mtrilbybassett
diff --git a/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Cleanup.ps1‎
Lines changed: 1 addition & 11 deletions b/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Cleanup.ps1‎
Lines changed: 1 addition & 11 deletions
diff --git a/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Configure.ps1‎
Lines changed: 13 additions & 46 deletions b/‎5-AccessControl/2-call-api-groups/AppCreationScripts/Configure.ps1‎
Lines changed: 13 additions & 46 deletions
diff --git a/‎5-AccessControl/2-call-api-groups/AppCreationScripts/sample.json‎
Lines changed: 55 additions & 55 deletions b/‎5-AccessControl/2-call-api-groups/AppCreationScripts/sample.json‎
Lines changed: 55 additions & 55 deletions
diff --git a/‎5-AccessControl/2-call-api-groups/README.md‎
Lines changed: 8 additions & 12 deletions b/‎5-AccessControl/2-call-api-groups/README.md‎
Lines changed: 8 additions & 12 deletions
@@ -91,17 +91,7 @@ Import-Module Microsoft.Graph.Applications
 $ErrorActionPreference = "Stop"
 
 
-try
-{
- Cleanup -tenantId $tenantId -environment $azureEnvironmentName
-}
-catch
-{
- $_.Exception.ToString() | out-host
- $message = $_
- Write-Warning $Error[0] 
- Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
-}
+Cleanup -tenantId $tenantId -environment $azureEnvironmentName
 
 Write-Host "Disconnecting from tenant"
 Disconnect-MgGraph
@@ -115,6 +115,7 @@ Function ReplaceInTextFile([string] $configFilePath, [System.Collections.HashTab
 
  Set-Content -Path $configFilePath -Value $lines -Force
 }
+
 <#.Description
  This function creates a new Azure AD scope (OAuth2Permission) with default and provided values
 #> 
@@ -132,25 +133,6 @@ Function CreateScope( [string] $value, [string] $userConsentDisplayName, [string
  return $scope
 }
 
-<#.Description
- This function creates a new Azure AD AppRole with default and provided values
-#> 
-Function CreateAppRole([string] $types, [string] $name, [string] $description)
-{
- $appRole = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole
- $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
- $typesArr = $types.Split(',')
- foreach($type in $typesArr)
- {
- $appRole.AllowedMemberTypes += $type;
- }
- $appRole.DisplayName = $name
- $appRole.Id = New-Guid
- $appRole.IsEnabled = $true
- $appRole.Description = $description
- $appRole.Value = $name;
- return $appRole
-}
 Function CreateOptionalClaim([string] $name)
 {
  <#.Description
@@ -287,40 +269,29 @@ Function ConfigureApplications
  # URL of the AAD application in the Azure portal
  # Future? $clientPortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.Id+"/isMSAApp/"
  $clientPortalUrl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.Id+"/isMSAApp/"
-
  Add-Content -Value "<tr><td>client</td><td>$currentAppId</td><td><a href='$clientPortalUrl'>msal-angular-app</a></td></tr>" -Path createdApps.html
- # Declare a list to hold RRA items 
-
+ $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]
+ 
  # Add Required Resources Access (from 'client' to 'client')
  Write-Host "Getting access from 'client' to 'client'"
- $requiredPermission = GetRequiredPermissions -applicationDisplayName "msal-angular-app"`
- -requiredDelegatedPermissions "access_via_group_assignments"
- $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]
+ $requiredPermission = GetRequiredPermissions -applicationDisplayName "msal-angular-app" `
+ -requiredDelegatedPermissions "access_via_group_assignments" `
+
  $requiredResourcesAccess.Add($requiredPermission)
- Write-Host "Added 'client' to the RRA list."
- # Useful for RRA troubleshooting
- # $requiredResourcesAccess.Count
- # $requiredResourcesAccess
 
-
  # Add Required Resources Access (from 'client' to 'Microsoft Graph')
  Write-Host "Getting access from 'client' to 'Microsoft Graph'"
- $requiredPermission = GetRequiredPermissions -applicationDisplayName "Microsoft Graph"`
- -requiredDelegatedPermissions "User.Read|GroupMember.Read.All"
- $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]
+ $requiredPermission = GetRequiredPermissions -applicationDisplayName "Microsoft Graph" `
+ -requiredDelegatedPermissions "User.Read|GroupMember.Read.All" `
+
  $requiredResourcesAccess.Add($requiredPermission)
- Write-Host "Added 'Microsoft Graph' to the RRA list."
- # Useful for RRA troubleshooting
- # $requiredResourcesAccess.Count
- # $requiredResourcesAccess
- 
  Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
  Write-Host "Granted permissions."
 
