Episode 093: Microsoft Identity for Developers | CloudSkills.fm

In this episode I’m catching up with Christos Matskas and J.P. Dandison, both PM Developer Advocates from the Microsoft Identity team, about building apps with the Microsoft Identity Platform.

In this episode, we talk about…

  • COVID has caused an unexpected acceleration in Microsoft’s clients’ Cloud plans
  • Identity struggles that are being seen in the move to Cloud
  • J.P. and Christos work to assist people from as many industries as possible
  • Microsoft has built a protected identity system so that companies don’t have to
  • Developers need not worry because they know that Azure Active Directory is going to scale
  • Breaking down the disconnect for what B2C really is
  • .NET Core has a brand new library that has plenty of exciting features
  • Microsoft is increasing live streaming to developers for identity challenges and beyond
  • Microsoft is actually the largest security company in the world

Resources from this episode:

Don’t forget to subscribe to our mailing list at cloudskills.io/subscribe for weekly updates, exclusive training, and advice on how to amplify your career.

Full Transcript:

Mike Pfeiffer:
All right, Christos and J.P. How you guys doing, man?

Christos Matskas:
We’re good.

J.P. Dandison:
We’re good.

Christos Matskas:
Really good.

Mike Pfeiffer:
Yeah, I’m excited to have you guys on. Yeah, I appreciate you guys being here. It’s a Friday, I know we’re all trying to get out for the weekend, but we got an important conversation to have because security’s paramount. I know you guys are super busy. You guys are moving fast over there at Microsoft. So, really appreciate you taking the time out.

Christos Matskas:
It’s our pleasure to be here and thanks for having us. It is indeed a space where things are moving super fast. We’re trying to catch up. That’s our game here, trying to catch up and educate people about Microsoft’s Identity and what we do.

Mike Pfeiffer:
Cool. So, maybe you could share what you guys have been working on with the listeners. So, we know your background, what you’re doing on the team, but what’s life been like for the last few months for you guys?

J.P. Dandison:
COVID was a big change. It caused a lot of our customers to take their three-year Cloud plans and make them three months, right? Their entire workforce is work from home now. So, that’s caused a real acceleration, and how do I make sure my people who are working from home can access everything they need to securely, from home, from their own devices, from a corporate-owned device? It’s been a huge shift. We’re all working from home now. Granted, I live in North Carolina so I work from home all the time since my whole team is West Coast. But, it’s been a big shift and a lot of our customers, I think, were, I don’t want to say blindsided because that’s probably not very nice, but it was completely unexpected, right, that suddenly we’re all going to be home for an indefinite period of time and how do you keep businesses running, when that happens?

Christos Matskas:
It’s been crazy. But, we also saw a huge shift in the way that we work in dev advocacy, or dev relations, or whatever they call it these days. I don’t know what the politically correct term is. But, our goal is to reach out to developers. In the good old days, it was user groups and conferences, and you would travel to places and speak to developers and sometimes go to customer sites. This doesn’t happen anymore. So, we had to change gear and we switched to an all-online mode as well. So, for us, these days it’s about Twitch and working with the communities. So, blogging and telling our stories and trying to make people successful. It’s been transformational for us as well, for sure.

Mike Pfeiffer:
Definitely an interesting time. I’ve been a big fan of what you guys have been working on. Before we hit record, we were talking about the complexity of Identity, and security and dealing with that. It can be one of those things where I’ve experienced this where you’re in a workshop trying to teach people and it’s almost deer in the headlights, because it’s pretty complex, right. I know you guys are doing a lot of work to help people with that and I’m excited to have you on the show to hopefully break it down because most of our people listening are moving to Azure, but not all the way in yet, in a lot of cases. So, what do you guys see out there in the community that’s a little bit of a struggle for people to grasp these concepts?

J.P. Dandison:
So, I’ve been doing Identity work for almost a decade and Azure work for almost a decade, and helped move a lot of companies to Cloud in general via AWS or Azure. Identity is such a foundational part of what we do. If we don’t know who you are, then I can’t show you the right rows in a database, I can’t prevent you from accessing certain parts of my network and everything else. Identity, when you’re on premises and you’re inside of the moat, when you’re in your castle at work, it’s in some ways, especially if you’re a Windows or a .NET shop, it’s a given, you’ve got Active Directory or some other directory service and you sign into Windows with an account and it just magically works, right. All the stuff happens.

