Mark Russinovich on Modern Authentication with Azure Active Directory for Web Applications

As you might have seen, last week Microsoft Press published Vittorio Bertocci’s Modern Authentication with Azure Active Directory for Web Applications, an authoritative, deep-dive guide to building Active Directory authentication solutions. Today we’re happy to share the book’s Foreword, by Mark Russinovich (Chief Technology Officer for Microsoft Azure), in which Mark describes the importance of Azure AD: “Microsoft Azure Active Directory (Azure AD) is arguably the heart of Microsoft’s cloud platform. All Microsoft cloud services, including Microsoft Azure, Microsoft Xbox Live, and Microsoft Office 365, use Azure AD as their identity provider. And because Azure AD is a public cloud service, application developers can also take advantage of its capabilities.” Here’s the Foreword:

Foreword

The purpose of an application is to take input from users or other applications and produce output that will be consumed by those same users or applications or by other ones. That’s true of a website that gains input from a click on a link and sends back the content of the requested page as output; a middle tier that processes database requests queued from a front end, executing them by sending input to a database; or a cloud service that gets input from a mobile application to look up nearby friends. Given this, a fundamental question faced in the design of every application is, Who is sending the input and should the application process it to produce the resulting output? Put another way: every application must decide on an identity system that represents users and other applications, a means by which to validate an application’s or user’s claimed identity, and a way to determine what outputs the user or application is allowed to produce.

These decisions will determine how easily users and applications can interact with an application, what functionality they can take advantage of to secure and manage their identities and credentials, and how much work the application developer must do to enable these capabilities, which are known as authentication and authorization. The ideal answers make it possible for users and applications to use their preferred identities, whether from Facebook, Gmail, or their enterprise; for the application to easily configure the access rights for authorized users; and for the application to rely on other services as much as possible to do the heavy lifting. Identity and access control, while key to an application’s utility, are not the core value an application delivers, so developers shouldn’t spend any more time on this area than they have to. Why create a database of users and worry about which algorithm to use to encrypt the users’ passwords if you can take advantage of a service that’s built for doing just that, with industry-leading security and management?

Microsoft Azure Active Directory (Azure AD) is arguably the heart of Microsoft’s cloud platform. All Microsoft cloud services, including Microsoft Azure, Microsoft Xbox Live, and Microsoft Office 365, use Azure AD as their identity provider. And because Azure AD is a public cloud service, application developers can also take advantage of its capabilities. If an application relies on Azure AD as its identity provider, it can rely on Azure AD APIs to provision users, rely on Azure AD to manage their passwords, and even give users the ability to use multifactor authentication (MFA) to securely authenticate to the application. For application developers wanting to integrate with businesses, including the many that are already using Azure AD, Azure AD has the most flexible and comprehensive support of any service for integrating Active Directory and LDAP identities. Fueled by enterprise adoption of Office 365, Azure AD is already a connection point for hundreds of millions of business and organizational identities, and it’s growing fast.

Using Azure AD for the most common scenarios is easy, thanks to the open source developer libraries, tooling, and guidance available on Microsoft Azure’s GitHub organization. Going beyond the basics, however, requires a good understanding of modern authentication flows—specifically OAuth2 and OpenID Connect—and concepts such as a relying party and tokens, federation, role-based access control, a provisioned application, and service principals. If you’re new to these protocols and terms, the learning curve can seem daunting. Even if you’re not, knowing the most efficient way to use Azure AD and its unique capabilities is important, and it’s worthwhile understanding what’s available to you.

There’s no better book than Modern Authentication with Azure Active Directory for Web Applications to help you make your application take full advantage of Azure AD. I’ve known Vittorio Bertocci since I started in Azure five years ago, and I’ve watched his always popular and highly rated Microsoft TechEd, Build, and Microsoft Ignite conference presentations to catch up with the latest developments in Azure AD. He’s a master educator and one of Microsoft’s foremost experts on identity and access control.

This book will guide you through the essentials of authentication protocols, decipher the disparate terminology applied to the subject, tell you how to get started with Azure AD, and then present concrete examples of applications that use Azure AD for their authentication and authorization, including how they work in hybrid scenarios with Active Directory Federation Services (ADFS). With the information and insights Vittorio shares, you’ll be able to efficiently create modern cloud applications that give users and administrators the flexibility and security of Microsoft’s cloud and the convenience of using their preferred identities.

Mark Russinovich

Chief Technology Officer, Microsoft Azure