Creating Enterprise Applications by Using Windows Azure AD Graph
[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]
Scenario
In this scenario you have purchased an Office 365 subscription. As part of the subscription you have purchased the capability to manage users using Windows Azure AD, which is part of Windows Azure. You want to build an application that can access users’ information such as user names and group membership.
The following challenges are associated with this scenario:
-
Which account should be used when accessing Windows Azure AD objects?
-
Which programming model should be used to query user information?
-
How can the account that’s used to access Windows Azure AD objects be managed?
-
How can access be restricted for the account that’s used to access Windows Azure AD objects?
Solution
This scenario’s solution involves using Windows Azure AD Graph REST API.
This is how the challenges are addressed:
-
Use a service principal when accessing Windows Azure AD objects. Read more in Windows Azure AD Graph Authentication.
-
Graph API exposes REST endpoints based on OData v3 protocol. Read more in Windows Azure AD Graph Common Queries
-
The service principal is managed using Office 365 Windows PowerShell scripts. Read more in Windows Azure AD Graph Authentication
-
The service principal’s permissions are role-based and are managed using Office 365 Windows PowerShell scripts. Read more in Windows Azure AD Graph and Role-Based Access Control.
Consider the following resources when implementing this scenario:
- How-To: Authenticate To Windows Azure AD Graph Using Windows Azure AD Access Control
- How-To: Manage Role-Based Access Control When Using Windows Azure AD Graph
- How-To: Read Windows Azure Active Directory Entities Using Windows Azure AD Graph
- Code Sample: Listing Users and Groups From Windows Azure Active Directory Using Windows Azure AD Graph
See Also
