WEBVTT

0:00:02.620000 --> 0:00:09.360000
The purpose of having a cloud-based authentication identity system, such

0:00:09.360000 --> 0:00:15.220000
as Azure AD, is to provide those services and possibly more to applications.

0:00:15.220000 --> 0:00:21.340000
In this video, we're going to take a look at how you establish that application

0:00:21.340000 --> 0:00:24.660000
identity within Azure.

0:00:24.660000 --> 0:00:30.560000
The topics that we're going to cover include looking at Azure AD applications

0:00:30.560000 --> 0:00:31.600000
at a high level.

0:00:31.600000 --> 0:00:33.500000
What are they? How do they interact?

0:00:33.500000 --> 0:00:36.060000
We'll talk about application registrations.

0:00:36.060000 --> 0:00:39.920000
We'll look at some of the settings that you've got for applications within

0:00:39.920000 --> 0:00:47.280000
Azure AD. And take a look at Azure AD permissions, which is kind of, if

0:00:47.280000 --> 0:00:50.300000
you will, maybe not for you, but it always is for me kind of a little

0:00:50.300000 --> 0:00:51.520000
bit confusing part.

0:00:51.520000 --> 0:00:53.280000
We'll try and make that clear.

0:00:53.280000 --> 0:00:56.940000
And then I'm going to go through a demonstration where I actually create

0:00:56.940000 --> 0:01:04.080000
an application registration in Azure AD and use that in a brand new application.

0:01:04.080000 --> 0:01:08.440000
So let's go ahead and let's take a look.

0:01:08.440000 --> 0:01:14.900000
All right. If we think about application identity in Azure AD, right?

0:01:14.900000 --> 0:01:22.120000
So let's assume that we've got an application.

0:01:22.120000 --> 0:01:30.500000
So this is my application.

0:01:30.500000 --> 0:01:33.260000
And we'll just say app.

0:01:33.260000 --> 0:01:36.020000
Apparently we won't.

0:01:36.020000 --> 0:01:42.500000
There we go. This is my app, right?

0:01:42.500000 --> 0:01:51.240000
And I also, draw it over here, have Azure AD.

0:01:51.240000 --> 0:01:54.540000
So I've got an application.

0:01:54.540000 --> 0:01:55.780000
I've got Azure AD.

0:01:55.780000 --> 0:02:01.140000
My application wants to use the functionality of Azure AD.

0:02:01.140000 --> 0:02:06.560000
Now, in order to do that, if you think about Azure AD, Azure AD has a

0:02:06.560000 --> 0:02:09.340000
number of important things.

0:02:09.340000 --> 0:02:12.940000
For example, it's got identity, right?

0:02:12.940000 --> 0:02:18.260000
I've got a bunch of identity information, my users.

0:02:18.260000 --> 0:02:20.940000
Get that typed in, right?

0:02:20.940000 --> 0:02:33.900000
I also have possibly access to additional information beyond just their

0:02:33.900000 --> 0:02:39.300000
identity. So you can think of things like their profile information, but

0:02:39.300000 --> 0:02:41.040000
also through Azure AD.

0:02:41.040000 --> 0:02:45.020000
I can access things through what's called the Microsoft Graph, including

0:02:45.020000 --> 0:02:48.700000
things like what they're doing in Office 365.

0:02:48.700000 --> 0:02:50.700000
We choose to be Microsoft 365.

0:02:50.700000 --> 0:02:54.240000
And really, their calendar and all sorts of other things, potentially,

0:02:54.240000 --> 0:02:55.860000
that can be accessed.

0:02:55.860000 --> 0:03:01.820000
Not to mention the ability, potentially, to access Azure resources

0:03:01.820000 --> 0:03:08.480000
as well. So there's quite a bit behind Azure AD that's potentially available

0:03:08.480000 --> 0:03:18.900000
for that app. So to control this, we need to have some sort of representation

0:03:18.900000 --> 0:03:24.840000
of the app within Azure AD, right?

0:03:24.840000 --> 0:03:30.420000
And that app is going to have settings that are going to control kind

0:03:30.420000 --> 0:03:33.200000
of the way that really the authentication process works.

0:03:33.200000 --> 0:03:36.320000
It's going to have identity information that's going to be stored over

0:03:36.320000 --> 0:03:38.020000
here in the app and used.

