merged

Author: kalyankrishna1

5-AccessControl/2-call-api-groups/AppCreationScripts/BulkCreateGroups.ps1

@@ -71,11 +71,11 @@ Function ConfigureApplications {
 
  Write-Host "Connecting to Microsoft Graph"
  if ($tenantId -eq "") {
- Connect-MgGraph -Scopes "Group.ReadWrite.All GroupMember.ReadWrite.All" -Environment $azureEnvironmentName
+ Connect-MgGraph -Scopes "User.Read Group.ReadWrite.All GroupMember.ReadWrite.All" -Environment $azureEnvironmentName
  $tenantId = (Get-MgContext).TenantId
  }
  else {
- Connect-MgGraph -TenantId $tenantId -Scopes "Group.ReadWrite.All GroupMember.ReadWrite.All" -Environment $azureEnvironmentName
+ Connect-MgGraph -TenantId $tenantId -Scopes "User.Read Group.ReadWrite.All GroupMember.ReadWrite.All" -Environment $azureEnvironmentName
  }
 
  # Add user object Id here
@@ -86,14 +86,21 @@ Function ConfigureApplications {
  CreateGroupsAndAssignUser -user $user
 }
 
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Authentication")) {
+ Install-Module "Microsoft.Graph.Authentication" -Scope CurrentUser
+ Write-Host "Installed Microsoft.Graph.Authentication module. If you are having issues, please create a new PowerShell session and try again."
+}
+
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Groups")) {
- Install-Module "Microsoft.Graph.Groups" -Scope CurrentUser 
+ Install-Module "Microsoft.Graph.Groups" -Scope CurrentUser
+ Write-Host "Installed Microsoft.Graph.Groups module. If you are having issues, please create a new PowerShell session and try again."
 }
 
 Import-Module Microsoft.Graph.Groups
 
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Users")) {
- Install-Module "Microsoft.Graph.Users" -Scope CurrentUser 
+ Install-Module "Microsoft.Graph.Users" -Scope CurrentUser
+ Write-Host "Installed Microsoft.Graph.Users module. If you are having issues, please create a new PowerShell session and try again."
 }
 
 Import-Module Microsoft.Graph.Users

5-AccessControl/2-call-api-groups/AppCreationScripts/BulkRemoveGroups.ps1

@@ -72,6 +72,11 @@ Function ConfigureApplications {
 
 $ErrorActionPreference = "Stop"
 
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Authentication")) {
+ Install-Module "Microsoft.Graph.Authentication" -Scope CurrentUser
+ Write-Host "Installed Microsoft.Graph.Authentication module. If you are having issues, please create a new PowerShell session and try again."
+}
+
 if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Groups")) {
  Install-Module "Microsoft.Graph.Groups" -Scope CurrentUser 
 }

5-AccessControl/2-call-api-groups/AppCreationScripts/Configure.ps1

@@ -327,8 +327,8 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
  Write-Host "IMPORTANT: Please follow the instructions below to complete a few manual step(s) in the Azure portal":
  Write-Host "- For client"
  Write-Host " - Navigate to $clientPortalUrl"
- Write-Host " - On Azure portal, create a group named GroupAdmin and assign some users to it, then configure your ID and Access token to emit GroupID in your app registration." -ForegroundColor Red 
- Write-Host " - On Azure portal, create a group named GroupMember and assign some users to it, then configure your ID and Access token to emit GroupID in your app registration." -ForegroundColor Red 
+ Write-Host " - On Azure portal, create a security group named GroupAdmin and assign some users to it, then configure your ID and Access token to emit GroupID in your app registration." -ForegroundColor Red 
+ Write-Host " - On Azure portal, create a security group named GroupMember and assign some users to it, then configure your ID and Access token to emit GroupID in your app registration." -ForegroundColor Red 
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
  if($isOpenSSL -eq 'Y')
  {

5-AccessControl/2-call-api-groups/AppCreationScripts/sample.json

@@ -59,10 +59,10 @@
  },
  "ManualSteps": [
  {
- "Comment": "On Azure portal, create a group named 'GroupAdmin' and assign some users to it, then configure your ID and Access token to emit GroupID in your app registration."
+ "Comment": "On Azure portal, create a security group named GroupAdmin and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created."
  },
  {
- "Comment": "On Azure portal, create a group named 'GroupMember' and assign some users to it, then configure your ID and Access token to emit GroupID in your app registration."
+ "Comment": "On Azure portal, create a security group named GroupMember and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created."
  }
  ]
  }

5-AccessControl/2-call-api-groups/README.md

@@ -228,7 +228,7 @@ Open the project in your IDE (like Visual Studio or Visual Studio Code) to confi
 1. Find the key `Enter_the_Tenant_Info_Here` and replace the existing value with your Azure AD tenant/directory ID.
 1. Find the key `Enter_the_Web_Api_Application_Id_Here` and replace the existing value with the application ID (clientId) of `msal-angular-app` app copied from the Azure portal.
 
-### Create Security Groups
+#### Create Security Groups
 
 > :warning: You may already have security groups with the names below defined in your tenant and/or you may not have permissions to create new security groups. In that case, skip the steps below and update the configuration files in your project(s) with the desired names/IDs of the groups.
 
@@ -249,7 +249,7 @@ Open the project in your IDE (like Visual Studio or Visual Studio Code) to confi
 
 For more information, visit: [Create a basic group and add members using Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
 
-### Configure Security Groups
+#### Configure Security Groups
 
 You have two different options available to you on how you can further configure your application to receive the `groups` claim.
 
