|
1 | 1 | --- |
2 | 2 | page_type: sample |
3 | | -level: 300 |
4 | 3 | languages: |
5 | 4 | - typescript |
6 | 5 | - csharp |
@@ -172,7 +171,7 @@ To manually register the apps, as a first step you'll need to: |
172 | 171 | 1. The generated key value will be displayed when you select the **Add** button. Copy and save the generated value for use in later steps. |
173 | 172 | 1. You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Azure portal before navigating to any other screen or blade. |
174 | 173 | > :bulb: For enhanced security, instead of using client secrets, consider [using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Certificates) and [Azure KeyVault](https://azure.microsoft.com/services/key-vault/#product-overview). |
175 | | - 1. In the app's registration screen, select the **Expose an API** blade to the left to open the page where you can publish the permission as an API for which client applications can obtain [access tokens](https://aka.ms/access-tokens) for. The first thing that we need to do is to declare the unique [resource](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) URI that the clients will be using to obtain access tokens for this API. To declare an resource URI(Application ID URI), follow the following steps: |
| 174 | +1. In the app's registration screen, select the **Expose an API** blade to the left to open the page where you can publish the permission as an API for which client applications can obtain [access tokens](https://aka.ms/access-tokens) for. The first thing that we need to do is to declare the unique [resource](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) URI that the clients will be using to obtain access tokens for this API. To declare an resource URI(Application ID URI), follow the following steps: |
176 | 175 | 1. Select **Set** next to the **Application ID URI** to generate a URI that is unique for this app. |
177 | 176 | 1. For this sample, accept the proposed Application ID URI (`api://{clientId}`) by selecting **Save**. Read more about Application ID URI at [Validation differences by supported account types \(signInAudience\)](https://docs.microsoft.com/azure/active-directory/develop/supported-accounts-validation). |
178 | 177 | |
@@ -201,16 +200,18 @@ To manually register the apps, as a first step you'll need to: |
201 | 200 | 1. Select the **Add a permission** button and then: |
202 | 201 | 1. Ensure that the **My APIs** tab is selected. |
203 | 202 | 1. In the list of APIs, select the API `msal-angular-app`. |
204 | | - * Since this app signs-in users, we will now proceed to select **delegated permissions**, which is is requested by apps when signing-in users. |
205 | | - 1. In the **Delegated permissions** section, select **access_via_group_assignments** in the list. Use the search box if necessary. |
| 203 | + 1. Select **delegated permissions**, which is is requested by apps when signing-in users. |
| 204 | + 1. In the **Delegated permissions** section, select **access_via_group_assignments** in the list. Use the search box if necessary. |
206 | 205 | 1. Select the **Add permissions** button at the bottom. |
207 | 206 | 1. Select the **Add a permission** button and then: |
208 | 207 | 1. Ensure that the **Microsoft APIs** tab is selected. |
209 | 208 | 1. In the *Commonly used Microsoft APIs* section, select **Microsoft Graph** |
210 | | - * Since this app signs-in users, we will now proceed to select **delegated permissions**, which is is requested by apps when signing-in users. |
211 | | - 1. In the **Delegated permissions** section, select **User.Read**, **GroupMember.Read.All** in the list. Use the search box if necessary. |
| 209 | + 1. Select **delegated permissions**, which is is requested by apps when signing-in users. |
| 210 | + 1. In the **Delegated permissions** section, select **User.Read**, **GroupMember.Read.All** in the list. Use the search box if necessary. |
212 | 211 | 1. Select the **Add permissions** button at the bottom. |
213 | 212 |
|
| 213 | +> :warning: For the overage scenario, make sure you have granted **Admin Consent** for the MS Graph API's **GroupMember.Read.All** scope (see the **App Registration** steps above). |
| 214 | +
|
214 | 215 | ##### Configure Optional Claims |
215 | 216 |
|
216 | 217 | 1. Still on the same app registration, select the **Token configuration** blade to the left. |
|
0 commit comments