SlideShare a Scribd company logo

Mastering Modern Authentication and Authorization for SharePoint and Office Applications

Download as POTX, PDF
Eric Shupps
Eric Shupps

In the cloud-first era, application development for SharePoint, Office 365 and Azure AD requires strong working knowledge of modern authentication and authorization techniques across multiple platforms. In this deep-dive session, developers will learn how to create secure, cloud-ready applications using OAuth, ADAL, and Azure AD to communicate with the Microsoft Graph, SharePoint, and other cloud-connected services.

Technology
1 of 30
Eric Shupps Office Servers & Services MVP @eshupps sharepointcowboy slideshare.net/eshupps linkedin.com/in/eshupps github.com/eshupps
Agenda Introduction Authentication Authorization Permissions
Introduction
Full Trust SSO* NTLM/FBA Inherited Add-Ins MSO OAuth Explicit SPFx MSO OAuth Inherited Azure SSO OAuth Multi-Tenant
User authentication on-premises and in the cloud Managing identities across different application types Obtaining, storing and processing authorization tokens Traversing applications within a single tenant context Deploying applications to multiple tenants Supporting mobile devices and apps
Authentication
Wide range of supported authentication types Distributed identity management Instance-based consent framework Multiple contexts
Inherits authentication type from parent Centralized identity management (out of scope) Instance-based consent framework Inherited context
Single sign on across all cloud applications Centralized API-accessible identity management User or tenant consent framework (with optional group assignment) Explicit context per endpoint
Authorization
Open standard for app integration and authorization Authentication independent Token-based scheme for enforcement of explicit trust relationships Permission scopes (grants) define access boundaries Explicit or inherited authorization context
Authorization Endpoint Application Registration User/Admin Consent Authorization Code Access Token Refresh Token User App Provider User requests access App requests Request Token Provider returns Request Token App builds auth link w/ Request Token User requests URL + Request Token Provider returns access token User requests URL + Access Token App validates access token Access token validated User granted access 1 2 3 Reference: https://oauth.net/2/
Authorization Exchange authorization codes for access tokens Refresh tokens enable long-lived sessions Designed for native clients and server- side API’s Client Credential Requires app authorization consent from administrator Shared secrets or certificates used to request tokens Designed for service apps and server-to- server scenarios Implicit Retrieve access tokens directly from single endpoint No refresh tokens (local session management only) Designed for SPA's (requires manifest modification)
Use authorization/request tokens to obtain short-lived access tokens Include access tokens in resource calls Store refresh tokens to obtain new access tokens upon expiration Track tokens by tenant (multi-tenant), app or user Force token expiration to prompt authentication Utilize client secret only in confidential client apps
Property Policy String Affects Default Minimum Maximum Access Token Lifetime AccessTokenLifetime Access tokens, ID tokens, SAML 2 tokens 1 hour 10 minutes 1 day Refresh Token Max Inactive Time MaxInactiveTime Refresh tokens 90 days 10 minutes 90 days Single-Factor Refresh Token Max Age MaxAgeSingleFactor Refresh tokens (for any users) Until revoked 10 minutes Until revoked Multi-Factor Refresh Token Max Age MaxAgeMultiFactor Refresh tokens (for any users) Until revoked 10 minutes Until revoked Single-Factor Session Token Max Age MaxAgeSessionSingle Factor Session tokens (persistent and non- persistent) Until revoked 10 minutes Until revoked Multi-Factor Session Token Max Age MaxAgeSessionMulti Factor Session tokens (persistent and non- persistent) Until revoked 10 minutes Until revoked Reference: http://bit.ly/2IUuJNo
ADAL.js* AadHttpClient & MSGraphClient Manage permissions in Azure portal via SharePoint Online Client Extensibility app Include scope requests in manifest Tenant-wide admin consent Manageable via O365 admin center BEWARE THE SINGLETON! https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient Reference: http://bit.ly/2wTQok5
Register app in Azure Configure redirect URI Configure manifest with oauth2AllowImplicitFlow = true Assign permission grant Use ADAL.js for authorization Leverage the Authenticator for SSO across applications Reference: http://bit.ly/2rTEzW1
Permissions
Scope URI Available Rights http://sharepoint/content/tenant Read, Write, Manage, FullControl http://sharepoint/content/sitecollection Read, Write, Manage, FullControl http://sharepoint/content/sitecollection/web Read, Write, Manage, FullControl http://sharepoint/content/sitecollection/web/l ist Read, Write, Manage, FullControl http://sharepoint/bcs/connection Read http://sharepoint/search QueryAsUserIgnoreAppPrincipal http://sharepoint/social/tenant Read, Write, Manage, FullControl http://sharepoint/social/core Read, Write, Manage, FullControl http://sharepoint/social/microfeed Read, Write, Manage, FullControl http://sharepoint/taxonomy Read,Write Reference: http://bit.ly/2wW4lOr
Graph Azure AD TENANT SCOPED DOES NOT Reference: http://bit.ly/2IUcqId PS C:> Enable-SPOTenantServicePrincipal
Types Application Delegated Administrative Level Minimum: “Sign in and read user profile” Beware permission level restrictions for consent Resources Exchange Yammer Azure AD SharePoint Online Power BI Azure Management O365 Management Skype Reference: http://bit.ly/2rV8FII
https://www.slideshare.net/eshupps https://www.github.com/eshupps
Mastering Modern Authentication and Authorization for SharePoint and Office Applications

