Minor nits and bits

Author: kalyankrishna1

5-AccessControl/1-call-api-roles/API/TodoListAPI/Startup.cs

@@ -51,7 +51,7 @@ public void ConfigureServices(IServiceCollection services)
 
  options.Events.OnTokenValidated = async context =>
  {
- string[] allowedClientApps = { Configuration["AzureAd:ClientId"] }; // In this scenario, client and service share the same clientId
+ string[] allowedClientApps = { Configuration["AzureAd:ClientId"] }; // In this scenario, client and service share the same clientId and this app's API only allows call from its own SPA
 
  string clientappId = context?.Principal?.Claims
  .FirstOrDefault(x => x.Type == "azp" || x.Type == "appid")?.Value;

5-AccessControl/1-call-api-roles/AppCreationScripts/Cleanup.ps1

@@ -7,6 +7,7 @@ param(
  [string] $azureEnvironmentName
 )
 
+
 Function Cleanup
 {
  if (!$azureEnvironmentName)
@@ -24,11 +25,13 @@ Function Cleanup
 
  # Connect to the Microsoft Graph API
  Write-Host "Connecting to Microsoft Graph"
- if ($tenantId -eq "") {
+ if ($tenantId -eq "") 
+ {
  Connect-MgGraph -Scopes "Application.ReadWrite.All" -Environment $azureEnvironmentName
  $tenantId = (Get-MgContext).TenantId
  }
- else {
+ else 
+ {
  Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All" -Environment $azureEnvironmentName
  }
 
@@ -81,7 +84,17 @@ Import-Module Microsoft.Graph.Applications
 $ErrorActionPreference = "Stop"
 
 
-Cleanup -tenantId $tenantId -environment $azureEnvironmentName
+try
+{
+ Cleanup -tenantId $tenantId -environment $azureEnvironmentName
+}
+catch
+{
+ $_.Exception.ToString() | out-host
+ $message = $_
+ Write-Warning $Error[0] 
+ Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
+}
 
 Write-Host "Disconnecting from tenant"
 Disconnect-MgGraph

5-AccessControl/1-call-api-roles/AppCreationScripts/CleanupUsersAndAssignRoles.ps1

@@ -49,10 +49,16 @@ Function CleanupRolesUsersAndRoleAssignments
  }
  else
  {
- Write-Host "couldn't find application (msal-angular-app)" -BackgroundColor Red
+ Write-Host "Couldn't find application (msal-angular-app)" -BackgroundColor Red
  }
 }
 
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Authentication")) {
+ Install-Module "Microsoft.Graph.Authentication" -Scope CurrentUser 
+}
+
+Import-Module Microsoft.Graph.Authentication
+
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Applications")) {
  Install-Module "Microsoft.Graph.Applications" -Scope CurrentUser 
 }
@@ -65,14 +71,17 @@ if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Users")) {
 
 Import-Module Microsoft.Graph.Users
 
-# Run interactively (will ask you for the tenant ID)
-
-try {
+try
+{
+ # Run interactively (will ask you for the tenant ID)
  CleanupRolesUsersAndRoleAssignments -tenantId $tenantId -environment $azureEnvironmentName
-} catch {
+}
+catch
+{
+ $_.Exception.ToString() | out-host
  $message = $_
- Write-Warning $Error[0]
- Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
+ Write-Warning $Error[0] 
+ Write-Host "Unable to cleanup app roles and assignments. Error is $message." -ForegroundColor White -BackgroundColor Red
 }
 
 Write-Host "Disconnecting from tenant"

5-AccessControl/1-call-api-roles/AppCreationScripts/Configure.ps1

@@ -13,7 +13,7 @@ param(
 
  In case you don't have Microsoft.Graph.Applications already installed, the script will automatically install it for the current user
  
- There are four ways to run this script. For more information, read the AppCreationScripts.md file in the same folder as this script.
+ There are two ways to run this script. For more information, read the AppCreationScripts.md file in the same folder as this script.
 #>
 
 # Adds the requiredAccesses (expressed as a pipe separated string) to the requiredAccess structure
@@ -71,6 +71,9 @@ Function GetRequiredPermissions([string] $applicationDisplayName, [string] $requ
 }
 
 
+<#.Description
+ This function takes a string input as a single line, matches a key value and replaces with the replacement value
+#> 
 Function ReplaceInLine([string] $line, [string] $key, [string] $value)
 {
  $index = $line.IndexOf($key)
@@ -82,6 +85,9 @@ Function ReplaceInLine([string] $line, [string] $key, [string] $value)
  return $line
 }
 
+<#.Description
+ This function takes a dictionary of keys to search and their replacements and replaces the placeholders in a text file
+#> 
 Function ReplaceInTextFile([string] $configFilePath, [System.Collections.HashTable] $dictionary)
 {
  $lines = Get-Content $configFilePath
@@ -101,6 +107,7 @@ Function ReplaceInTextFile([string] $configFilePath, [System.Collections.HashTab
 
