authenticate users
- You can associate your Azure subscription with your Office 365 directory
- Enables apps to leverage Azure AD for authentication (user & app)
- Azure AD apps provide Office 365 access via app permissions (regardless of user permissions)
- Now custom apps can take advantage of powerful Office 365 services:
- Metadata
- Search
- Workflow
- Lists & libraries
- Document management (check-in/check-out, declare record, versions, alerts, etc.)
- Azure AD returns OAuth2 access token upon successful authentication
- Same access token can be used when accessing Office 365
- OAuth2 access tokens are like currency 💰
- Regardless of how it was obtained, anyone can use it
- Some protection built into the token (JWT)
- Issued by...
- Intended for...
- Not valid before...
- Expires in...
- Never pass it over HTTP, always use HTTPS (SSL)
- Never pass it to the client, keep it server-side
- Once it touches the client, it's clear text & anyone can see it
- Create an intermediary that obtains, protects & uses the access token
- Store in session state / cache / database
- Use standard web auth with your app & intermediary
- Example: .NET's Anti-Forgery Class
- Once the ASP.NET intermediary site has the access token...
- Can include it in future HTTP requests to...
- Office 365 / SharePoint Online REST API
- Office 365 / SharePoint Online CSOM
- Office 365 / Exchange Online REST API
- Resources that trust Azure AD
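The token handling above as an added Python example (not code from the slides or from the Microsoft samples listed below): the intermediary keeps the OAuth2 access token server-side, checks the four JWT protections the slides name (issued by, intended for, not valid before, expires), and only the outbound request to Office 365 carries it. It assumes placeholder issuer/audience strings and a constructed, unsigned sample token; signature verification is deliberately left to a real JWT library.

```python
import base64
import json

# Constructed placeholders, not real tenant or resource values.
ISSUER = "https://sts.windows.net/PLACEHOLDER-TENANT-ID/"
AUDIENCE = "https://outlook.office365.com/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_sample_jwt(claims: dict) -> str:
    """Builds a constructed JWT with an empty signature; for demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decodes the payload only. The signature is NOT verified here."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def claim_problems(claims: dict, issuer: str, audience: str, now: int) -> list:
    """Returns the failed checks for iss, aud, nbf and exp (empty list means usable)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if now < claims.get("nbf", 0):
        problems.append("not yet valid")
    if now >= claims.get("exp", 0):
        problems.append("expired")
    return problems


class Intermediary:
    """Server-side token holder: the browser only ever sees its own session id."""
    def __init__(self):
        self._tokens = {}          # session id -> access token (session state/cache/db)
        self.last_outbound_headers = None

    def store(self, session_id: str, token: str) -> None:
        self._tokens[session_id] = token

    def call_office365(self, session_id: str, url: str, now: int) -> dict:
        token = self._tokens[session_id]
        problems = claim_problems(jwt_claims(token), ISSUER, AUDIENCE, now)
        if problems:
            return {"status": 401, "body": {"error": problems}}
        # Simulated upstream call: the bearer token goes to Office 365, never back to the client.
        self.last_outbound_headers = {"Authorization": "Bearer " + token, "Host": url}
        return {"status": 200, "body": {"ok": True}}
```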
# Resources
- MSDN P&P Web Dev - Project Silk: Client Web Development for Modern Browsers, Chapter 12: Security
- GitHub: Microsoft Azure Active Directory Samples and Documentation
- GitHub: AzureADSamples / WebApp-WebAPI-OAuth2-UserIdentity-DotNet
- GitHub: OfficeDev / Research Project Code Sample
- Same scenario I built for the Microsoft Office 365 Developer team
- Channel9 video of me explaining the solution