0:03:38.020000 --> 0:03:42.260000
So the app's going to have this identity information for the app registration.

0:03:42.260000 --> 0:03:45.480000
And that's how it's going to communicate with the AD.

0:03:45.480000 --> 0:03:53.300000
And meanwhile, that app actually has its own identity so that you can

0:03:53.300000 --> 0:03:58.120000
potentially give it access to whatever's behind that authentication, right?

0:03:58.120000 --> 0:04:02.680000
So you've got the basic authentication, which in and of itself requires

0:04:02.680000 --> 0:04:04.900000
rights in order to authenticate.

0:04:04.900000 --> 0:04:08.100000
I have to say, okay, I want to allow this application to authenticate

0:04:08.100000 --> 0:04:12.600000
my users. But then beyond that, again, do I want to give it access to

0:04:12.600000 --> 0:04:18.680000
things like their profile, to things like their Microsoft 365 interactions,

0:04:18.680000 --> 0:04:25.760000
etc. And all of that is controlled through an application registration.

0:04:25.760000 --> 0:04:33.220000
And if we take a look at our application registration.

0:04:33.220000 --> 0:04:41.560000
And so the application registration. Registration is required for authentication

0:04:41.560000 --> 0:04:43.940000
and identity services.

0:04:43.940000 --> 0:04:47.560000
As I mentioned, that is truly the starting point, right?

0:04:47.560000 --> 0:04:49.880000
So we've got our registration.

0:04:49.880000 --> 0:04:56.060000
Now that registration is associated with an app identity and potentially

0:04:56.060000 --> 0:04:58.580000
a secret as well.

0:04:58.580000 --> 0:05:02.040000
Although, as you'll see, you don't always have to use a secret.

0:05:02.040000 --> 0:05:07.300000
There's also additional application information that is included with

0:05:07.300000 --> 0:05:08.000000
the application.

0:05:08.000000 --> 0:05:11.200000
We'll take a look at some of the app settings, the name of the application,

0:05:11.200000 --> 0:05:14.020000
the icon that you want associated with the application.

0:05:14.020000 --> 0:05:18.500000
So a number of interesting things there.

0:05:18.500000 --> 0:05:21.460000
And then also application permissions, right?

0:05:21.460000 --> 0:05:25.980000
Now an application actually uses a service principal, which is the concept

0:05:25.980000 --> 0:05:27.640000
of a service principal.

0:05:27.640000 --> 0:05:32.640000
And that's really what you are granting permissions to, is that service

0:05:32.640000 --> 0:05:39.780000
principal. Now the permissions to access identity, all of this is set

0:05:39.780000 --> 0:05:45.380000
up by the administrator, so in other words, I've got this cool application.

0:05:45.380000 --> 0:05:47.900000
I want to use Azure AD to authenticate.

0:05:47.900000 --> 0:05:51.880000
Plus I want all this other information that I can get from Azure AD.

0:05:51.880000 --> 0:05:55.620000
Well, just because I want to use it, doesn't mean that whoever's tenant

0:05:55.620000 --> 0:05:57.240000
that is wants me to do it.

0:05:57.240000 --> 0:05:59.240000
So of course that's going to be controlled, right?

0:05:59.240000 --> 0:06:04.420000
And it can also be then further granted, either by the administrator or

0:06:04.420000 --> 0:06:06.620000
granted by the user.

0:06:06.620000 --> 0:06:11.200000
So these are really the key elements of application identity.

0:06:11.200000 --> 0:06:15.380000
Again, we're going to see it, if you will, in person.

0:06:15.380000 --> 0:06:20.680000
But what I want to do is go ahead and take a look at just some of the

0:06:20.680000 --> 0:06:27.080000
settings. And you can see these are the basic settings.

0:06:27.080000 --> 0:06:31.580000
And I'm not diving into these, but you can see branding.

0:06:31.580000 --> 0:06:35.520000
So when I use Azure AD, right?

0:06:35.520000 --> 0:06:37.620000
My application uses Azure AD.

0:06:37.620000 --> 0:06:42.000000
That's going to push me into the Azure AD authentication environment,

0:06:42.000000 --> 0:06:44.920000
right? Which means it's going to have by default the look and feel that

0:06:44.920000 --> 0:06:49.420000
Microsoft gives it, but you have the ability to override that.

0:06:49.420000 --> 0:06:54.360000
Authentication is really the key to the application registration.

