OpenID Connect and OAuth 2.0 support in Azure Active Directory has GA’d!

First published on CloudBlogs on Sep, 09 2014
Howdy folks, Today Azure AD reaches an important milestone. I am excited to announce that OpenID Connect and OAuth 2.0 support in Azure Active Directory reached general availability! Industry-standard protocol support is at the very heart of any Identity as a Service solution. We invested a lot of time and energy to ensure we would offer you a world-class experience end to end, from the endpoints performance, manageability and compliance to the usability of our developer libraries. Here there is what we are making available for you today:

• The general availability of our OpenID Connect and OAuth 2.0 support. These protocols provide a rich set of capabilities that will continue to build up to enable an ever increase set of use cases. This release adds:
  • Protocol support for:
    • Signing in to front end web applications
    • Mobile apps securely calling Web APIs
    • AAD authenticated service to service calls
  • Administrators granting consent for all users to use web and mobile applications
  • Individual users can consent to web and mobile applications on their behalf
  • A new JSON configuration document, following the OpenID Connect Discovery specification
  • OpenID Connect session management , providing sign out and the check session endpoint, which allows a highly performant way to check if the current user session active
• Just a few days ago we announced on the ASP.NET team blog the GA of the new components in ASP.NET for supporting claims-based identity . The new programming model makes it super easy to use OpenID Connect with Azure AD from your ASP.NET application    .
• The v2 of our Active Directory Authentication Library (ADAL) for Microsoft platforms . This new version offers numerous improvements over its already successful predecessor:
  • Support in a unified NuGet package for .NET, Windows Store (tablet/pc) and Windows Phone apps
  • Full async programming support
  • Support for new authentication flows, including Windows Integrated auth and direct username/password
  • Many overall improvements ( token cache support on middle tier apps , better control over the experience, etc.)
  • Source code of the library fully available on GitHub , for you to study and contribute if you so choose!

ADAL v2 for the Microsoft platforms follows closely the GA of the 1.0 versions of ADAL for iOS, Android and OSX – announced from this blog in July . Microsoft has been deeply involved in the standards work for both OAuth 2.0 and OpenID Connect . In AAD we take this participation in the standards community seriously and have worked hard to ensure interoperability. We have been very pleased with the results we have seen interoperating with other implementations, this success was an important criteria for declaring general availability. This is an important moment for Azure Active Directory and for the development community. OpenID Connect represents the state of the art in modern authentication protocols, and we are excited to do our part to help fulfil its promises in the world of real applications. You will now be able to leverage OpenID Connect in your production apps to take advantage of all the features that our service provides: Azure AD authentication, Directory Graph API, Office 365 API, Azure API, Intune API and all the resources that customers and partners such as yourself are adding every day to the Azure AD ecosystem. The fact that we reached GA does not mean that we no longer need feedback! As always, we look forward to your feedback and suggestions on what we released today and anything else you'd like us to include in our offering.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons )

Director of PM

Active Directory Team

P.S. If you are an admin and you want to turn off user consent for applications, you can do so using PowerShell. Go here to learn more: http://technet.microsoft.com/en-us/library/dn194127.aspx The switch you want to use is:     - UsersPermissionToUserConsentToAppEnabled <Boolean>         Indicates whether to allow users to consent to apps that require access to their cloud user data, such as directory user profile or Office 365 mail and OneDrive for business.         This setting is applied company-wide. Set to False to disable users' ability to grant consent to applications.           Required?                    false         Position?                    named         Default value                true         Accept pipeline input?       false         Accept wildcard characters?  false