J.P. Dandison:
A lot of that work was done by your system administrators or your IT Ops folks, but if you’re a developer, you just never really had to deal with it much on your own. When we look into moving to Cloud, we’re moving to these untrusted areas. We’re moving to a place where you don’t control the machines, for example, or you’re using a higher level service like AWS Elastic Beanstalk, or Azure App Service or one of these platform-as-a-service offerings where the idea that we could trust the machines is gone.

J.P. Dandison:
So, now we’re asking developers to say, hey, you need to go and understand all this Identity stuff, all these protocols and terms and flows, and a lot of people have just never had to worry about it. Then, the Identity community as a whole, it’s very welcoming and, of course, we certainly feel like it’s welcoming, but there’s a whole lot of esoteric language and vocabulary and a long history that makes it… It’s almost like a whole new world of development skills and of terminology to learn and it’s incredibly intimidating, I think, to anyone who’s new, because they’ve already got everything else they’ve got to worry about of, I’ve got to figure out what an ORM is and I’ve got to figure out which front-end to use for this, and how do I access my API, and how do I do all these things, and now I’ve got to go learn this whole massive Identity piece, and I don’t want to be an expert in Identity, I just want it to work. I’ve got 50 things on my list right now, to get my app out the door and I don’t want to spend twice as long making Identity work as I am making the rest of the app work. Right?

Mike Pfeiffer:
You’re definitely speaking to me, man, because that’s my biggest thing. It’s so easy to go build a web app now with ASP.NET Core or something, but when I get into the security side, I’m, “Oh, now I’ve got to figure this out.”

J.P. Dandison:
Oh, yeah.

Mike Pfeiffer:
So, you already got my interest, for sure.

Christos Matskas:
This is where we see people going, “Oh, this is too hard. I’m going to stick usernames and passwords in a database, why should I care about it?” Then suddenly, your company makes it into the news the next week or a few months down the line, because you haven’t done it right. So, we want to eliminate that kind of fear. I want to eliminate that exclusive knowledge that you need to acquire and want to make it super easy when it comes to working with our platform on Identity. To make it seamless, you add one library, you add a couple of lines of code, you don’t have to understand what tokens you’re using or what’s happening. It’s nicely encapsulated behind you, but you still know that if you add these few lines of code, then it will authenticate the user and store the information in the cache or token, and then move on, right, quickly, to the next task. That’s the goal. That’s the happy path for us if we can achieve that.

J.P. Dandison:
We’ve talked to people in the JavaScript community, because part of Christos’ and my role at Microsoft is to make sure that we represent as many communities as possible. So, not just a traditional Microsoft developer who’s using Windows and .NET and Visual Studio, but someone who’s building an app in JavaScript or building a totally front-end app in React or Angular or something and they’re hosting it on Linux in a container that runs in DigitalOcean. We want to talk to everybody because, of course, Identity’s such a fundamental part.

J.P. Dandison:
But, we talked to some JavaScript advocacy people who were big in the community and we asked them, we said, “What’s your community’s demand for authentication and Identity-related topics?” They said, “There’s a lot of demand, but we tend to just ignore it because we just can’t answer the questions.” It’s a little heartbreaking for me, to be honest, because I know how much I’ve struggled over the years to learn all this sort of stuff and I know how frustrating it can be. It’s just complex. Nobody’s really focused really heavily on the developer experience until just the last couple of years. So, I think there’s lots of good stuff to come and we’re certainly making strides in the right direction. But, as an industry, the Identity industry itself, it’s just a whole new world.

Christos Matskas:
Yeah. To add on top of that, I think the mistake that we’ve been making up until this point is trying to educate by dumping everything onto developers, like, talking about everything. What is OAuth2, what is OpenID Connect? What are tokens? Why do you need them? Developers don’t really care about that, they just say, “Yeah, show me the code that does what I need to do and I want to move on.” A big part of what we do these days with J.P. is actually showing that. These are the five lines of code that you need to add into your solution, whether you’re a .NET developer or a JavaScript developer, and then move on. This is how you do it securely and this will allow you to do X things.

Christos Matskas:
If you want to do other stuff, then this is where you need to go to see how you do them. Again, with the same kind of pattern, few lines of code to show everything. Now, if you want to go fully 400, 500 level and learn all about these things, we also have the material there, but, for now, we’re hiding them away in the corner so you don’t have to see them in front of you and feel like you have to learn all these things.

