update ps scripts

Author: derisen

5-AccessControl/2-call-api-groups/API/TodoListAPI/appsettings.json

@@ -4,7 +4,7 @@
  "TenantId": "Enter the ID of your Azure AD tenant copied from the Azure portal",
  "ClientId": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
  "ClientSecret": "Enter the Client Secret of the 'TodoListAPI' application copied from the Azure portal",
- "Scopes": [ "access_as_user" ],
+ "Scopes": [ "access_via_group_assignment" ],
  "Groups": {
  "GroupAdmin": "Enter the objectID for GroupAdmin group copied from Azure Portal",
  "GroupMember": "Enter the objectID for GroupMember group copied from Azure Portal"

5-AccessControl/2-call-api-groups/AppCreationScripts/BulkCreateGroups.ps1

@@ -57,7 +57,7 @@ Function Cleanup
 
  foreach ($app in $apps) 
  {
- Remove-MgApplication -ApplicationId $app.Id -Debug
+ Remove-MgApplication -ApplicationId $app.Id
  Write-Host "Removed msal-angular-app.."
  }
 
@@ -72,16 +72,6 @@ Function Cleanup
  Write-Warning $Error[0]
  Write-Host "Unable to remove ServicePrincipal 'msal-angular-app'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
  }
- Write-Host "You may want to remove the security group 'GroupAdmin' if it was created to test this sample only."
- #if($null -ne (Get-MgGroup -Filter "DisplayName eq 'GroupAdmin'")) 
- #{
- # Remove-MgGroup -GroupId (Get-MgGroup -Filter "DisplayName eq 'GroupAdmin'").Id
- #}
- Write-Host "You may want to remove the security group 'GroupMember' if it was created to test this sample only."
- #if($null -ne (Get-MgGroup -Filter "DisplayName eq 'GroupMember'")) 
- #{
- # Remove-MgGroup -GroupId (Get-MgGroup -Filter "DisplayName eq 'GroupMember'").Id
- #}
 }
 
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Applications")) { 

5-AccessControl/2-call-api-groups/AppCreationScripts/BulkRemoveGroups.ps1

@@ -214,7 +214,7 @@ Function ConfigureApplications
  }
 
  $scopes = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphPermissionScope]
- $scope = CreateScope -value access_as_user `
+ $scope = CreateScope -value access_via_group_assignment `
  -userConsentDisplayName "Access msal-angular-app" `
  -userConsentDescription "Allow the application to access msal-angular-app on your behalf." `
  -adminConsentDisplayName "Access msal-angular-app" `
@@ -234,19 +234,23 @@ Function ConfigureApplications
 
  # Add Required Resources Access (from 'client' to 'client')
  Write-Host "Getting access from 'client' to 'client'"
- $requiredPermissions = GetRequiredPermissions -applicationDisplayName "msal-angular-app" `
- -requiredDelegatedPermissions "access_as_user" `
- $requiredResourcesAccess.Add($requiredPermissions)
+ $requiredPermission = GetRequiredPermissions -applicationDisplayName "msal-angular-app" `
+ -requiredDelegatedPermissions "access_via_group_assignment" `
+
+ $requiredResourcesAccess.Add($requiredPermission)
 
  # Add Required Resources Access (from 'client' to 'Microsoft Graph')
  Write-Host "Getting access from 'client' to 'Microsoft Graph'"
- $requiredPermissions = GetRequiredPermissions -applicationDisplayName "Microsoft Graph" `
+ $requiredPermission = GetRequiredPermissions -applicationDisplayName "Microsoft Graph" `
  -requiredDelegatedPermissions "User.Read|GroupMember.Read.All" `
- $requiredResourcesAccess.Add($requiredPermissions)
+
+ $requiredResourcesAccess.Add($requiredPermission)
  Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
  Write-Host "Granted permissions."
 
  Write-Host "Successfully registered and configured that app registration for 'msal-angular-app' at" -ForegroundColor Green
+
+ # print the registered app portal URL for any further navigation
  $clientPortalUrl
 Function UpdateLine([string] $line, [string] $value)
 {
@@ -288,7 +292,8 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
 
  $dictionary = @{ "Enter the ID of your Azure AD tenant copied from the Azure portal" = $tenantId;"Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal" = $clientAadApplication.AppId;"Enter the Client Secret of the 'TodoListAPI' application copied from the Azure portal" = $clientAppKey };
 
- Write-Host "Updating the sample config '$configFile' with the following config values"
+ Write-Host "Updating the sample config '$configFile' with the following config values:"
+ $dictionary
 
  ReplaceInTextFile -configFilePath $configFile -dictionary $dictionary
 
@@ -298,7 +303,8 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
 
  $dictionary = @{ "Enter_the_Application_Id_Here" = $clientAadApplication.AppId;"Enter_the_Tenant_Info_Here" = $tenantId;"Enter_the_Web_Api_Application_Id_Here" = $clientAadApplication.AppId };
 
- Write-Host "Updating the sample config '$configFile' with the following config values"
+ Write-Host "Updating the sample config '$configFile' with the following config values:"
+ $dictionary
 
  ReplaceInTextFile -configFilePath $configFile -dictionary $dictionary
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
@@ -307,7 +313,6 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
  Write-Host " - Navigate to $clientPortalUrl"
  Write-Host " - This script has created a group named GroupAdmin for you. On Azure portal, assign some users to it, and configure your ID and Access token to emit GroupID in your app registration." -ForegroundColor Red 
  Write-Host " - This script has created a group named GroupMember for you. On Azure portal, assign some users to it, and configure your ID and Access token to emit GroupID in your app registration." -ForegroundColor Red 
- Write-Host " - Security groups matching the names you provided have been created in this tenant (if not present already). On Azure portal, assign some users to it, and configure ID & Access tokens to emit Group IDs" -ForegroundColor Red 
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
  if($isOpenSSL -eq 'Y')
  {