0:06:54.360000 --> 0:07:00.160000
You're defining how your application is going to authenticate its users.

0:07:00.160000 --> 0:07:03.900000
If you've got certificates and secrets that are part of the authentication,

0:07:03.900000 --> 0:07:06.940000
so in other words, I might want my application to have to authenticate

0:07:06.940000 --> 0:07:12.600000
by certificate when the application makes requests to Azure AD, I can

0:07:12.600000 --> 0:07:13.980000
configure that there.

0:07:13.980000 --> 0:07:17.360000
Token configuration, this is the information that gets sent back upon

0:07:17.360000 --> 0:07:19.500000
a successful authentication.

0:07:19.500000 --> 0:07:23.520000
And I can choose what information I want sent in that initial token.

0:07:23.520000 --> 0:07:29.220000
So for example, if I know I've got an application that always uses the

0:07:29.220000 --> 0:07:33.020000
email address, then I could potentially say, you know what?

0:07:33.020000 --> 0:07:36.560000
I want the email address sent in that authentication token back to my

0:07:36.560000 --> 0:07:42.520000
application. That way, every time I have to pull up the email address,

0:07:42.520000 --> 0:07:45.500000
I don't have to go back and make another call back as an identity service

0:07:45.500000 --> 0:07:48.100000
call to Azure AD.

0:07:48.100000 --> 0:07:50.160000
API permissions, that's another key one.

0:07:50.160000 --> 0:07:53.800000
What is my application going to be able to do?

0:07:53.800000 --> 0:07:58.800000
And then I can also actually expose my application as an API.

0:07:58.800000 --> 0:08:00.300000
And you can see that last thing there.

0:08:00.300000 --> 0:08:04.360000
You can define who owns this application and therefore who can control

0:08:04.360000 --> 0:08:09.760000
it. Okay, so those are my application identity options.

0:08:09.760000 --> 0:08:13.020000
Next is app permissions.

0:08:13.020000 --> 0:08:18.560000
And for me, app permissions are where it can get a little bit confusing.

0:08:18.560000 --> 0:08:22.320000
So let's go ahead and make sure that we dive into this.

0:08:22.320000 --> 0:08:27.760000
The first thing we have is permission scopes, which sounds like a

0:08:27.760000 --> 0:08:30.080000
really powerful thing.

0:08:30.080000 --> 0:08:30.660000
It's really not.

0:08:30.660000 --> 0:08:33.200000
It's just sets of permissions.

0:08:33.200000 --> 0:08:41.000000
Okay, now Azure AD uses OpenID Connect, and OpenID Connect has predefined

0:08:41.000000 --> 0:08:44.720000
scopes. And these can be assigned to your application.

0:08:44.720000 --> 0:08:46.600000
So there's the generic OpenID.

0:08:46.600000 --> 0:08:49.960000
There's an email scope, probably pretty obvious; profile, which gives you

0:08:49.960000 --> 0:08:54.460000
certain profile information; and the ability to access it offline.

0:08:54.460000 --> 0:08:56.700000
All right, and that's just one type of scope.

0:08:56.700000 --> 0:08:58.320000
There are many others.

0:08:58.320000 --> 0:09:02.060000
Now the two types of permissions.

0:09:02.060000 --> 0:09:05.700000
There's delegated permissions and application permissions.

0:09:05.700000 --> 0:09:09.180000
Delegated permissions are effectively user permissions.

0:09:09.180000 --> 0:09:15.200000
Let's say, for example, that I've got an application and my application

0:09:15.200000 --> 0:09:19.920000
needs to access the current user's calendar.

0:09:19.920000 --> 0:09:24.700000
Well, then that user would have to delegate the permission to access the

0:09:24.700000 --> 0:09:26.700000
calendar to the application.

0:09:26.700000 --> 0:09:28.900000
And so those are delegated permissions.

0:09:28.900000 --> 0:09:34.180000
Now, when a user is interacting with the application, and if they're using

0:09:34.180000 --> 0:09:40.100000
delegated permissions, then the actual permission is the lowest permission

0:09:40.100000 --> 0:09:42.520000
between the user and the delegated permission.

0:09:42.520000 --> 0:09:47.780000
So in other words, I can't delegate the application to access everybody's

0:09:47.780000 --> 0:09:52.240000
calendar if I don't have the rights in my login to access everybody's

0:09:52.240000 --> 0:09:56.700000
calendar. And so that won't let you have that sort of extended rights.