Mike Pfeiffer:
I like that, because we need abstractions to make life easier, but there are people that need to go deep and want to know the inner workings, so it’s good that you guys continue to do that. I’ve got to admit, you guys are doing an amazing job of putting that stuff out, even the last several years, just so many code samples and great documentation. So, hats off to everybody at Microsoft.

J.P. Dandison:
So, we work in the Identity division so our division’s responsible for all the Identity systems that are at Microsoft, and there’s been a big push and a big focus recently in the last few years on getting better developer documentation, making the platforms easier for someone to fall into the pit of success. It’s probably a cliched term, but, we want you to interact with us as little as possible, and if we’ve done that, then we’ve done our job because now you’ve used our platform, you’ve gotten your app secure, you’ve got confidence that your app is securely authenticating users and then you go back to what it was you were doing before, right? If that means you interact with us for five minutes, because the APIs and the new surfaces that have been built are easy enough to grok in five minutes, then we’ve done our job successfully.

Mike Pfeiffer:
So, if I’m a developer, and regardless of whether I’m coming from a .Net background, or maybe I’m a Node.JS developer, whatever the case may be, high level, what’s the basic idea? I’m trying to find some Identity framework, so I can plug into Azure AD and outsource the Identity? Is that how it works?

J.P. Dandison:
Yeah, that’s the short version. We build an Identity system, and so we hold your user data, be it their first names, and last names, or their email addresses or whatever pieces of information you want to store about them. In some cases, we already have a lot of that data by virtue of, if you work at a big corporation, or even a small corporation, you’re using something like Office 365 or Azure already, then we likely already have some bit of data about a user. Rather than you as the developer being responsible to have this database that’s got a username and password in it, that you now have to maintain and store and update and keep away from prying eyes, instead, we handle the physical hosting of that database, and it lives in one of our data centers so you pick up all of the nice rich security that we have on our data center in total. It lets you focus on what do you need your app to actually do.

J.P. Dandison:
So, integrate a library… We’re all standards compliant so you can choose whichever library you would like. Of course, we ship libraries for the main languages: .NET, Java, Node, PHP, Python. We’ve got wrappers for things like Angular, to integrate with our Identity system specifically. But, since it’s all standards based, if you’ve already got a library that you prefer, or a library that you used in an earlier project, or there’s a community library out there, we will work with those as well. A good example is Passport with Express and Node. So, there’s a specific plugin for Passport called passport-azure-ad. Actually, some of our folks maintain that library, but it’s an open source library. It’s out on GitHub, and it is not a Microsoft branded library that we own as an all-out product, it’s just an open source library that’s available. That’s how, if you want to get authentication in Node, and you’re using Express as your web server in Node, you can include that library, and then everything just works. You plug the right values into the right place and then everything works and you don’t have to take any dependency on our specific library or anything like that.

J.P. Dandison:
So, if you’re down with standards or really into them, or if you’ve got an existing project that’s already using a different OpenID Connect or OAuth provider, moving it over to use Azure AD is a relatively painless event. In some cases, it’s as simple as just changing over some configuration settings.

Christos Matskas:
Yeah, and the nice thing is that you have a huge division within Microsoft where everyone is concerned about security and safeguarding personal information. So, as a developer, all you care about is integrating with that system, right? That’s what delegated authentication is, your app is not responsible for holding any of that information. All it does is point the user to a URL, it’s either Azure AD or B2C, depending on what kind of audience you’re dealing with, and then the user authenticates in that system, i.e. our system, and then what they get back in their application, as a developer, is a token.

Christos Matskas:
So, that token pulls the information, but it’s all encrypted, it’s all secured. It has a limited lifespan so we protect against replay and other attacks. We’re adding proof of possession and other things that, as a developer, you don’t really care about. What you care about is, a token with claims and permissions that tell your app, what the user can do with that token within your application. So, it frees you up from all that responsibility of maintaining that. It will scale with your application, whether you have one user, or whether you have billions of users. We do 1.2 billion authentications per month. The scale of our platform is insane.

Christos Matskas:
So, as a developer, we don’t have to worry about how many connections am I going to send to my database to validate my users, that’s never going to happen. All you care about is, sending some token and you know that the platform is going to scale. Your users, if they’re not organizational users, if you’re not in a big organization, you’re just creating a website for your friend, then with B2C, you also get a bunch of free accounts and what have you, so you don’t have to pay for that, it’s a free service up to 50,000 logins per month.

