minor edits

Author: kalyankrishna1

5-AccessControl/2-call-api-groups/AppCreationScripts/Configure.ps1

@@ -122,42 +122,6 @@ Function ReplaceInTextFile([string] $configFilePath, [System.Collections.HashTab
  Set-Content -Path $configFilePath -Value $lines -Force
 }
 
-<#.Description
- This function creates a new Azure AD scope (OAuth2Permission) with default and provided values
-#> 
-Function CreateScope( [string] $value, [string] $userConsentDisplayName, [string] $userConsentDescription, [string] $adminConsentDisplayName, [string] $adminConsentDescription)
-{
- $scope = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphPermissionScope
- $scope.Id = New-Guid
- $scope.Value = $value
- $scope.UserConsentDisplayName = $userConsentDisplayName
- $scope.UserConsentDescription = $userConsentDescription
- $scope.AdminConsentDisplayName = $adminConsentDisplayName
- $scope.AdminConsentDescription = $adminConsentDescription
- $scope.IsEnabled = $true
- $scope.Type = "User"
- return $scope
-}
-
-<#.Description
- This function creates a new Azure AD AppRole with default and provided values
-#> 
-Function CreateAppRole([string] $types, [string] $name, [string] $description)
-{
- $appRole = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole
- $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
- $typesArr = $types.Split(',')
- foreach($type in $typesArr)
- {
- $appRole.AllowedMemberTypes += $type;
- }
- $appRole.DisplayName = $name
- $appRole.Id = New-Guid
- $appRole.IsEnabled = $true
- $appRole.Description = $description
- $appRole.Value = $name;
- return $appRole
-}
 <#.Description
  This function takes a string input as a single line, matches a key value and replaces with the replacement value
 #> 
@@ -338,12 +302,14 @@ Function ConfigureApplications
  -SignInAudience AzureADMyOrg `
  -GroupMembershipClaims "SecurityGroup" `
  #end of command
+
  #add a secret to the application
  $pwdCredential = Add-MgApplicationPassword -ApplicationId $clientAadApplication.Id -PasswordCredential $key
  $clientAppKey = $pwdCredential.SecretText
 
  $clientIdentifierUri = 'api://'+$clientAadApplication.AppId
  Update-MgApplication -ApplicationId $clientAadApplication.Id -IdentifierUris @($clientIdentifierUri)
+
 
  # create the service principal of the newly created application 
  $currentAppId = $clientAadApplication.AppId
@@ -368,10 +334,10 @@ Function ConfigureApplications
 
  $newClaim = CreateOptionalClaim -name "groups" 
  $optionalClaims.IdToken += ($newClaim)
- $newClaim = CreateOptionalClaim -name "groups" 
- $optionalClaims.AccessToken += ($newClaim)
- $newClaim = CreateOptionalClaim -name "groups" 
- $optionalClaims.Saml2Token += ($newClaim)
+ # $newClaim = CreateOptionalClaim -name "groups" 
+ # $optionalClaims.AccessToken += ($newClaim)
+ # $newClaim = CreateOptionalClaim -name "groups" 
+ # $optionalClaims.Saml2Token += ($newClaim)
 
  # Add Optional Claims
 
@@ -399,10 +365,10 @@ Function ConfigureApplications
 
  $scopes = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphPermissionScope]
  $scope = CreateScope -value access_via_group_assignments `
- -userConsentDisplayName "Access 'msal-angular-app' as the signed-in user assigned to group memberships." `
- -userConsentDescription "Allow the app to access the 'msal-angular-app' on your behalf after assignment to one or more security groups." `
- -adminConsentDisplayName "Access 'msal-angular-app' as the signed-in user assigned to group memberships." `
- -adminConsentDescription "Allow the app to access the 'msal-angular-app' as a signed-in user assigned to one or more security groups."
+ -userConsentDisplayName "Access 'msal-angular-app' as the signed-in user assigned to group memberships" `
+ -userConsentDescription "Allow the app to access the 'msal-angular-app' on your behalf after assignment to one or more security groups" `
+ -adminConsentDisplayName "Access 'msal-angular-app' as the signed-in user assigned to group memberships" `
+ -adminConsentDescription "Allow the app to access the 'msal-angular-app' as a signed-in user assigned to one or more security groups"
 
  $scopes.Add($scope)
 
@@ -442,8 +408,7 @@ Function ConfigureApplications
  # $requiredResourcesAccess
 
  Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
- Write-Host "Granted permissions."
- 
+ Write-Host "Granted permissions." 
 