+ Write-Host "Successfully registered and configured that app registration for 'msal-angular-app' at" -ForegroundColor Green
+
  # print the registered app portal URL for any further navigation
- Write-Host "Successfully registered and configured that app registration for 'msal-angular-app' at `n $clientPortalUrl"
- 
- 
+ $clientPortalUrl
 Function UpdateLine([string] $line, [string] $value)
 {
  $index = $line.IndexOf(':')
@@ -363,7 +334,6 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
 
  Write-Host "Updating the sample config '$configFile' with the following config values:"
  $dictionary
- Write-Host "-----------------"
 
  ReplaceInTextFile -configFilePath $configFile -dictionary $dictionary
 
@@ -375,16 +345,14 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
 
  Write-Host "Updating the sample config '$configFile' with the following config values:"
  $dictionary
- Write-Host "-----------------"
 
  ReplaceInTextFile -configFilePath $configFile -dictionary $dictionary
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
  Write-Host "IMPORTANT: Please follow the instructions below to complete a few manual step(s) in the Azure portal":
  Write-Host "- For client"
  Write-Host " - Navigate to $clientPortalUrl"
  Write-Host " - On Azure portal, create a security group named 'GroupAdmin' and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created." -ForegroundColor Red 
- Write-Host " - On Azure portal, create a security group named 'GroupMember' and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created." -ForegroundColor Red 
- Write-Host " - Security groups matching the names you provided have been created in this tenant (if not present already). On Azure portal, assign some users to it, and configure ID & Access tokens to emit Group IDs" -ForegroundColor Red 
+ Write-Host " - On Azure portal, create a security group named 'GroupMember' and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created." -ForegroundColor Red
  Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
  if($isOpenSSL -eq 'Y')
  {
@@ -416,7 +384,6 @@ try
 }
 catch
 {
- $_.Exception.ToString() | out-host
  $message = $_
  Write-Warning $Error[0]
  Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
 