Christos Matskas:
So, people are like, “Ah, I don’t want to pay for Azure, I don’t have to do these things.” You don’t pay. If you hit 50,000 users as an app, then that’s a good problem to have. I think, you can afford a couple of cents to go over that and pay for the next 10,000. So, from my perspective, it’s an awesome solution for developers.

Mike Pfeiffer:
That’s a really good point. JP also mentioned DigitalOcean earlier. So, the Identity piece, the Azure AD, the B2C, right, that’s something that somebody can leverage regardless of where their app is running. They don’t have to run their app in Azure, necessarily, right?

Christos Matskas:
Right.

J.P. Dandison:
It could be on-prem, it could be in another Cloud, it could be on a Raspberry Pi running in your basement. In fact, I happen to have a couple of Raspberry Pis running in my basement that are using Azure AD. So, it’s funny because it’s called Azure AD and it’s really neither Azure nor AD. So, it’s not the AD that you’re familiar with from On Prem, but it’s also not really Azure. B2C is built through Azure, but Azure AD itself is really independent of Azure. So, if you’re using Azure AD, for example, you actually don’t need an Azure subscription at all. It’s just available as a standalone service.

J.P. Dandison:
Of course, Microsoft marketing isn’t really known for being super clear about what every product does and why it’s named the way it is. But, at any rate, it’s easy to get started with it and cheap and free. In fact, you can get a free developer instance yourself and go try it out without any sort of credit card or anything like that.

Christos Matskas:
Yeah, a perpetual M365 developer account that gives you access to not just Azure AD to play with and see how it works, but also the Graph endpoint and sample data so you can pull emails if you want using Graph. If you have M365 in your company, so you might say, “Well, we’re not really using Azure, but we just have M365 for Office,” then you also have an Azure AD by virtue of that. So, as a developer, you can start leveraging that without having to, again, spin up an Azure account, per se. So, that’s something that many people don’t realize.

Mike Pfeiffer:
It also seems like, in my experience of just talking to people, there’s a little bit of a disconnect, or maybe a misunderstanding of what B2C really is. If you look at the acronym and the documentation, business to consumer, so it starts to make a little sense, “Okay, this is for consumer facing apps.” You guys run into that?

J.P. Dandison:
Oh, yeah.

Mike Pfeiffer:
It’s a confusion point.

J.P. Dandison:
Oh, yeah. In fact, we’ve talked about this a lot internally, which is, when we’re talking to developers, how do we guide them to the right path, and a lot of it depends on what kind of app you’re building. Microsoft’s in a unique position, because not only do we have an Identity system, as a service in Azure AD, but we also provide a lot of services, so Office and Azure, and Dynamics and everything that goes into those. So, when we talk about Identity, it gets really blurry, really quickly, because it’s, I need to do something that manipulates my Azure subscription, maybe it deletes resources or manages resources, or I want to send an email from my Office 365 account. Well, those are both Identity considerations, but they’re pretty different from I’m building an internal line of business app that uses AD On Prem so we get all the automatic single sign on that we have On Prem, and I need to move it to Azure, what do I do? Because, that maybe doesn’t have any dependencies on any sort of external service like Office, but it does need to authenticate users.

J.P. Dandison:
Then, there’s the third bucket that you mentioned, which is, I’m a startup, I’m an individual developer, I’m building something on the side, I just need to sign people in from Facebook, Twitter, Google or just a username and password. That’s where B2C comes up. B2C, historically, you’ll hear the marketing around it, it does everything, it does anything, it’s super customizable, and it does, which is great, but what it does without getting into the super ultra custom complex stuff is, it lets you sign in users with us with a social account or with just a brand new username and password. I think when you need the complexity, it’s there, but I think that because it’s there, it scares a lot of folks off because they go look at B2C and they’re like, whoa, it does all these things, and there’s so many knobs and dials. It’s super complex and confusing. In reality, there is a part of B2C that can be very complex and very confusing, but it’s one of those things that you don’t need that complexity until you know you need it, right. If you don’t know you need it, and you don’t think you need it today, then you probably don’t need it because you’re not in one of those scenarios where you’d have to have it.

Christos Matskas:
Yeah, we’re overselling the platform, right? So, if you see our PowerPoints, they’re insane. You’re rolling through the PowerPoint and you start going through the decks and people are like, whoa.

Mike Pfeiffer:
So, nothing’s changed since I’ve worked there is what you’re saying?