0:09:56.700000 --> 0:10:00.620000
On the other hand, our other type of permission, which is application

0:10:00.620000 --> 0:10:04.340000
permission, these are direct permissions.

0:10:04.340000 --> 0:10:13.040000
These are the permissions that you're going to give directly to the application.

0:10:13.040000 --> 0:10:21.100000
And obviously, if your application has application permissions, then you

0:10:21.100000 --> 0:10:24.500000
don't have any sort of delegation.

0:10:24.500000 --> 0:10:29.100000
Now, permission consent. All of these permissions, whether they are delegated

0:10:29.100000 --> 0:10:36.740000
or application permissions, your application has to have been

0:10:36.740000 --> 0:10:39.640000
granted consent to use these.

0:10:39.640000 --> 0:10:43.400000
Now, there's two different ways that consent can be granted.

0:10:43.400000 --> 0:10:49.620000
Consent can be granted by individual users for delegated permissions.

0:10:49.620000 --> 0:10:52.160000
So I could set up a list of delegated permissions.

0:10:52.160000 --> 0:10:55.420000
Think about it. You've probably seen this if you have a mobile device.

0:10:55.420000 --> 0:10:58.540000
You add an app to your mobile device, and it comes up and it says 700

0:10:58.540000 --> 0:11:02.200000
things that are just super scary that it needs to be able to do in order to

0:11:02.200000 --> 0:11:07.420000
function. Okay. And, you know, okay, fine.

0:11:07.420000 --> 0:11:09.020000
You can grant that or not.

0:11:09.020000 --> 0:11:13.240000
The other option is administrator granted permissions.

0:11:13.240000 --> 0:11:17.180000
Now, application permissions, because they don't interact with the user,

0:11:17.180000 --> 0:11:22.840000
are always administrator granted or consented permissions.

0:11:22.840000 --> 0:11:28.180000
Administrators can also consent for the users.

0:11:28.180000 --> 0:11:32.240000
All right. And particularly if you've got a, let's say you've got a line

0:11:32.240000 --> 0:11:36.200000
of business application, it's integrating with Microsoft 365.

0:11:36.200000 --> 0:11:39.840000
And there's a number of things the application has to do with 365.

0:11:39.840000 --> 0:11:43.960000
With initial user testing, you found that when you had those as delegated

0:11:43.960000 --> 0:11:46.980000
permissions, your users kind of freaked out.

0:11:46.980000 --> 0:11:49.900000
And you didn't want to say yes, you can do this, because it just seemed

0:11:49.900000 --> 0:11:50.940000
like bad practice.

0:11:50.940000 --> 0:11:52.780000
But this is all internal.

0:11:52.780000 --> 0:11:54.720000
So you can say, you know what, we're fine.

0:11:54.720000 --> 0:12:00.960000
So we go ahead administratively and we consent to these delegated permissions.

0:12:00.960000 --> 0:12:08.380000
So application permissions are always granted or consented at the administrator

0:12:08.380000 --> 0:12:15.060000
level. And delegated permissions can be done either at the user level

0:12:15.060000 --> 0:12:16.460000
or at the administrator level.

0:12:16.460000 --> 0:12:20.780000
It's generally recommended for line of business or for enterprise applications

0:12:20.780000 --> 0:12:28.220000
that are yours, that you go ahead and you grant that at the administrative

0:12:28.220000 --> 0:12:31.860000
level. Right. So it just makes it smoother; users can just log in.

0:12:31.860000 --> 0:12:34.660000
They don't have to think about it and away you go.

0:12:34.660000 --> 0:12:40.040000
All right. So that is our application identity permissions.

0:12:40.040000 --> 0:12:48.100000
Next thing that I want to do is I want to go ahead and do a demonstration

0:12:48.100000 --> 0:12:51.880000
of registering an application.

0:12:51.880000 --> 0:12:56.160000
Now in this demonstration, I'm going to go and create an application registration.

0:12:56.160000 --> 0:13:09.380000
I am also going to go through and look at some of the features of the

0:13:09.380000 --> 0:13:12.740000
registration. And then I'm going to set up some permissions.

0:13:12.740000 --> 0:13:15.840000
I'm going to set up some application permissions and delegated.