Recommended

Saml sso by Tamil on nullblrmeet 21st July 2015
Saml sso by Tamil on nullblrmeet 21st July 2015Saml sso by Tamil on nullblrmeet 21st July 2015
Saml sso by Tamil on nullblrmeet 21st July 2015n|u - The Open Security Community
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security IntroductionMindfire Solutions
 
Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAMLClément OUDOT
 
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleRMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleClément OUDOT
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML Programming Talents
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoatZakaria SMAHI
 

Recommended

Saml sso by Tamil on nullblrmeet 21st July 2015
Saml sso by Tamil on nullblrmeet 21st July 2015Saml sso by Tamil on nullblrmeet 21st July 2015
Saml sso by Tamil on nullblrmeet 21st July 2015n|u - The Open Security Community
 
Spring Security Introduction
Spring Security IntroductionSpring Security Introduction
Spring Security IntroductionMindfire Solutions
 
Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAMLClément OUDOT
 
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleRMLL 2013 - The SAML Protocol: Single Sign On for skilled people
RMLL 2013 - The SAML Protocol: Single Sign On for skilled peopleClément OUDOT
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML Programming Talents
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoatZakaria SMAHI
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityJoris Kuipers
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
Spring Security
Spring SecuritySpring Security
Spring SecurityManish Sharma
 
Access Management for Cloud and Mobile
Access Management for Cloud and MobileAccess Management for Cloud and Mobile
Access Management for Cloud and MobileForgeRock
 
Certificate pinning v certificate transparency
Certificate pinning v certificate transparencyCertificate pinning v certificate transparency
Certificate pinning v certificate transparencyDianaKhersonskaia
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Iam f42 a
Iam f42 aIam f42 a
Iam f42 aSelectedPresentations
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
Introduction to Azure Web Applications
Introduction to Azure Web ApplicationsIntroduction to Azure Web Applications
Introduction to Azure Web ApplicationsJoAnna Cheshire
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
Saml v2-OpenAM
Saml v2-OpenAMSaml v2-OpenAM
Saml v2-OpenAMPascal Flamand
 
Security of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To AvoidSecurity of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To Avoidslicklash
 
Dragonwaf
DragonwafDragonwaf
Dragonwafbeckygill
 
Mastering Modern Authentication and Authorization Techniques for SharePoint, ...
Mastering Modern Authentication and Authorization Techniques for SharePoint, ...Mastering Modern Authentication and Authorization Techniques for SharePoint, ...
Mastering Modern Authentication and Authorization Techniques for SharePoint, ...Eric Shupps
 
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...European Collaboration Summit
 
ECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web ApplicationsECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web ApplicationsEric Shupps
 
SPUnite17 Introduction to Azure Web Applications
SPUnite17 Introduction to Azure Web ApplicationsSPUnite17 Introduction to Azure Web Applications
SPUnite17 Introduction to Azure Web ApplicationsNCCOMMS
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
Security Avalanche
Security AvalancheSecurity Avalanche
Security AvalancheMichele Leroux Bustamante
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsShrivatsa Upadhye
 
Enable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointEnable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointCA API Management
 

More Related Content

What's hot

Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityJoris Kuipers
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
Access Management for Cloud and Mobile
Access Management for Cloud and MobileAccess Management for Cloud and Mobile
Access Management for Cloud and MobileForgeRock
 
