Office365 and AzureAD for Developers
4.6 (39 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
1,348 students enrolled
Wishlisted Wishlist

Please confirm that you want to add Office365 and AzureAD for Developers to your Wishlist.

Add to Wishlist

Office365 and AzureAD for Developers

Understand the fundamental AzureAD concepts necessary for calling Office365 APIs, 3rd party APIs, and custom APIs
4.6 (39 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
1,348 students enrolled
Created by Sahil Malik
Last updated 1/2016
Current price: $10 Original price: $20 Discount: 50% off
5 hours left at this price!
30-Day Money-Back Guarantee
  • 7.5 hours on-demand video
  • 21 Supplemental Resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What Will I Learn?
  • Write apps for AzureAD
  • Write apps for Office 365
  • Understand all auth related concepts and scenarios
View Curriculum
  • You should have a good grasp on ASP.NET
  • Some understanding of AngularJS is desirable
  • Some understanding of WPF is desirable
Developing for Office365 is figuring out Azure AD, and mostly REST queries. The REST queries are the easy part. But a proper understanding of how Azure AD works from a developer’s perspective is the more important part. Whether you are developing for Office 365 or not, as your organization embraces the cloud, a solid understanding of developer concepts in Azure AD is necessary. This course provides hands on explanations of all the AzureAD scenarios you need to know as a developer, followed by tying that knowledge in Office 365 APIs and the Microsoft Graph. Lots of hands on examples and code in this course.
Who is the target audience?
  • Microsoft developers intending to target Office 365
  • Microsoft developers intending to target Azure AD
  • Microsoft developers who want to learn about security in the cloud
Students Who Viewed This Course Also Viewed
Curriculum For This Course
129 Lectures
3 Lectures 09:46

A brief history of SharePoint explaining how we got where we are.

Preview 03:52

Developing for Office 365 today is full of a perplexing list of choices. Which one of these is the right tool for the right job? And how about on-premises to cloud migration? This module is an introduction to the various choices you as a developer face.

Preview 03:54

Given the various choices, I have chosen to emphasize certain choices over others. Also, I have given a lot of focus to AzureAD since mastering that is key in understanding Office 365 APIs. Here I introduce how I have structured this course, and why.

Preview 02:00
WSPs or Solution Packages
2 Lectures 10:52

A high level introduction to what a solution package is, and the difference between a sandbox solution and a farm solution. If you are quite familiar with SharePoint development, feel free to skip this section.

What are solution packages?

The process of writing a simple solution package, and how much of it applies to Office 365.

Writing and Deploying a solution package
SharePoint Add-ins also known as Apps
11 Lectures 59:48

What are SharePoint apps, now known as SharePoint Addins?

An introduction to Apps

Keeping your custom code outside of SharePoint has unique advantages, and is necessary for Office 365. Here we look at why buying into the App Model can be advantageous for you.

Advantages of the App Model

Apps is a big topic, but Office 365 APIs is a superior architecture. Apps will mature further, but in their current incarnation they have some serious shortcomings. Based on that, what coverage will I give to this topic, and why.

What am I going to talk about

The golden rules or guiding principles of the App Model that are absolutely critical to understand.

SharePoint Apps - Golden Rules

SharePoint apps or addins can be classified in multiple ways based on different criterion. Here I talk about the different kinds of SharePoint apps.

Kinds of Apps

Developing or running apps requires some unique changes to your dev environment. Here I talk about how to setup your environments to run SharePoint apps.

Setting up your environment for Apps

Time to see some code, but apps is not the focus of this course. Still it is worth mentioning for knowledge completion purposes. So what specific scenarios will I show, and how can you learn the rest.

What I will and wont cover as Demos

A SHA runs entirely in SharePoint. Here I demonstrate how to write it, and how to host it. And I mention the limitations too.

Writing a SharePoint hosted app

An AppPart or ClientWebPart is an Iframe that pretends to be a webpart. It has some serious limitations, but solves some scenarios. Here I talk about how to write an AppPart and the various challenges it presents.

Writing an AppPart

PHAs are very powerful, but also more complex to deploy. They have some unique differences between on-premises and Office365, and here I will introduce you to PHAs.

An introduction to Provider Hosted Apps

Here I demonstrate how to write a provider hosted app, and how you can deploy it on-premises and in Office 365

Writing a Provider Hosted App
Introduction to Azure AD and Office 365 APIs
9 Lectures 26:25

Why did we need Office 365 APIs and what is Microsoft Graph and why is it so important.

Preview 06:49

Azure AD is not your dad's on-premises AD. Why did we need a new concept, what does it buy us, and what is it's value?

What is Azure AD

On-Premises AD has some serious limitations, and AzureAD is quite different from it.

Why not just use on-prem AD?

AzureAD is very flexible, and is designed to suit the needs of every enterprise, small, medium or large. What are those scenarios and how does it affect you the developer?

