Azure-Samples
diff --git a/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Cleanup.ps1‎
Lines changed: 0 additions & 39 deletions b/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Cleanup.ps1‎
Lines changed: 0 additions & 39 deletions
diff --git a/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Configure.ps1‎
Lines changed: 6 additions & 8 deletions b/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Configure.ps1‎
Lines changed: 6 additions & 8 deletions
diff --git a/‎5-AccessControl/2-call-api-groups/README.md‎
Lines changed: 7 additions & 5 deletions b/‎5-AccessControl/2-call-api-groups/README.md‎
Lines changed: 7 additions & 5 deletions
@@ -13,45 +13,6 @@ if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Groups")) {
 
 Import-Module Microsoft.Graph.Groups
 
-<#.Description
- This function creates a new Azure AD Security Group with provided values
-#> 
-Function CreateSecurityGroup([string] $name, [string] $description)
-{
- Write-Host "Creating a security group by the name '$name'."
- $newGroup = New-MgGroup -Description $description -DisplayName $name -MailEnabled:$false -SecurityEnabled:$true -MailNickName $name
- return Get-MgGroup -Filter "DisplayName eq '$name'" 
-}
-
-<#.Description
- This function first checks and then creates a new Azure AD Security Group with provided values, if required
-#> 
-Function CreateIfNotExistsSecurityGroup([string] $name, [string] $description, [switch] $promptBeforeCreate)
-{
-
- # check if Group exists
- $group = Get-MgGroup -Filter "DisplayName eq '$name'" 
- 
- if( $group -eq $null)
- {
- if ($promptBeforeCreate) 
- {
- $confirmation = Read-Host "Proceed to create a new security group named '$name' in the tenant ? (Y/N)"
-
- if($confirmation -eq 'y')
- {
- $group = CreateSecurityGroup -name $name -description $description
- }
- }
- else
- {
- Write-Host "No Security Group created!"
- } 
- }
- 
- return $group 
-}
-
 <#.Description
  This function first checks and then deletes an existing Azure AD Security Group, if required
 #> 
 
@@ -347,10 +347,9 @@ Function ConfigureApplications
 
  # rename the user_impersonation scope if it exists to match the readme steps or add a new scope
 
- # delete default scope i.e. User_impersonation
- # Alex: the scope deletion doesn't work - see open issue - https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1054
+ # delete default scope i.e. user_impersonation
  $scopes = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphPermissionScope]
- $scope = $clientAadApplication.Api.Oauth2PermissionScopes | Where-Object { $_.Value -eq "User_impersonation" }
+ $scope = $clientAadApplication.Api.Oauth2PermissionScopes | Where-Object { $_.Value -eq "user_impersonation" }
 
  if($scope -ne $null)
  { 
@@ -412,12 +411,11 @@ Function ConfigureApplications
 
  # Create any security groups that this app requires.
 
- $newGroup = CreateIfNotExistsSecurityGroup -name 'GroupAdmin' -description 'Admin Security Group' -promptBeforeCreate 'Y'
+ $GroupAdmin = CreateIfNotExistsSecurityGroup -name 'GroupAdmin' -description 'Admin Security Group' -promptBeforeCreate 'Y'
  Write-Host "group id of 'GroupAdmin'" -> $newGroup.Id -ForegroundColor Green 
 
- $newGroup = CreateIfNotExistsSecurityGroup -name 'GroupMember' -description 'User Security Group' -promptBeforeCreate 'Y'
- Write-Host "group id of 'GroupMember'" -> $newGroup.Id -ForegroundColor Green 
- Write-Host "Don't forget to assign the users you wish to work with to the newly created security groups !" -ForegroundColor Red 
+ $GroupMember = CreateIfNotExistsSecurityGroup -name 'GroupMember' -description 'User Security Group' -promptBeforeCreate 'Y'
+ Write-Host "group id of 'GroupMember'" -> $newGroup.Id -ForegroundColor Green
 
  # print the registered app portal URL for any further navigation
  Write-Host "Successfully registered and configured that app registration for 'msal-angular-app' at `n $clientPortalUrl" -ForegroundColor Red 
@@ -438,7 +436,7 @@ Function ConfigureApplications
  # $configFile = $pwd.Path + "\..\SPA\src\app\auth-config.ts"
  $configFile = $(Resolve-Path ($pwd.Path + "\..\SPA\src\app\auth-config.ts"))
 