@@ -258,22 +258,22 @@ You have two different options available to you on how you can further configure
 
 > To get the on-premise group's `samAccountName` or `On Premises Group Security Identifier` instead of Group ID, please refer to the document [Configure group claims for applications with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-fed-group-claims#prerequisites-for-using-group-attributes-synchronized-from-active-directory).
 
-#### Configure your application to receive **all the groups** the signed-in user is assigned to, including nested groups
+##### Configure your application to receive **all the groups** the signed-in user is assigned to, including nested groups
 
 1. In the app's registration screen, select the **Token Configuration** blade in the left to open the page where you can configure the claims provided tokens issued to your application.
 1. Select the **Add groups claim** button on top to open the **Edit Groups Claim** screen.
 1. Select `Security groups` **or** the `All groups (includes distribution lists but not groups assigned to the application)` option. Choosing both negates the effect of `Security Groups` option.
 1. Under the **ID** section, select `Group ID`. This will result in Azure AD sending the [object id](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0) of the groups the user is assigned to in the **groups** claim of the [ID Token](https://docs.microsoft.com/azure/active-directory/develop/id-tokens) that your app receives after signing-in a user.
 
-#### Configure your application to receive the `groups` claim values from a **filtered set of groups** a user may be assigned to
+##### Configure your application to receive the `groups` claim values from a **filtered set of groups** a user may be assigned to
 
-##### Prerequisites, benefits and limitations of using this option
+###### Prerequisites, benefits and limitations of using this option
 
 1. This option is useful when your application is interested in a selected set of groups that a signing-in user may be assigned to and not every security group this user is assigned to in the tenant. This option also saves your application from running into the [overage](#groups-overage-claim) issue.
 1. This feature is not available in the [Azure AD Free edition](https://azure.microsoft.com/pricing/details/active-directory/).
 1. **Nested group assignments** are not available when this option is utilized.
 
-##### Steps to enable this option in your app
+###### Steps to enable this option in your app
 
 1. In the app's registration screen, select the **Token Configuration** blade in the left to open the page where you can configure the claims provided tokens issued to your application.
 1. Select the **Add groups claim** button on top to open the **Edit Groups Claim** screen.
@@ -295,17 +295,17 @@ You have two different options available to you on how you can further configure
 >
 > When you set **User assignment required?** to **Yes**, Azure AD will check that only users assigned to your application in the **Users and groups** blade are able to sign-in to your app. You can assign users directly or by assigning security groups they belong to.
 
-### Configure the app to recognize Group IDs
+#### Configure the app to recognize Group IDs
 
 > :warning: During **Token Configuration**, if you have chosen any other option except **groupID** (e.g. like **DNSDomain\sAMAccountName**) you should enter the **group name** (for example `contoso.com\Test Group`) instead of the **object ID** below:
 
-1. Open the `SPA\src\app\app-config.ts` file.
-1. Find the app key `groups.groupAdmin` and replace the existing value with the **object ID** of the **GroupAdmin** group copied from the Azure portal.
-1. Find the app key `groups.groupMember` and replace the existing value with the **object ID** of the **GroupMember** group copied from the Azure portal.
+1. Open the `SPA\src\app\auth-config.ts` file.
+1. Find the key `Enter the objectID for GroupAdmin group copied from Azure Portal` and replace the existing value with the **object ID** of the **GroupAdmin** group copied from the Azure portal.
+1. Find the key `Enter the objectID for GroupMember group copied from Azure Portal` and replace the existing value with the **object ID** of the **GroupMember** group copied from the Azure portal.
 
 1. Open the `API\TodoListAPI\appsettings.json` file.
-2. Find the app key `Groups.GroupAdmin` and replace the existing value with the **object ID** of the **GroupAdmin** group copied from the Azure portal.
-3. Find the app key `Groups.GroupMember` and replace the existing value with the **object ID** of the **GroupMember** group copied from the Azure portal.
+2. Find the key `Enter the objectID for GroupAdmin group copied from Azure Portal` and replace the existing value with the **object ID** of the **GroupAdmin** group copied from the Azure portal.
+3. Find the key `Enter the objectID for GroupMember group copied from Azure Portal` and replace the existing value with the **object ID** of the **GroupMember** group copied from the Azure portal.
 
 ### Step 6: Running the sample
 
@@ -377,7 +377,7 @@ If a user is member of more groups than the overage limit (**150 for SAML tokens
 
 #### Create the Overage scenario for testing
 
-1. You can use the `BulkCreateGroups.ps1` provided in the [App Creation Scripts](./AppCreationScripts/) folder to create a large number of groups and assign users to them. This will help test overage scenarios during development. Remember to change the user's **objectId** provided in the `BulkCreateGroups.ps1` script.
+1. You can use the `BulkCreateGroups.ps1` provided in the [App Creation Scripts](./AppCreationScripts/) folder to create a large number of groups and assign users to them. This will help test overage scenarios during development. You'll need to enter a user Object ID when prompted by the `BulkCreateGroups.ps1` script.
 
 When attending to overage scenarios, which requires a call to [Microsoft Graph](https://graph.microsoft.com) to read the signed-in user's group memberships, your app will need to have the [User.Read](https://docs.microsoft.com/graph/permissions-reference#user-permissions) and [GroupMember.Read.All](https://docs.microsoft.com/graph/permissions-reference#group-permissions) for the [getMemberGroups](https://docs.microsoft.com/graph/api/user-getmembergroups) API to execute successfully.