0:13:15.840000 --> 0:13:18.320000
And I'm going to go ahead and just admin grant those permissions because

0:13:18.320000 --> 0:13:20.180000
that is typically best practice.

0:13:20.180000 --> 0:13:25.360000
Then what I'm going to do is create a brand new application, an ASP.NET

0:13:25.360000 --> 0:13:30.560000
Core MVC application that is set up to use that application registration

0:13:30.560000 --> 0:13:34.680000
in Azure, in an Azure AD tenant.

0:13:34.680000 --> 0:13:38.380000
So let's go ahead and let's jump into this.

0:13:38.380000 --> 0:13:45.440000
All right. I have my INE demo tenant.

0:13:45.440000 --> 0:13:50.400000
And what I'm going to do is just pop down here to app registrations.

0:13:50.400000 --> 0:13:52.040000
Now I've already got some application registrations.

0:13:52.040000 --> 0:13:54.040000
These are all for background.

0:13:54.040000 --> 0:13:56.460000
Things are going on in my subscriptions.

0:13:56.460000 --> 0:14:04.460000
What I'm going to do is go ahead and create a new application registration.

0:14:04.460000 --> 0:14:11.580000
And so we'll fill this out as demo app because I have no creativity.

0:14:11.580000 --> 0:14:19.140000
All right. Then I've got options of who can use this application or access

0:14:19.140000 --> 0:14:24.240000
this API. And it can be accounts in this organization, accounts in any

0:14:24.240000 --> 0:14:29.300000
organizational directory, accounts in any organizational directory and

0:14:29.300000 --> 0:14:30.760000
Microsoft accounts.

0:14:30.760000 --> 0:14:35.040000
Then I've got the redirect URI.

0:14:35.040000 --> 0:14:39.760000
Now I'm going to take a jump out of here because I forgot to actually

0:14:39.760000 --> 0:14:43.460000
write down the path that I need to specify here.

0:14:43.460000 --> 0:14:46.340000
So I'm going to jump a little bit and I apologize for that.

0:14:46.340000 --> 0:14:55.480000
But I'm going to go into my PowerShell environment.

0:14:55.480000 --> 0:14:56.740000
And hopefully you can see this.

0:14:56.740000 --> 0:15:02.560000
Okay, let's look in, like maybe that could be a little bit bigger.

0:15:02.560000 --> 0:15:07.060000
It is 36. I think 72 would be excessive.

0:15:07.060000 --> 0:15:13.560000
Okay. What I'm doing is I've got the .NET CLI installed on my machine.

0:15:13.560000 --> 0:15:19.120000
I'm creating a new .NET Core MVC application and it's using the authentication

0:15:19.120000 --> 0:15:23.340000
of SingleOrg.

0:15:19.120000 --> 0:15:23.340000
You don't really need to know specifics of what that does

0:15:23.340000 --> 0:15:28.320000
other than the fact that it sets it up to work, if I did that properly,

0:15:28.320000 --> 0:15:29.920000
which apparently I did not.

0:15:29.920000 --> 0:15:37.060000
It should be auth.

0:15:37.060000 --> 0:15:38.520000
Not authentication.

0:15:38.520000 --> 0:15:43.660000
Sorry. I even had that preset.

0:15:43.660000 --> 0:15:45.920000
There we go. All right.

0:15:45.920000 --> 0:15:50.980000
So it is creating an application again that is essentially configured

0:15:50.980000 --> 0:15:55.560000
for use with Azure AD.

0:15:55.560000 --> 0:15:57.780000
Now I'm going to open up a code editor.

0:15:57.780000 --> 0:16:02.060000
In fact, I'm going to open up Visual Studio Code and I'm going to take

0:16:02.060000 --> 0:16:03.960000
a look at the settings for this.

0:16:03.960000 --> 0:16:07.480000
Again, I meant to do this kind of at the end, but that's okay.

0:16:07.480000 --> 0:16:09.480000
So we'll jump back and forth a little bit.

0:16:09.480000 --> 0:16:13.780000
All right. So I've got this application and I'm going to jump down here

0:16:13.780000 --> 0:16:17.060000
to my app settings.

0:16:17.060000 --> 0:16:23.080000
And in particular, what I care about is the callback path here, which

0:16:23.080000 --> 0:16:25.360000
is /signin-oidc.