- $dictionary = @{ "Enter_the_Application_Id_Here" = $clientAadApplication.AppId;"Enter_the_Tenant_Info_Here" = $tenantId;"Enter_the_Web_Api_Application_Id_Here" = $clientAadApplication.AppId;"Enter the object ID for GroupAdmin group copied from Azure Portal" = $GroupAdmin.objectId;"Enter the object ID for GroupMember group copied from Azure Portal" = $GroupMember.objectId };
+ $dictionary = @{ "Enter_the_Application_Id_Here" = $clientAadApplication.AppId;"Enter_the_Tenant_Info_Here" = $tenantId;"Enter_the_Web_Api_Application_Id_Here" = $clientAadApplication.AppId;"Enter the object ID for GroupAdmin group copied from Azure Portal" = $GroupAdmin.Id;"Enter the object ID for GroupMember group copied from Azure Portal" = $GroupMember.Id };
 
  Write-Host "Updating the sample config '$configFile' with the following config values:" -ForegroundColor Green 
  $dictionary
 
@@ -177,7 +177,7 @@ To manually register the apps, as a first step you'll need to:
  1. The generated key value will be displayed when you select the **Add** button. Copy and save the generated value for use in later steps.
  1. You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Azure portal before navigating to any other screen or blade.
  > :bulb: For enhanced security, instead of using client secrets, consider [using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Certificates) and [Azure KeyVault](https://azure.microsoft.com/services/key-vault/#product-overview).
- 1. In the app's registration screen, select the **Expose an API** blade to the left to open the page where you can publish the permission as an API for which client applications can obtain [access tokens](https://aka.ms/access-tokens) for. The first thing that we need to do is to declare the unique [resource](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) URI that the clients will be using to obtain access tokens for this API. To declare an resource URI(Application ID URI), follow the following steps:
+1. In the app's registration screen, select the **Expose an API** blade to the left to open the page where you can publish the permission as an API for which client applications can obtain [access tokens](https://aka.ms/access-tokens) for. The first thing that we need to do is to declare the unique [resource](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) URI that the clients will be using to obtain access tokens for this API. To declare an resource URI(Application ID URI), follow the following steps:
  1. Select **Set** next to the **Application ID URI** to generate a URI that is unique for this app.
  1. For this sample, accept the proposed Application ID URI (`api://{clientId}`) by selecting **Save**. Read more about Application ID URI at [Validation differences by supported account types \(signInAudience\)](https://docs.microsoft.com/azure/active-directory/develop/supported-accounts-validation).
  
@@ -206,16 +206,18 @@ To manually register the apps, as a first step you'll need to:
  1. Select the **Add a permission** button and then:
  1. Ensure that the **My APIs** tab is selected.
  1. In the list of APIs, select the API `msal-angular-app`.
- * Since this app signs-in users, we will now proceed to select **delegated permissions**, which is is requested by apps when signing-in users.
-  1. In the **Delegated permissions** section, select **access_via_group_assignments** in the list. Use the search box if necessary.
+  1. Select **delegated permissions**, which is is requested by apps when signing-in users.
+ 1. In the **Delegated permissions** section, select **access_via_group_assignments** in the list. Use the search box if necessary.
  1. Select the **Add permissions** button at the bottom.
  1. Select the **Add a permission** button and then:
  1. Ensure that the **Microsoft APIs** tab is selected.
  1. In the *Commonly used Microsoft APIs* section, select **Microsoft Graph**
- * Since this app signs-in users, we will now proceed to select **delegated permissions**, which is is requested by apps when signing-in users.
-  1. In the **Delegated permissions** section, select **User.Read**, **GroupMember.Read.All** in the list. Use the search box if necessary.
+  1. Select **delegated permissions**, which is is requested by apps when signing-in users.
+ 1. In the **Delegated permissions** section, select **User.Read**, **GroupMember.Read.All** in the list. Use the search box if necessary.
  1. Select the **Add permissions** button at the bottom.
 
+> :warning: For the overage scenario, make sure you have granted **Admin Consent** for the MS Graph API's **GroupMember.Read.All** scope (see the **App Registration** steps above).
+
 ##### Configure Optional Claims
 
 1. Still on the same app registration, select the **Token configuration** blade to the left.