Updated the roles samples as well

Author: Kalyan Krishna

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/AppCreationScripts.md

@@ -1,4 +1,4 @@
-# Registering the sample apps with Microsoft Identity Platform and updating the configuration files using PowerShell scripts
+# Registering the sample apps with Microsoft identity platform and updating the configuration files using PowerShell scripts
 
 ## Overview
 

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/Configure.ps1

@@ -133,6 +133,42 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
 
     Set-Content -Path $configFilePath -Value $lines -Force
 }
+<#.Description
+   This function creates a new Azure AD scope (OAuth2Permission) with default and provided values
+#>  
+Function CreateScope( [string] $value, [string] $userConsentDisplayName, [string] $userConsentDescription, [string] $adminConsentDisplayName, [string] $adminConsentDescription)
+{
+    $scope = New-Object Microsoft.Open.AzureAD.Model.OAuth2Permission
+    $scope.Id = New-Guid
+    $scope.Value = $value
+    $scope.UserConsentDisplayName = $userConsentDisplayName
+    $scope.UserConsentDescription = $userConsentDescription
+    $scope.AdminConsentDisplayName = $adminConsentDisplayName
+    $scope.AdminConsentDescription = $adminConsentDescription
+    $scope.IsEnabled = $true
+    $scope.Type = "User"
+    return $scope
+}
+
+<#.Description
+   This function creates a new Azure AD AppRole with default and provided values
+#>  
+Function CreateAppRole([string] $types, [string] $name, [string] $description)
+{
+    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
+    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
+    $typesArr = $types.Split(',')
+    foreach($type in $typesArr)
+    {
+        $appRole.AllowedMemberTypes.Add($type);
+    }
+    $appRole.DisplayName = $name
+    $appRole.Id = New-Guid
+    $appRole.IsEnabled = $true
+    $appRole.Description = $description
+    $appRole.Value = $name;
+    return $appRole
+}
 
 Set-Content -Value "<html><body><table>" -Path createdApps.html
 Add-Content -Value "<thead><tr><th>Application</th><th>AppId</th><th>Url in the Azure portal</th></tr></thead><tbody>" -Path createdApps.html
@@ -207,11 +243,15 @@ Function ConfigureApplications
    { 
         Add-AzureADApplicationOwner -ObjectId $webAppAadApplication.ObjectId -RefObjectId $user.ObjectId
         Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($webAppServicePrincipal.DisplayName)'"
-        
-        # assign the current user to the app as well
-        New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $webAppServicePrincipal.ObjectId -Id ([Guid]::Empty) 
    }
 
+   # Add application Roles
+   $appRoles = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]
+   $newRole = CreateAppRole -types "User" -name "UserReaders" -description "User readers can read basic profiles of all users in the directory."
+   $appRoles.Add($newRole)
+   $newRole = CreateAppRole -types "User" -name "DirectoryViewers" -description "Directory viewers can view objects in the whole directory."
+   $appRoles.Add($newRole)
+   Set-AzureADApplication -ObjectId $webAppAadApplication.ObjectId -AppRoles $appRoles
 
    Write-Host "Done creating the webApp application (WebApp-RolesClaims)"
 
@@ -243,7 +283,7 @@ Function ConfigureApplications
    Write-Host "IMPORTANT: Please follow the instructions below to complete a few manual step(s) in the Azure portal":
    Write-Host "- For 'webApp'"
    Write-Host "  - Navigate to '$webAppPortalUrl'"
-   Write-Host "  - Run the ..\CreateUsersAndRoles.ps1 command to automatically create a number of users, app roles and assign users to these roles or refer to the 'Define your application roles' section in README on how to configure your newly created app further for this sample." -ForegroundColor Red 
+   Write-Host "  - You can run the ..\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign users to these roles or assign users to this application app roles using the portal.To receive the `roles` claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this app. The guide, https://docs.microsoft.com/azure/active-directory/manage-apps/assign-user-or-group-access-portal#assign-a-user-to-an-app---portal provides step by step instructions." -ForegroundColor Red 
 
    Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
 

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/CreateUsersAndRoles.ps1 renamed to 5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/CreateUsersAndAssignRoles.ps1

@@ -18,6 +18,8 @@ param(
  There are four ways to run this script. For more information, read the AppCreationScripts.md file in the same folder as this script.
 #>
 
+$ErrorActionPreference = "Stop"
+
 # Create an application role of given name and description
 Function CreateAppRole([string] $Name, [string] $Description)
 {
@@ -88,30 +90,21 @@ Function CreateRolesUsersAndRoleAssignments
 
     # Get the user running the script
     $user = Get-AzureADUser -ObjectId $creds.Account.Id
-
-    # Add application Roles
-    $directoryViewerRole = CreateAppRole -Name "DirectoryViewers" -Description "Directory viewers can view objects in the whole directory."
-    $userreaderRole = CreateAppRole -Name "UserReaders"  -Description "User readers can read basic profiles of all users in the directory"
-
-    $appRoles = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]
-    $appRoles.Add($directoryViewerRole)
-    $appRoles.Add($userreaderRole)
-        
+    
     # Add the roles
     Write-Host "Adding app roles to to the app 'WebApp-RolesClaims' in tenant '$tenantName'"
 
     $app=Get-AzureADApplication -Filter "DisplayName eq 'WebApp-RolesClaims'" 
 
     if ($app)
     {
-        $servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"  
+        $servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"
+        
+        $directoryViewerRole = $servicePrincipal.AppRoles | Where-Object { $_.DisplayName -eq "DirectoryViewers" }
+        $userreaderRole = $servicePrincipal.AppRoles | Where-Object { $_.DisplayName -eq "UserReaders" }
 
-        Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
-
         $appName = $app.DisplayName
-
-        Write-Host "Successfully added app roles to the app '$appName'."
-
+        
         Write-Host "Creating users and assigning them to roles."
 
         # Create users

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/sample.json

@@ -1,8 +1,8 @@
 {
   "Sample": {
-    "Title": "Add authorization using app roles & roles claims to an ASP.NET Core Web app thats signs-in users with the Microsoft identity platform",
+    "Title": "Add authorization using app roles & roles claims to an ASP.NET Core Web app that signs-in users with the Microsoft identity platform",
     "Level": 300,
-    "Client": "ASP.NET Core 2.x Web App",
+    "Client": "ASP.NET Core Web App",
     "Service": "Microsoft Graph",
     "RepositoryUrl": "microsoft-identity-platform-aspnetcore-webapp-tutorial",
     "Endpoint": "AAD v2.0"
@@ -21,14 +21,26 @@
       "ReplyUrls": "https://localhost:44321/, https://localhost:44321/signin-oidc",
       "LogoutUrl": "https://localhost:44321/signout-oidc",
       "PasswordCredentials": "Auto",
-      "GroupMembershipClaims": "SecurityGroup",
+      "AppRoles": [
+        {
+          "Types" :  ["User"],
+          "Name" : "UserReaders",
+          "Description" : "User readers can read basic profiles of all users in the directory."
+        },
+        {
+          "Types" :  ["User"],
+          "Name" : "DirectoryViewers",
+          "Description" : "Directory viewers can view objects in the whole directory."
+        }
+      ],
       "RequiredResourcesAccess": [
         {
           "Resource": "Microsoft Graph",
           "DelegatedPermissions": [ "User.Read", "User.ReadBasic.All","Directory.Read.All" ]
         }
       ],"ManualSteps": [
-        { "Comment": "Run the ..\\CreateUsersAndRoles.ps1 command to automatically create a number of users, app roles and assign users to these roles or refer to the 'Define your application roles' section in README on how to configure your newly created app further for this sample." }
+        { "Comment": "You can run the ..\\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign users to these roles or assign users to this application app roles using the portal.To receive the `roles` claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this app. The guide, https://docs.microsoft.com/azure/active-directory/manage-apps/assign-user-or-group-access-portal#assign-a-user-to-an-app---portal provides step by step instructions." }
+
       ]
     }
   ],