0:16:25.360000 --> 0:16:30.020000
That is what this application by default expects when you call back to

0:16:30.020000 --> 0:16:35.320000
it. So now that I have that information, and I could do that afterwards,

0:16:35.320000 --> 0:16:37.240000
but I'd still have to flip back and forth.

0:16:37.240000 --> 0:16:39.060000
So but we go here.

0:16:39.060000 --> 0:17:05.040000
All right. So I'm going to go ahead and register that.

0:17:05.040000 --> 0:17:13.980000
Okay. So now I've got this registered and I need at this point to go through.

0:17:13.980000 --> 0:17:15.720000
You can see branding.

0:17:15.720000 --> 0:17:17.000000
Okay, there's the name.

0:17:17.000000 --> 0:17:20.620000
I could provide a logo.

0:17:20.620000 --> 0:17:23.740000
I've got a homepage URL for the application.

0:17:23.740000 --> 0:17:28.620000
So for example, I could go homepage, https.

0:17:28.620000 --> 0:17:35.900000
I need calm terms of search, this, etc.

0:17:35.900000 --> 0:17:38.720000
Okay. Now publisher domain.

0:17:38.720000 --> 0:17:45.900000
I don't have, I'm not registered as a Microsoft app provider.

0:17:45.900000 --> 0:17:50.120000
So I don't have a publisher domain that is verified.

0:17:50.120000 --> 0:17:53.180000
Okay. Now next, let's go and save that.

0:17:53.180000 --> 0:17:58.520000
That essentially just sets you up if you're going to end up doing this

0:17:58.520000 --> 0:18:07.380000
as a deployed application through their platform, through their marketplace.

0:18:07.380000 --> 0:18:11.480000
All right. Now here's my authentication and you'll notice I've got a web

0:18:11.480000 --> 0:18:19.020000
authentication and I've got a redirect URI for the web.

0:18:19.020000 --> 0:18:21.300000
So that's where that'll go back to.

0:18:21.300000 --> 0:18:23.260000
I can have additional URIs.

0:18:23.260000 --> 0:18:25.960000
I can have a logout URI.

0:18:25.960000 --> 0:18:30.100000
Okay. Now tokens, implicit grant, and this is a little bit misleading for

0:18:30.100000 --> 0:18:32.980000
my case because it tells you you generally don't need them.

0:18:32.980000 --> 0:18:40.900000
But as it turns out, for an ASP.NET Core MVC application, I actually do.

0:18:40.900000 --> 0:18:42.680000
And then who can use?

0:18:42.680000 --> 0:18:47.260000
We set that up. And treat application as a public client.

0:18:47.260000 --> 0:18:48.280000
Not going to do that.

0:18:48.280000 --> 0:18:50.840000
All right. So there's my authentication.

0:18:50.840000 --> 0:18:51.640000
Now certificates and secrets.

0:18:51.640000 --> 0:18:53.160000
I'm not going to use, but it is here.

0:18:53.160000 --> 0:18:56.360000
If you've got certificates or client secrets that you're going

0:18:56.360000 --> 0:19:00.460000
to use for application authentication, you can put those up there.

0:19:00.460000 --> 0:19:04.580000
Token configuration.

0:19:04.580000 --> 0:19:08.540000
So right now I don't have any additional claims.

0:19:08.540000 --> 0:19:15.960000
Remember, a token is a signed set of claims and I could go, okay, in addition

0:19:15.960000 --> 0:19:18.800000
to just what is generally there.

0:19:18.800000 --> 0:19:21.220000
I want to include the email because I keep talking about that.

0:19:21.220000 --> 0:19:26.020000
Okay. That means it's going to put the email into the token.

0:19:26.020000 --> 0:19:29.160000
Okay. Now the next really critical part.

0:19:29.160000 --> 0:19:31.520000
There's really two critical parts. First is authentication.

0:19:31.520000 --> 0:19:34.980000
Next is permissions.

0:19:34.980000 --> 0:19:39.760000
Okay. And right now, I've got Microsoft Graph.

0:19:39.760000 --> 0:19:44.820000
That's Microsoft's big identity and Microsoft 365 API.

0:19:44.820000 --> 0:19:47.840000
And right now I've got User.Read.

0:19:47.840000 --> 0:19:59.140000
That's really the minimum. There are Microsoft APIs.