Christos Matskas:
It is a username and password database. That’s what it is. You can bring your social media account [inaudible 00:20:00] authentication to your app. So, if you are creating a mobile app today, if you’re creating a forum for your friends, if you’re creating something that you want to securely log in users, that’s what you do, you add B2C. It works very similarly, most of the [inaudible 00:20:17] are interchangeable between AD and B2C. You point people to that. It adds customization so it makes it nice and consistent. So, if you’re creating a mobile app, when your users don’t feel like they’re moving out from the app to go somewhere else, that’s indicating comeback.

Christos Matskas:
So, there are some nice bits there, but for 90% of the cases, we don’t need to talk about customization, we don’t need to talk about anything that extends beyond the, bring your social media account and your username and password and we’ll sign you in. That’s it.

Mike Pfeiffer:
Yeah. So, it sounds like it’s a great way for me to separate my enterprise accounts and separate consumer accounts if I’m building some app that is internet facing, right? That’s a really nice approach. Very cool. So, what are you guys working on that’s new? Is anything recently come out that you guys have been building and working on or is it just the stuff that’s been out there for the last year or so?

Christos Matskas:
I think the highlight of our last couple of months has been the brand new library that we have for .NET Core. It works on top of the MSAL library, which is the Microsoft Authentication Library, but it removes everything and abstracts everything to the point that you just do a one-liner in your .NET Core app and add authentication. I was actually showing that yesterday at another user group and people were like, “Here’s my money, I want it now. Does it work with other OpenID providers? Does it work with other providers? How can I use it today?” It’s so exciting to be able to roll into a group of developers and show them that it’s super powerful.

Christos Matskas:
Again, it starts with one line, and then you can customize as much as you want. But, the beauty of that is, that at the very high level, as a developer, I don’t need to care about anything else, just a couple of configuration options to point to the right Azure AD tenant or B2C. One line of code in the startup in my middleware to say that everything needs to be authenticated. Then, inside my APIs, or inside my controllers, or whatever you’re using, it’s just as simple as that. The beauty is, that works with everything on .NET Core 3.1 and upwards. So, gRPC, Blazor, all the newest goodness that comes with .NET, and .NET 5, which is about to roll out, it’s there. Our team is working internally to bring that to other languages as well so we want the same experience for Node and Python and Ruby, everything. Make it simple for developers to use the platform and allow them to do it securely.

Christos Matskas:
So for us, it’s super exciting. We can’t stop talking about it because it brings smiles to developers’ faces, makes it super easy. It also uses best practices, so the team has worked in a way that it collaborated with the .NET team. The APIs are consistent, it doesn’t feel foreign to .NET Core developers and it’s idiomatic to the language. Hopefully, it will be the same for the other frameworks. But, it’s, again, super exciting for us. So, that’s the biggest one from a developer focus, but there are so many things on the platform, that it would take a day to just sit here and enumerate them.

J.P. Dandison:
One of the things around some of the libraries is, of course, the standards change a lot, right. So, if you’re familiar at all with OpenID or OAuth, the implicit flow is one of the flows that’s used to sign users in a lot. Implicit is the least secure. The most ripe for exploitation of all the different ways that you can sign users into your app. There have been a lot of industry changes and pushes to get rid of implicit or to change the security posture of it. Some of the newer versions of the libraries are incorporating new mechanisms for getting tokens and for authenticating users, and they’re already out. So, they’re already available, and you can start using them today.

J.P. Dandison:
But, the nice part for you, as a developer, is that, even though hundreds or thousands of people have postulated on newsgroups, and discussed and argued about these protocol changes over the past 12, 18, 24 months, you, as a developer, you pick up that work by virtue of using our library because you’re not exposed to any of it. So, as long as you use the library the way that we say to use it in the docs, as those changes happen, and the new versions of the library get rolled out, your app will automatically pick those up, which is super cool.

J.P. Dandison:
We just moved an app from an earlier version of MSAL, which is our authentication library… We just moved it in JavaScript, it was a React app, from an older version of MSAL to the new 2.0 version of MSAL.js and that switches from using the old, less secure flow to the new, more secure flow. My code didn’t change. I did an npm i and installed the new version. I didn’t have to go and actually change anything about the code because all of the protocol changes were underneath that. In some ways, it’s cool, but it’s like, well, what Christos is saying and talking about, because we don’t have to explain how any of it works to anybody anymore because nobody needs to know how it works anymore. They just need to know how to use it.

Mike Pfeiffer:
That’s funny. Yeah. So well, I guess, we always think we might be working ourselves out of a job at some point, but then something else comes up, right so I’m sure we’ll find a way to keep you guys busy. So, if I’m a developer listening to this right now, licking my chops, it’s middle of September 2020, where will I go to find this stuff that you guys are working on?