  # Create any security groups that this app requires.
 
@@ -484,8 +449,9 @@ Function ConfigureApplications
  Write-Host "IMPORTANT: Please follow the instructions below to complete a few manual step(s) in the Azure portal":
  Write-Host "- For client"
  Write-Host " - Navigate to $clientPortalUrl"
- Write-Host " - This script has created a group named GroupAdmin for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it." -ForegroundColor Red 
- Write-Host " - This script has created a group named GroupMember for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it." -ForegroundColor Red
+ Write-Host " - This script has created a group named 'GroupAdmin' for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it." -ForegroundColor Red 
+ Write-Host " - This script has created a group named 'GroupMember' for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it." -ForegroundColor Red 
+ Write-Host " - Security groups matching the names you provided have been created in this tenant (if not present already). On Azure portal, assign some users to it, and configure ID & Access tokens to emit Group IDs" -ForegroundColor Red 
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
 
 if($isOpenSSL -eq 'Y')

5-AccessControl/2-call-api-groups/AppCreationScripts/sample.json

@@ -1,133 +1,137 @@
 {
- "Sample": {
- "Title": "Angular single-page application calling a protected AspNet Core web API and using Security Groups to implement Role-Based Access Control",
- "Level": 300,
- "Client": "Angular SPA",
- "Service": ".NET Core web API",
- "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
- "Endpoint": "AAD v2.0",
- "platform": "javascript",
- "Languages": [
- "typescript",
- "csharp",
- "javascript"
- ],
- "Description": "Angular single-page application calling a protected AspNet web API and using Security Groups to implement Role-Based Access Control (RBAC)",
- "products": [
- "azure-active-directory",
- "ms-graph",
- "msal-js",
- "msal-angular",
- "microsoft-identity-web"
+ "Sample": {
+ "Title": "Angular single-page application calling a protected ASP.NET Core web API and using Security Groups to implement Role-Based Access Control",
+ "Level": 300,
+ "Client": "Angular SPA",
+ "Service": ".NET Core web API",
+ "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
+ "Endpoint": "AAD v2.0",
+ "platform": "javascript",
+ "Languages": [
+ "typescript",
+ "csharp",
+ "javascript"
+ ],
+ "Description": "An Angular single-page application calling a protected AspNet web API and using Security Groups to implement Role-Based Access Control (RBAC)",
+ "products": [
+ "azure-active-directory",
+ "ms-graph",
+ "msal-js",
+ "msal-angular",
+ "microsoft-identity-web"
+ ]
+ },
+ "AADApps": [
+ {
+ "Id": "client",
+ "Name": "msal-angular-app",
+ "Kind": "SinglePageApplication",
+ "Audience": "AzureADMyOrg",
+ "HomePage": "http://localhost:4200/",
+ "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
+ "GroupMembershipClaims": "SecurityGroup",
+ "PasswordCredentials": "Auto",
+ "Scopes": [
+ "access_via_group_assignments"
+ ],
+ "Sample": {
+ "SampleSubPath": "5-AccessControl\\2-call-api-groups\\SPA",
+ "ProjectDirectory": "\\2-call-api-groups\\SPA"
+ },
+ "SecurityGroups": [
+ {
+ "Name": "GroupAdmin",
+ "Description": "Admin Security Group"
+ },
+ {
+ "Name": "GroupMember",
+ "Description": "User Security Group"
+ }
+ ],
+ "RequiredResourcesAccess": [
+ {
+ "Resource": "client",
+ "DelegatedPermissions": [
+ "access_via_group_assignments"
+ ]
+ },
+ {
+ "Resource": "Microsoft Graph",
+ "DelegatedPermissions": [
+ "User.Read",
+ "GroupMember.Read.All"
+ ]
+ }
+ ],
+ "OptionalClaims": {
+ "IdTokenClaims": [
+ "acct"
  ]
- },
- "AADApps": [
- {
- "Id": "client",
- "Name": "msal-angular-app",
- "Kind": "SinglePageApplication",
- "Audience": "AzureADMyOrg",
- "HomePage": "http://localhost:4200/",
- "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
- "GroupMembershipClaims": "SecurityGroup",
- "PasswordCredentials": "Auto",