Different ways to setup Azure AD

As a developer, what can you do with Azure AD?

Azure AD for Developers

What is ADAL, why has Microsoft created it, how can you obtain it, and why I highly recommend that you use it?

ADAL or Active Directory Authentication Libraries

AzureAD needs to know about your app for your app to be able to make use of it. What does it mean when I say "registering your app", and what information does AzureAD need and why?

Registering your Apps

What is tenancy, why should you care, and how does AzureAD help you here?

Single Tenant vs Multi Tenant

As a developer interested in AzureAD, there are many dev. scenarios to learn. Here I describe the list of those scenarios, how they apply to Office 365, and then subsequently in rest of the course I will be covering each one of those.

Preview 06:06
Setting up AzureAD
5 Lectures 18:44

Office 365 uses AzureAD, but AzureAD can be used completely independent of Office365. Here I setup the AzureAD tenancy I will be using through rest of the course, you should setup one for yourself too.

Setting up Azure AD without Office 365

Once you have setup AzureAD, what facilities does it offer, and where can you find them?

A royal tour of AzureAD features

Here we add a test non-admin user in our tenancy, which we will use at various places in the course.

Adding a user in Azure AD

PowerShell enables you to script admin AzureAD and exposes numerous facilities not visible through the UI. Here I show how you can manage AzureAD (Office 365 included) using PowerShell

Managing Azure AD using PowerShell

AzureAD and Office365 are joined at the hip. In this course, I will demonstrate concepts using both with and without Office365. So here we learn how to access the AzureAD behind Office365.

Using AzureAD with Office365
Web Browsers accessing Web Applications secured by AzureAD
10 Lectures 34:23

An explanation of what I mean by Web Browser accessing web applications secured using AzureAD

Description of Scenario

Understanding all those redirects and postbacks between browser and web application and AzureAD that make all this possible.

Authentication Protocol Flow

How web applications secured by AzureAD are supposed to handle expiring sessions and tokens.

Token Expiration

Here we dive into a demo, where I write up a simple MVC application that we will protect using AzureAD

Demo: A sample MVC application

For every scenario there are some Nuget packages we will use. Here we add the nuget packages for securing a web application

Demo: Nuget packages for adding AzureAD Authentication

Here we use the OWIN startup.cs to bootstrap authentication in our MVC application

Demo: Setting up Auth using OWIN startup

We add functionality to allow the user to easily sign in and out using a web browser click into our web application.

Demo: Adding OpenIDConnect sign in and sign out

We go through the process of registering our app in AzureAD portal and what information we need to provide.

Demo: Register your web app in AzureAD

We are able to run our web application running on-premises, authenticated by AzureAD and we are able to sign in and out.

Demo: Running our App

Understanding how OpenID authentication works via browser posts, and the various parameters being passed.

Examining OpenID connect parameters
JavaScript SPA (single page app) accessing AzureAD protected APIs
19 Lectures 57:42
An explanation of what I mean by "SPA", and what exactly will I be showing here
Description of scenario

SPA's use a unique authentication protocol flow called OAuth2 Implicit Grant Protocol. Here we understand how that flow works, and it's unique strengths and limitations.

Authentication Protocol Flow

An introduction to the Active Directory Authentication Library for JavaScript


A deeper look into the limitations and strengths of the OAuth2 Implicit Grant Protocol.

OAuth2 Implicit Grant Protocol

SPAs accessing APIs protected by AzureAD do not have the luxury of using refresh tokens.What are refresh tokens? And what is a SPA supposed to do then?

Session management without refresh tokens

How does a SPA using ADAL.js renew access tokens if it has no refresh tokens?

Renewing access tokens

What differences does your application need to consider if it is a SPA accessing WebAPIs and it may need to work under either single tenant or multi tenant setups.

Single Tenant vs. Multi Tenant

Here we dive into building an example demonstrating ADAL.js being used in SPAs accessing WebAPIs secured using AzureAD. The first step, is to build a sample API, without using any authentication to start with.

Demo: Creating our API without authentication

Nnext we use AngularJS to write up a simple application that attempts to access the WebAPI we just wrote. Remember there is no authentication involved yet.

Demo: Creating the SPA, without any authentication

Our SPA when trying to access the WebAPI fails because our WebAPI does not support CORS. Here we add support for CORS.

Demo: Adding support for CORS

Our app should work without authentication at this point, so lets protect our WebAPI using AzureAD.

Demo: Securing our API using AzureAD

After adding AzureAD authentication support in code, lets register our WebAPI in AzureAD so AzureAD secures it.

Demo: Registering our WebAPI in AzureAD

Next we enhance our SPA to secure itself using AzureAD using ADAL.js. It's all about the access token at the end of the day.

Demo: Securing the JavaScript SPA using ADAL.js

Merely writing the code isn't enough, we also need to register it in AzureAD and enable that oAuth2 allow implicit flow thing.

