New sample done (#93)

* PS and config done

* Coding almost done

* A few bits remaining

* Final touches to the readme.md

* Code review comments addressed

* Minor edit

Author: Kalyan Krishna

.gitignore

@@ -67,3 +67,6 @@
 /5-WebApp-AuthZ/5-2-Groups/.vs
 /5-WebApp-AuthZ/5-2-Groups/bin/Debug/netcoreapp2.2
 /5-WebApp-AuthZ/5-2-Groups/obj
+/5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/createdApps.html
+/5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/Steps.md
+/5-WebApp-AuthZ/5-1-Roles/WebApp-OpenIDConnect-DotNet.csproj.user

5-WebApp-AuthZ-Roles-Groups/README..md

@@ -49,8 +49,8 @@ This function removes the Azure AD applications for the sample. These applicatio
     # Removes the applications
     Write-Host "Cleaning-up applications from tenant '$tenantName'"
 
-    Write-Host "Removing 'webApp' (WebApp-OpenIDConnect-DotNet-code-v2) if needed"
-    $app=Get-AzureADApplication -Filter "DisplayName eq 'WebApp-OpenIDConnect-DotNet-code-v2'"  
+    Write-Host "Removing 'webApp' (WebApp-RolesClaims) if needed"
+    $app=Get-AzureADApplication -Filter "DisplayName eq 'WebApp-RolesClaims'"  
 
     if ($app)
     {

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/Cleanup.ps1

@@ -0,0 +1,78 @@
+[CmdletBinding()]
+param(    
+    [PSCredential] $Credential,
+    [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
+    [string] $tenantId
+)
+
+Import-Module AzureAD
+$ErrorActionPreference = 'Stop'
+
+Function RemoveUser([string]$userPrincipal)
+{
+    $user = Get-AzureADUser -Filter "UserPrincipalName eq '$userPrincipal'"
+    if ($user)
+    {
+        Write-Host "Removing User '($userPrincipal)'"
+        Remove-AzureADUser -ObjectId $user.ObjectId
+    }
+    else {
+        Write-Host "Failed to remove user '($userPrincipal)'"
+    }
+}
+
+Function CleanupUsers
+{
+    <#
+    .Description
+    This function removes the users created in the Azure AD tenant by the CreateUsersAndRoles.ps1 script.
+    #>
+
+    # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant 
+    # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD. 
+
+    # Login to Azure PowerShell (interactive if credentials are not already provided:
+    # you'll need to sign-in with creds enabling your to create apps in the tenant)
+    if (!$Credential -and $TenantId)
+    {
+        $creds = Connect-AzureAD -TenantId $tenantId
+    }
+    else
+    {
+        if (!$TenantId)
+        {
+            $creds = Connect-AzureAD -Credential $Credential
+        }
+        else
+        {
+            $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential
+        }
+    }
+
+    if (!$tenantId)
+    {
+        $tenantId = $creds.Tenant.Id
+    }
+
+    $tenant = Get-AzureADTenantDetail
+
+    $tenantName =  ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
+
+    $appName = "WebApp-RolesClaims"
+
+    # Removes the users created for the application
+    Write-Host "Removing Users"
+    RemoveUser -userPrincipal "$appName-DirectoryViewers@$tenantName"
+    RemoveUser -userPrincipal "$appName-UserReaders@$tenantName"
+
+    Write-Host "finished removing  users created for this app." 
+}
+
+# Pre-requisites
+if ((Get-Module -ListAvailable -Name "AzureAD") -eq $null) { 
+    Install-Module "AzureAD" -Scope CurrentUser 
+} 
+Import-Module AzureAD
+$ErrorActionPreference = 'Stop'
+
+CleanupUsers -Credential $Credential -tenantId $TenantId

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/CleanupUsersAndRoles.ps1

@@ -178,46 +178,49 @@ Function ConfigureApplications
     $user = Get-AzureADUser -ObjectId $creds.Account.Id
 
