News

Microsoft Bolsters Azure AD Dev Tools

• By Kurt Mackie
• 05/22/2020

Microsoft released new tools and resources this week for Azure Active Directory, including more platforms in its Microsoft Authentication Library, a tool to check security best practices and an easier process for onboarding external users.

API Centered on Microsoft Graph
First off, though, Microsoft let developers know that future programmatic access to Azure AD capabilities are going to be made available through the Microsoft Graph service. Here's how that idea was expressed:

Moving forward all Azure AD features and innovations will only be available on Microsoft Graph. With Microsoft Graph, developers can not only access Azure AD APIs, but APIs from Office 365, Microsoft Intune, and more -- all through a single endpoint. We encourage developers to start building new apps on Microsoft Graph and migrate existing apps from Azure AD Graph to Microsoft Graph.

Microsoft is still working to add Azure AD application programming interfaces (APIs) to the Microsoft Graph service. New APIs that reached the "general availability" commercial-release stage in version 1.0 of the Microsoft Graph include:

• Applications registrations with custom roles
• Service principal
• Conditional Access policies
• Password protection
• Identity protection -- sign-in and user risk policies

Authentication Library Additions
Microsoft is continuing to add developer support to its Microsoft Authentication Library (MSAL), with a new Angular addition at general availability, while ASP.NET Core has been added as a preview. MSAL already has support for ".NET, Java, JavaScript, Python, iOS, Android" and other platforms.

MSAL is a replacement for the existing Azure AD Authentication Library when building client applications. Last year, Microsoft explained that it was implementing the new Microsoft Identity Platform 2.0 for developers, and moving away from Azure Active Directory 1.0 resources. To that end, Microsoft was moving Azure AD API capabilities into the Microsoft Graph, but its year-end completion plans apparently got extended into this year.

The Microsoft Identity Platform is supposed to make it easier to use Microsoft accounts and Azure AD accounts, as well as social media identity provider accounts, when developing applications.

Integration Assistant Preview
Developers wondering if their applications work well with the Azure AD identity and access management service can now try an Integration Assistant preview, which is accessible via the Azure Portal.

The Integration Assistant checks an application against Azure AD app registrations and recommends best practices for security.

External Identities Preview
One capability that got highlighted at the Build developer event is External Identities. It's billed as an easier way for "organizations and developers to secure, manage and build apps that connect with different types of users outside an organization."

External Identities is currently at the preview stage. The preview can be accessed via a new "External Identities blade" in the Azure AD Portal.

External Identities lets organizations put their own branding on a customized form, which provides a self-signup process for outside parties seeking access credentials. The form provides a means to grant network access to customers or partners. Microsoft shows how a partner-access scenario might appear to an end user in this Microsoft Build session.

Microsoft credentials can be used to sign up for access under the External Identities scheme, but external users also can use credentials from social media identity providers, such as Facebook and Google.

External Identities can work with Azure AD Premium security features, such as Conditional Access and Identity Protection. It'll work as well with the Azure AD B2B (Business-to-Business) and B2C (Business-to-Consumer) services when used to invite guest users.

Microsoft is planning to add "support for external API connectors" to External Identities in the "coming weeks."

More details can be found at Microsoft's External Identities landing page.

Publisher Verification Preview
Developers can provide additional assurance to application users that their apps are trusted via Microsoft's Publisher Verification scheme, which is currently at the preview stage.

With Publisher Verification-approved apps, end users see a blue badge on the "Azure AD consent prompt and other screens," signifying the applications have undergone a vetting process by Microsoft. Application developers need to be part of the Microsoft Partner Network to get their apps vetted in this way.

"When an application is marked as publisher verified, it means that the publisher has verified their identity through the verification process with the Microsoft Partner Network (MPN) and has associated their MPN account with their application registration," Microsoft explained.

Publisher Verification is also an assurance to IT pros that an app has been vetted by Microsoft. Moreover, Microsoft provides policies that IT pros can use to limit access to unvetted apps by end users, offering additional security control.