One year since “Modern Authentication with Azure Active Directory for Web Applications” came out

About one year ago, I was all excited to finally hold in my hands the thing that swallowed most of the weekends and vacation days of 2015: a paper copy of my latest book, “Modern Authentication with Azure Active Directory for web Applications”. And I just realized I never wrote an “announcement” post, so here it is!

What is the book about, and why I wrote it

The TL;DR is that I wanted to fill a gap in the Azure AD content. Most of our docs were either aimed at helping you to quickly accomplish a task, without worrying too much about the general concepts behind it, or bite-size topic focusing on a individual topics. We had nothing meant to help a motivated developer to become an expert in the use of Azure AD, regardless of how much or how little he or she knew about identity already. So I wrote a book about it

Things worked out pretty well; lots of people claim that the book helped them, which is really the best reward an author can hope for. Icing on the cake, my bosses liked it – to the point that they got a paper copy for each and everyone in our team (that’s several hundreds people), and it is now part of the new hire package (BTW, did you know we are hiring? hit me if you are interested!).

Want more details? Here there’s the introduction, pasted verbatim from the book’s manuscript.

Introduction

It’s never a good idea to use the word “modern” in the title of a book.
Growing up, one of the centerpieces of my family’s bookshelf was a 15-tomes-strong encyclopedia titled Nuovissima Enciclopedia (Very new encyclopedia), and I always had a hard time reconciling the title with the fact that it was 10 years older than me.
I guarantee that the content in this book will get old faster than those old volumes—cloud and development technologies evolve at a crazy pace—and yet I could not resist referring to the main subject of the book as “modern authentication.”
The practices and technologies used to take care of authentication in business solutions have changed radically nearly overnight, by a perfect storm of companies moving their assets to the cloud, software vendors starting to sell their products via subscriptions, the explosive growth of social networks with the nascent awareness of consumers of their own digital identity, ubiquitous APIs offering programmatic access to everything, and the astonishing adoption rate of Internet-connected smartphones.
“Modern authentication” is a catch-all term meant to capture how today’s practices address challenges differently from their recent ancestors: JSON instead of XML, REST instead of SOAP, user consent and individual freedom alongside traditional admin-only processes, an emphasis on APIs and delegated access, explicit representation of clients, and so on. And if it is true that those practices will eventually stop appearing to be new—they are already mainstream at this point—the break with traditional approaches is so significant that I feel it’s important to signal it with a strong title, even if your kids make fun of it a few years from now.
As the landscape evolves, Active Directory evolves with it. When Microsoft itself introduced one of the most important SaaS products on the planet, Office 365, it felt firsthand how cloud-based workloads call for new ways of managing user access and application portfolios. To confront that challenge Microsoft developed Azure Active Directory (Azure AD), a reimagined Active Directory that takes advantage of all the new protocols, artifacts, and practices that I’ve grouped under the modern authentication umbrella. Once it was clear that Azure AD was a Good Thing, it went on to become the main authentication service for all of Microsoft’s cloud services, including Intune, Power BI, and Azure itself. But the real raison d’etre of this book is that Microsoft opened Azure AD to every developer and organization so that it could be used for obtaining tokens to invoke Microsoft APIs and to handle authentication for your own web applications and web APIs.

Modern Authentication with Azure Active Directory for Web Applications is an in-depth exploration of modern authentication protocols and techniques used to implement sign-on for web applications and to protect web API calls. Although the protocols and pattern descriptions are applicable to any platform, my focus is on how Azure AD, the latest version of Active Directory Federation Services (ADFS), and the OpenID Connect and OAuth2 components in ASP.NET implement those approaches to handle authentication in real applications.
The text is meant to help you achieve expert-level understanding of the protocols and technologies involved in implementing modern authentication for a web app. Substantial space is reserved for architectural pattern descriptions, protocol considerations, and other abstract concerns that are necessary for correctly contextualizing the more hands-on advice that follows.
Most of the practical content in this book is about cloud and hybrid scenarios addressed via Azure AD. At the time of writing, the version of ADFS supporting modern authentication for web apps is still in technical preview; however, on-premises-only scenarios are covered whenever the relevant features are already available in the preview.

