SDS for C&M infrastructure on Microsoft Azure AD

SDS for C&M runs on mobile phones and computers as a native application, on which users need to authenticate in order to access resources from Microsoft Azure AD-secured web applications.

Diagram: Interactions between Azure AD and SDS for C&M

The four-step process is explained in detail below according to the numbers shown in the diagram.

  1. Authentication:

    • The native application sends an authentication request to https://login.microsoftonline.com/common, carrying any authentication data it already holds for the user.

    • If the user has not already authenticated, or if the native application does not have the authentication data, a browser window will open to enable user authentication.

    • After a successful authentication, an authentication code will be assigned to the native application.

  2. Access token request on Azure AD:

    • The access token request contains the redirect URI of the native application and the identifier of the SDS for C&M API.

    • Azure AD checks and approves the request.

    • An access token is returned over the redirect URI of the native application.

  3. Access to resources:

    • The native application sends a request for resources with the received access token.

    • The SDS for C&M API accepts the access token and returns the desired resources.

  4. Access to APIs that SDS for C&M API uses:

    • After the SDS for C&M API performs all the necessary checks, resources in Office 365 Sharepoint Online, Microsoft Graph and Windows Azure Active Directory can then be accessed.

NOTE
The access token is valid for a limited duration. When it expires, the native application receives an error stating that the user needs to authenticate again. In step 2, Azure AD returns a refresh token to the native application together with the access token.
With the refresh token, the native application obtains a new access token without repeating step 1 or interacting with the user.
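The following Python sketch is an added example, not code from SDS for C&M or from Microsoft, of what the native application has to do in steps 1 and 2 and in the NOTE above: build the authorization request, exchange the code, cache the access token with its expiry, and fall back to the refresh token instead of a new login. The client id, redirect URI and API identifier are placeholders; the endpoint paths and parameter names are those of the Azure AD v1 endpoints, which the page does not spell out. No network call is made.

```python
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/common"  # authority named on the page

# Placeholder values for illustration; a real deployment uses its own app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "myapp://auth"
API_ID = "api://sds-cm-example"  # identifier of the SDS for C&M API (placeholder)


def authorization_url(state):
    """Step 1: URL the native app opens in the browser. The state value is
    generated per request and checked on return so a forged redirect is rejected."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "resource": API_ID, "state": state}
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"


def code_request(code):
    """Step 2: body that exchanges the authorization code; it carries the
    redirect URI and the API identifier, as the page describes."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "resource": API_ID}


def refresh_request(refresh_token):
    """The NOTE on the page: a new access token without repeating step 1."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID, "resource": API_ID}


def store(token_response, now):
    """Cache the tokens with an absolute expiry computed from expires_in,
    minus a margin so a token about to expire is not sent to the API."""
    return {"access_token": token_response["access_token"],
            "refresh_token": token_response.get("refresh_token"),
            "expires_at": now + int(token_response["expires_in"]) - 60}


def next_step(cached, now=None):
    """Decide what the native app does before calling the API (step 3):
    'use' the cached token, 'refresh' it silently, or 'login' (step 1 again)."""
    now = time.time() if now is None else now
    if cached and now < cached["expires_at"]:
        return "use", cached["access_token"]
    if cached and cached.get("refresh_token"):
        return "refresh", refresh_request(cached["refresh_token"])
    return "login", None


# Constructed token response, shaped like the v1 token endpoint's JSON reply.
SAMPLE_RESPONSE = {"access_token": "eyJ...constructed", "expires_in": "3599",
                   "refresh_token": "0.constructed-refresh"}
```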