Major update to sample

Kalyan Krishna · Kalyan Krishna · commit 25b7690dbf0e · 2020-04-20T02:01:33.000-07:00
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/AppCreationScripts.md b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/AppCreationScripts.md
@@ -11,7 +11,7 @@
    ```
 1. Run the script to create your Azure AD application and configure the code of the sample application accordingly. (Other ways of running the scripts are described below)
    ```PowerShell
-   cd .\AppCreationScripts\ 
+   cd .\AppCreationScripts\
    .\Configure.ps1
    ```
 1. Open the Visual Studio solution and click start
@@ -27,6 +27,7 @@ The following paragraphs:
   - [Passing credentials](#option-2-non-interactive) to create the app in your home tenant
   - [Interactively in a specific tenant](#option-3-interactive-but-create-apps-in-a-specified-tenant)
   - [Passing credentials in a specific tenant](#option-4-non-interactive-and-create-apps-in-a-specified-tenant)
+  - [Passing environment name, for Sovereign clouds](#running-the-script-on-azure-sovereign-clouds)
 
 ## Goal of the scripts
 
@@ -50,7 +51,7 @@ These scripts are:
 
 The `Configure.ps1` will stop if it tries to create an Azure AD application which already exists in the tenant. For this, if you are using the script to try/test the sample, or in DevOps scenarios, you might want to run `Cleanup.ps1` just before `Configure.ps1`. This is what is shown in the steps below.
 
-## How to use the app creation scripts ?
+## How to use the app creation scripts?
 
 ### Pre-requisites
 
@@ -108,7 +109,7 @@ Note that the script will choose the tenant in which to create the applications,
 
 #### Option 2 (non-interactive)
 
-When you know the indentity and credentials of the user in the name of whom you want to create the applications, you can use the non-interactive approach. It's more adapted to DevOps. Here is an example of script you'd want to run in a PowerShell Window
+When you know the identity and credentials of the user in the name of whom you want to create the applications, you can use the non-interactive approach. It's more adapted to DevOps. Here is an example of script you'd want to run in a PowerShell Window
 
 ```PowerShell
 $secpasswd = ConvertTo-SecureString "[Password here]" -AsPlainText -Force
@@ -145,3 +146,21 @@ $tenantId = "yourTenantIdGuid"
 . .\Cleanup.ps1 -Credential $mycreds -TenantId $tenantId
 . .\Configure.ps1 -Credential $mycreds -TenantId $tenantId
 ```
+
+### Running the script on Azure Sovereign clouds
+
+All the four options listed above, can be used on any Azure Sovereign clouds. By default, the script targets `AzureCloud`, but it can be changed using the parameter `-AzureEnvironmentName`.
+
+The acceptable values for this parameter are:
+
+- AzureCloud
+- AzureChinaCloud
+- AzureUSGovernment
+- AzureGermanyCloud
+
+Example:
+
+ ```PowerShell
+ . .\Cleanup.ps1 -AzureEnvironmentName "AzureGermanyCloud"
+ . .\Configure.ps1 -AzureEnvironmentName "AzureGermanyCloud"
+ ```
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Cleanup.ps1 b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Cleanup.ps1
@@ -2,7 +2,9 @@
 param(    
     [PSCredential] $Credential,
     [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
-    [string] $tenantId
+    [string] $tenantId,
+    [Parameter(Mandatory=$False, HelpMessage='Azure environment to use while running the script (it defaults to AzureCloud)')]
+    [string] $azureEnvironmentName
 )
 
 if ($null -eq (Get-Module -ListAvailable -Name "AzureAD")) { 
@@ -13,10 +15,15 @@ $ErrorActionPreference = "Stop"
 
 Function Cleanup
 {
-<#
-.Description
-This function removes the Azure AD applications for the sample. These applications were created by the Configure.ps1 script
-#>
+    if (!$azureEnvironmentName)
+    {
+        $azureEnvironmentName = "AzureCloud"
+    }
+
+    <#
+    .Description
+    This function removes the Azure AD applications for the sample. These applications were created by the Configure.ps1 script
+    #>
 
     # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant 
     # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD. 
@@ -25,17 +32,17 @@ This function removes the Azure AD applications for the sample. These applicatio
     # you'll need to sign-in with creds enabling your to create apps in the tenant)
     if (!$Credential -and $TenantId)
     {
-        $creds = Connect-AzureAD -TenantId $tenantId
+        $creds = Connect-AzureAD -TenantId $tenantId -AzureEnvironmentName $azureEnvironmentName
     }
     else
     {
         if (!$TenantId)
         {
-            $creds = Connect-AzureAD -Credential $Credential
+            $creds = Connect-AzureAD -Credential $Credential -AzureEnvironmentName $azureEnvironmentName
         }
         else
         {
-            $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential
+            $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential -AzureEnvironmentName $azureEnvironmentName
         }
     }
 
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Configure.ps1 b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Configure.ps1
@@ -2,7 +2,9 @@
 param(
     [PSCredential] $Credential,
     [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
-    [string] $tenantId
+    [string] $tenantId,
+    [Parameter(Mandatory=$False, HelpMessage='Azure environment to use while running the script (it defaults to AzureCloud)')]
+    [string] $azureEnvironmentName
 )
 
 <#
@@ -147,6 +149,11 @@ Function ConfigureApplications
    so that they are consistent with the Applications parameters
 #> 
     $commonendpoint = "common"
+    
+    if (!$azureEnvironmentName)
+    {
+        $azureEnvironmentName = "AzureCloud"
+    }
 
     # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
     # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
@@ -155,17 +162,17 @@ Function ConfigureApplications
     # you'll need to sign-in with creds enabling your to create apps in the tenant)
     if (!$Credential -and $TenantId)
     {
-        $creds = Connect-AzureAD -TenantId $tenantId
+        $creds = Connect-AzureAD -TenantId $tenantId -AzureEnvironmentName $azureEnvironmentName
     }
     else
     {
         if (!$TenantId)
         {
-            $creds = Connect-AzureAD -Credential $Credential
+            $creds = Connect-AzureAD -Credential $Credential -AzureEnvironmentName $azureEnvironmentName
         }
         else
         {
-            $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential
+            $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential -AzureEnvironmentName $azureEnvironmentName
         }
     }
 
@@ -174,6 +181,8 @@ Function ConfigureApplications
         $tenantId = $creds.Tenant.Id
     }
 
+    
+
     $tenant = Get-AzureADTenantDetail
     $tenantName =  ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
 
@@ -223,7 +232,7 @@ Function ConfigureApplications
    # Add Required Resources Access (from 'webApp' to 'Microsoft Graph')
    Write-Host "Getting access from 'webApp' to 'Microsoft Graph'"
    $requiredPermissions = GetRequiredPermissions -applicationDisplayName "Microsoft Graph" `
-                                                -requiredDelegatedPermissions "User.Read|Directory.Read.All" `
+                                                -requiredDelegatedPermissions "GroupMember.Read.All" `
 
    $requiredResourcesAccess.Add($requiredPermissions)
 
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Quickstart.json b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Quickstart.json
@@ -4,7 +4,7 @@
   */
 
   "Sample": {
-    "Title": "Add authorization using groups & group claims to an ASP.NET Core Web app thats signs-in users with the Microsoft identity platform",
+    "Title": "Add authorization using groups & group claims to an ASP.NET Core Web app that signs-in users with the Microsoft identity platform",
     "Level": 400,
     "Client": "ASP.NET Core Web App"
   },
diff --git a/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/sample.json b/5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/sample.json
@@ -25,7 +25,7 @@
       "RequiredResourcesAccess": [
         {
           "Resource": "Microsoft Graph",
-          "DelegatedPermissions": [ "User.Read", "Directory.Read.All" ]
+          "DelegatedPermissions": [ "GroupMember.Read.All" ]
         }
       ]
     }
diff --git a/5-WebApp-AuthZ/5-2-Groups/README-incremental-instructions.md b/5-WebApp-AuthZ/5-2-Groups/README-incremental-instructions.md
diff --git a/5-WebApp-AuthZ/5-2-Groups/README.md b/5-WebApp-AuthZ/5-2-Groups/README.md

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,9 @@`
`2`	`2`	`param(`
`3`	`3`	`[PSCredential] $Credential,`
`4`	`4`	`[Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]`
`5`		`- [string] $tenantId`
	`5`	`+ [string] $tenantId,`
	`6`	`+ [Parameter(Mandatory=$False, HelpMessage='Azure environment to use while running the script (it defaults to AzureCloud)')]`
	`7`	`+ [string] $azureEnvironmentName`
`6`	`8`	`)`
`7`	`9`
`8`	`10`	`if ($null -eq (Get-Module -ListAvailable -Name "AzureAD")) {`
`@@ -13,10 +15,15 @@ $ErrorActionPreference = "Stop"`
`13`	`15`
`14`	`16`	`Function Cleanup`
`15`	`17`	`{`
`16`		`-<#`
`17`		`-.Description`
`18`		`-This function removes the Azure AD applications for the sample. These applications were created by the Configure.ps1 script`
`19`		`-#>`
	`18`	`+ if (!$azureEnvironmentName)`
	`19`	`+ {`
	`20`	`+ $azureEnvironmentName = "AzureCloud"`
	`21`	`+ }`
	`22`	`+`
	`23`	`+ <#`
	`24`	`+ .Description`
	`25`	`+ This function removes the Azure AD applications for the sample. These applications were created by the Configure.ps1 script`
	`26`	`+ #>`
`20`	`27`
`21`	`28`	`# $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant`
`22`	`29`	`# into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.`
`@@ -25,17 +32,17 @@ This function removes the Azure AD applications for the sample. These applicatio`
`25`	`32`	`# you'll need to sign-in with creds enabling your to create apps in the tenant)`
`26`	`33`	`if (!$Credential -and $TenantId)`
`27`	`34`	`{`
`28`		`- $creds = Connect-AzureAD -TenantId $tenantId`
	`35`	`+ $creds = Connect-AzureAD -TenantId $tenantId -AzureEnvironmentName $azureEnvironmentName`
`29`	`36`	`}`
`30`	`37`	`else`
`31`	`38`	`{`
`32`	`39`	`if (!$TenantId)`
`33`	`40`	`{`
`34`		`- $creds = Connect-AzureAD -Credential $Credential`
	`41`	`+ $creds = Connect-AzureAD -Credential $Credential -AzureEnvironmentName $azureEnvironmentName`
`35`	`42`	`}`
`36`	`43`	`else`
`37`	`44`	`{`
`38`		`- $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential`
	`45`	`+ $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential -AzureEnvironmentName $azureEnvironmentName`
`39`	`46`	`}`
`40`	`47`	`}`
`41`	`48`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@`
`25`	`25`	`"RequiredResourcesAccess": [`
`26`	`26`	`{`
`27`	`27`	`"Resource": "Microsoft Graph",`
`28`		`- "DelegatedPermissions": [ "User.Read", "Directory.Read.All" ]`
	`28`	`+ "DelegatedPermissions": [ "GroupMember.Read.All" ]`
`29`	`29`	`}`
`30`	`30`	`]`
`31`	`31`	`}`