0:19:59.140000 --> 0:20:03.200000
I may have registered APIs that my organization uses or I may have my

0:20:03.200000 --> 0:20:07.480000
own APIs. Okay. But in addition to Microsoft Graph, which is the big one,

0:20:07.480000 --> 0:20:12.780000
you can see there's quite a number of additional Microsoft APIs.

0:20:12.780000 --> 0:20:18.120000
So it's not just identities, things like Dynamics, Key Vault, Azure Service

0:20:18.120000 --> 0:20:20.200000
Management. Right.

0:20:20.200000 --> 0:20:23.480000
But if I go, Microsoft Graph.

0:20:23.480000 --> 0:20:28.680000
I've got either delegated permissions or application permissions.

0:20:28.680000 --> 0:20:34.240000
If I click delegated permissions, here are all of the different delegated

0:20:34.240000 --> 0:20:40.060000
permissions. And I've got, you know, we talked about those, the domains

0:20:40.060000 --> 0:20:43.760000
here, the different permissions that we've got.

0:20:43.760000 --> 0:20:48.740000
So I've got offline access, OpenID and profile, but then quite a number

0:20:48.740000 --> 0:20:50.020000
of additional ones.

0:20:50.020000 --> 0:20:55.480000
This is just from the, we'll go ahead and say email.

0:20:55.480000 --> 0:20:57.560000
This is just from the Microsoft Graph.

0:20:57.560000 --> 0:20:59.820000
Now these are delegated permissions.

0:20:59.820000 --> 0:21:05.700000
I can also go over to application permissions and do similar things.

0:21:05.700000 --> 0:21:07.960000
A different set of permissions.

0:21:07.960000 --> 0:21:09.440000
That's what's okay.

0:21:09.440000 --> 0:21:10.800000
I want to be able to read contacts.

0:21:10.800000 --> 0:21:18.300000
I'm not okay. And so now we can see that there are three permissions that

0:21:18.300000 --> 0:21:19.900000
my API is going to use.

0:21:19.900000 --> 0:21:23.560000
Contacts.Read, email and User.Read.

0:21:23.560000 --> 0:21:25.680000
Okay. Email is delegated.

0:21:25.680000 --> 0:21:30.380000
So is User.Read, but Contacts.Read is an admin.

0:21:30.380000 --> 0:21:33.640000
Okay. And you'll notice it says that admin consent is required.

0:21:33.640000 --> 0:21:34.760000
That's what that's saying there.

0:21:34.760000 --> 0:21:36.720000
Admin consent is required.

0:21:36.720000 --> 0:21:40.420000
So what I'm going to do is grant admin consent for the tenant.

0:21:40.420000 --> 0:21:44.620000
And that's going to grant admin consent for all three of those.

0:21:44.620000 --> 0:21:49.440000
So now I've got these rights that are necessary for the application.

0:21:49.440000 --> 0:21:52.880000
And as an administrator, I've said, okay, yes, this is the right, these

0:21:52.880000 --> 0:21:54.020000
are the rights that I want.

0:21:54.020000 --> 0:21:55.260000
We're good to go.

0:21:55.260000 --> 0:22:01.640000
All right. Now, that gives me the basis of setting up this application.

0:22:01.640000 --> 0:22:04.020000
I'm going back to the overview, because there's some information that

0:22:04.020000 --> 0:22:06.200000
I'm going to need from the overview.

0:22:06.200000 --> 0:22:16.600000
Now I'm going to flip back to that app settings here.

0:22:16.600000 --> 0:22:22.740000
Notice that it needs a domain, a tenant, a client ID and a callback.

0:22:22.740000 --> 0:22:26.320000
And I've already got the client, the callback; I do need a domain, a tenant

0:22:26.320000 --> 0:22:27.540000
ID and a client.

0:22:27.540000 --> 0:22:30.800000
The instance, unless you're changing this up, that actually gets it over

0:22:30.800000 --> 0:22:33.680000
to the login. Okay.

0:22:33.680000 --> 0:22:39.560000
And so if I go back once again and take a look here, okay, I've got the

0:22:39.560000 --> 0:22:45.820000
application ID, I can copy that and pop that in as client ID.

0:22:45.820000 --> 0:22:51.620000
They're not completely consistent with the way that works.

0:22:51.620000 --> 0:22:55.140000
All right, then I'm going to have my tenant ID.