Certificate pinning v certificate transparency
Certificate pinning v certificate transparencyCertificate pinning v certificate transparency
Certificate pinning v certificate transparencyDianaKhersonskaia
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
Introduction to Azure Web Applications
Introduction to Azure Web ApplicationsIntroduction to Azure Web Applications
Introduction to Azure Web ApplicationsJoAnna Cheshire
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthMike Schwartz
 
Security of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To AvoidSecurity of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To Avoidslicklash
 

What's hot (14)

Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring Security
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Access Management for Cloud and Mobile
Access Management for Cloud and MobileAccess Management for Cloud and Mobile
Access Management for Cloud and Mobile
 
Certificate pinning v certificate transparency
Certificate pinning v certificate transparencyCertificate pinning v certificate transparency
Certificate pinning v certificate transparency
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Iam f42 a
Iam f42 aIam f42 a
Iam f42 a
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptal
 
Introduction to Azure Web Applications
Introduction to Azure Web ApplicationsIntroduction to Azure Web Applications
Introduction to Azure Web Applications
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
 
Saml v2-OpenAM
Saml v2-OpenAMSaml v2-OpenAM
Saml v2-OpenAM
 
Security of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To AvoidSecurity of Web Applications: Top 6 Risks To Avoid
Security of Web Applications: Top 6 Risks To Avoid
 
Dragonwaf
DragonwafDragonwaf
Dragonwaf
 

Similar to Mastering Modern Authentication and Authorization for SharePoint and Office Applications

Mastering Modern Authentication and Authorization Techniques for SharePoint, ...
Mastering Modern Authentication and Authorization Techniques for SharePoint, ...Mastering Modern Authentication and Authorization Techniques for SharePoint, ...
Mastering Modern Authentication and Authorization Techniques for SharePoint, ...Eric Shupps
 
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...European Collaboration Summit
 
ECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web ApplicationsECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web ApplicationsEric Shupps
 
SPUnite17 Introduction to Azure Web Applications
SPUnite17 Introduction to Azure Web ApplicationsSPUnite17 Introduction to Azure Web Applications
SPUnite17 Introduction to Azure Web ApplicationsNCCOMMS
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsShrivatsa Upadhye
 
Enable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointEnable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointCA API Management
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 
Creating Cloud-Ready Enterprise Applications with the SharePoint 2013 Add-In ...
Creating Cloud-Ready Enterprise Applications with the SharePoint 2013 Add-In ...Creating Cloud-Ready Enterprise Applications with the SharePoint 2013 Add-In ...
Creating Cloud-Ready Enterprise Applications with the SharePoint 2013 Add-In ...Eric Shupps
 
Creating cloud ready enterprise applications with the sharepoint 2013 app model
Creating cloud ready enterprise applications with the sharepoint 2013 app modelCreating cloud ready enterprise applications with the sharepoint 2013 app model
Creating cloud ready enterprise applications with the sharepoint 2013 app modelInnoTech
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...Information Security Awareness Group
 
Integration step up session
Integration step up sessionIntegration step up session
Integration step up sessionAmit Behere
 

Similar to Mastering Modern Authentication and Authorization for SharePoint and Office Applications (20)

Mastering Modern Authentication and Authorization Techniques for SharePoint, ...
Mastering Modern Authentication and Authorization Techniques for SharePoint, ...Mastering Modern Authentication and Authorization Techniques for SharePoint, ...
Mastering Modern Authentication and Authorization Techniques for SharePoint, ...
 
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...
[Shupps] Introduction to Azure Web Applications for Office and SharePoint Dev...
 
ECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web ApplicationsECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web Applications
 
SPUnite17 Introduction to Azure Web Applications
SPUnite17 Introduction to Azure Web ApplicationsSPUnite17 Introduction to Azure Web Applications
SPUnite17 Introduction to Azure Web Applications
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
Security Avalanche
Security AvalancheSecurity Avalanche
Security Avalanche
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern Apps
 
Enable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePointEnable Secure Mobile & Web Access to Microsoft SharePoint
Enable Secure Mobile & Web Access to Microsoft SharePoint
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Jenkins Terraform Vault
Jenkins Terraform VaultJenkins Terraform Vault
Jenkins Terraform Vault
 
Creating Cloud-Ready Enterprise Applications with the SharePoint 2013 Add-In ...
Creating Cloud-Ready Enterprise Applications with the SharePoint 2013 Add-In ...Creating Cloud-Ready Enterprise Applications with the SharePoint 2013 Add-In ...
Creating Cloud-Ready Enterprise Applications with the SharePoint 2013 Add-In ...
 