@@ -6,7 +6,7 @@
  "Service": ".NET Core web API",
  "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
  "Endpoint": "AAD v2.0",
- "platform":"javascript",
+ "platform": "javascript",
  "Languages": [
  "typescript",
  "csharp",
@@ -22,61 +22,61 @@
  ]
  },
  "AADApps": [
- {
- "Id": "client",
- "Name": "msal-angular-app",
- "Kind": "SinglePageApplication",
- "Audience": "AzureADMyOrg",
- "HomePage": "http://localhost:4200/",
- "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
- "GroupMembershipClaims": "SecurityGroup",
- "PasswordCredentials": "Auto",
- "Scopes": [
- "access_via_group_assignments"
- ],
- "Sample": {
- "SampleSubPath": "5-AccessControl\\2-call-api-groups\\SPA",
- "ProjectDirectory": "\\2-call-api-groups\\SPA"
- },
- "SecurityGroups": [
- {
- "Name": "GroupAdmin",
- "Description": "Admin Security Group"
- },
- {
- "Name": "GroupMember",
- "Description": "User Security Group"
- }
- ],
- "RequiredResourcesAccess": [
- {
- "Resource": "client",
- "DelegatedPermissions": [
- "access_via_group_assignments"
- ]
- },
- {
- "Resource": "Microsoft Graph",
- "DelegatedPermissions": [
- "User.Read",
- "GroupMember.Read.All"
+ {
+ "Id": "client",
+ "Name": "msal-angular-app",
+ "Kind": "SinglePageApplication",
+ "Audience": "AzureADMyOrg",
+ "HomePage": "http://localhost:4200/",
+ "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
+ "GroupMembershipClaims": "SecurityGroup",
+ "PasswordCredentials": "Auto",
+ "Scopes": [
+ "access_via_group_assignments"
+ ],
+ "Sample": {
+ "SampleSubPath": "5-AccessControl\\2-call-api-groups\\SPA",
+ "ProjectDirectory": "\\2-call-api-groups\\SPA"
+ },
+ "SecurityGroups": [
+ {
+ "Name": "GroupAdmin",
+ "Description": "Admin Security Group"
+ },
+ {
+ "Name": "GroupMember",
+ "Description": "User Security Group"
+ }
+ ],
+ "RequiredResourcesAccess": [
+ {
+ "Resource": "client",
+ "DelegatedPermissions": [
+ "access_via_group_assignments"
+ ]
+ },
+ {
+ "Resource": "Microsoft Graph",
+ "DelegatedPermissions": [
+ "User.Read",
+ "GroupMember.Read.All"
+ ]
+ }
+ ],
+ "OptionalClaims": {
+ "IdTokenClaims": [
+ "acct"
+ ]
+ },
+ "ManualSteps": [
+ {
+ "Comment": "On Azure portal, create a security group named 'GroupAdmin' and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created."
+ },
+ {
+ "Comment": "On Azure portal, create a security group named 'GroupMember' and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created."
+ }
  ]
- }
- ],
- "OptionalClaims": {
- "IdTokenClaims": [
- "acct"
- ]
- },
- "ManualSteps": [
- {
- "Comment": "On Azure portal, create a security group named 'GroupAdmin' and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created."
- },
- {
- "Comment": "On Azure portal, create a security group named 'GroupMember' and assign some users to it. Afterwards, update the configuration files with the Object ID of the gruop you've just created."
- }
- ]
- }
+ }
  ],
  "CodeConfiguration": [
  {
 
@@ -1,8 +1,5 @@
 ---
 page_type: sample
-services: ms-identity
-client: Angular SPA
-service: .NET Core web API
 level: 300
 languages:
 - typescript
@@ -14,14 +11,12 @@ products:
 - msal-js
 - msal-angular
 - microsoft-identity-web
-platform: javascript
-endpoint: AAD v2.0
 urlFragment: ms-identity-javascript-angular-tutorial
-name: Angular single-page application calling a protected AspNet Core web API and using Security Groups to implement Role-Based Access Control
-description: Angular single-page application calling a protected AspNet web API and using Security Groups to implement Role-Based Access Control (RBAC)
+name: Angular single-page application calling a protected ASP.NET Core web API using Security Groups to implement Role-Based Access Control
+description: Angular single-page application calling a protected ASP.NET Core web API using Security Groups to implement Role-Based Access Control (RBAC)
 ---
 
-# Angular single-page application calling a protected AspNet Core web API and using Security Groups to implement Role-Based Access Control
+# Angular single-page application calling a protected ASP.NET Core web API using Security Groups to implement Role-Based Access Control
 
 * [Overview](#overview)
 * [Scenario](#scenario)
@@ -38,7 +33,7 @@ description: Angular single-page application calling a protected AspNet web API
 
 This sample demonstrates a cross-platform application suite involving an Angular single-page application (*TodoListSPA*) calling an ASP.NET Core web API (*TodoListAPI*) secured with the Microsoft identity platform. In doing so, it implements **Role-based Access Control** (RBAC) by using Azure AD **Security Groups**.
 
-Access control in Azure AD can also be done with, **App Roles** (see the [previous tutorial](../1-call-api-roles/README.md)) and/or **Delegated Permissions**. **Security Groups**, **App Roles** and **Delegated Permissions** in Azure AD are by no means mutually exclusive - they can be used in tandem to provide even finer grained access control.
+Access control in Azure AD can also be done with, **App Roles** (see the [previous tutorial](../1-call-api-roles/README.md)) and/or **Delegated Permissions**. **Security Groups**, **App Roles** and **Delegated Permissions** in Azure AD are by no means mutually exclusive -they can be used in tandem to provide even finer grained access control.
 
 In the sample, a dashboard component allows signed-in users to see the tasks assigned to them or other users based on their memberships to one of the two security groups, **GroupAdmin** and **GroupMember**.
 