Christos Matskas:
We stream every week, twice a week on Tuesdays and Thursdays, on Twitch. So, if you search for the 425 Show, then that’s where you’ll find this. We’re also on Twitter, super active. We have so many ways to reach out to us. We have blogs, we’re on YouTube, as well. So again, 425 Show on YouTube. Super consistent. We managed to get the name and then make it super consistent. We’re in the process of setting up our website. So, very soon, there will be a 425show.com, where you’ll be able to not only find what we’re doing, but also get help getting started with the platform. There’ll be a way for you to interactively say, “I’m building an app with this framework and I want to authenticate users or I want to speak to Azure,” and we’ll provide you with the resources that you need. So, that’s a big focus for us these days. Empowering developers and onboarding developers on the platform, with the least friction possible.

Mike Pfeiffer:
Very cool. So, that’s going to be a consistent… Did you say, it’s going to be a weekly show?

Christos Matskas:
It is a weekly show, we’ve been streaming for two months now. We’ve got about 20 episodes. It’s a lot of work but we have a lot of people from the community, MVPs and internal people from different product groups jumping on the calls and streams with us and coming to show what they’re building, which is fantastic. We encourage people to come to us and say what they’re building [inaudible 00:26:55] and then help them be successful. We also have other streamers that we collaborate with. So, they do streams, or we jump on their streams as well, so we have fun playing around and spreading the word.

Mike Pfeiffer:
I’ve got to admit, after doing so many pre-recorded videos, I really like live streaming. So, it’s so easy to jump on there and just go, and, just, here’s the video replay. It’s so much better. This has been really an interesting journey for you guys. I know a lot of people are looking at live streaming. To your point, there’s a lot that goes into that, right. Is that something that Microsoft’s doubling down on in other areas as well? You think that other teams that are doing Developer Relations and other areas are going to be doing that a lot?

J.P. Dandison:
Yeah, there are people like Jeff Fritz. He’s probably one of the original Microsoft FTE, full-time streamers. But, we’re certainly seeing, especially with Dev Rel being sidelined from sitting in airplanes and traveling around the world to user groups… we’re certainly seeing a renewed interest in live streaming. I think, last time, we saw there were about 30 to 35 live streamers at Microsoft across different groups. We are doing ours because we feel like Identity is in somewhat of a unique place, in that you can’t work with us, you can’t transact with Microsoft without hitting one of our Identity systems. So, there’s something for everybody.

J.P. Dandison:
There’s a Visual Studio channel that’s talking about a lot of things in Visual Studio and VS Code and all sorts of different scenarios that happen over there. Then, of course, there are different channels for M365 development. They’re starting different channels in different sorts of content streams of things around Teams development, Power Apps, all that sort of stuff. So, we feel like we fall in line with that, is that, people are seeing this as being this new way to reach people especially from our basements when we can’t reach the person. It’s been a lot of fun. We’ve been doing it since July. I think the one thing about it is, it’s a train, every Tuesday and Thursday we’re streaming and for usually two or three hours. Anything else that’s happening, the stream is going to happen. So, we’ve got to make sure all the other ducks are in a row before Tuesday at 7 AM Pacific for poor Christos, and me for 10 AM because I’m on the East Coast… Before the stream starts. But, it’s fun. It’s a lot of work, but it’s fun.

Christos Matskas:
Word of advice, know your time zones, people, because when we were discussing doing the show… Funny story, J.P. or John was, “Hey, let’s do it at 10 AM.” I was, “That’s perfect, I love it.” Then, I didn’t realize, he was talking 10 AM Eastern Time, which is 7 AM my time, so I committed to that and I was, man, it’s too early. It’s too early, but it’s fun. Getting up early and connecting with our audience and talking about Identity. In fact, we talk about a lot of other stuff. Even though the focus is Identity, we do a lot of exciting things. We bring people that… especially quite a few of our CSAs, the Cloud Solution Architects, that work with customers directly. They’re bringing some of their stories.

Christos Matskas:
So, even though Identity is the main point, we also cover other things like super cool stuff with machine learning and AI, that uses an element of Identity there to authenticate against some data. But, other than that, it’s the other exciting stuff. We have quite a few adventures and exciting stuff in our backlog, like using Alexa to shut down resources on Azure. That sounds awesome, right? It gives us a little bit of Identity there to allow you to identify which subscription and which resources you need to use. But, the biggest work is around the effort, the scenario, not Identity. We just want to make sure that people understand that Identity is a major component or underpins everything, but other than that the sky’s the limit when it comes to streaming and having fun on air.

