

Windows Azure Active Directory enables single sign-on with cloud apps

Linking Active Directory to multi-tenanted Windows Azure apps can simplify user sign-on in the cloud.

Microsoft’s Windows Azure Active Directory (WAAD) Developer Preview provides simple user authentication and authorization for Windows Azure cloud services. The preview delivers online demonstrations of Web single sign-on (SSO) services for multi-tenanted Windows Azure .NET, Java and PHP applications, and programmatic access to WAAD objects with a RESTful graph API and OData v3.0.

The preview extends the choice of identity providers (IPs) to include WAAD, the cloud-based IP for Office 365, Dynamics CRM Online and Windows InTune. It gives Windows Azure developers the ability to synchronize and federate with an organization’s on-premises Active Directory.

Figure 1. The Users page of the Office 365 Administrative portal enables adding detailed user accounts to an organization’s domain, for this example.

Traditionally, developers provided authentication for ASP.NET Web applications with claims-based identity through Windows Azure Access Control Services (WA-ACS), formerly Windows Azure AppFabric Access Control Services.

According to Microsoft, WA-ACS integrates with Windows Identity Foundation (WIF); supports Web identity providers (IPs) including Windows Live ID, Google, Yahoo and Facebook; supports Active Directory Federation Services (AD FS) 2.0; and provides programmatic access to ACS settings through an Open Data Protocol (OData)-based management service. A management portal also enables administrative access to ACS settings.

Running online Windows Azure Active Directory demos
Taking full advantage of the preview’s two online demonstration apps requires an Office 365 subscription with a few sample users (Figure 1). Members of the Microsoft Partner Network get 25 free Office 365 Enterprise licenses from the Microsoft Cloud Essentials benefit; others can subscribe to an Office 365 plan for as little as $6.00 per month. According to online documentation, the WAAD team plans to add a dedicated management portal to the final version to avoid reliance on Office 365 subscriptions. Note: The preview does not support Windows 8, so you’ll need to use Windows 7 or Windows Server 2008 R2 for the demo.

Figure 2. Use the Fabrikam demo to add or edit detail items of an expense report.

The preview also requires users to download an updated Microsoft Online Services Module for Windows PowerShell v1.0 for 32-bit or 64-bit systems. You’ll also need to download and save a prebuilt PowerShell authorization script, which you execute to extract the application’s identifier (Application Principal ID), as well as the tenant identifier (Company ID) for the subscribing organization.

The Fabrikam Expense report demo is a tool used to show interactive cloud Web apps to prospective Windows Azure users (Figure 2). The preview also includes open source code developers can download from GitHub and use under an Apache 2.0 license. Working with the source code in Visual Studio 2010 or later requires the Windows Azure SDK 1.7, MVC3 Framework, WIF runtime and SDK, as well as Windows Communication Framework (WCF) Data Services 5.0 for OData v3 and .NET 4.0 or higher. With a bit of tweaking, this ASP.NET MVC3 app could manage expense reports for small- and medium-sized companies.

Traversing Office 365 AD with OData queries

Organizational directories have a hierarchical structure, so they are better represented by a graph of relationships than tables in a relational database. The preview’s Graph API defines reporting relationships by a manager’s DirectReports collection and an employee’s ReportsTo property.

Figure 3. Display top-level EntitySets for the Demo tenant in the Graph Explorer preview. SubscribedSkus are Office 365 subscription types for all users; TenantDetails provide information about the subscribing organization.

The Open Data Protocol (OData) v3, which Microsoft turned over to OASIS for standardization in May 2012, provides a RESTful approach to AD management. The Graph API is a programming alternative to .NET’s System.DirectoryServices namespace and the COM-based Active Directory Service Interfaces (ADSI).

The initial Graph API Preview release includes metadata for the following Office 365 AD collections, expressed as Entity Data Framework EntitySets:

  • DirectoryObjects
  • ReferencedObjects
  • Contacts
  • Groups
  • SubscribedSkus
  • Roles
  • TenantDetails
  • Users

To display a list of top-level collections, log into the Graph Explorer, click the Use Demo Company button and then click Get (Figure 3). You can view the metadata for all of the preceding EntitySets at the service’s $metadata endpoint.

The preview’s Graph Explorer application, which runs on Windows Azure, lets users navigate Office 365 AD with standard OData query operators. For example, you can retrieve details about the Office 365 subscribing organization (Tenant) from an OData URL query after logging in with the same credentials you use for the Fabrikam demo (Figure 4). I offer a brief guided tour of the Graph Explorer on my blog.
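The following Python script is an added example, not code from the Graph Explorer, the Fabrikam demo or Microsoft. It illustrates two things the text above describes: composing OData v3 URL queries against the Users EntitySet and its DirectReports navigation (the single-quote doubling in $filter literals is the OData escape that keeps a user-supplied value such as O'Brien from breaking out of the string), and walking the manager/ReportsTo relationships that make the directory a graph rather than a table. The service host and tenant name in BASE are placeholders, the user records are constructed sample data, and the cycle check reflects a mis-edited directory rather than anything the preview is documented to produce.

```python
"""OData v3 query building and reporting-graph traversal for a WAAD-style
directory.  Added example; BASE is an assumed placeholder and SAMPLE_USERS
is constructed data.  Entity set and property names (Users, DirectReports,
ReportsTo) follow the article."""
from urllib.parse import quote

# Assumed placeholder service root: <graph host>/<tenant domain>
BASE = "https://graph.example.invalid/contoso.onmicrosoft.com"


def odata_literal(value: str) -> str:
    """Quote a string for a $filter expression or entity key.  OData escapes
    an embedded single quote by doubling it, so untrusted input cannot end
    the literal early and inject extra filter terms."""
    return "'" + value.replace("'", "''") + "'"


def build_query(entity_set, key=None, nav=None, filter_expr=None,
                select=None, top=None):
    """Compose a RESTful URL such as Users('u1')/DirectReports?$select=...
    The $filter value is percent-encoded; quotes, parentheses, commas and
    '=' are left readable because OData expects them verbatim."""
    path = "/" + entity_set
    if key is not None:
        path += "(" + odata_literal(key) + ")"      # single-entity address
    if nav:
        path += "/" + nav                            # navigation property
    params = []
    if filter_expr:
        params.append("$filter=" + quote(filter_expr, safe="'(),="))
    if select:
        params.append("$select=" + ",".join(select))
    if top is not None:
        params.append("$top=" + str(top))
    return BASE + path + ("?" + "&".join(params) if params else "")


# Constructed sample directory: object id -> (displayName, ReportsTo id)
SAMPLE_USERS = {
    "u1": ("Alice", None),   # top of the hierarchy
    "u2": ("Bob", "u1"),
    "u3": ("Carol", "u1"),
    "u4": ("Dan", "u2"),
}


def direct_reports(users, manager_id):
    """A manager's DirectReports collection, derived from each user's
    ReportsTo property (the inverse navigation)."""
    return sorted(uid for uid, (_, mgr) in users.items() if mgr == manager_id)


def reporting_chain(users, user_id):
    """Follow ReportsTo upward to the top of the organization.  A directory
    whose manager links form a loop would otherwise recurse forever, so the
    walk records visited ids and reports the cycle instead."""
    chain, seen = [], set()
    current = users[user_id][1]
    while current is not None:
        if current in seen:
            raise ValueError("reporting cycle at " + current)
        seen.add(current)
        chain.append(current)
        current = users[current][1]
    return chain


def org_tree(users, root_id, depth=0):
    """Indented text tree of managers and their direct reports, the kind of
    view the article notes the Graph Explorer preview lacks."""
    lines = [("  " * depth) + users[root_id][0]]
    for report in direct_reports(users, root_id):
        lines.extend(org_tree(users, report, depth + 1))
    return lines


if __name__ == "__main__":
    print(build_query("Users", key="u1", nav="DirectReports",
                      select=["displayName"], top=10))
    print(build_query("Users",
                      filter_expr="displayName eq " + odata_literal("O'Brien")))
    print("\n".join(org_tree(SAMPLE_USERS, "u1")))
    print(reporting_chain(SAMPLE_USERS, "u4"))
```

Run stand-alone, the script prints the two composed URLs, the four-person org tree rooted at Alice and Dan's reporting chain ['u2', 'u1']; the same functions can be pointed at a live tenant by replacing BASE and the sample dictionary with real query results.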

Figure 4. Execute OData v3 URL queries to display selected EntitySets or members in ATOMPub format.

Graph Explorer’s implementation is bare bones, to be generous. Enterprise directory admins would welcome a few graphical accouterments, such as a tree view of managers and their direct reports, as well as a network representation of object navigation.

New WAAD and WA-ACS features for enabling Web SSO and RESTful OData queries against Active Directory enhance Windows Azure’s capabilities as an enterprise Platform as a Service (PaaS) competitor. The improvements might also be enabled for Microsoft’s multi-tenanted Infrastructure as a Service (IaaS) product. PaaS and IaaS added-value features will become increasingly important to distinguish services as they trend toward commodity status.


Roger Jennings is a data-oriented .NET developer and writer, a Windows Azure MVP, principal consultant of OakLeaf Systems and curator of the OakLeaf Systems blog. He's also the author of 30+ books on the Windows Azure Platform, Microsoft operating systems (Windows NT and 2000 Server), databases (SQL Azure, SQL Server and Access), .NET data access, Web services and InfoPath 2003. His books have more than 1.25 million English copies in print and have been translated into 20+ languages.