0:22:55.140000 --> 0:22:58.680000
There we go. I can get my tenant ID.

0:22:58.680000 --> 0:23:09.320000
So grab that, put that back over here.

0:23:09.320000 --> 0:23:14.260000
Then I also need the domain.

0:23:14.260000 --> 0:23:18.260000
So I need the actual domain name that I'm going to use for this.

0:23:18.260000 --> 0:23:27.160000
And again, for that, I'm going to go here, go up to my tenants and go

0:23:27.160000 --> 0:23:28.900000
to my custom domain names.

0:23:28.900000 --> 0:23:32.340000
And I've got ineedemo.almarcelph.com.

0:23:32.340000 --> 0:23:39.180000
That is my tenant name for this application, for this Azure AD tenant.

0:23:39.180000 --> 0:23:47.060000
So we'll put that in there as tenant, or as domain.

0:23:47.060000 --> 0:23:54.280000
All right, that is everything that I need for the application.

0:23:54.280000 --> 0:23:58.400000
So the next thing that I am going to do is actually run the application.

0:23:58.400000 --> 0:24:00.200000
So I could have done it from there.

0:24:00.200000 --> 0:24:06.280000
Okay, we'll go dotnet run, should be good.

0:24:06.280000 --> 0:24:08.640000
Now again, this is a brand new application.

0:24:08.640000 --> 0:24:15.720000
All I've done is a little bit of application, essentially, with that single

0:24:15.720000 --> 0:24:17.880000
org. Okay, and now I'm running it.

0:24:17.880000 --> 0:24:21.940000
You'll notice that it tells me it's listening on HTTPS and on HTTP.

0:24:21.940000 --> 0:24:28.840000
So now what I want to do is actually, I want to go ahead and let's open up

0:24:28.840000 --> 0:24:32.980000
another tab here.

0:24:32.980000 --> 0:24:41.840000
Oh, HTTPS. And because I do this a lot.

0:24:41.840000 --> 0:24:46.900000
So I go to localhost 5001, right?

0:24:46.900000 --> 0:24:48.940000
So I put in that URL.

0:24:48.940000 --> 0:24:52.960000
As soon as I put in that URL, it pops me over here to this Microsoft screen.

0:24:52.960000 --> 0:24:54.240000
Say, all right, cool.

0:24:54.240000 --> 0:24:58.280000
Let me go ahead and I know that this user is in there.

0:24:58.280000 --> 0:24:58.940000
So it should be good.

0:24:58.940000 --> 0:25:00.400000
And there we go.

0:25:00.400000 --> 0:25:02.000000
Okay, notice I get this greeting.

0:25:02.000000 --> 0:25:05.120000
Hello, Tracy, well, I said, I need training dot on Microsoft dot com.

0:25:05.120000 --> 0:25:07.260000
Okay, that's built in the application.

0:25:07.260000 --> 0:25:11.300000
So I've now authenticated into this application.

0:25:11.300000 --> 0:25:15.980000
Right. And so I started out by creating this identity within Azure AD

0:25:15.980000 --> 0:25:17.660000
for my application.

0:25:17.660000 --> 0:25:22.220000
I then went through and configured the necessary items, the necessary

0:25:22.220000 --> 0:25:26.660000
attributes, such as the callback URL, which I always forget to do, right?

0:25:26.660000 --> 0:25:30.340000
So that's why I went a little sideways on that one to make sure I got that.

0:25:30.340000 --> 0:25:35.060000
And then also things really critical, the permissions, right?

0:25:35.060000 --> 0:25:36.680000
What does this application need to do?

0:25:36.680000 --> 0:25:41.060000
And furthermore, how do we want to go ahead and grant those?

0:25:41.060000 --> 0:25:44.600000
Do we want to make those administrator grants, which I did, right?

0:25:44.600000 --> 0:25:46.740000
And then, okay, so I've got all that set up.

0:25:46.740000 --> 0:25:50.360000
I had to go into an application and configure the application to actually

0:25:50.360000 --> 0:25:53.240000
use Azure AD. But that's the process.

0:25:53.240000 --> 0:25:55.160000
Again, it's very bare minimum.

0:25:55.160000 --> 0:25:58.440000
It's not a developer class, but those are the key points you would need

0:25:58.440000 --> 0:26:03.640000
in order to implement Azure AD authentication for an application.