Mike Pfeiffer:
That’s a good opportunity for anybody listening to go check out the show. Sounds like an amazing learning opportunity. I might have to check one of those out, actually, and I’m thinking about it.

Christos Matskas:
Alexa shut down my VMs, please.

J.P. Dandison:
We figured most developers are not saying, “Okay, I’m going to go sign a user in,” and then saying, “Okay, I’m done with my app, I’m going to move on.” Most of the sample apps that we have, of course, do that because it’s a sample app, it’s intended to show how to use the library or to use a certain part of the platform. But, that’s missing a whole extra component that the vast majority of developers are going to need, which is, I’ve signed a user in, now what do I do? How do I prevent them from calling APIs that they shouldn’t? Or, how do I then call another API like the Graph or the Alexa API? How do I do that in a secure way? So, we try to be very end-to-end scenario focused, rather than, this is the Identity component, we’re going to zoom in on it for the next three hours, and you’re on your own for getting there and then also for what to do afterwards. So, we try to really focus on the full suite of what do I do and why is Identity important as a part of it?

Mike Pfeiffer:
Yeah, super important. One of the things I’d like to circle back to, Christos said earlier, billions of requests every day and stuff like that. For people that are really old school, we get this, right, where it’s, I’m afraid of the Cloud because of the security. I’m always like, are you kidding me? They got the most brilliant security people in the world going over here defending against billions of attacks. You don’t think that they’ve got a better security team than you do? Could you guys share a little bit of, what really goes on behind the scenes? I know you can’t say everything, but I don’t know if people really appreciate the amount of work you’re doing on the security Identity front to protect the platform.

Christos Matskas:
Well, I used to work with a security expert, Phil Winstanley. He was one of the leading experts in Europe and in the world and a very close friend. So, he was on my team, I was fortunate to work with him for two years. One of the things that he would roll in to customers and say is, that Microsoft is the biggest security company in the world. We don’t sell products, we don’t sell software, but we actually safeguard your data day in, day out. I don’t know if you’ve seen those movies with launch control rooms and stuff like that? There are actually rooms like that within Microsoft that monitor everything that goes on in real-time. They’ve got millions of malicious requests coming in. In fact, we recently rolled out a feature called, “It wasn’t me”. Is that the right name? “It wasn’t me,” rolling [inaudible 00:33:32]. But, it actually provided a facility now that for any company, or for any user, they can go and check their logins and see where their logins are coming from. So, automatically.

Christos Matskas:
A very simple example, as an IT pro in my company, I can go and quickly check, how did Christos Matskas log in from Germany while he works in Seattle, right? And, have AI and machine learning in the background feeding that and creating alerts and stuff. So, my data is secure. My company feels comfortable using that. That’s just one of the million examples of safeguards that we have there.

Mike Pfeiffer:
Yeah, because you can take that for granted, right? That is a really interesting capability to have that. That ability to say, “Hey, you just signed in from Europe, but five minutes ago, you were in California,” right?

J.P. Dandison:
Yeah, they call it the Superman problem.

Mike Pfeiffer:
Yeah.

J.P. Dandison:
How did you do this? The advantage to having an Identity system this size with, we do billions of authentications a day… The advantage of that size is, there are a ton of signals so that you can really get precise and see when something is abnormal, either down to a specific user even, to, say, alert an administrator to say, “Yeah, this user just signed in from 4000 miles apart and they are within the last five minutes. We’re pretty sure that wasn’t them.” But, all sorts of new attacks that happen. There’s an integrated suite that goes all the way down to like hardware on your phone, of using the authenticator app and getting SSO on your cell phone to access specific apps, but only if your phone meets certain criteria. Only if your computer meets certain criteria, and only if you’re coming from a trusted device. All sorts of different rules and things like that, that administrators can set. All those are available to you as a developer. So, if your IT admins, for example, have configured all of this, or even if you feel like configuring it on your own, your apps, your line of business things, can pick up all of that holistic security that goes into it.

J.P. Dandison:
Then, a lot of the systems that we have for things like, we think this account may be compromised, because the behavior is abnormal. That’s just a function of the kinds of signatures that we see by having Windows PCs all around the world and by having servers that are running all over the world and seeing all sorts of different attacks. Seeing those anomalies earlier, lets us say to administrators, “Hey, we think something’s wrong with one of your users or one of your accounts.” This is not something you can build on your own. It’s just not feasible to build that on your own.

