Thursday, July 19, 2012

A Guided Tour of the Windows Azure Active Directory Developer Preview Sample Application


• Correction 7/19/2012 2:30 PM PDT: You can use an Office 365 Enterprise (E-3) Preview subscription, which includes 25 user licenses, in lieu of a paid production Office 365 subscription for this walkthrough. See the Logging in to a Tenant’s Office 365 Active Directory section of this post and the new Designating Managers and Adding Direct Reports with Exchange in Office 365 Enterprise (E-3) Preview post for details.


Alex Simon posted Announcing the Developer Preview of Windows Azure Active Directory to the Windows Azure Team blog on 7/12/2012:

Today we are excited to announce the Developer Preview of Windows Azure Active Directory.

As John Shewchuk discussed in his blog post Reimagining Active Directory for the Social Enterprise, Windows Azure Active Directory (AD) is a cloud identity management service for application developers, businesses and organizations. Today, Windows Azure AD is already the identity system that powers Office 365, Dynamics CRM Online and Windows Intune. Over 250,000 companies and organizations use Windows Azure AD today to authenticate billions of times a week. With this Developer Preview we begin the process of opening Windows Azure AD to third parties and turning it into a true Identity Management as a Service.

Windows Azure AD provides software developers with a user centric cloud service for storing and managing user identities, coupled with a world class, secure & standards based authorization and authentication system. With support for .Net, Java, & PHP it can be used on all the major devices and platforms software developers use today.

Just as important, Windows Azure AD gives businesses and organizations their own cloud based directory for managing access to their cloud based applications and resources. And Windows Azure AD synchronizes and federates with their on-premise Active Directory extending the benefits of Windows Server Active Directory into the cloud.

Today’s Developer Preview release is the first step in realizing that vision. We’re excited to be able to share our work here with you and we’re looking forward to your feedback and suggestions!

The Windows Azure AD Developer Preview provides two new capabilities for developers to preview:

  • Graph API
  • Web Single Sign-On

This Preview gives developers early access to new REST APIs, a set of demonstration applications, a way to get a trial Windows Azure AD tenant and the documentation needed to get started. With this preview, you can build cloud applications that integrate with Windows Azure AD providing a Single Sign-on experience across Office 365, your application and other applications integrated with the directory. These applications can also access Office 365 user data stored in Windows Azure AD (assuming the app has the IT admin and/or user’s permission to do so). …

Read more: Announcing the Developer Preview of Windows Azure Active Directory

The walkthrough of the Web Single Sign-On (WebSSO) preview follows below. My post A Guided Tour of the Graph API Preview’s Graph Explorer Application provides a detailed look at the Graph API preview; the Graph Explorer requires the WAAD authorization credentials you obtain in this walkthrough.

Kim Cameron (@Kim_Cameron) gave an updated graphical introduction to Windows Azure Active Directory (WAAD) in his Diagram 2.0: No hub. No center. post of 7/2/2012 to his Identity Weblog:

As I wrote here, Mary Jo Foley’s interpretation of one of the diagrams in John Shewchuk’s second WAAD post made it clear we needed to get a lot visually crisper about what we were trying to show. So I promised that we’d go back to the drawing board. John put our next version out on twitter, got more feedback (see comments below) and ended up with what Mary Jo christened “Diagram 2.0”. Seriously, getting feedback from so many people who bring such different experiences to bear on something like this is amazing. I know the result is infinitely clearer than what we started with.

In the last frame of the diagram, any of the directories represented by the blue symbol could be an on-premise AD, a Windows Azure AD, something hybrid, an OpenLDAP directory, an Oracle directory or anything else. Our view is that having your directory operated in the cloud simplifies a lot. And we want WAAD to be the best possible cloud directory service, operating directories that are completely under the control of their data owners: enterprises, organizations, government departments and startups.

Further comments welcome.

Vittorio Bertocci (@vibronet) and Stuart Kwan presented A Lap Around Windows Azure Active Directory at TechEd North America 2012 on 6/11/2012. From Channel9’s description:

Windows Azure Active Directory provides easy-to-use, multi-tenant identity management services for applications running in the cloud and on any device and any platform. In this session, developers, administrators, and architects will take an end to end tour of Windows Azure Active Directory to learn about its capabilities, interfaces and supported scenarios, and understand how it works in concert with Windows Server Active Directory.

Logging in to a Tenant’s Office 365 Active Directory

You’ll need an Office 365 subscription with a few user accounts to make full use of the multi-tenanted Fabrikam Expense Tracking Application sample running in Windows Azure. The following walkthrough assumes you have an Office 365 subscription and are willing to add a subscription or two for the limited time required to complete this walkthrough:

Update/Correction 7/19/2012 3:30 PM PDT: You can use an Office 365 Enterprise (E-3) Preview subscription, which includes 25 user licenses, in lieu of a paid production Office 365 subscription for this walkthrough. The Enterprise Edition is required to obtain Exchange and Sharepoint instances in the 2013 version. See the Designating Managers and Adding Direct Reports with Exchange in Office 365 Enterprise (E-3) Preview for details. It’s clear from the ugly appearance of some forms that the Exchange 2013 Admin Portal isn’t fully cooked.

The following actions are required to authorize access to an existing tenant’s (organization’s) Office 365 subscription:

Note: If you have an earlier version of the Microsoft Online Services PowerShell Module v1.0, you must remove it before installing the update to v1.0.

Following are the additional prerequisites for running the Fabrikam sample code, which is available from GitHub:

Tip: Don’t save your Office 365 administrative credentials for reuse. If you can’t logout, you must delete all your cookies if the WAAD team hasn’t enabled logging out of the sample application.

1. Launch the Fabrikam Expense Tracking Application at

2. Click the Sign Up button to open page 1 of the Authorizing Your Applications pages, which covers the Office 365 subscription step, and then click the Step 2 link at the bottom to open page 2:


3. Review the Detailed Walkthrough section, then copy the CreateServicePrincipal.ps1 script from your Download folder to a Windows folder with a shorter path, such as \windows\system32.

4. Launch the Microsoft Online Services Module for Windows PowerShell from its desktop icon, change the directory to the script’s location, type CreateServicePrincipal.ps1 at the command prompt and press Enter:


5. Type r and press Enter to start the script, type a name for the Service Principal to create (waaddemo for this example), and press Enter:


6. When the Windows PowerShell Credential Request form opens, type your administrative username and password for Office 365:


7. Click OK to continue script execution:


8. Press Enter to finish script execution and display the credentials you will need for the Fabrikam demo (and the Graph Explorer demo):


Note: The App Principal Secret is a well-known demo credential, so it isn’t confidential.

9. Write down the Company ID, AppPrincipal ID, App Principal Secret and Audience URI and keep this information in a safe place. Then return to the Fabrikam demo page, which displays the following sample data and form, and complete the form:


Note: The preceding is valid data for OakLeaf’s Office 365 subscription, but only parts of the confidential information appear above.

10. Click the Complete Setup button to display the following You’re Done page:


11. Click the Click Here To Login Now button to open the Login Through Azure Active Directory page:


12. Click the link to your subscription, usually the last in the list, to open the Welcome page:

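Once the login procedure above completes, the tenant holds a service principal whose App Principal Secret is the well-known demo value noted earlier. The following PowerShell is an added example, not part of the original post or of the Fabrikam sample, that replaces that secret with a freshly generated one using the Microsoft Online Services Module (MSOnline) cmdlets; it assumes the AppPrincipal ID you wrote down in step 9 is pasted into the placeholder, and the cmdlet names and parameters come from the MSOnline module, not from this post.

```powershell
# Added example (not from the original post or the Fabrikam sample):
# rotate the demo App Principal Secret of the service principal that
# CreateServicePrincipal.ps1 created, using MSOnline cmdlets.
# Assumption: MSOnline cmdlets as named below; AppPrincipal ID pasted in.

Import-Module MSOnline
Connect-MsolService   # prompts for the Office 365 administrative credentials

# Placeholder: replace with the AppPrincipal ID the script displayed in step 8.
$appPrincipalId = [Guid]'00000000-0000-0000-0000-000000000000'

# Confirm the service principal exists in this tenant before touching it.
$sp = Get-MsolServicePrincipal -AppPrincipalId $appPrincipalId
if (-not $sp) { throw "No service principal with AppPrincipal ID $appPrincipalId" }
"Service principal: {0} ({1})" -f $sp.DisplayName, $sp.AppPrincipalId

# Record the credentials that exist now (the demo secret among them) so
# they can be removed once the replacement is registered.
$oldCreds = Get-MsolServicePrincipalCredential -AppPrincipalId $appPrincipalId `
                -ReturnKeyValues $false
"Existing credentials: {0}" -f @($oldCreds).Count

# Generate a 32-byte random secret; it lives only in this session's memory.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$newSecret = [Convert]::ToBase64String($bytes)

# Register the new password credential, valid for one year from now.
New-MsolServicePrincipalCredential -AppPrincipalId $appPrincipalId `
    -Type Password -Value $newSecret `
    -StartDate (Get-Date) -EndDate (Get-Date).AddYears(1)

# Remove every credential that existed before, so only the new secret works.
if (@($oldCreds).Count -gt 0) {
    Remove-MsolServicePrincipalCredential -AppPrincipalId $appPrincipalId `
        -KeyIds @($oldCreds | ForEach-Object { $_.KeyId })
}

# Show the operator what remains, then hand over the new secret once.
Get-MsolServicePrincipalCredential -AppPrincipalId $appPrincipalId -ReturnKeyValues $false |
    Select-Object KeyId, Type, StartDate, EndDate
"New App Principal Secret (store it in a safe place): $newSecret"
```

After rotating, re-run the Fabrikam setup form from step 9 with the new secret, since the value entered there is what the application uses to authenticate to the directory.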

Adding Users to a Tenant

Note: This section presupposes a Manager and three SalesPerson accounts have been added in the Office 365 Administrative portal.

1. Click the Add Users to Application Tab to display a Users list:


2. Add the Manager and SalesPersons to the application; optionally, add yourself:


3. Click the Sign Out button to determine if logout has been implemented.


4. If not, you see the following message:


Designating Managers and Adding Direct Reports with Exchange

Note: The Fabrikam demo documentation’s Creating Managers page notes an issue: Managers can only have Direct Reports added through [the] Exchange Console.

1. Log in to your Office 365 Administrator Portal.

2. Click the Outlook and Exchange Settings button:


3. Select the mailbox of the person for whom to add a manager:


4. Click Details to open the Mailbox form, scroll to and expand the Organization section and, optionally, add a company name:


5. Click the Browse button to open the Select Manager form and select the manager’s mailbox:


6. Click OK to add the manager as the ReportsTo property, close the Manager form, and return to the Select Manager form:


7. Click Save to save the ReportsTo property value, add the user to the manager’s DirectReports collection and close the Select Manager form.

8. Repeat steps 3 through 7 for each additional person who needs to be assigned to a manager, SalesPerson2 and SalesPerson3 for this example.

9. Verify the manager’s direct reports and, optionally, add company and ReportsTo property values:


10. Click Save to save changes, close the Mailbox form and, optionally, close the Exchange and Tenant Administrative pages.

Adding Expense Reports as a User

1. Close and relaunch the Fabrikam demo and type the username and password of one of the salesperson# users you created and assigned to a manager in the previous two sections:


2. Click the Sign In button to open the Welcome page for the user:


Note: The Add Users to Application tab is missing because these users don’t have administrative authorization.

3. Click the View Your Expense Reports tab to display an empty Invoices list:


4. Click the Create button to open a new Invoice header form, type the Reason for Expense Report and edit the default current dates as required:


5. Click Create to add an invoice to the invoices list form for the salesperson:


Note: The Submit Date erroneously defaults to the start date of the report.

6. Review the invoice header details and click the Add a New Item button to open the Create Expense item form:


7. Click Create to add the Expense item to the Invoice Items list:


8. Repeat steps 6 and 7 to add a few more expense items to the list:


9. Click the Back to Invoices Button to return to the Your Invoices list with the Status cell populated:


Submitting and Approving an Expense Report

1. Click the Your Invoices form’s Submit button to start submitting the expense report to the user’s manager, and add an optional explanation in the Comment text box:


2. Click Submit for Approval to request approval from the manager:


3. Log out and then log into the application with Manager credentials:


4. Click the Approve Expense Reports tab to open the page with pending expense report submittals listed:


5. Click the Details button to display line items, click Approve or Reject to process the report and remove it from the list, log out or close the browser, then log back in as the employee:


Note: Letting the manager add comments about approval or rejection would be a welcome feature.


With a few minor fixes and additions, small- to medium-size companies could use the Fabrikam Expense Tracking Application for production travel expense processing.

Don’t forget to download the Fabrikam sample code, which is available from GitHub by clicking here, so you can customize the app for use by your organization.