  Set-Content -Path $configFilePath -Value $lines -Force
 }
+
 <#.Description
  This function creates a new Azure AD scope (OAuth2Permission) with default and provided values
 #> 
@@ -137,6 +144,49 @@ Function CreateAppRole([string] $types, [string] $name, [string] $description)
  $appRole.Value = $name;
  return $appRole
 }
+<#.Description
+ This function takes a string input as a single line, matches a key value and replaces with the replacement value
+#> 
+Function UpdateLine([string] $line, [string] $value)
+{
+ $index = $line.IndexOf(':')
+ $lineEnd = ''
+
+ if($line[$line.Length - 1] -eq ','){ $lineEnd = ',' }
+ 
+ if ($index -ige 0)
+ {
+ $line = $line.Substring(0, $index+1) + " " + '"' + $value+ '"' + $lineEnd
+ }
+ return $line
+}
+
+<#.Description
+ This function takes a dictionary of keys to search and their replacements and replaces the placeholders in a text file
+#> 
+Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable] $dictionary)
+{
+ $lines = Get-Content $configFilePath
+ $index = 0
+ while($index -lt $lines.Length)
+ {
+ $line = $lines[$index]
+ foreach($key in $dictionary.Keys)
+ {
+ if ($line.Contains($key))
+ {
+ $lines[$index] = UpdateLine $line $dictionary[$key]
+ }
+ }
+ $index++
+ }
+
+ Set-Content -Path $configFilePath -Value $lines -Force
+}
+
+<#.Description
+ This function takes a string as input and creates an instance of an Optional claim object
+#> 
 Function CreateOptionalClaim([string] $name)
 {
  <#.Description
@@ -151,6 +201,9 @@ Function CreateOptionalClaim([string] $name)
  return $appClaim
 }
 
+<#.Description
+ Primary entry method to create and configure app registrations
+#> 
 Function ConfigureApplications
 {
  $isOpenSSl = 'N' #temporary disable open certificate creation 
@@ -192,8 +245,10 @@ Function ConfigureApplications
  } `
  -SignInAudience AzureADMyOrg `
  #end of command
+
  $clientIdentifierUri = 'api://'+$clientAadApplication.AppId
  Update-MgApplication -ApplicationId $clientAadApplication.Id -IdentifierUris @($clientIdentifierUri)
+
 
  # create the service principal of the newly created application 
  $currentAppId = $clientAadApplication.AppId
@@ -214,14 +269,13 @@ Function ConfigureApplications
  $optionalClaims.IdToken = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphOptionalClaim]
  $optionalClaims.Saml2Token = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphOptionalClaim]
 
-
  # Add Optional Claims
 
  $newClaim = CreateOptionalClaim -name "acct" 
  $optionalClaims.IdToken += ($newClaim)
  Update-MgApplication -ApplicationId $clientAadApplication.Id -OptionalClaims $optionalClaims
 
- # Add application Roles
+ # Add application Roles for users and groups
  $appRoles = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]
  $newRole = CreateAppRole -types "User" -name "TaskAdmin" -description "Admins can read any user's todo list"
  $appRoles.Add($newRole)
@@ -232,6 +286,7 @@ Function ConfigureApplications
  # rename the user_impersonation scope if it exists to match the readme steps or add a new scope
 
  # delete default scope i.e. User_impersonation
+ # Alex: the scope deletion doesn't work - see open issue - https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1054
  $scopes = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphPermissionScope]
  $scope = $clientAadApplication.Api.Oauth2PermissionScopes | Where-Object { $_.Value -eq "User_impersonation" }
 
@@ -248,10 +303,10 @@ Function ConfigureApplications
 
  $scopes = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphPermissionScope]
  $scope = CreateScope -value access_via_approle_assignments `
- -userConsentDisplayName "Access msal-angular-app" `
- -userConsentDescription "Allow the application to access msal-angular-app on your behalf." `
- -adminConsentDisplayName "Access msal-angular-app" `
- -adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of an admin."
+  -userConsentDisplayName "Access 'msal-angular-app' as the signed-in user assigned to App role" `
+  -userConsentDescription "Allow the app to access the 'msal-angular-app' on your behalf after assignment to one or more App roles" `
+  -adminConsentDisplayName "Access 'msal-angular-app' as the signed-in user assigned to App role" `
+  -adminConsentDescription "Allow the app to access the 'msal-angular-app' as a signed-in user assigned to one or more App roles"
 
  $scopes.Add($scope)
 
