Azure-Samples
diff --git a/‎5-AccessControl/2-call-api-groups/API/TodoListAPI/Startup.cs‎
Lines changed: 3 additions & 3 deletions b/‎5-AccessControl/2-call-api-groups/API/TodoListAPI/Startup.cs‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Cleanup.ps1‎
Lines changed: 83 additions & 12 deletions b/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Cleanup.ps1‎
Lines changed: 83 additions & 12 deletions
@@ -52,14 +52,14 @@ public void ConfigureServices(IServiceCollection services)
 
  options.Events.OnTokenValidated = async context =>
  {
- string[] allowedClientApps = { Configuration["AzureAd:ClientId"] }; // In this scenario, client and service share the same clientId
+ string[] allowedClientApps = { Configuration["AzureAd:ClientId"] }; // In this scenario, client and service share the same clientId and we disallow all calls to this API, except from the SPA
 
  string clientappId = context?.Principal?.Claims
  .FirstOrDefault(x => x.Type == "azp" || x.Type == "appid")?.Value;
 
  if (!allowedClientApps.Contains(clientappId))
  {
- throw new System.Exception("This client is not authorized");
+ throw new System.Exception("This client is not authorized to call this Api");
  }
 
  // calls method to process groups overage claim.
@@ -69,7 +69,7 @@ public void ConfigureServices(IServiceCollection services)
  };
  }, options => { Configuration.Bind("AzureAd", options); })
  .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options))
- .AddMicrosoftGraph(Configuration.GetSection("MsGraph"))
+ .AddMicrosoftGraph(Configuration.GetSection("MSGraph"))
  .AddInMemoryTokenCaches();
 
  // The following lines code instruct the asp.net core middleware to use the data in the "roles" claim in the Authorize attribute and User.IsInrole()
 
@@ -7,6 +7,81 @@ param(
  [string] $azureEnvironmentName
 )
 
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Groups")) {
+ Install-Module "Microsoft.Graph.Groups" -Scope CurrentUser 
+}
+
+Import-Module Microsoft.Graph.Groups
+
+<#.Description
+ This function creates a new Azure AD Security Group with provided values
+#> 
+Function CreateSecurityGroup([string] $name, [string] $description)
+{
+ Write-Host "Creating a security group by the name '$name'."
+ $newGroup = New-MgGroup -Description $description -DisplayName $name -MailEnabled:$false -SecurityEnabled:$true -MailNickName $name
+ return Get-MgGroup -Filter "DisplayName eq '$name'" 
+}
+
+<#.Description
+ This function first checks and then creates a new Azure AD Security Group with provided values, if required
+#> 
+Function CreateIfNotExistsSecurityGroup([string] $name, [string] $description, [switch] $promptBeforeCreate)
+{
+
+ # check if Group exists
+ $group = Get-MgGroup -Filter "DisplayName eq '$name'" 
+ 
+ if( $group -eq $null)
+ {
+ if ($promptBeforeCreate) 
+ {
+ $confirmation = Read-Host "Proceed to create a new security group named '$name' in the tenant ? (Y/N)"
+
+ if($confirmation -eq 'y')
+ {
+ $group = CreateSecurityGroup -name $name -description $description
+ }
+ }
+ else
+ {
+ Write-Host "No Security Group created!"
+ } 
+ }
+ 
+ return $group 
+}
+
+<#.Description
+ This function first checks and then deletes an existing Azure AD Security Group, if required
+#> 
+Function RemoveSecurityGroup([string] $name, [switch] $promptBeforeDelete)
+{
+
+ # check if Group exists
+ $group = Get-MgGroup -Filter "DisplayName eq '$name'"
+ 
+ if( $group -ne $null)
+ {
+ if ($promptBeforeDelete) 
+ {
+ $confirmation = Read-Host "Proceed to delete an existing group named '$name' in the tenant ?(Y/N)"
+
+ if($confirmation -eq 'y')
+ {
+ Remove-MgGroup -GroupId $group.Id
+ Write-Host "Security group '$name' successfully deleted"
+ }
+ }
+ else
+ {
+ Write-Host "No Security group by name '$name' exists in the tenant, no deletion needed."
+ } 
+ }
+ 
+ return $group.Id 
+}
+
 Function Cleanup
 {
  if (!$azureEnvironmentName)
@@ -24,11 +99,13 @@ Function Cleanup
 
  # Connect to the Microsoft Graph API
  Write-Host "Connecting to Microsoft Graph"
- if ($tenantId -eq "") {
+ if ($tenantId -eq "") 
+ {
  Connect-MgGraph -Scopes "Application.ReadWrite.All" -Environment $azureEnvironmentName
  $tenantId = (Get-MgContext).TenantId
  }
- else {
+ else 
+ {
  Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All" -Environment $azureEnvironmentName
  }
 
@@ -72,16 +149,10 @@ Function Cleanup
  Write-Warning $Error[0]
  Write-Host "Unable to remove ServicePrincipal 'msal-angular-app'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
  }
- Write-Host "You may want to remove the security group 'GroupAdmin' if it was created to test this sample only."
- #if($null -ne (Get-MgGroup -Filter "DisplayName eq 'GroupAdmin'")) 
- #{
- # Remove-MgGroup -GroupId (Get-MgGroup -Filter "DisplayName eq 'GroupAdmin'").Id
- #}
- Write-Host "You may want to remove the security group 'GroupMember' if it was created to test this sample only."
- #if($null -ne (Get-MgGroup -Filter "DisplayName eq 'GroupMember'")) 
- #{
- # Remove-MgGroup -GroupId (Get-MgGroup -Filter "DisplayName eq 'GroupMember'").Id
- #}
+
+ # remove security groups, if relevant to the sample
+ RemoveSecurityGroup -name 'GroupAdmin' -promptBeforeDelete 'Y'
+ RemoveSecurityGroup -name 'GroupMember' -promptBeforeDelete 'Y'
 }
 
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Applications")) {