Who should read this book

I wrote this book to fill a void of expert-level content for modern authentication, Azure AD, and ADFS. Microsoft offers great online quick starts, samples, and reference documentation—check out http://aka.ms/aaddev—that are perfect for helping you fulfil the most common tasks as easily as possible. That content covers many scenarios and addresses the needs of the vast majority of developers, who can be extremely successful with their apps without ever knowing what actually goes on the wire, or why. I like to think of that level of operation as the automatic mode for handheld and smartphone cameras—their defaults work great for nearly everybody, nearly all the time. But what happens if you want to take a picture of a lunar eclipse or any other challenging subject? That’s when the point-and-click facade is no longer sufficient and knowing about aperture and exposure times becomes important. You can think of this book as a handbook for when you want to switch from automatic to manual settings. Doing so is useful for developers who work on solutions for which authentication requirements depart from the norm and for the devops who run such solutions.
Developers who worked with Windows Identity Foundation will find the text useful for transferring their skills to the new platform, and they’ll pick up some new tricks along the way. The coverage of how the OWIN middleware works is deeper than anything I’ve found on the Internet at this time: if you are interested in an in-depth case study of ASP.NET’s Katana libraries, you’ll find one here.
This book also comes in handy for security experts coming from a classic background and looking to understand modern protocols and approaches to authentication—the principles and protocols I describe can be applied well beyond Active Directory and ASP.NET. Security architects considering Azure AD for their solutions can use this book to understand how Azure AD operates. Protocol experts who want to understand how Azure AD and ADFS use OpenID Connect and OAuth2 will find plenty to mull over as well.

Assumptions

This book is for senior professionals well versed in development, distributed architectures, and web-based solutions. You need to be familiar with HTTP trappings and have at least a basic understanding of networking concepts. All sample code is presented in C#, and all walk-throughs are based on Visual Studio. Azure AD and ADFS can be made use of from any programming stack and operating system; however, if you don’t understand C# syntax and basic constructs (LINQ, etc.), it will be difficult for you to apply the coding advice in this book to your platform of choice. For good background, I’d recommend John Sharp’s Microsoft Visual C# Step by Step, Eighth Edition (Microsoft Press, 2015).
Above all, this book assumes that you are strongly motivated to become an expert in modern authentication techniques and Azure AD development. The text does not take any shortcuts: you should not expect a light read; most chapters require significant focus and time investment.

This book might not be for you if…

This book might not be for you if you just want to learn how to use Azure AD or ADFS for common development tasks. You don’t have to buy a book for that: the documentation and the samples available at http://aka.ms/aaddev will get you up and running in no time, thanks to crisp step-by-step instructions. If there are tasks you’d like to see covered by the Azure AD docs, please use the feedback tools provided at that address: the Azure AD team is always looking for feedback for improving its documentation.
This book is also not especially good as a lookup reference. The text covers a lot of ground, including information that isn’t included in the documentation at this time, but the information is unveiled progressively, building on the reader’s growing understanding of the topic. The book is optimized as a long lesson, not for looking things up.
Finally, this book won’t be of much help if you are developing mobile, native, and rich-client applications. I originally intended to cover those types of applications, too, but the size of the book would have nearly doubled, so I had to cut them from this edition.

Organization of this book

This book is meant to be read cover to cover. That’s not what most people like to do, I know: bite-size and independent modules is the way to go today. I believe there are media more conducive to that approach, like video courses or the online documentation at http://aka.ms/aaddev. I chose to write a book because to achieve my goal—helping you understand modern authentication principles and how to take advantage of them with Azure AD—I cannot feed you only factlets and recipes. I have to present you with a significant amount of information, highlight relationships and implications for you, and then often ask you to tuck that knowledge away for a chapter or two before you actually end up using it. That’s where I believe a book can still deliver value: by giving me the chance to hold your attention for a significant amount of time, I can afford a depth and breadth that I cannot achieve in a blog post. (By the way, did I mention that I do blog a lot as well? See www.cloudidentity.com and www.twitter.com/vibronet.)
If this book has a natural fault line in its organization, it lies between the first four chapters and the last six. The first group provides context, and the later chapters dive deeply into the protocols, code, libraries, and features of Active Directory. Here’s a quick description of each chapter’s focus:
■■
Chapter 1, “Your first Active Directory app,” is a soft introduction to the topic, giving you a brief glimpse of what you can achieve with Azure AD. It mostly provides instructions on how to use Visual Studio tools to create a web app that’s integrated with Azure AD. Instant gratification.
■■
Chapter 2, “Identity protocols and application types,” is a detailed history of identity protocols. It introduces terminology, topologies, and relationships between standards and helps you understand how modern authentication
came to be and why identity is managed the way it is today.