Demo: Registering the SPA in AzureAD

The SPA won't be able to access the API unless it has permissions to do so. Here we set the permissions in AzureAD.

Demo: Setting permissions for our SPA

With our SPA registered and permissions granted, lets enhance our application to use ADAL.js to sign in/sign out and make authenticated calls.

Demo: Enhancing the application using ADAL.js

With our application written, lets run it and examine how it works and how ADAL.js behaves at runtime.

Demo: Running the application

The access token is just a JWT token. What information does it contain and how can we decrypt it? Do we need to validate it?

Demo: Decrypting JWT tokens

A behind the scenes look of how ADAL.js stores and manages sessions and access tokens etc.

Demo: ADAL local resources
JavaScript SPA (single page app) accessing Microsoft Graph
7 Lectures 30:21

What is the Microsoft Graph and what is it capable of?

An overview of Microsoft Graph

We start by modifying the previous SPA we wrote in the previous section to instead target the Microsoft Graph.

Demo: Creating a Microsoft Graph SPA

We have written our SPA, but Office 365 needs to know about it, and maybe even trust it, plus there are those pesky permissions we need to worry about.

Demo: Registering your SPA in Office365 AzureAD

Just like our non-Office365 counterpart, we need to enable implicit flow here too.

Demo: Enabling OAuth2 Implicit Flow

Your app cannot call Microsoft graph unless you give it the rights to do so.

Demo: Granting Permissions to access Microsoft Graph

Our application running as a JavaScript SPA website successfully being able to call Microsoft Graph.

Demo: Running and Debugging your SPA

Why bother with AppParts when your pages can work as SPAs? We take the same SPA we wrote, and run it as a SharePoint page instead. Now I don't want to hear complaints about Office 365 doesn't have a good dev story.

Demo: Office 365 SharePoint pages as Microsoft Graph SPAs
Native apps accessing AzureAD protected APIs
14 Lectures 49:30

An explanation of what exactly do I mean by "Native app" and how is that different from what we have seen so far.

Description of scenario

Native Apps use the OAuth 2.0 authorization code grant. So naturally we need to start by introducing this important player.

OAuth 2.0 Authorization Code Grant

How do Native apps use the OAuth2.0 authorization code grant, and how is it uniquely different from JavaScript SPAs

Authentication Protocol Flow

Native app specific considerations when it comes to tenancy.

Single Tenant vs. Multi Tenant

Lets start writing the native app talking to the web api, but we are going to need an Azure protected web api first. Lets get that out of the way first. This is shockingly simple as you'll see.

Demo: Setting up the Web API

Next we add a native app into the project and set it's overall structure up. No authentication or AzureAD tie up yet.

Demo: Writing the Native App

Here we add some nuget packages that make it possible for our native WPF app to work with AzureAD

Demo: Nuget packages for the native app

We also need some framework libraries to make https calls from a WPF app, so lets add references for those.

Demo: Adding references

We reference the basic details we are going to get from AzureAD in our Native app

Demo: Adding authentication logic

We are not using a browser, or are we? Why are redirect URIs important for native apps, and unique considerations for windows store apps.

Demo: Redirect URIs for native apps

Native Apps are unique that they are able to manage long term tokens (refresh tokens) securely using encrypted storage. What hooks does ADAL provide to allow us to manage tokens?

Demo: Managing and Securing tokens in native apps

How do we make a sign in request, and how do we ensure that a signout is a full and secure signout?

Demo: Adding sign in and sign out logic

After a successfull sign in, how do we get a hold of the access token, and how can we make an authenticated call to the service.

Demo: Making an authenticated call to the service

Demonstration of the application running with the sign in/sign out and authenticated call in action

Demo: Running and debugging the application
Native apps calling Office 365 Mail API
5 Lectures 09:15

An explanation of what we are about to build here.

Description of the scenario

Hunting for interesting APIs and registering apps on We look for the mail api.

Demo: your source for APIs

For those not familiar with AzureAD, you can register various apps right on

Demo: Registering your app on

Registering your native app in the AzureAD of Office365

Demo: Registering your app in Office365

Here we grant permissions to our app to read our mails, and run the app first without permissions, and second with permissions.

Demo: Giving permissions to read mail and native app reading mail
6 More Sections
About the Instructor
Sahil Malik
4.3 Average rating
76 Reviews
1,569 Students
2 Courses
Developer, Trainer, Consultant, Author

Sahil Malik is a developer and instructor who has been teaching developers for over 15 years and has worked in 17 countries and 5 continents. As an author of more than 20 books, recipient of the Microsoft MVP award for more than 10 years, and a consultant and trainer he knows how to make tough concepts easy to grasp and apply.

Sahil founded Winsmarts, LLC which provides consulting and training services on Web technologies such as JavaScript, Angular, ASP.NET, SharePoint, Office 365 and iOS. Sahil speaks at conferences around the world and writes columns for various technical magazines. Follow Sahil on twitter at @sahilmalik