J.P. Dandison:
I had the privilege of going to one of our data centers years ago. They’re in the middle of nowhere, of course, because land is cheap and you’re going to stick a bunch of servers out there, doesn’t really matter what the view is. I remember, we all had to meet at a Cracker Barrel. I live sort of South… I call it Mid-Atlantic because North Carolina’s in the middle of the Atlantic, but some people call it the South, but whatever. The data center is in Virginia. So, we all meet at this Cracker Barrel and a van… Not like a van, but like a mini bus that you would use to go to your wedding reception, right? It shows up, the windows are blacked out and we were told to get on. There are no markings on the bus at all. There’s 14 of us, and they said, “Get on the bus, we’re going to the data center.” So, you take a step back and think, are we actually going to the data center or is all this going to end on the side of the road somewhere? But, we did end up at the data center. So, it’s a 45-minute drive. They don’t want you to know where it is exactly, or how to get there. So, it’s a long drive. He could have just been driving in circles for half an hour, I have no idea.

J.P. Dandison:
So, we get there, and the experience at the data center is simultaneously underwhelming and completely overwhelming, because the size of it, of course, is immense. But, then you walk in, and it’s literally rooms full of servers. If you ever have the opportunity to go, though, I would say don’t carry anything with you, because there are metal detectors… virtually every 20 feet. So, you have to empty your pockets and go through and be wanded and everybody checks you out. But, seeing the sort of technology they have for keeping people in and out and making sure they know who’s where in the data center and seeing, really, I think, what surprised me so much, was just how little personnel is really required to keep those going. It was pretty fascinating to see.

J.P. Dandison:
The thought of somebody trolling through the hallways with a USB stick, downloading your data, there’s just no way that can happen, just by virtue of how they’re set up. It’s pretty cool to see.

Mike Pfeiffer:
Yeah, I’m glad you mentioned that, because it’s easy to, like I said before, just take all this stuff for granted. You don’t really appreciate all the time, really what’s going on behind the scenes. So, that’s an awesome story. I love that. I have a similar experience with Microsoft. But, there’s also another time where I was in Hayward, California. This is actually while I was working at Microsoft and I was with the customer, we were doing some kind of analysis or whatever. We went to lunch and we’re in this parking lot and he’s pointing over at this warehouse. He’s like, “See that building?” This nondescript building, right? He’s like, “That’s one of the AWS availability zones, our data center right there.” Just, the last thing you would expect, just sitting right there in Northern California. But, nobody knew what it was, right? But, that’s really cool, man.

Mike Pfeiffer:
So, as we wrap this episode up, we know that you guys got the show, we’ll put that in the show notes. Any place else you guys want to send developers to go do a Hello World and get going with this new library that you’re working on?

J.P. Dandison:
Yeah. So, we’ve got the Microsoft.Identity.Web library on GitHub. It has multiple samples for creating a web API, creating an MVC app, for checking scopes. All the sort of things that you need to do. There are sample apps out there, of course, the library itself is out there. There’s a really comprehensive wiki around migrating old apps to it and creating new apps with it. So, if you’re doing .NET, that’s absolutely a great place to start, and we’ll make sure there’s a link to that. But, the Identity Docs pages on docs.microsoft.com, there’s been a real effort to have scenario-based documentation. So, you’ll see some of that already. Of course, there’s still a lot that’s in the pipeline. But, there’s already more and more in that scenario-driven documentation that’s coming out. That’s all out on Docs. Of course, we’ll share a link to that too. But, in the main Docs place, it’s just under Identity for developers.

Christos Matskas:
The one last thing is, that we have a fantastic support team that has an insane amount of people looking at… I’m talking about developer support. So, we will share a link to that as well. So, if you get stuck, if you have issues with Identity, using it, you can obviously reach out to us, we’re more than happy to help you out. But, we also have a massive support team that helps with developer queries across all the languages and frameworks. So, for us, it’s important for you to know that there is a vast network of specialists that can help you out at any time.

Mike Pfeiffer:
There it is, everybody, go to the show notes, get the links, go follow Christos and J.P. Thanks so much, guys. Appreciate you being on the show.

Christos Matskas:
Likewise, thank you for having us.

J.P. Dandison:
It was great. Thanks. Thanks a lot.