@@ -176,7 +171,6 @@ To manually register the apps, as a first step you'll need to:
  1. Select one of the available key durations (**6 months**, **12 months** or **Custom**) as per your security posture.
  1. The generated key value will be displayed when you select the **Add** button. Copy and save the generated value for use in later steps.
  1. You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Azure portal before navigating to any other screen or blade.
- > :bulb: For enhanced security, instead of using client secrets, consider [using certificates](./README-use-certificate.md) and [Azure KeyVault](https://azure.microsoft.com/services/key-vault/#product-overview).
  1. In the app's registration screen, select the **Expose an API** blade to the left to open the page where you can publish the permission as an API for which client applications can obtain [access tokens](https://aka.ms/access-tokens) for. The first thing that we need to do is to declare the unique [resource](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) URI that the clients will be using to obtain access tokens for this API. To declare an resource URI(Application ID URI), follow the following steps:
  1. Select **Set** next to the **Application ID URI** to generate a URI that is unique for this app.
  1. For this sample, accept the proposed Application ID URI (`api://{clientId}`) by selecting **Save**. Read more about Application ID URI at [Validation differences by supported account types \(signInAudience\)](https://docs.microsoft.com/azure/active-directory/develop/supported-accounts-validation).
@@ -390,15 +384,17 @@ If a user is member of more groups than the overage limit (**150 for SAML tokens
 
 #### Create the Overage scenario for testing
 
-1. You can use the `BulkCreateGroups.ps1` provided in the [App Creation Scripts](./AppCreationScripts/) folder to create a large number of groups and assign users to them. This will help test overage scenarios during development. You'll need to enter a user Object ID when prompted by the `BulkCreateGroups.ps1` script.
+1. You can use the [BulkCreateGroups.ps1](./AppCreationScripts/BulkCreateGroups.ps1) provided in the [App Creation Scripts](./AppCreationScripts/) folder to create a large number of groups and assign users to them. This will help test overage scenarios during development. You'll need to enter a user Object ID when prompted by the `BulkCreateGroups.ps1` script. If you would like to delete these groups, run the [BulkRemoveGroups.ps1](./AppCreationScripts/BulkRemoveGroups.ps1) after testing the overage scenario.
+
+When overage occurs, the user's ID and/or access token will not gave the **groups** claim. Instead, a new claim named **_claim_names** will appear. This confirms that the overage scenario is reproduced.
 
 When attending to overage scenarios, which requires a call to [Microsoft Graph](https://graph.microsoft.com) to read the signed-in user's group memberships, your app will need to have the [User.Read](https://docs.microsoft.com/graph/permissions-reference#user-permissions) and [GroupMember.Read.All](https://docs.microsoft.com/graph/permissions-reference#group-permissions) for the [getMemberGroups](https://docs.microsoft.com/graph/api/user-getmembergroups) API to execute successfully.
 
 > :warning: For the overage scenario, make sure you have granted **Admin Consent** for the MS Graph API's **GroupMember.Read.All** scope (see the **App Registration** steps above).
 
 ##### Angular GroupGuard service
 
-Consider the [group.guard.ts](./SPA/src/app/group.guard.ts). Here, we are checking whether the token for the user has the `_claim_names` claim, which indicates that the user has too many group memberships. If so, we redirect the user to the [overage](./SPA/src/app/overage/overage.component.ts) component. There, we initiate a call to MS Graph API's `https://graph.microsoft.com/v1.0/me/memberOf` endpoint to query the full list of groups that the user belongs to. Finally we check for the designated `groupID` among this list.
+Consider the [group.guard.ts](./SPA/src/app/group.guard.ts). Here, we are checking whether the token for the user's ID token has the `_claim_names` claim, which indicates that the user has too many group memberships. If so, we redirect the user to the [overage](./SPA/src/app/overage/overage.component.ts) component. There, we initiate a call to MS Graph API's `https://graph.microsoft.com/v1.0/me/memberOf` endpoint to query the full list of groups that the user belongs to. Finally we check for the designated `groupID` among this list.
 
 ```typescript
 @Injectable()