Chapter 3, “Introducing Azure Active Directory and Active Directory Federation Services,” presents basic concepts, terminology, and a list of developer-relevant features for Azure AD and ADFS. The hands-on chapters (Chapters 6-10) provide detailed descriptions of the features of both services that come into play in the scenarios of interest for the book.
■■
Chapter 4, “Introducing the identity developer libraries,” covers basic concepts, terminology, and the features of the Active Directory Authentication Library (ADAL) and ASP.NET OWIN middleware.
■■
Chapter 5, “Getting started with web sign-on and Active Directory,” provides a walk-through of how to create from scratch a web app that can sign in with Azure AD. Starting with the vanilla MVC templates, you learn about the NuGets packages you need to add, what app provisioning steps you need to follow in the Azure portal, and what code you need to write to perform key authentication tasks.
■■
Chapter 6, “OpenID Connect and Azure AD web sign-on,” provides a very detailed description of OpenID Connect and related standards, grounded on network traces of the actual traffic generated by the sample app. This is a very practical way of understanding the underlying protocol and why it operates the way it does. The descriptions of the constellation of ancillary specifications for OpenID Connect and OAuth2 will help you to navigate this rather crowded space, even if you are not planning to use Azure AD at the moment.
■■
Chapter 7, “The OWIN OpenID Connect middleware,” is a detailed analysis of how the authentication pipeline in ASP.NET works—with an emphasis on the OpenID Connect middleware, its extensibility points, and what scenarios these are meant to address.
■■
Chapter 8, “Azure Active Directory application model,” is a deep dive into the Azure AD application model: how Azure AD represents apps and handles consent, and how it deals with app provisioning, multitenancy, app roles, groups, app permissions, and the like.
■■
Chapter 9, “Consuming and exposing a web API protected by Azure Active Directory,” does for web APIs what Chapters 6 and 7 do for web apps—it explains the protocol flows used by web apps for gaining access to a protected API and describes how to use ADAL and the OAuth2 middleware for securely invoking and protecting a web API. This chapter also briefly introduces the Directory Graph API and discusses advanced scenarios such as exposing and securing both the user experience and an API from the same web project

.■■

Chapter 10, “Active Directory Federation Services in Windows Server 2016 Technical Preview 3,” discusses the new modern authentication features in ADFS, showing how to adapt web sign-on, web API invocation, and code protection covered in the earlier chapters to on-premises-only scenarios.
■■
The appendix, “Further reading,” provides you with pointers to online content describing ancillary topics and offerings that are still too new to be fully fleshed out in the book but are interesting and relevant to the subject of modern authentication.

Free chapters

As it is tradition for Microsoft Press titles, we put out two sample chapters that can be freely downloaded or read online.

I chose the chapter on the Azure AD app model and the deep dive on the OpenId Connect middleware – I thought those were the topics that could benefit the most from a deep, comprehensive coverage and that also happened to be mostly absent from our reference docs at the time.

Japanese translation

There’s an excellent Japanese version of the book, available here – courtesy of the excellent translation efforts of mr. @junichia and mr. @phr_eidentity. I can’t tell you how happy I was to get my hands on it, and how honored I am that they decided the text was worth their work – such a proud moment

What changed in a year

Despite my boundless love for paper books, I have to acknowledge that they have shortcomings: for example, it’s pretty hard to update them as their content slides in obsolescence so, what changed since the book came out of the printers?

• Azure AD showed up in the new portal. I knew that it was coming, hence I avoided placing portal screenshots in the text. I do have some textual instructions, but unless you are a screenscraping script you should be able to map the instructions to the new portal UX. If enough people will have a hard time, I will blog an “errata” to update things accordingly
• ADFS shipped! The text was referring to TP3 – there are some differences in the RTM version, but again, the instructions should still largely work if applied with a  grain of salt

Thanks

I did have some fun writing the book, and I believe it surfaces in its pages; however it was also SO MUCH work, and a pretty crazy time commitment. I was lucky to have the help of amazing people, which are mostly listed in the acknowledgement section of the book.
I am very happy about how the book is doing – it appears to be achieving the goals I had in mind when I wrote it, which is fantastic.
If you are among the people who already read it – thanks! Please know that I treasure any thought you might have about it, and I am glad to provide any clarification you need.
If you didn’t read the book and you are interested in developing on Azure AD: before spending any money on it, check out https://aka.ms/aaddev – almost certainly, you’ll find what you need readily available there. And if you do end up picking up the book, please let me now what think about it!