Creating cloud ready enterprise applications with the sharepoint 2013 app model
Creating cloud ready enterprise applications with the sharepoint 2013 app modelCreating cloud ready enterprise applications with the sharepoint 2013 app model
Creating cloud ready enterprise applications with the sharepoint 2013 app model
 
Api security
Api security Api security
Api security
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
Multi tenancy for docker
Multi tenancy for dockerMulti tenancy for docker
Multi tenancy for docker
 
Multi tenancy for docker
Multi tenancy for dockerMulti tenancy for docker
Multi tenancy for docker
 
Multi tenancy for docker
Multi tenancy for dockerMulti tenancy for docker
Multi tenancy for docker
 
Integration step up session
Integration step up sessionIntegration step up session
Integration step up session
 
OpenSSO Tech Overview Aquarium
OpenSSO Tech Overview AquariumOpenSSO Tech Overview Aquarium
OpenSSO Tech Overview Aquarium
 

More from Eric Shupps

Microsoft Ignite 2022 - Scaling, Securing, Managing, and Publishing Power Pla...
Microsoft Ignite 2022 - Scaling, Securing, Managing, and Publishing Power Pla...Microsoft Ignite 2022 - Scaling, Securing, Managing, and Publishing Power Pla...
Microsoft Ignite 2022 - Scaling, Securing, Managing, and Publishing Power Pla...Eric Shupps
 
Scaling, Securing, Managing, and Publishing Power Platform Custom Connectors....
Scaling, Securing, Managing, and Publishing Power Platform Custom Connectors....Scaling, Securing, Managing, and Publishing Power Platform Custom Connectors....
Scaling, Securing, Managing, and Publishing Power Platform Custom Connectors....Eric Shupps
 
A Beginners Guide to Custom Connectors for Power Apps and Power Automate
A Beginners Guide to Custom Connectors for Power Apps and Power AutomateA Beginners Guide to Custom Connectors for Power Apps and Power Automate
A Beginners Guide to Custom Connectors for Power Apps and Power AutomateEric Shupps
 
App to AppExchange - A Journey from Idea to Market for Salesforce Developers
App to AppExchange - A Journey from Idea to Market for Salesforce DevelopersApp to AppExchange - A Journey from Idea to Market for Salesforce Developers
App to AppExchange - A Journey from Idea to Market for Salesforce DevelopersEric Shupps
 
Beginners Guide to Custom Connectors for Power Apps and Power Automate
Beginners Guide to Custom Connectors for Power Apps and Power AutomateBeginners Guide to Custom Connectors for Power Apps and Power Automate
Beginners Guide to Custom Connectors for Power Apps and Power AutomateEric Shupps
 
OSW06 - A Real World Guide to Building Highly Available Fault Tolerant ShareP...
OSW06 - A Real World Guide to Building Highly Available Fault Tolerant ShareP...OSW06 - A Real World Guide to Building Highly Available Fault Tolerant ShareP...
OSW06 - A Real World Guide to Building Highly Available Fault Tolerant ShareP...Eric Shupps
 
OSH01 - Developing SharePoint Framework Solutions for the Enterprise
OSH01 - Developing SharePoint Framework Solutions for the EnterpriseOSH01 - Developing SharePoint Framework Solutions for the Enterprise
OSH01 - Developing SharePoint Framework Solutions for the EnterpriseEric Shupps
 
Developing SharePoint Framework Solutions for the Enterprise (SPC 2019)
Developing SharePoint Framework Solutions for the Enterprise (SPC 2019)Developing SharePoint Framework Solutions for the Enterprise (SPC 2019)
Developing SharePoint Framework Solutions for the Enterprise (SPC 2019)Eric Shupps
 
Developing SharePoint Framework Solutions for the Enterprise - SEF 2019
Developing SharePoint Framework Solutions for the Enterprise - SEF 2019Developing SharePoint Framework Solutions for the Enterprise - SEF 2019
Developing SharePoint Framework Solutions for the Enterprise - SEF 2019Eric Shupps
 
SharePoint and Office 365 Development Workshop
SharePoint and Office 365 Development WorkshopSharePoint and Office 365 Development Workshop
SharePoint and Office 365 Development WorkshopEric Shupps
 
