mtrilbybassett
diff --git a/‎5-AccessControl/1-call-api-roles/API/TodoListAPI/appsettings.json‎
Lines changed: 3 additions & 3 deletions b/‎5-AccessControl/1-call-api-roles/API/TodoListAPI/appsettings.json‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎5-AccessControl/1-call-api-roles/AppCreationScripts/Configure.ps1‎
Lines changed: 5 additions & 0 deletions b/‎5-AccessControl/1-call-api-roles/AppCreationScripts/Configure.ps1‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎5-AccessControl/1-call-api-roles/AppCreationScripts/sample.json‎
Lines changed: 108 additions & 90 deletions b/‎5-AccessControl/1-call-api-roles/AppCreationScripts/sample.json‎
Lines changed: 108 additions & 90 deletions
diff --git a/‎5-AccessControl/1-call-api-roles/README.md‎
Lines changed: 45 additions & 19 deletions b/‎5-AccessControl/1-call-api-roles/README.md‎
Lines changed: 45 additions & 19 deletions
diff --git a/‎5-AccessControl/1-call-api-roles/SPA/src/app/app-routing.module.ts‎
Lines changed: 0 additions & 3 deletions b/‎5-AccessControl/1-call-api-roles/SPA/src/app/app-routing.module.ts‎
Lines changed: 0 additions & 3 deletions
@@ -1,9 +1,9 @@
 {
  "AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
- "Domain": "Enter the domain of your Azure AD tenant, e.g. 'contoso.onmicrosoft.com'",
- "TenantId": "Enter the tenant ID",
- "ClientId": "Enter the Client ID (aka 'Application ID')",
+ "Domain": "Enter the domain of your Azure AD tenant, e.g. contoso.onmicrosoft.com",
+ "TenantId": "Enter the ID of your Azure AD tenant copied from the Azure portal",
+ "ClientId": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
  "Scopes": ["access_as_user"],
  "Roles": {
  "TaskAdmin": "TaskAdmin",
 
@@ -193,6 +193,11 @@ Function ConfigureApplications
  New-MgApplicationOwnerByRef -ApplicationId $clientAadApplication.Id -BodyParameter = @{"@odata.id" = "htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
  Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
  }
+
+ # Add optional claims
+ $newClaim = CreateOptionalClaim -name "acct" 
+ $optionalClaims.AccessToken += ($newClaim)
+ Update-MgApplication -ApplicationId $serviceAadApplication.Id -OptionalClaims $optionalClaims
 
