Service principles and app registration

Captions
Hey everyone, on another episode of On .NET we have the kickoff of the Microsoft identity series, and today I have Matthijs Hoekstra with me to talk about app registrations and service principals. Join us.

Welcome to another show on On .NET. Today I have Matthijs Hoekstra with me to talk about service principals and app registration. This is part of our series on identity for developers, Microsoft identity for developers, and we're starting with some of the basics, because I think having a good foundation around what app registrations and service principals are is very important as you embark on your journey. So Matthijs, thanks for coming. How are you?

I'm good, thanks for having me. It's been a while since I've seen you.

It's been a while for everyone. It's been about five months since I had any human contact outside my family, so let's not go there. So yeah, thanks for having me. What we want to talk about today, well, I did say app registrations and service principals, because getting your head around it is always tricky: when do we use what, which is which, right? So what is an app registration, how does a service principal hang behind that, if I'm creating an application what should I care about as a developer, and then how do we use them?

Yeah, it's a good topic, and it's a source of confusion as well, right? "I don't understand what the difference is between an app registration and a service principal, I know this enterprise app thing, so where do I do what?" and all that stuff. So let me explain a bit of how I like to think about these topics, and feel free to ask me any questions and we can dive into it. I did bring my simple PowerPoint deck I've been using in the past, just to give you an idea of what we are doing here.

Love me some PowerPoint.

I know, right? So the first thing is that since we are talking about OIDC and all modern authentication with the Microsoft identity platform, but it's the same concept for any identity platform you will use: you have to tell the system about your application. It has to know what kind of authentication experience it has to offer the users. So the first thing you have to do after you decide which IdP you're going to use, so let's assume it's the Microsoft identity platform, is to tell the system about your application. That's what we do when we start doing an application registration: it's nothing else than telling the system about the existence of your app and how to treat users or applications coming in and doing authentication, right? And in our platform, and that's going to be the same if you want to build a Facebook application, you have to register it with Facebook, same with Google and all the other IdPs, so that's a basic concept which everybody has to do. There's stuff we do as Microsoft to enrich that experience for the users, but in the basics it's still "register your app". So you're going to tell us about your application: the name, it can have a logo, and we have to configure some authorization and security pieces, and we're going to talk you through that as well. But the end result is going to be one app registration, and that will be an application object. These are Azure Active Directory terms we use, right? You will find client ID, app ID, application ID; that's just the same thing for an application registration.

Yeah.

So let's just start with that; I will cover service principals a little bit later. So if you go to the portal, which I have here...

That's the Azure AD portal inside Azure, right?

Yeah, you go to portal.azure.com and then you go to the most important page in the portal, which is Azure Active Directory, and I happen to be a global admin, but you go to App registrations here.

You don't have to be a global admin to create an app registration.

No, no, you have to be an application administrator; there are different roles which you can assign so you can do this application registration. And if you're a developer, either you have your own AD environment where you can play and test, that's what I did, this is one of the M365 developer program tenants I created once for you, or otherwise you're going to be best friends with one of your administrators to help you out. This is actually also a reason or a source of confusion, because the app folks know what they need to set up and what kind of configuration they need to do, and the admins might not always understand what they're trying to do, so you actually have to start working together to make sure you do it in a proper way.

I think these days there's also a way to programmatically create app registrations, is that correct?

Yeah, I will get to that. So anything I'm going to do now, you're going to be able to do it through an API.

Stealing your thunder, sorry.

No, that's fine, that's fine, especially when you start doing automation, DevOps scripts. So yeah, let me just show you what an app registration actually is, and then how you as an administrator can control who can do one, right? So the first step, when you click New registration, is to give the name. That has to be unique to the tenant itself, right, and anything that describes the app.

So it doesn't have to be globally unique or whatever, right? It's just a name.

Right, so you can do whatever you want here. The first choice you're going to make is: is this application just available for my own company, like all my users inside of my tenant or directory (tenant and Active Directory are all the same term for the same thing), or can I create an application which is available for multiple tenants, like Office, a multi-tenant application? We'll cover a little bit about that later. And you can choose, well, I'd like any account to be able to sign into my application: all the different tenants, but also personal accounts, which I typically use for Skype and Xbox. So I leave this one at the default for now, just create this application, and here you will see the application or client ID. If you build an application or you're done with the sample or whatnot, this is the first thing it's asking you to copy and paste inside of your configuration: your app ID. Directory or tenant ID might be useful as well, but the app ID is actually the most important piece from this page. And here, if you are building, I don't know, whatever Java application, etc., it asks sometimes for endpoints like my token endpoint or the authorize endpoint; you can get them from this as well, because they're going to be unique for your tenant, right? Then I do branding, so I get a name, I can do a logo, home page URI, etc. I can, oh well, I can talk about publisher verification in a bit. Authentication is where you define your security, right? So think about this: I'm going to send you, as a user, if I sign in, so the new way of authentication, right, the application is not responsible for signing you in anymore. We don't have a login name, we don't have a password with a submit button. We just tell you, "Oh, I don't know who you are, you go to the IdP," in this case Azure Active Directory; figure out with that IdP who you are, and once it's done, just give me back the ID token I need, right? That's how modern applications work, and you're probably going to cover that in another session about tokens.

Yes.

But the one thing we do if we actually sign you in is we send you to the IdP with your client ID, so Azure AD knows, oh, this is about this application, this is about the On .NET application. Once we figured out who you are, I do a sign-in, maybe I have to do multi-factor authentication, it's going to check if my device is compliant, you know, all that stuff we can do on applications from the administrator side, then we're going to send you back to the so-called reply URI, right? And since the tokens are kind of important, we don't want people to be sent back to any random URI and people stealing tokens, right? It needs to be just for the ones you control. You have to tell us which URIs those are. So for example, say I create a web application, I'm going to tell you what: https://...com page.

Yeah, what you could do is, like, mydomain.azurewebsites.net. Yes, we do HTTPS.

Yeah. What we don't want to do is wildcards.

Wildcards, because let me show you what it is. If I would log in to a website, I'm going to take Project Central because they integrated with our environment. There you go, look at the URI. It's saying client ID is cbh5..., so it's telling us this is the application, and there's a redirect URI as well, right? What if I just change this redirect URI to myevilwebsite.com?

Yep.

We don't want AAD to return any sensitive information like tokens to that website. So what happens if you do your registration: you're going to tell the system you can only send information back to this or these URIs, right? So what we do first, if you start doing this, we're going to check if these URIs are actually in that list I just showed, to make sure we can actually return that information to a trusted environment.

Awesome. That also means that if you would allow wildcards...

Hey, maybe I probably don't own all the websites under azurewebsites.net.

You don't? Not yet.

So this is insecure, so we removed the capability. This is going to be your website, and if I add this, I can configure this, and I can have multiple ones, typically like, I don't know, yeah, you have a test one, you have a QA one, you can have a production one, and then it allows you to test.

I think localhost is the only one that allows you HTTP, am I correct?

Correct, yeah, we require HTTPS now. And this will be the same, so if you do native apps it's a bit different, right? So let's just do an Android app: you have to do your package name, com.contoso.app, and your hash, I don't know, I mean, right out of my head. What it tells is this is on mobile; what we do is spin up a web view, or you do your system browser, but we have to know when you're done. So when the redirect goes back to this unique web address, we know it's done, it closes the web view and it can pick up the ID token from the return address, right, and sign you in. So native is done a bit differently, but we still have to tell the system about what to watch for when this other stuff is happening. But web is simple, it's just a redirect, etc. So we support single-page apps, like JavaScript, etc. So that's that, and in fact we recently announced MSAL.js 2.0, right?

And it's also, so here's where the confusion starts typically for developers: how do I know what configuration I need to make, what I need to do, etc.? So I always recommend: just forget about doing this for now. The first thing I do is I go to the Quickstarts, so we're going to help you go through this. So, you know, I'm going to build a web application and it's going to be a, well, let's do Java, I don't know, you know everything about Java now.

I know everything about Java because I have already four hours of Java.

Exactly. So it tells you what to do, but it can actually change it. So you can download the sample, but you can also change the configuration: "I can make the configuration for you." Click on this button, and it will tell you, "I'm going to add these redirect URIs and create a client secret." I did make the updates, I'm done, and I download the code sample, and I can run the sample anyway. And right now, go back to Authentication, you will see it added these configuration steps for me, so I don't have to think about it anyway.

Very nice.

There you go, Quickstart. I'll go back; I come back to this one. The Quickstarts are a really good way to start and get your app to run.

Sure. So how does this relate to service principals or enterprise apps? So right now we have a one-to-one mapping between my app, or the app that you just created, and the app registration, am I correct?

Yeah, you just create an app registration, tell the system about your app and how people can actually sign into your app. That's it, right? Typically an administrator needs something to configure security: conditional access policies, require MFA, things like that. And especially if the application is going to be available for all the organizations, they want to have their own way of configuring that, right?

So they're, right, they don't want the developer to decide who can access the app, they want an administrator in their own environment to do that.

Yep. So we need something for that, and that's called an enterprise app or a service principal; those are the same things. So whenever you hear service principal, or you see enterprise apps, it's exactly the same thing, right? And how I like to explain it: the app registration is the definition for your class, and a service principal is the instantiation of that class.

I use the same metaphor. It's exactly like, for people that do development, I think it makes sense when you define it like this.

So if we have a single-tenant application, what happens is that once you use the app, or if the administrator sets it up, it creates a single service principal which points back to the application registration. So it knows about your application registration, but it can store information like security settings, policies, etc.

So in a single-tenant app, as soon as I create my app registration, it also creates a service principal behind the scenes, but I don't have to worry about that, right?

Yeah, typically it does it for you automatically. But the second choice was multi-tenant: I want this application to be available for all the different Azure Active Directories. So what we do: we still have a single app registration, but we're going to create a service principal in all the directories. They're all pointing back to that one single app registration in the home directory, but the service principals will be unique per directory.

Ah, and then you apply your settings on the service principal itself.

Yeah, for your company, right? So for instance, the permissions are going to be different per customer, right? The policies might be different as well. So this is typically how multi-tenancy works, right? And the good thing is an administrator can control all these, so they control who can create applications, they control who can create enterprise apps or service principals, right? So if you go to Enterprise applications, I probably have, let me just do the new one on here; here's my app I just created. Ah, there you go. Here's where I assign users, for example, right? Okay, only Crystal can use this app. I can actually define, oh, it's enabled, but also I can only use this app if I'm assigned to the app; it's not just available for everybody. It might be visible or invisible, so for example I want to show it on my My Apps application. Those kinds of settings are done on the enterprise app or service principal.

Sweet. Is this also where we define roles, or are those all defined inside the app registration only?

Good question. No, so app roles and user roles are configured on the application side, but assigning users to roles is on this page. So for example, let me see if I've got an example, and that's probably Salesforce; that's always a good example, and Salesforce is a good example of a multi-tenant app, right? See, I got roles assigned: Chatter Free User or System Administrator.

Yep, yep, lovely.

So that's where you do the assignment. So going back to, so this is an administrative page. You as a developer will probably never use this page, but you have to be aware that the administrator is going to use this page to set up things about your application, like who can use the application. Maybe there's some provisioning you have to do, like in the case of Salesforce I'm automatically provisioning users in Salesforce if I assign them to my application here in Azure Active Directory, right? What I also can do, as an administrator (so this is maybe not that relevant for developers), is I can choose to add an application for my users from a gallery. So I'm now going to create a service principal manually. So there are a few ways to get a service principal in your environment: an API, where you create it right from code, or from the UI like I'm doing now, or a user just using the application for the first time, and if they have the permissions they bring in the service principal automatically as well, right? But here I can just add any application. I'll just filter on OpenID Connect, because that's what I like. Okay, I have no clue what kind of applications these are, so I'm just clicking randomly, right? There's always a risk. I just add this app to my environment, we will create a service principal, I go to the app as an administrator and I can assign the users, and the first thing when they sign in, they will see the application on the My Apps page.

Nice. So interesting to know. Still, the most important page for me as a developer is the application page.

Yes, because this is where I do all my registrations; that demo I can follow around here. So another one: I don't know if you saw that when I did the authentication, where's my, was that branding? It's publisher verification. So one of the things we see is that people start, like the name, you mentioned it already: yeah, you can create an On .NET application too. How do I know it's coming from the right one, from the right person? I own Salesforce and become a millionaire, right? Everybody will be using my app, subscribing.

There you go, that's it.

Going back to the sign-in page for Project Central, you can see the name and the little check mark next to it. Ah, if I click on it, it shows you this app's publisher is actually verified; that's that piece of UI you saw on the screen.

And there's a process, right? You have to submit for being approved as a trusted vendor or whatever.

Yeah, the good thing is we already do that because we have the Microsoft Partner Network; if you just use that ID, okay, that's the easy one to do.

So this actually helps your users trust your app more.

Yes.

So my dreams of becoming a millionaire through Salesforce are not going to happen, right?

So we talked a little bit about authentication. This is the place where you can create secrets and certificates, and you know how secrets work, right? You create one, and then you don't see the secret anymore. I always ask developers which one do you choose here: one year, two years, or never expires? Everybody goes for never, of course.

I don't want my app to stop working randomly because I forgot that I had a one-year expiration policy, right?

But it always happens that the day before it works, and the day of your presentation it just fails, right? Or when you go on holiday, and then people have to figure out why the application stopped working while you're away, right? So please, please use certificates. Another one you can do here on the app registration is change the way your tokens look. That's also something a developer has to do. I can for example say, well, I got my ID tokens, they're fairly small, but I'd like my email, my given name, and I don't know, whatever, here the tenant country, I don't know, I just make something up. So now when I do this, I'm sure if people sign in these claims will be part of the ID token. That's something a developer can do as well.

Very nice. Are you going to talk about the limits as well? If I remember correctly you were testing some limits the other day.

You know, I'm trying to. So B2C is actually a functionality which we now have in External Identities, where you can call a REST API during sign-in and transform information from the REST API inside of your tokens, and I'm trying to find how big those tokens can get before the application stops working. So yeah, we'll see how far we can go, but it's important for people to know that there are some limitations with the groups and roles and how much information you bring down with the tokens. So always be aware of that: you can customize them, but there is a limitation, right? Yeah. For example, I can ask to have, well, my security groups, or directory roles, or all the groups, or only the groups assigned to the application, be part of the ID token, so I can use that information to make authorization decisions. This is also where as an application developer you specify what kind of permissions you're going to use. So for example, if this application is going to call Microsoft Graph, which you should because it's a great API to use, you can ask, well, you know what, this application is going to use... now just, let's make up something, and what's a good one? Calendar.

Calendar, yeah.

What happens here now is that once people sign in, remember this screen, it's going to actually tell you what permissions it needs, right? An administrator can consent for you, or a user can if you have the permissions. But if you do this in your app registration, you can actually ask an administrator to consent to all these permissions so the users don't have to do it. But we can only do that if you as a developer specify whatever permissions your app can at one time start using.

Yeah. Also important here to clarify that some of the permissions may require admin consent.

Oh yeah.

So you could request access to specific data, but sometimes it becomes necessary for the IT admin or the Azure AD admin to come and authorize your consent to these, because it gives you access to a lot of information that we need to make sure they usually have. So for us, working with the Microsoft tenant becomes really hard to test some of this functionality, because, yeah, you're not allowed to have access to everybody's email.

A global admin, so typically the .All permissions are admin consent. The interesting thing is that this model is changing, where administrators of the portal or of the directory can actually override these settings. So they say, no, I don't care that User.Read doesn't require admin consent; I will never allow any user to be able to consent for it themselves. That's something I always have to approve.

Gotcha, cool.

By defining this here, you're going to tell the administrator: by the way, these are the application permissions that our application needs, so they can consent or not. If you're going to build APIs, that's what you're going to configure here as well. So there's a lot... oh, and there's a roles UI now as well.

Cool, what? Yeah, nice.

Oh, that's pretty administrative. So yeah, and we have the manifest, so if you want to change things which are not available through the UI, you can do it here, or you can use the API. So this is just the raw format of everything we just did through the UI.

I think there's an effort to surface as much functionality as possible from the manifest into the UI, so you don't have to come and mess with the actual JSON data there.

But I have an API, so if you like the ultimate thing, this is the Graph Explorer. So we have a Graph API where you can retrieve all the applications, or you can just retrieve a specific one with all the properties; there's always the one-on-one. So let me just run the query. You can create applications, you can update applications, you can retrieve a list of owners, etc. So if you want, for example, to automate in DevOps the build of your application, you can create it, you can switch in your reply URIs, you can start testing, and then remove it again after the build is correct. So those things are available through the API, and the same is for the service principals. I don't know if they have them here; I don't see them here now.

Yeah, I think they're not part of the template, but you can always do the manual calls from the API.

So, and I think there are two features we don't support through the APIs yet. The claims transformation: so I showed you how you can change the ID token in the registration, right?

That was the token configuration.

Yeah. You can also do something on the enterprise app or the service principal where you can do, for example, transformations. We had one example where the customer always had the format employeeid@domainname, and they wanted to have the employee ID as the name inside of the token. So they created a custom transformation. That's done on the service principal, because let's be honest, as an app developer I have no clue what the setup is for any of my customers. So the customer themselves, they can, on the service principal, with a PowerShell script or the API on the directory, create the transformation, so anytime a user signs into that app, that employee ID would be stripped off of the email address and put in the token as a claim as well.

Nice. So much information today. Honestly, I'm learning new stuff again; after using it day in, day out, there's always something that I learn with regards to app registrations and service principals.

So just again, just see the app registration as the definition of your app, the class definition in a sense, and the service principals are the instantiation of that class, which our customers and administrators can use to modify some of the settings which are unique to their environment.

Cool. There you have it, people: app registrations, your class definition; service principals, your instances; and you're done there. Simple. So for single-tenant apps you don't really have to care about service principals as much, and then for multi-tenant apps it becomes a little more important because, you know, the IT admins will be dealing with the service principals. But from your perspective, when it comes to developing against these, especially .NET, we saw the Quickstarts there; that was fantastic, because you can actually configure the app, then download the sample code that allows you to kick-start your project very quickly, or see how it's set up and then move the code along.

Yeah, and the last tip: the Integration assistant. If you do an app registration and you've got your application running, this actually will help you test if your settings are correctly done. So say, well, I'm going to build a single-page app and a web app, alright, APIs, Evaluate, and it will tell you, oh by the way, there's some action required here, oh this one's complete, blah blah, to make sure that your settings are correct. Because let's be honest, as an administrator or as a developer, I just want to get this thing over with, especially security. I always make the joke it's like spinach, you know, it's good for you but nobody likes it. Let's get past this and get back to my app, because that's the thing I like. But make sure you, either as an administrator or as a developer, check those different settings; it will actually help you with how you develop, test, release. It's like a really good checklist for you. And especially since it knows it's a single-page app and a web app, if you add more, like a mobile app, it will add to the list of things you have to check. It has links to the documentation. So this is like everything I talked about, all the best practices you will ever hear in any session, will be listed in this single page for you as an administrator or developer.

Nice. You know what, I haven't even touched that part of the blade anymore, like, yeah, I'm not going to use your apps, man. I always troubleshoot the hard way in production, you know, I push everything to production and I try to troubleshoot, see what happened. I know that was like compressed information, so much stuff there, so much goodness around Azure AD and app registrations and service principals. Matthijs, I want to thank you for coming on the show and helping us navigate through the maze that is Microsoft identity, and I hope everyone that watches the show gets a better idea. If you have questions, reach out to us, either Matthijs or me, on Twitter; we're always there to answer questions. So thank you.

Thanks, everyone.
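The reply URI rules discussed in the video (exact match against the registered list, HTTPS required with localhost as the only HTTP exception, no wildcards) as a small policy checker. This is an added illustration, not code from the show or from Azure AD; the client ID and the registered URIs are constructed placeholders, and the normalisation used for matching is an assumption, not Azure AD's exact comparison algorithm.

```python
"""Illustrative reply-URI policy checker (added example, not Azure AD's code)."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: reply URIs registered per client ID.
# The client ID is a placeholder, not a real application.
REGISTRATIONS: Dict[str, List[str]] = {
    "00000000-0000-0000-0000-000000000001": [
        "https://contoso-web.azurewebsites.net/signin-oidc",   # production
        "https://contoso-qa.azurewebsites.net/signin-oidc",    # QA
        "http://localhost:5001/signin-oidc",                   # local dev
    ],
}

LOOPBACK_HOSTS = ("localhost", "127.0.0.1")


def registration_problem(uri: str) -> Optional[str]:
    """Return why a reply URI must be refused at registration time, or None if acceptable.

    Mirrors the rules from the conversation: no wildcards (the registrant does not
    own every host under the pattern), HTTPS only, with HTTP allowed for localhost.
    """
    if "*" in uri:
        return "wildcard: registrant does not own every host matching the pattern"
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if not host:
        return "no host in URI"
    if parts.scheme == "https":
        pass
    elif parts.scheme == "http" and host in LOOPBACK_HOSTS:
        pass  # the one permitted plaintext case: loopback during development
    else:
        return "tokens may only be returned over https (http only for localhost)"
    if parts.fragment:
        return "fragments are not allowed in a reply URI"
    return None


def _normalize(uri: str) -> Tuple[str, str, Optional[int], str, str]:
    """Scheme and host compare case-insensitively; path and query compare exactly."""
    p = urlsplit(uri)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path, p.query)


def is_trusted_redirect(client_id: str, redirect_uri: str) -> bool:
    """Exact-match the requested redirect_uri against the client's registered list.

    No prefix or pattern matching: a redirect to myevilwebsite.com, or to any
    unregistered path on a registered host, is refused.
    """
    registered = REGISTRATIONS.get(client_id, [])
    wanted = _normalize(redirect_uri)
    return any(_normalize(r) == wanted for r in registered)


def check_authorize_request(url: str) -> Tuple[bool, str]:
    """Decide whether an incoming /authorize request may have tokens sent to its redirect_uri."""
    query = parse_qs(urlsplit(url).query)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    if client_id not in REGISTRATIONS:
        return False, "unknown client_id"
    if not redirect_uri:
        return False, "missing redirect_uri"
    if not is_trusted_redirect(client_id, redirect_uri):
        return False, "redirect_uri not in the registered reply URIs"
    return True, "ok"


if __name__ == "__main__":
    cid = "00000000-0000-0000-0000-000000000001"
    good = f"https://login.example/authorize?client_id={cid}&redirect_uri=https%3A%2F%2Fcontoso-web.azurewebsites.net%2Fsignin-oidc"
    evil = f"https://login.example/authorize?client_id={cid}&redirect_uri=https%3A%2F%2Fmyevilwebsite.com%2Fsignin-oidc"
    print(check_authorize_request(good))
    print(check_authorize_request(evil))
    print(registration_problem("https://*.azurewebsites.net/signin-oidc"))
```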
Info
Channel: dotNET
Views: 5,045
Rating: 4.939394 out of 5
Keywords: Azure, Azure AD, Active Directory, Security, Identity, Microsoft, Windows, Service Principals, Applications, Apps, App Registration, Registration, OAuth, OpenID, OpenID Connect
Id: 2s0vS3RyaVw
Length: 30min 53sec (1853 seconds)
Published: Tue Sep 22 2020