SharePoint 24x7x365 Architecting for High Availability, Fault Tolerance and D...
SharePoint 24x7x365 Architecting for High Availability, Fault Tolerance and D...SharePoint 24x7x365 Architecting for High Availability, Fault Tolerance and D...
SharePoint 24x7x365 Architecting for High Availability, Fault Tolerance and D...Eric Shupps
 
Overcoming Gender Imbalance in the Technical Field
Overcoming Gender Imbalance in the Technical FieldOvercoming Gender Imbalance in the Technical Field
Overcoming Gender Imbalance in the Technical FieldEric Shupps
 
Enterprise Content Management Solutions in SharePoint and Office 365
Enterprise Content Management Solutions in SharePoint and Office 365Enterprise Content Management Solutions in SharePoint and Office 365
Enterprise Content Management Solutions in SharePoint and Office 365Eric Shupps
 
Introduction to the Office Dev PnP Core Libraries
Introduction to the Office Dev PnP Core LibrariesIntroduction to the Office Dev PnP Core Libraries
Introduction to the Office Dev PnP Core LibrariesEric Shupps
 
SharePoint and Office Development Workshop
SharePoint and Office Development WorkshopSharePoint and Office Development Workshop
SharePoint and Office Development WorkshopEric Shupps
 
From Zero to Hero: A Real World Guide to Building High Availability SharePoin...
From Zero to Hero: A Real World Guide to Building High Availability SharePoin...From Zero to Hero: A Real World Guide to Building High Availability SharePoin...
From Zero to Hero: A Real World Guide to Building High Availability SharePoin...Eric Shupps
 
SharePoint and Office 365 Performance Best Practices
SharePoint and Office 365 Performance Best PracticesSharePoint and Office 365 Performance Best Practices
SharePoint and Office 365 Performance Best PracticesEric Shupps
 
Introduction to Azure Web Applications for Office and SharePoint Developers
Introduction to Azure Web Applications for Office and SharePoint DevelopersIntroduction to Azure Web Applications for Office and SharePoint Developers
Introduction to Azure Web Applications for Office and SharePoint DevelopersEric Shupps
 
Introduction to Azure Web Applications for Office and SharePoint Developers
Introduction to Azure Web Applications for Office and SharePoint DevelopersIntroduction to Azure Web Applications for Office and SharePoint Developers
Introduction to Azure Web Applications for Office and SharePoint DevelopersEric Shupps
 
Rev Your Engines - SharePoint Performance Best Practices
Rev Your Engines - SharePoint Performance Best PracticesRev Your Engines - SharePoint Performance Best Practices
Rev Your Engines - SharePoint Performance Best PracticesEric Shupps
 

More from Eric Shupps (20)

Microsoft Ignite 2022 - Scaling, Securing, Managing, and Publishing Power Pla...
Microsoft Ignite 2022 - Scaling, Securing, Managing, and Publishing Power Pla...Microsoft Ignite 2022 - Scaling, Securing, Managing, and Publishing Power Pla...
Microsoft Ignite 2022 - Scaling, Securing, Managing, and Publishing Power Pla...
 
Scaling, Securing, Managing, and Publishing Power Platform Custom Connectors....
Scaling, Securing, Managing, and Publishing Power Platform Custom Connectors....Scaling, Securing, Managing, and Publishing Power Platform Custom Connectors....
Scaling, Securing, Managing, and Publishing Power Platform Custom Connectors....
 
A Beginners Guide to Custom Connectors for Power Apps and Power Automate
A Beginners Guide to Custom Connectors for Power Apps and Power AutomateA Beginners Guide to Custom Connectors for Power Apps and Power Automate
A Beginners Guide to Custom Connectors for Power Apps and Power Automate
 
App to AppExchange - A Journey from Idea to Market for Salesforce Developers
App to AppExchange - A Journey from Idea to Market for Salesforce DevelopersApp to AppExchange - A Journey from Idea to Market for Salesforce Developers
App to AppExchange - A Journey from Idea to Market for Salesforce Developers
 
Beginners Guide to Custom Connectors for Power Apps and Power Automate
Beginners Guide to Custom Connectors for Power Apps and Power AutomateBeginners Guide to Custom Connectors for Power Apps and Power Automate
Beginners Guide to Custom Connectors for Power Apps and Power Automate
 
OSW06 - A Real World Guide to Building Highly Available Fault Tolerant ShareP...
OSW06 - A Real World Guide to Building Highly Available Fault Tolerant ShareP...OSW06 - A Real World Guide to Building Highly Available Fault Tolerant ShareP...
OSW06 - A Real World Guide to Building Highly Available Fault Tolerant ShareP...
 
OSH01 - Developing SharePoint Framework Solutions for the Enterprise
OSH01 - Developing SharePoint Framework Solutions for the EnterpriseOSH01 - Developing SharePoint Framework Solutions for the Enterprise
OSH01 - Developing SharePoint Framework Solutions for the Enterprise
 
Developing SharePoint Framework Solutions for the Enterprise (SPC 2019)
Developing SharePoint Framework Solutions for the Enterprise (SPC 2019)Developing SharePoint Framework Solutions for the Enterprise (SPC 2019)
Developing SharePoint Framework Solutions for the Enterprise (SPC 2019)
 
Developing SharePoint Framework Solutions for the Enterprise - SEF 2019
Developing SharePoint Framework Solutions for the Enterprise - SEF 2019Developing SharePoint Framework Solutions for the Enterprise - SEF 2019
Developing SharePoint Framework Solutions for the Enterprise - SEF 2019
 
SharePoint and Office 365 Development Workshop
SharePoint and Office 365 Development WorkshopSharePoint and Office 365 Development Workshop
SharePoint and Office 365 Development Workshop
 
SharePoint 24x7x365 Architecting for High Availability, Fault Tolerance and D...
SharePoint 24x7x365 Architecting for High Availability, Fault Tolerance and D...SharePoint 24x7x365 Architecting for High Availability, Fault Tolerance and D...
SharePoint 24x7x365 Architecting for High Availability, Fault Tolerance and D...
 
Overcoming Gender Imbalance in the Technical Field
Overcoming Gender Imbalance in the Technical FieldOvercoming Gender Imbalance in the Technical Field
Overcoming Gender Imbalance in the Technical Field
 
Enterprise Content Management Solutions in SharePoint and Office 365
Enterprise Content Management Solutions in SharePoint and Office 365Enterprise Content Management Solutions in SharePoint and Office 365
Enterprise Content Management Solutions in SharePoint and Office 365
 
Introduction to the Office Dev PnP Core Libraries
Introduction to the Office Dev PnP Core LibrariesIntroduction to the Office Dev PnP Core Libraries
Introduction to the Office Dev PnP Core Libraries
 
SharePoint and Office Development Workshop
SharePoint and Office Development WorkshopSharePoint and Office Development Workshop
SharePoint and Office Development Workshop
 
From Zero to Hero: A Real World Guide to Building High Availability SharePoin...
From Zero to Hero: A Real World Guide to Building High Availability SharePoin...From Zero to Hero: A Real World Guide to Building High Availability SharePoin...
From Zero to Hero: A Real World Guide to Building High Availability SharePoin...
 
SharePoint and Office 365 Performance Best Practices
SharePoint and Office 365 Performance Best PracticesSharePoint and Office 365 Performance Best Practices
SharePoint and Office 365 Performance Best Practices
 
Introduction to Azure Web Applications for Office and SharePoint Developers
Introduction to Azure Web Applications for Office and SharePoint DevelopersIntroduction to Azure Web Applications for Office and SharePoint Developers
Introduction to Azure Web Applications for Office and SharePoint Developers
 
Introduction to Azure Web Applications for Office and SharePoint Developers
Introduction to Azure Web Applications for Office and SharePoint DevelopersIntroduction to Azure Web Applications for Office and SharePoint Developers
Introduction to Azure Web Applications for Office and SharePoint Developers
 
Rev Your Engines - SharePoint Performance Best Practices
Rev Your Engines - SharePoint Performance Best PracticesRev Your Engines - SharePoint Performance Best Practices
Rev Your Engines - SharePoint Performance Best Practices
 

Recently uploaded

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Recently uploaded (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

Mastering Modern Authentication and Authorization for SharePoint and Office Applications

  • 1.
  • 2.
  • 3. Eric Shupps Office Servers & Services MVP @eshupps sharepointcowboy slideshare.net/eshupps linkedin.com/in/eshupps github.com/eshupps
  • 7. User authentication on-premises and in the cloud Managing identities across different application types Obtaining, storing and processing authorization tokens Traversing applications within a single tenant context Deploying applications to multiple tenants Supporting mobile devices and apps
  • 9. Wide range of supported authentication types Distributed identity management Instance-based consent framework Multiple contexts
  • 10. Inherits authentication type from parent Centralized identity management (out of scope) Instance-based consent framework Inherited context
  • 11. Single sign on across all cloud applications Centralized API-accessible identity management User or tenant consent framework (with optional group assignment) Explicit context per endpoint
  • 12.
  • 14. Open standard for app integration and authorization Authentication independent Token-based scheme for enforcement of explicit trust relationships Permission scopes (grants) define access boundaries Explicit or inherited authorization context
  • 15. Authorization Endpoint Application Registration User/Admin Consent Authorization Code Access Token Refresh Token User App Provider User requests access App requests Request Token Provider returns Request Token App builds auth link w/ Request Token User requests URL + Request Token Provider returns access token User requests URL + Access Token App validates access token Access token validated User granted access 1 2 3 Reference: https://oauth.net/2/
  • 16. Authorization Exchange authorization codes for access tokens Refresh tokens enable long-lived sessions Designed for native clients and server- side API’s Client Credential Requires app authorization consent from administrator Shared secrets or certificates used to request tokens Designed for service apps and server-to- server scenarios Implicit Retrieve access tokens directly from single endpoint No refresh tokens (local session management only) Designed for SPA's (requires manifest modification)
  • 17. Use authorization/request tokens to obtain short-lived access tokens Include access tokens in resource calls Store refresh tokens to obtain new access tokens upon expiration Track tokens by tenant (multi-tenant), app or user Force token expiration to prompt authentication Utilize client secret only in confidential client apps
  • 18. Property Policy String Affects Default Minimum Maximum Access Token Lifetime AccessTokenLifetime Access tokens, ID tokens, SAML 2 tokens 1 hour 10 minutes 1 day Refresh Token Max Inactive Time MaxInactiveTime Refresh tokens 90 days 10 minutes 90 days Single-Factor Refresh Token Max Age MaxAgeSingleFactor Refresh tokens (for any users) Until revoked 10 minutes Until revoked Multi-Factor Refresh Token Max Age MaxAgeMultiFactor Refresh tokens (for any users) Until revoked 10 minutes Until revoked Single-Factor Session Token Max Age MaxAgeSessionSingle Factor Session tokens (persistent and non- persistent) Until revoked 10 minutes Until revoked Multi-Factor Session Token Max Age MaxAgeSessionMulti Factor Session tokens (persistent and non- persistent) Until revoked 10 minutes Until revoked Reference: http://bit.ly/2IUuJNo
  • 19.
  • 20. ADAL.js* AadHttpClient & MSGraphClient Manage permissions in Azure portal via SharePoint Online Client Extensibility app Include scope requests in manifest Tenant-wide admin consent Manageable via O365 admin center BEWARE THE SINGLETON! https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient Reference: http://bit.ly/2wTQok5
  • 21. Register app in Azure Configure redirect URI Configure manifest with oauth2AllowImplicitFlow = true Assign permission grant Use ADAL.js for authorization Leverage the Authenticator for SSO across applications Reference: http://bit.ly/2rTEzW1
  • 22.
  • 24. Scope URI Available Rights http://sharepoint/content/tenant Read, Write, Manage, FullControl http://sharepoint/content/sitecollection Read, Write, Manage, FullControl http://sharepoint/content/sitecollection/web Read, Write, Manage, FullControl http://sharepoint/content/sitecollection/web/l ist Read, Write, Manage, FullControl http://sharepoint/bcs/connection Read http://sharepoint/search QueryAsUserIgnoreAppPrincipal http://sharepoint/social/tenant Read, Write, Manage, FullControl http://sharepoint/social/core Read, Write, Manage, FullControl http://sharepoint/social/microfeed Read, Write, Manage, FullControl http://sharepoint/taxonomy Read,Write Reference: http://bit.ly/2wW4lOr
  • 25.
  • 26. Graph Azure AD TENANT SCOPED DOES NOT Reference: http://bit.ly/2IUcqId PS C:> Enable-SPOTenantServicePrincipal
  • 27. Types Application Delegated Administrative Level Minimum: “Sign in and read user profile” Beware permission level restrictions for consent Resources Exchange Yammer Azure AD SharePoint Online Power BI Azure Management O365 Management Skype Reference: http://bit.ly/2rV8FII
  • 28.