  # Add application Roles
  $appRoles = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]
 
@@ -1,98 +1,116 @@
 {
- "Sample": {
- "Title": "Angular single-page application calling a protected web API and using App Roles to implement Role-Based Access Control",
- "Level": 300,
- "Client": "Angular SPA",
- "Service": ".NET Core web API",
- "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
- "Endpoint": "AAD v2.0",
- "Languages": ["typescript", "csharp", "javascript"],
- "Description": "Angular single-page application calling a protected web API using App Roles to implement Role-Based Access Control",
- "products": ["azure-active-directory", "msal-js", "msal-angular", "microsoft-identity-web"]
- },
- "AADApps": [
- {
- "Id": "client",
- "Name": "msal-angular-app",
- "Kind": "SinglePageApplication",
- "Audience": "AzureADMyOrg",
- "HomePage": "http://localhost:4200/",
- "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
- "Scopes": ["access_as_user"],
- "Sample": {
- "SampleSubPath": "5-AccessControl\\1-call-api-roles\\SPA",
- "ProjectDirectory": "\\1-call-api-roles\\SPA"
- },
- "RequiredResourcesAccess": [
- {
- "Resource": "client",
- "DelegatedPermissions": ["access_as_user"]
- }
- ],
- "AppRoles": [
- {
- "AllowedMemberTypes": [
- "User"
- ],
- "Name": "TaskAdmin",
- "Description": "Admins can read any user's todo list"
- },
- {
- "AllowedMemberTypes": [
- "User"
- ],
- "Name": "TaskUser",
- "Description": "Users can read and modify their todo lists"
- }
- ],
- "ManualSteps": [
- {
- "Comment": "To receive the 'roles' claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://aka.ms/userassignmentrequired provides step by step instructions."
- },
- {
- "Comment": "Or you can run the .\\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app."
- }
- ]
- }
- ],
- "CodeConfiguration": [
- {
- "App": "client",
- "SettingKind": "Replace",
- "SettingFile": "\\..\\API\\TodoListAPI\\appsettings.json",
- "Mappings": [
- {
- "key": "Enter the domain of your Azure AD tenant, e.g. contoso.onmicrosoft.com",
- "value": "$tenantName"
- },
- {
- "key": "Enter the ID of your Azure AD tenant copied from the Azure portal",
- "value": "$tenantId"
- },
- {
- "key": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
- "value": "client.AppId"
- }
- ]
+ "Sample": {
+ "Title": "Angular single-page application calling a protected web API and using App Roles to implement Role-Based Access Control",
+ "Level": 300,
+ "Client": "Angular SPA",
+ "Service": ".NET Core web API",
+ "RepositoryUrl": "ms-identity-javascript-angular-tutorial",
+ "Endpoint": "AAD v2.0",
+ "Languages": [
+ "typescript",
+ "csharp",
+ "javascript"
+ ],
+ "Description": "Angular single-page application calling a protected web API using App Roles to implement Role-Based Access Control",
+ "products": [
+ "azure-active-directory",
+ "msal-js",
+ "msal-angular",
+ "microsoft-identity-web"
+ ]
  },
- {
- "App": "client",
- "SettingKind": "Replace",
- "SettingFile": "\\..\\SPA\\src\\app\\auth-config.ts",
- "Mappings": [
+ "AADApps": [
  {
- "key": "Enter_the_Application_Id_Here",
- "value": "client.AppId"
- },
+ "Id": "client",
+ "Name": "msal-angular-app",
+ "Kind": "SinglePageApplication",
+ "Audience": "AzureADMyOrg",
+ "HomePage": "http://localhost:4200/",
+ "ReplyUrls": "http://localhost:4200/, http://localhost:4200/auth",
+ "Scopes": [
+ "access_as_user"
+ ],
+ "Sample": {
+ "SampleSubPath": "5-AccessControl\\1-call-api-roles\\SPA",
+ "ProjectDirectory": "\\1-call-api-roles\\SPA"
+ },
+ "RequiredResourcesAccess": [
+ {
+ "Resource": "client",
+ "DelegatedPermissions": [
+ "access_as_user"
+ ]
+ }
+ ],
+ "AppRoles": [
+ {
+ "AllowedMemberTypes": [
+ "User"
+ ],
+ "Name": "TaskAdmin",
+ "Description": "Admins can read any user's todo list"
+ },
+ {
+ "AllowedMemberTypes": [
+ "User"
+ ],
+ "Name": "TaskUser",
+ "Description": "Users can read and modify their todo lists"
+ }
+ ],
+ "OptionalClaims": {
+ "IdTokenClaims": [
+ "acct"
+ ]
+ },
+ "ManualSteps": [
+ {
+ "Comment": "To receive the 'roles' claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://aka.ms/userassignmentrequired provides step by step instructions."
+ },
+ {
+ "Comment": "Or you can run the .\\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app."
+ }
+ ]
+ }
+ ],
+ "CodeConfiguration": [
  {
- "key": "Enter_the_Tenant_Info_Here",
- "value": "$tenantId"
+ "App": "client",
+ "SettingKind": "Replace",
+ "SettingFile": "\\..\\API\\TodoListAPI\\appsettings.json",
+ "Mappings": [
+ {
+ "key": "Enter the domain of your Azure AD tenant, e.g. contoso.onmicrosoft.com",
+ "value": "$tenantName"
+ },
+ {
+ "key": "Enter the ID of your Azure AD tenant copied from the Azure portal",
+ "value": "$tenantId"
+ },
+ {
+ "key": "Enter the application ID (clientId) of the 'TodoListAPI' application copied from the Azure portal",
+ "value": "client.AppId"
+ }
+ ]
  },
  {
- "key": "Enter_the_Web_Api_Application_Id_Here",
- "value": "client.AppId"
+ "App": "client",
+ "SettingKind": "Replace",
+ "SettingFile": "\\..\\SPA\\src\\app\\auth-config.ts",
+ "Mappings": [
+ {
+ "key": "Enter_the_Application_Id_Here",
+ "value": "client.AppId"
+ },
+ {
+ "key": "Enter_the_Tenant_Info_Here",
+ "value": "$tenantId"
+ },
+ {
+ "key": "Enter_the_Web_Api_Application_Id_Here",
+ "value": "client.AppId"
+ }
+ ]
  }
- ]
- }
- ]
+ ]
 }
@@ -38,7 +38,6 @@ In the sample, a **dashboard** component allows signed-in users to see the tasks
 
 > :information_source: See the community call: [Implement authorization in your applications with the Microsoft identity platform](https://www.youtube.com/watch?v=LRoc-na27l0)
 
-
 > :information_source: See the community call: [Deep dive on using MSAL.js to integrate Angular single-page applications with Azure Active Directory](https://www.youtube.com/watch?v=EJey9KP1dZA)
 
 ## Scenario
@@ -213,6 +212,15 @@ To add users to this app role, follow the guidelines here: [Assign users and gro
 
 For more information, see: [How to: Add app roles in your application and receive them in the token](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps)
 
+##### (Optional) Configure Optional Claims
+
+1. Still on the same app registration, select the **Token configuration** blade to the left.
+1. Select **Add optional claim**:
+ 1. Select **optional claim type**, then choose **Access**.
+ 1. Select the optional claim **acct**. 
+ > Provides user's account status in tenant. If the user is a member of the tenant, the value is 0. If they're a guest, the value is 1.
+ 1. Select **Add** to save your changes.
+
 ##### Configure the client app (msal-angular-app) to use your app registration
 
 Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.
@@ -288,41 +296,61 @@ To provide feedback on or suggest features for Azure Active Directory, visit [Us
 
 ### Angular RoleGuard and protected routes for role-based access control
 
-The client application Angular SPA has a **RoleGuard** (`role.guard.ts`) component that checks whether a user has the right privileges to access a protected route. It does this by checking `roles` claim the ID token of the signed-in user:
+The client application Angular SPA has a [role.guard.ts](./SPA/src/app/role.guard.ts) component that checks whether a user has the right privileges to access a protected route. It does this by checking `roles` claim the ID token of the signed-in user:
 
 ```typescript
-export class RoleGuard implements CanActivate {
+@Injectable()
+export class RoleGuard extends BaseGuard {
+
+ constructor(
+ @Inject(MSAL_GUARD_CONFIG) protected override msalGuardConfig: MsalGuardConfiguration,
+ protected override msalBroadcastService: MsalBroadcastService,
+ protected override authService: MsalService,
+ protected override location: Location,
+ protected override router: Router
+ ) {
+ super(msalGuardConfig, msalBroadcastService, authService, location, router);
+ }
+
+ override activateHelper(state?: RouterStateSnapshot, route?: ActivatedRouteSnapshot): Observable<boolean | UrlTree> {
+ let result = super.activateHelper(state, route);
 
- constructor(private authService: MsalService) { }
+ const expectedRoles: string[] = route ? route.data['expectedRoles'] : [];
 
- canActivate(route: ActivatedRouteSnapshot): boolean {
-  const expectedRoles: string[] = route.data['expectedRoles'];
- let account: AccountInfo = this.authService.instance.getActiveAccount()!;
+ return result.pipe(
+ concatMap(() => {
+ let activeAccount = this.authService.instance.getActiveAccount();
 
- if (!account.idTokenClaims?.roles) {
+ if (!activeAccount && this.authService.instance.getAllAccounts().length > 0) {
+ activeAccount = this.authService.instance.getAllAccounts()[0];
+ }
+
+ if (!activeAccount?.idTokenClaims?.roles) {
  window.alert('Token does not have roles claim. Please ensure that your account is assigned to an app role and then sign-out and sign-in again.');
- return false;
+ return of(false);
  }
 
- if (!expectedRoles.includes(account.idTokenClaims.roles[0])) {
+ const hasRequiredRole = expectedRoles.some((role: string) => activeAccount?.idTokenClaims?.roles?.includes(role));
+
+ if (!hasRequiredRole) {
  window.alert('You do not have access as the expected role is not found. Please ensure that your account is assigned to an app role and then sign-out and sign-in again.');
- return false;
  }
 
- return true;
- }
+ return of(hasRequiredRole);
+ })
+ );
+ }
 }
 ```
 
-We then enable **RoleGuard** in `app-routing.module.ts` as follows:
+We then enable **RoleGuard** in [app-routing.module.ts](./SPA/src/app/app-routing.module.ts) as follows:
 
 ```typescript
 const routes: Routes = [
  {
  path: 'todo-edit/:id',
  component: TodoEditComponent,
  canActivate: [
- MsalGuard,
  RoleGuard
  ],
  data: {
@@ -333,7 +361,6 @@ const routes: Routes = [
  path: 'todo-view',
  component: TodoViewComponent,
  canActivate: [
- MsalGuard,
  RoleGuard
  ],
  data: {
@@ -344,7 +371,6 @@ const routes: Routes = [
  path: 'dashboard',
  component: DashboardComponent,
  canActivate: [
- MsalGuard,
  RoleGuard,
  ],
  data: {
@@ -401,7 +427,7 @@ Finally, in `TodoListController.cs`, we decorate our routes with the appropriate
  // GET: api/todolist/getAll
  [HttpGet]
  [Route("getAll")]
- [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Read")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskAdminRoleRequired)]
  public async Task<ActionResult<IEnumerable<TodoItem>>> GetAll()
  {
@@ -410,7 +436,7 @@ Finally, in `TodoListController.cs`, we decorate our routes with the appropriate
 
  // GET: api/TodoItems
  [HttpGet]
- [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Read")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
  public async Task<ActionResult<IEnumerable<TodoItem>>> GetTodoItems()
  {
 
@@ -20,7 +20,6 @@ const routes: Routes = [
  path: 'todo-edit/:id',
  component: TodoEditComponent,
  canActivate: [
- MsalGuard,
  RoleGuard
  ],
  data: {
@@ -31,7 +30,6 @@ const routes: Routes = [
  path: 'todo-view',
  component: TodoViewComponent,
  canActivate: [
- MsalGuard,
  RoleGuard
  ],
  data: {
@@ -42,7 +40,6 @@ const routes: Routes = [
  path: 'dashboard',
  component: DashboardComponent,
  canActivate: [
- MsalGuard,
  RoleGuard,
  ],
  data: {