Monday 2 February 2015

Azure AD Graph API Introduction & Installation

This is the first chapter about how to communicate between the Graph API and one simple platform we are going to create.

If you don’t know what Graph API is, I am going to give you a quick description… it is just an API to talk with AZURE AD, so something like get users, user properties, permissions etc.

So, let’s go to explain everything in more detail… In Azure Active Directory (AAD) there is a Graph API. The idea of a Graph API come probably from Facebook, the were the first ones in going ahead with the idea or at least the one the extend the idea.

So why is it called Graph API?, that is an interesting question, isn’t it? A graph is a mathematical concept which surface nodes and more nodes, and connect them in one way or another, so if you see how Active Directory works, you will realise it is the same thing, so the Azure version AAD is just that. So Graph API for Azure AD allows you to do CRUD (Create, Read, Update, Delete) operations against AD (or being clear Azure AD) with the REST (Representational State Transfer) protocol, It is simple to use, especially when compared with with the horrible directory access such as the LDAP.

I always like to compare a AD or Azure AD with a file system, so image with want to access to some files in your file system…we could use a Graph API (not this one a custom one :) )

Access to the Graph API is done in two steps.

  1. The first one is the authentication (based on tenant-ID, client-ID and credentials), which is done against the Windows AAD authentication service. The authentication service returns a JWT Token.
  2. This token then can be used for running Graph API queries. The Graph API relies on an RBAC (Role Based Access Control) model. It authorizes every request and returns the result set if the authorization has been successful.

image

What do we need?

  1. An Internet Connection: If you don’t have one, you will be not probably reading this so…
  2. Azure Subscription: If you don’t have one,you can get a 90 days trial one, here is the link Azure Free Trial.
  3. Azure AD Tenant Permissions to Access Directory Data: We need to grant access, to the API… see below.
Permission name Description Type
Enable sign-on and read users' profiles Allow users to sign in to the application with their organizational accounts and let the application read the profiles of signed-in users, such as their email address and contact information. Delegation permission only. Can be consented by users.
Access your organization's directory Allow the application to access your organization's directory on behalf of the signed-in user.

Delegation permission only. Can be consented by users in a native client and only by an administrator for web applications.

Read directory data Allow the application to read data in your organization's directory, such as users, groups and applications.

Delegation and application permission. Must be consented by an administrator.

Read and write directory data Allow the application to read and write data in your organization's directory, such as users and groups.

Delegation and application permission. Must be consented by an administrator.

So now… you will be asking where is this coming from:

Go to https://manage.windowsazure.com

Go to Active Directory:
image

Go to AD Name:
 image

Select APPLICATIONS and then your application, in this case WebApplication5
image

Select CONFIGURE and in Windows Azure Active Directory select all the Delegated Permissions and Application Permissions
 image

With all of this done, I think we are ready for the next step, login into Windows and  the Graph API. That will be the next post.

No comments: