presentation.md

Overview

  1. Office 365 & Microsoft Azure Overview
  2. Identity: Office 365 & Azure AD
  3. How Does it Work?

Office 365 & Microsoft Azure Overview

What is Office 365 & Microsoft Azure?

Office 365

  • Exchange Online
  • SharePoint Online
  • and more...
  • Great for business-y / enterprise-y / office-y solutions

Microsoft Azure

  • Host custom code
  • Leverage PaaS offerings for custom solutions
  • Leverage IaaS for legacy solutions

When Combined...

  • Tons of OOTB services
  • Can be used OOTB or integrated into custom solutions

Identity: Office 365 & Azure AD

  • Office 365 uses an Azure AD directory under the covers to store users
  • Azure AD directories can be sync'd with on-premises Active Directories
    • Azure Active Directory != Windows Active Directory
    • Azure AD supports app authentication (currently in preview)
  • Custom apps can leverage Azure AD to authenticate users

Office 365 + Azure AD = Identity Bliss

  • You can associate your Azure subscription with your Office 365 directory
  • Enables apps to leverage Azure AD for authentication (user & app)
  • Azure AD apps provide Office 365 access via app permissions (regardless of user permissions)
  • Now custom apps can take advantage of powerful Office 365 services:
    • Metadata
    • Search
    • Workflow
    • Lists & libraries
    • Document management (check-in/check-out, declare record, versions, alerts, etc.)

How Does it Work?

Office 365 Trusts Azure AD

  • Azure AD returns OAuth2 access token upon successful authentication
  • Same access token can be used when accessing Office 365

What about that OAuth2 Access Token?

  • OAuth2 access tokens are like currency 💰
    • Anyone who holds a token can use it, regardless of how it was obtained
  • Some protection built into the token (JWT)
    • Issued by...
    • Intended for...
    • Not valid before...
    • Expires in...
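
The four protections listed above correspond to the standard JWT claims `iss`, `aud`, `nbf` and `exp`. As an added example (not part of the original presentation), this is how a resource that receives a token might check them. The issuer and audience values, the sample token and the 300-second clock skew are constructed for illustration, and signature verification is assumed to have succeeded before these checks run.

```python
import base64
import json
import time

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_claims(token, expected_iss, expected_aud, now=None, skew=300):
    """Return a list of claim problems; an empty list means the claims pass.
    Signature verification is NOT done here and must succeed first."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    if claims.get("iss") != expected_iss:            # Issued by...
        problems.append("iss: unexpected issuer")
    aud = claims.get("aud")                          # Intended for...
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud: token intended for another resource")
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if isinstance(nbf, (int, float)) and now < nbf - skew:      # Not valid before...
        problems.append("nbf: not valid yet")
    if not isinstance(exp, (int, float)) or now >= exp + skew:  # Expires in...
        problems.append("exp: missing or expired")
    return problems

def make_sample(claims):
    # Constructed token for the demo: placeholder signature, never a real one.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

ISS = "https://sts.example.test/tenant-placeholder/"   # assumed issuer
AUD = "https://resource.example.test"                  # assumed audience
SAMPLE = make_sample({"iss": ISS, "aud": AUD, "nbf": 1000, "exp": 4600})

if __name__ == "__main__":
    print(check_claims(SAMPLE, ISS, AUD, now=2000))
    print(check_claims(SAMPLE, ISS, AUD, now=10000))
```

These claims limit where and when a token is accepted, but they do not stop a holder from replaying it to the intended resource before it expires, which is why the token still has to be protected in transit and at rest.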

Protecting the Access Token

  • Never pass it over HTTP, always use HTTPS (SSL)
  • Never pass it to the client, keep it server-side
    • Once it touches the client, it's clear text & anyone can see it
  • Create an intermediary that obtains, protects & uses the access token
    • Store in session state / cache / database
    • Use standard web auth with your app & intermediary
    • Example: .NET's Anti-Forgery Class

How Does Authentication Work?

Demo: Exploring the Authentication Flow

demo time

Using the Access Token

  • Once the ASP.NET intermediary site has the access token...
  • Can include it in future HTTP requests to...
    • Office 365 / SharePoint Online REST API
    • Office 365 / SharePoint Online CSOM
    • Office 365 / Exchange Online REST API
    • Resources that trust Azure AD

Demo: Scenario - Project Research Tracker

demo time

Resources