@@ -262,73 +317,50 @@ Function ConfigureApplications
  # URL of the AAD application in the Azure portal
  # Future? $clientPortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.Id+"/isMSAApp/"
  $clientPortalUrl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.Id+"/isMSAApp/"
+
  Add-Content -Value "<tr><td>client</td><td>$currentAppId</td><td><a href='$clientPortalUrl'>msal-angular-app</a></td></tr>" -Path createdApps.html
+ # Declare a list to hold RRA items 
  $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]
- 
+
  # Add Required Resources Access (from 'client' to 'client')
  Write-Host "Getting access from 'client' to 'client'"
- $requiredPermission = GetRequiredPermissions -applicationDisplayName "msal-angular-app" `
- -requiredDelegatedPermissions "access_via_approle_assignments" `
+ $requiredPermission = GetRequiredPermissions -applicationDisplayName "msal-angular-app"`
+ -requiredDelegatedPermissions "access_via_approle_assignments"
 
  $requiredResourcesAccess.Add($requiredPermission)
+ Write-Host "Added 'client' to the RRA list."
+ # Useful for RRA additions troubleshooting
+ # $requiredResourcesAccess.Count
+ # $requiredResourcesAccess
+ 
  Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
- Write-Host "Granted permissions."
-
- Write-Host "Successfully registered and configured that app registration for 'msal-angular-app' at" -ForegroundColor Green
-
- # print the registered app portal URL for any further navigation
- $clientPortalUrl
-Function UpdateLine([string] $line, [string] $value)
-{
- $index = $line.IndexOf(':')
- $lineEnd = ''
-
- if($line[$line.Length - 1] -eq ','){ $lineEnd = ',' }
+ Write-Host "Granted permissions." 
 
- if ($index -ige 0)
- {
- $line = $line.Substring(0, $index+1) + " " + '"' + $value+ '"' + $lineEnd
- }
- return $line
-}
 
-Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable] $dictionary)
-{
- $lines = Get-Content $configFilePath
- $index = 0
- while($index -lt $lines.Length)
- {
- $line = $lines[$index]
- foreach($key in $dictionary.Keys)
- {
- if ($line.Contains($key))
- {
- $lines[$index] = UpdateLine $line $dictionary[$key]
- }
- }
- $index++
- }
-
- Set-Content -Path $configFilePath -Value $lines -Force
-}
+ # print the registered app portal URL for any further navigation
+ Write-Host "Successfully registered and configured that app registration for 'msal-angular-app' at `n $clientPortalUrl" -ForegroundColor Red 
 
  # Update config file for 'client'
+ # $configFile = $pwd.Path + "\..\API\TodoListAPI\appsettings.json"
  $configFile = $(Resolve-Path ($pwd.Path + "\..\API\TodoListAPI\appsettings.json"))
 
  $dictionary = @{ "Enter the ID of your Azure AD tenant copied from the Azure portal" = $tenantId;"Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal" = $clientAadApplication.AppId };
 
- Write-Host "Updating the sample config '$configFile' with the following config values:"
+ Write-Host "Updating the sample config '$configFile' with the following config values:" -ForegroundColor Green 
  $dictionary
+ Write-Host "-----------------"
 
  ReplaceInTextFile -configFilePath $configFile -dictionary $dictionary
 
  # Update config file for 'client'
+ # $configFile = $pwd.Path + "\..\SPA\src\app\auth-config.ts"
  $configFile = $(Resolve-Path ($pwd.Path + "\..\SPA\src\app\auth-config.ts"))
 
  $dictionary = @{ "Enter_the_Application_Id_Here" = $clientAadApplication.AppId;"Enter_the_Tenant_Info_Here" = $tenantId;"Enter_the_Web_Api_Application_Id_Here" = $clientAadApplication.AppId };
 
- Write-Host "Updating the sample config '$configFile' with the following config values:"
+ Write-Host "Updating the sample config '$configFile' with the following config values:" -ForegroundColor Green 
  $dictionary
+ Write-Host "-----------------"
 
  ReplaceInTextFile -configFilePath $configFile -dictionary $dictionary
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
@@ -339,14 +371,15 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
  Write-Host " - Or you can run the .\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app." -ForegroundColor Red 
  Write-Host " - Application 'client' publishes app roles . Do remember to navigate to the app registration in the app portal and assign users to these app roles" -ForegroundColor Red 
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
- if($isOpenSSL -eq 'Y')
- {
- Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
- Write-Host "You have generated certificate using OpenSSL so follow below steps: "
- Write-Host "Install the certificate on your system from current folder."
- Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
- }
- Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html 
+ 
+if($isOpenSSL -eq 'Y')
+{
+ Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
+ Write-Host "You have generated certificate using OpenSSL so follow below steps: "
+ Write-Host "Install the certificate on your system from current folder."
+ Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
+}
+Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html 
 } # end of ConfigureApplications function
 
 # Pre-requisites
@@ -369,8 +402,9 @@ try
 }
 catch
 {
+ $_.Exception.ToString() | out-host
  $message = $_
- Write-Warning $Error[0]
+ Write-Warning $Error[0] 
  Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
 }
 Write-Host "Disconnecting from tenant"