- "Scopes": [
- "access_via_group_assignments"
- ],
- "Sample": {
- "SampleSubPath": "5-AccessControl\\2-call-api-groups\\SPA",
- "ProjectDirectory": "\\2-call-api-groups\\SPA"
- },
- "SecurityGroups": [
- {
- "Name": "GroupAdmin",
- "Description": "Admin Security Group"
- },
- {
- "Name": "GroupMember",
- "Description": "User Security Group"
- }
- ],
- "RequiredResourcesAccess": [
- {
- "Resource": "client",
- "DelegatedPermissions": [
- "access_via_group_assignments"
- ]
- },
- {
- "Resource": "Microsoft Graph",
- "DelegatedPermissions": [
- "User.Read",
- "GroupMember.Read.All"
- ]
- }
- ],
- "OptionalClaims": {
- "IdTokenClaims": [
- "acct"
- ]
- },
- "ManualSteps": [
- { "Comment": "This script has created a group named GroupAdmin for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it." },
- { "Comment": "This script has created a group named GroupMember for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it." }
- ] 
+ },
+ "ManualSteps": [
+ {
+ "Comment": "This script has created a group named 'GroupAdmin' for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it."
+ },
+ {
+ "Comment": "This script has created a group named 'GroupMember' for you. On Azure portal, navigate to Azure AD > Groups blade and assign some users to it."
  }
- ],
- "CodeConfiguration": [
- {
- "App": "client",
- "SettingKind": "Replace",
- "SettingFile": "\\..\\API\\TodoListAPI\\appsettings.json",
- "Mappings": [
- {
- "key": "Enter the ID of your Azure AD tenant copied from the Azure portal",
- "value": "$tenantId"
- },
- {
- "key": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
- "value": "client.AppId"
- },
- {
- "key": "Enter the Client Secret of the 'TodoListAPI' application copied from the Azure portal",
- "value": "client.AppKey"
- },
- {
- "key": "Enter the object ID for GroupAdmin group copied from Azure Portal",
- "value": "$GroupAdmin.objectId"
- },
- {
- "key": "Enter the object ID for GroupMember group copied from Azure Portal",
- "value": "$GroupMember.objectId"
- }
- ]
+ ]
+ }
+ ],
+ "CodeConfiguration": [
+ {
+ "App": "client",
+ "SettingKind": "Replace",
+ "SettingFile": "\\..\\API\\TodoListAPI\\appsettings.json",
+ "Mappings": [
+ {
+ "key": "Enter the ID of your Azure AD tenant copied from the Azure portal",
+ "value": "$tenantId"
+ },
+ {
+ "key": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
+ "value": "client.AppId"
+ },
+ {
+ "key": "Enter the Client Secret of the 'TodoListAPI' application copied from the Azure portal",
+ "value": "client.AppKey"
+ },
+ {
+ "key": "Enter the object ID for GroupAdmin group copied from Azure Portal",
+ "value": "$GroupAdmin.Id"
  },
  {
- "App": "client",
- "SettingKind": "Replace",
- "SettingFile": "\\..\\SPA\\src\\app\\auth-config.ts",
- "Mappings": [
- {
- "key": "Enter_the_Application_Id_Here",
- "value": "client.AppId"
- },
- {
- "key": "Enter_the_Tenant_Info_Here",
- "value": "$tenantId"
- },
- {
- "key": "Enter_the_Web_Api_Application_Id_Here",
- "value": "client.AppId"
- },
- {
- "key": "Enter the object ID for GroupAdmin group copied from Azure Portal",
- "value": "$GroupAdmin.objectId"
- },
- {
- "key": "Enter the object ID for GroupMember group copied from Azure Portal",
- "value": "$GroupMember.objectId"
- }
- ]
+ "key": "Enter the object ID for GroupMember group copied from Azure Portal",
+ "value": "$GroupMember.Id"
  }
- ]
+ ]
+ },
+ {
+ "App": "client",
+ "SettingKind": "Replace",
+ "SettingFile": "\\..\\SPA\\src\\app\\auth-config.ts",
+ "Mappings": [
+ {
+ "key": "Enter_the_Application_Id_Here",
+ "value": "client.AppId"
+ },
+ {
+ "key": "Enter_the_Tenant_Info_Here",
+ "value": "$tenantId"
+ },
+ {
+ "key": "Enter_the_Web_Api_Application_Id_Here",
+ "value": "client.AppId"
+ },
+ {
+ "key": "Enter the object ID for GroupAdmin group copied from Azure Portal",
+ "value": "$GroupAdmin.Id"
+ },
+ {
+ "key": "Enter the object ID for GroupMember group copied from Azure Portal",
+ "value": "$GroupMember.Id"
+ }
+ ]
+ }
+ ]
 }