5-AccessControl/2-call-api-groups/AppCreationScripts/Cleanup.ps1

@@ -30,7 +30,7 @@
  "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
  "GroupMembershipClaims": "SecurityGroup",
  "Scopes": [
- "access_as_user"
+ "access_via_group_assignment"
  ],
  "Sample": {
  "SampleSubPath": "5-AccessControl\\2-call-api-groups\\SPA",
@@ -40,7 +40,7 @@
  {
  "Resource": "client",
  "DelegatedPermissions": [
- "access_as_user"
+ "access_via_group_assignment"
  ]
  },
  {
@@ -51,16 +51,6 @@
  ]
  }
  ],
- "SecurityGroups": [
- {
- "Name": "GroupAdmin",
- "Description": "Admin Security Group"
- },
- {
- "Name": "GroupMember",
- "Description": "User Security Group"
- }
- ],
  "OptionalClaims": {
  "IdTokenClaims": [
  "acct"

5-AccessControl/2-call-api-groups/AppCreationScripts/Configure.ps1

@@ -34,14 +34,14 @@ This sample demonstrates a cross-platform application suite involving an Angular
 
 Access control in Azure AD can also be done with **App Roles**, as shown in the [previous tutorial](../1-call-api-roles/README.md). **Security Groups** and **App Roles** in Azure AD are by no means mutually exclusive - they can be used in tandem to provide even finer grained access control.
 
+In the sample, a dashboard component allows signed-in users to see the tasks assigned to them or other users based on their memberships to one of the two security groups, **GroupAdmin** and **GroupMember**.
+
 > :information_source: See the community call: [Implement authorization in your applications with the Microsoft identity platform](https://www.youtube.com/watch?v=LRoc-na27l0)
 
 > :information_source: See the community call: [Deep dive on using MSAL.js to integrate Angular single-page applications with Azure Active Directory](https://www.youtube.com/watch?v=EJey9KP1dZA)
 
 ## Scenario
 
-In the sample, a dashboard component allows signed-in users to see the tasks assigned to them or other users based on their memberships to one of the two security groups, **GroupAdmin** and **GroupMember**.
-
 - The **TodoListSPA** uses [MSAL Angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular) to authenticate a user with the Microsoft identity platform.
 - The app then obtains an [access token](https://docs.microsoft.com/azure/active-directory/develop/access-tokens) from Azure Active Directory (Azure AD) on behalf of the authenticated user for the **TodoListAPI**.
 - **TodoListAPI** uses [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) to protect its endpoint and accept only authorized calls.
@@ -107,9 +107,9 @@ For more information and potential issues, see: [HTTPS in .NET Core](https://doc
 
 ### Step 5: Register the sample application(s) in your tenant
 
-While there are multiple project in this sample, we'd register just one app with Azure AD and use the registered app's *client id* in both apps. This reuse of app ids (client ids) is used when the apps themselves are just components of one larger app topology. 
+> :information_source: While there are multiple project in this sample, we'd register just one app with Azure AD and use the registered app's *client id* in both apps. This reuse of app ids (client ids) is used when the apps themselves are just components of one larger app topology. 
 
-There is one project in this sample. To register it, you can:
+There are two projects in this sample. To register it, you can:
 
 - follow the steps below for manually register your apps
 - or use PowerShell scripts that:
@@ -172,7 +172,7 @@ To manually register the apps, as a first step you'll need to:
 
 1. All APIs must publish a minimum of one [scope](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code), also called [Delegated Permission](https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#permission-types), for the client apps to obtain an access token for a *user* successfully. To publish a scope, follow these steps:
 1. Select **Add a scope** button open the **Add a scope** screen and Enter the values as indicated below:
- 1. For **Scope name**, use `access_as_user`.
+ 1. For **Scope name**, use `access_via_group_assignment`.
  1. Select **Admins and users** options for **Who can consent?**.
  1. For **Admin consent display name** type in *Access 'msal-angular-app' as the signed-in user.*.
  1. For **Admin consent description** type in *Allow the app to access the 'msal-angular-app' as a signed-in user.*.
@@ -304,8 +304,8 @@ You have two different options available to you on how you can further configure
 1. Find the app key `groups.groupMember` and replace the existing value with the **object ID** of the **GroupMember** group copied from the Azure portal.
 
 1. Open the `API\TodoListAPI\appsettings.json` file.
-2. Find the app key `Groups.GroupAdmin` and replace the existing value with the object ID of the **GroupAdmin** group copied from the Azure portal.
-3. Find the app key `Groups.GroupMember` and replace the existing value with the object ID of the **GroupMember** group copied from the Azure portal.
+2. Find the app key `Groups.GroupAdmin` and replace the existing value with the **object ID** of the **GroupAdmin** group copied from the Azure portal.
+3. Find the app key `Groups.GroupMember` and replace the existing value with the **object ID** of the **GroupMember** group copied from the Azure portal.
 
 ### Step 6: Running the sample
 

5-AccessControl/2-call-api-groups/AppCreationScripts/sample.json

@@ -48,7 +48,7 @@ export const msalConfig: Configuration = {
 export const protectedResources = {
  apiTodoList: {
  endpoint: "https://localhost:44351/api/todolist",
- scopes: ["api://Enter_the_Web_Api_Application_Id_Here/access_as_user"]
+ scopes: ["api://Enter_the_Web_Api_Application_Id_Here/access_via_group_assignment"]
  },
  apiGraph: {
  endpoint: "https://graph.microsoft.com/v1.0/me/memberOf",