Microsoft Graph API for Windows Azure Active Directory

Shortly before Tech Ed, Microsoft announced their new Graph API for accessing the Windows Azure Active Directory (WAAD). The Windows Azure Active Directory is sometimes referred to as the cloud directory since it is used by Office 365.

The Graph API is a set of RESTful web services that allows you to access the entire identity system that is running in Microsoft's cloud. Optimal IdM has been working with Microsoft under NDA to integrate with, and provide feedback on the API.

Microsoft's Ed Wu did the official unveiling at his Tech Ed session and this is where I also provided a live demonstration of our integration with the Graph API. It should be noted that the API is in preview mode, which is Microsoft speak for public beta. It is also, not quite complete as it currently supports read-only operations. Update capability will be coming shortly, with the final release likely coming in a few months.

As Ed points out in the session, the hope and plan is that all integrations with the cloud directory is performed via this API. The API is particularly interesting as it is a full fidelity interface that will allow anyone (customers/vendors) with an alternative way to provision/de-provision to the cloud other than using their Dirsynch tool. Dirsynch is their Forefront Identity Manager (FIM) product in a locked down configuration. They did have Power shell commandlets, but they did not offer all of the functions that are needed to truly provision/de-provision properly.

For us over here at Optimal IdM, we are particularly keen on leveraging this API for our Office 365 solution. Our VIS for Office 365 solution not only adds additional features and capabilities to Office 365 such as Denial of Service (Dos) detection and prevention, but also completely eliminates barriers that would have otherwise prevented customers from going to Office 365. A few good examples are multi-forest customers, or customers with a mix of user repositories. Leveraging our virtual directory, the synchronization components as well as the Federation components do not have to deal with any of the "ick". As soon as the full API is available, our VIS for Office 365 solution will use the API to manage all of the data in the cloud, without the need for Dirsynch.

In the demo, I showed how we created a new adapter for VIS, that uses the new API. So while new applications can leverage the new RESTful API, we can allow any standard LDAP application to read/write to the cloud directory. That is pretty cool for all of those legacy applications! Keep in mind that this is not just Office 365 but also Azure as a whole. So if you are writing a new app check out and use the API, but if you want to hook up your existing LDAP application (whatever it may be), then leverage our VIS solution.

In case you missed it at TechEd, check out the video here on Channel 9

For any of you Microsoft folks, we are presenting this at the upcoming Microsoft internal event TechReady, so find the session and come see for yourself.