
Enterprise Mobility + Security


Hi everyone, happy //build/ week!

First a quick introduction. Here in the Identity Division we’re focusing more than ever on making developers successful on our identity platform, from enterprises to startups to hobbyists, whether the software you’re writing is for sale or for use by your team. To further that focus, I’ve recently joined the team as Director of Program Management for our developer-facing products and programs. I’ve spent my career either as a developer or working on developer technologies, including work in .NET, Xbox LIVE, and Windows, and I’m thrilled to be a part of the Identity Division.

With that in mind, I’m excited to join Alex in blogging about Azure AD and our Identity services. Alex will continue blogging about end-user-facing and IT-facing news and updates while I’ll be blogging about news and updates for developers.

Kicking this off, Vittorio (who quite literally wrote the book on AAD for developers) will walk us through what the team has been up to at the //build/ conference. Stay tuned for more from //build/ in the next few days.

John Justice

Director of Program Management

Microsoft Identity Developer Platform

———-

Hello everybody!

Two days ago it was my honor and privilege to represent the developer experience team for Microsoft identity in a //build/ breakout session. You can catch the recording of the session on Channel9; in this post you’ll find pointers to all the new releases we announced, and a list of ways we can catch up and work together – whether you are attending //build/ or you are looking at engaging with us afterwards.

Announcing: MSAL developer preview

On Wednesday we announced the first developer preview of MSAL, the brand-new Microsoft Authentication Library. MSAL is a unified library that helps you develop applications that work with Microsoft Accounts, Azure AD accounts and Azure AD B2C users alike – all in a single, streamlined programming model!

As you know, a few weeks ago we announced the GA of the converged Microsoft Account and Azure Active Directory programming model. The new model brings significant advantages, such as the ability to register applications even if you don’t have an Azure subscription, and a brand new portal that lets you do so in fewer, easier steps. Another great advantage of the new model, improved protocol compliance, is also what made it incompatible with our in-market versions of ADAL – which, as the name implies, are tailored to work exclusively with AD (Azure AD or ADFS).

During the preview period of the new programming model we offered an experimental version of ADAL, which was modified to accommodate the new protocol. However, we felt that going further in that direction was not going to truly surface the advantages of the new model, while breaking compatibility with existing ADAL-dependent code anyway. Hence, we took all the things that worked well with ADAL, and brought them forward in a new library that is designed to natively support the great new features the new model brings: support for authority-agnostic apps that work just as well with MSA and with any Azure AD tenant, incremental consent, use of standard-defined scopes instead of AD-proprietary resources, and so on. We also took the opportunity to work on the areas that were the source of the most frequent errors in ADAL, such as the difficulty of using the cache in multi-tenant applications, so that the same problems do not arise in MSAL.

I will write more in depth about MSAL in the coming months. For now, here is a list of the most salient features.

  • MSAL is a developer library that helps you obtain tokens from MSA, Azure AD or Azure AD B2C for accessing protected resources – such as your own API, Microsoft APIs (such as the Microsoft Graph) and any third-party API that is protected with Microsoft identity.
  • MSAL shows the necessary authentication, multi-factor authentication and consent UX in a platform-appropriate fashion; it takes care of crafting, sending, receiving, validating and interpreting the protocol messages required to implement the authentication flows you need; and it persists tokens for you, using every trick in the book (such as silent use of refresh tokens) to minimize the number of authentication prompts presented to your users.
  • Like ADAL, MSAL is not a protocol library. You don’t need to know OAuth2, OpenID Connect or other protocols in any depth in order to use MSAL; rather, MSAL helps you implement high-level tasks and scenarios. Protocol knowledge can come in handy for understanding some of the names of the various method parameters and properties, and when you want to perform advanced customizations – but it is by no means required.
  • The main primitives in MSAL are the PublicClientApplication (for desktop and mobile apps) and the ConfidentialClientApplication (for web and server-side apps) classes.
    Everything in ADAL revolved around the AuthenticationContext, a representation of an Azure AD tenant in your code; in MSAL, PublicClientApplication and ConfidentialClientApplication are representations of your application: they don’t require you to specify any authority in advance (though you can do so, if you want to constrain the app to one) and can fluidly work with any MSA, Azure AD tenant or Azure AD B2C tenant.
  • PublicClientApplication and ConfidentialClientApplication expose the same primitives you learned to use in ADAL: AcquireTokenAsync and AcquireTokenSilentlyAsync. The main difference is that the parameters now suit the converged MSA/Azure AD programming model: for example, you’ll work with scopes instead of resources. A nice side effect of shifting to an application-centric primitive is that the AcquireToken* methods have significantly fewer parameters and overloads, given that things like the ClientID or application credentials are assigned once and for all at construction time.
  • MSAL cannot do more than the endpoints it works with can do: as a result, applications using MSAL will have to deal with the same limitations we listed for the converged programming model. Those limitations will be progressively lifted as we add new features to the service.
  • Today we are releasing the preview for MSAL .NET, which allows you to develop for:
    • .NET 4.5 and above (desktop apps and web apps)
    • Windows universal apps
    • Windows Store apps (Windows 8 and above)
    • iOS (via Xamarin)
    • Android (via Xamarin)
    • .NET Core
  • In the coming months we will release previews of MSAL for other platforms, with the goal of matching and surpassing the platform reach that ADAL offers today. That means that you can expect a native iOS MSAL, a native Android MSAL, an MSAL JS, and so on.
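The bullets above describe the "silent first, prompt only when needed" behaviour in words only. What follows is a constructed Python model of that pattern, added here as an example: it is not MSAL’s code and does not claim to mirror MSAL’s cache format or method names. PublicClientApplication, InteractionRequired, FakeSts, the callback names, the scope names and the tenant URLs are all illustrative. It shows the four decisions a silent call makes before the app ever shows UI: is there an entry for this user at this authority, does it cover every requested scope, is it still valid allowing for clock skew, and can a refresh token renew it; anything else is reported as "interaction required" so the app can fall back to the interactive method.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Tuple

BASE = 1_700_000_000.0  # fixed "now" so the walkthrough is deterministic
LIFETIME = 3600.0       # constructed access-token lifetime, in seconds

@dataclass
class TokenEntry:
    access_token: str
    scopes: FrozenSet[str]
    expires_on: float          # epoch seconds
    refresh_token: Optional[str]

class InteractionRequired(Exception):
    """Silent acquisition cannot succeed; the app has to prompt the user."""

@dataclass
class PublicClientApplication:
    """Application-centric client: client_id is bound once, authority per call."""
    client_id: str
    # Hypothetical callbacks standing in for the real OAuth2/OIDC round-trips.
    interactive_login: Callable[[str, FrozenSet[str]], TokenEntry]
    redeem_refresh_token: Callable[[str, str, FrozenSet[str]], TokenEntry]
    clock_skew: float = 300.0
    # Keyed by (client_id, authority, user_id): the authority in the key is what
    # keeps a token issued by tenant A from ever being handed back for tenant B.
    cache: Dict[Tuple[str, str, str], TokenEntry] = field(default_factory=dict)

    def acquire_token_silent(self, scopes: Iterable[str], authority: str,
                             user_id: str, now: float) -> str:
        key = (self.client_id, authority, user_id)
        entry = self.cache.get(key)
        if entry is None:
            raise InteractionRequired("no token cached for this user at this authority")
        missing = frozenset(scopes) - entry.scopes
        if missing:  # incremental consent: only an interactive request can add scopes
            raise InteractionRequired(f"cached token lacks scopes {sorted(missing)}")
        if now < entry.expires_on - self.clock_skew:
            return entry.access_token  # still valid, no network round-trip
        if entry.refresh_token is None:
            raise InteractionRequired("access token expired and no refresh token")
        # Redeem at the authority that issued the token, for the scopes it already
        # covers, and replace the cached entry with the fresh pair.
        fresh = self.redeem_refresh_token(authority, entry.refresh_token, entry.scopes)
        self.cache[key] = fresh
        return fresh.access_token

    def acquire_token_interactive(self, scopes: Iterable[str], authority: str,
                                  user_id: str) -> str:
        entry = self.interactive_login(authority, frozenset(scopes))
        self.cache[(self.client_id, authority, user_id)] = entry
        return entry.access_token

class FakeSts:
    """Constructed stand-in for a token endpoint; issues opaque numbered tokens."""
    def __init__(self, clock: dict):
        self.clock, self.n, self.redeemed = clock, 0, []

    def login(self, authority: str, scopes: FrozenSet[str]) -> TokenEntry:
        self.n += 1
        return TokenEntry(f"at-{self.n}", scopes, self.clock["now"] + LIFETIME, f"rt-{self.n}")

    def redeem(self, authority: str, rt: str, scopes: FrozenSet[str]) -> TokenEntry:
        if not rt.startswith("rt-"):
            raise ValueError("refresh token rejected")
        self.redeemed.append(rt)
        return self.login(authority, scopes)

def walkthrough() -> dict:
    """Drive the client through the cases the post calls out; return observations."""
    clock = {"now": BASE}
    sts = FakeSts(clock)
    app = PublicClientApplication("client-id-example", sts.login, sts.redeem)
    tenant_a = "https://login.microsoftonline.com/tenant-a"  # illustrative
    tenant_b = "https://login.microsoftonline.com/tenant-b"  # illustrative
    out = {}

    def silent(scopes, authority):
        try:
            return app.acquire_token_silent(scopes, authority, "alice", clock["now"])
        except InteractionRequired:
            return "INTERACTION_REQUIRED"

    out["cold_cache"] = silent({"User.Read"}, tenant_a)
    out["first_login"] = app.acquire_token_interactive({"User.Read"}, tenant_a, "alice")
    out["cache_hit"] = silent({"User.Read"}, tenant_a)
    out["needs_more_scopes"] = silent({"User.Read", "Mail.Read"}, tenant_a)
    out["incremental_consent"] = app.acquire_token_interactive(
        {"User.Read", "Mail.Read"}, tenant_a, "alice")
    out["subset_reuse"] = silent({"Mail.Read"}, tenant_a)
    out["other_tenant"] = silent({"User.Read"}, tenant_b)
    clock["now"] = BASE + 2 * LIFETIME  # access token has expired
    out["after_expiry"] = silent({"User.Read"}, tenant_a)
    out["redeemed"] = list(sts.redeemed)
    app.cache[("client-id-example", tenant_a, "alice")].refresh_token = None
    clock["now"] = BASE + 4 * LIFETIME  # expired again, nothing left to refresh with
    out["expired_no_refresh"] = silent({"User.Read"}, tenant_a)
    return out
```

Two points are worth keeping from the model even though the library hides them from you. The cache key carries the authority, so a multi-tenant app never serves tenant A’s token to tenant B (the ADAL cache pitfall mentioned above). And a refresh token is a long-lived bearer credential: whatever persists the cache on a real device has to protect it (platform keychain, DPAPI, encrypted storage), never a plain file.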

As we make additional previews of MSAL available, we will retire the experimental versions of ADAL you’ve been using to play with the new model. Please note that this does not mean that we are retiring the in-market, released versions of ADAL! Quite the contrary, in fact – as you will see in the next section.

To make it easy for you to learn the ropes of MSAL and the new programming model, today we are also releasing three new samples:

  • A web app sample, demonstrating how to sign in via OpenID Connect with the MSA/Azure AD converged endpoint – and how to use MSAL to obtain tokens to invoke the Microsoft Graph, handle incremental consent, and more
  • A Xamarin.Forms sample showing how to write a portable application that uses MSAL to get tokens for calling the Microsoft Graph – and runs largely as is on iOS, Android and UWP (desktop Windows and Windows Mobile).
  • A Xamarin.Forms sample showing how to write a portable application that uses MSAL to get tokens for calling a Web API protected by an Azure AD B2C application – and runs largely as is on iOS, Android and UWP (desktop Windows and Windows Mobile).

Are you excited yet? We are!

ADAL .NET 3.0 is about to GA

Now, I hope that all this talk about MSAL didn’t make you think that we are abandoning ADAL – we aren’t!

ADAL is and remains the main means you have to work with the original Azure AD and with ADFS, which aren’t supported by MSAL. If you need a token for a service that today accepts only tokens from the original Azure AD, such as the Azure Resource Manager (ARM) API, you’ll want to keep using ADAL.

Not only is ADAL fully supported: we are about to release ADAL .NET v3 to general availability! That means that in a few days you’ll be able to use ADAL v3 in production to build apps that work on

  • .NET 4.5 and above (desktop app and web apps)
  • Windows universal apps
  • Windows Store apps (Windows 8 and above)
  • iOS (via Xamarin)
  • Android (via Xamarin)

Note: the ADAL v3 NuGet package supports developing for .NET Core, but that part of the library should not be considered part of the imminent GA release. Once .NET Core itself reaches GA, we will work on updating ADAL accordingly; until then, you should treat any .NET Core related features as preview quality, not eligible for production use.

Our ever vigilant Danny has been updating ALL Azure AD samples that use ADAL to use ADAL v3. We’ll provide all the links to the samples when we will announce GA. Almost there!

How to engage with us at //build/

I am sure those announcements filled you with the intense desire to discuss identity matters with some like-minded expert, or to get your hands dirty with some code. If you happen to be attending //build/, you are in luck! This year the identity team sent a substantial delegation of people, all eager to chat with you, hear your feedback and help you with any questions you might have. There are tons of ways you can engage with us while at the conference.

  • Come to our booth! We are in the expo area, and our station is unmissable – it simply says “identity”, right by the Azure marketplace guys.
  • Check out this great session showcasing the Microsoft Graph:
    • B820 Build Smarter Apps by Connecting to Office Services
  • Get your hands dirty with
    • L720 Office 365 Development 1: Mobile Development and the Microsoft Graph
    • L721 Office 365 Development 2: Web Development and the Microsoft Graph
    • L726 UWP Development 3: Building Connected Mobile Experiences: Cloud and App to App
    • L729 Web Development 3: Deployment and Azure with ASP.Net Core 1.0
    • AZR01 Use Azure Active Directory B2C to add consumer sign-up & sign-in to your .NET MVC app
  • If you are participating in the hackathon, you’ll find Gerardo Saca and me there to help – we’re all in!

How to engage with us every day of the year

If you are not at //build/, bummer – but don’t worry! You can get in touch with us through the usual channels:

 

As always, we look forward to your feedback!

Best,

Vittorio Bertocci (Twitter: @vibronet – Blog: http://www.cloudidentity.com/)

Principal Program Manager

Microsoft Identity Division