    # Create the webApp AAD application
-   Write-Host "Creating the AAD application (WebApp-OpenIDConnect-DotNet-code-v2)"
+   Write-Host "Creating the AAD application (WebApp-RolesClaims)"
    # Get a 2 years application key for the webApp Application
    $pw = ComputePassword
    $fromDate = [DateTime]::Now;
    $key = CreateAppKey -fromDate $fromDate -durationInYears 2 -pw $pw
    $webAppAppKey = $pw
-   $webAppAadApplication = New-AzureADApplication -DisplayName "WebApp-OpenIDConnect-DotNet-code-v2" `
+   $webAppAadApplication = New-AzureADApplication -DisplayName "WebApp-RolesClaims" `
                                                   -HomePage "https://localhost:44321/" `
                                                   -LogoutUrl "https://localhost:44321/signout-oidc" `
                                                   -ReplyUrls "https://localhost:44321/", "https://localhost:44321/signin-oidc" `
-                                                  -IdentifierUris "https://$tenantName/WebApp-OpenIDConnect-DotNet-code-v2" `
-                                                  -AvailableToOtherTenants $True `
+                                                  -IdentifierUris "https://$tenantName/WebApp-RolesClaims" `
                                                   -PasswordCredentials $key `
                                                   -Oauth2AllowImplicitFlow $true `
+                                                  -GroupMembershipClaims "SecurityGroup" `
                                                   -PublicClient $False
 
    $currentAppId = $webAppAadApplication.AppId
-   $webAppServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
+   $webAppServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp} -AppRoleAssignmentRequired $true
 
    # add the user running the script as an app owner if needed
    $owner = Get-AzureADApplicationOwner -ObjectId $webAppAadApplication.ObjectId
    if ($owner -eq $null)
    { 
-    Add-AzureADApplicationOwner -ObjectId $webAppAadApplication.ObjectId -RefObjectId $user.ObjectId
-    Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($webAppServicePrincipal.DisplayName)'"
+        Add-AzureADApplicationOwner -ObjectId $webAppAadApplication.ObjectId -RefObjectId $user.ObjectId
+        Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($webAppServicePrincipal.DisplayName)'"
+
+        # assign the current user to the app as well
+        New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $webAppServicePrincipal.ObjectId -Id ([Guid]::Empty) 
    }
 
-   Write-Host "Done creating the webApp application (WebApp-OpenIDConnect-DotNet-code-v2)"
+   Write-Host "Done creating the webApp application (WebApp-RolesClaims)"
 
    # URL of the AAD application in the Azure portal
    # Future? $webAppPortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/"+$webAppAadApplication.AppId+"/objectId/"+$webAppAadApplication.ObjectId+"/isMSAApp/"
    $webAppPortalUrl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/"+$webAppAadApplication.AppId+"/objectId/"+$webAppAadApplication.ObjectId+"/isMSAApp/"
-   Add-Content -Value "<tr><td>webApp</td><td>$currentAppId</td><td><a href='$webAppPortalUrl'>WebApp-OpenIDConnect-DotNet-code-v2</a></td></tr>" -Path createdApps.html
+   Add-Content -Value "<tr><td>webApp</td><td>$currentAppId</td><td><a href='$webAppPortalUrl'>WebApp-RolesClaims</a></td></tr>" -Path createdApps.html
 
    $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
 
    # Add Required Resources Access (from 'webApp' to 'Microsoft Graph')
    Write-Host "Getting access from 'webApp' to 'Microsoft Graph'"
    $requiredPermissions = GetRequiredPermissions -applicationDisplayName "Microsoft Graph" `
-                                                -requiredDelegatedPermissions "User.Read" `
+                                                -requiredDelegatedPermissions "User.Read|User.ReadBasic.All|Directory.Read.All" `
 
    $requiredResourcesAccess.Add($requiredPermissions)
 
@@ -230,6 +233,8 @@ Function ConfigureApplications
    Write-Host "Updating the sample code ($configFile)"
    $dictionary = @{ "ClientId" = $webAppAadApplication.AppId;"TenantId" = $tenantId;"Domain" = $tenantName;"ClientSecret" = $webAppAppKey };
    UpdateTextFile -configFilePath $configFile -dictionary $dictionary
+   Write-Host ""
+   Write-Host -ForegroundColor Green "Run the ..\CreateUsersAndRoles.ps1 command to automatically create a number of users, app roles and assign users to these roles or refer to the 'Define your application roles' section in README on how to configure your newly created app further for this sample."
 
    Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html  
 }

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/Configure.ps1

@@ -0,0 +1,148 @@
+[CmdletBinding()]
+param(
+    [PSCredential] $Credential,
+    [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
+    [string] $tenantId
+)
+
+<#
+ This script creates the following artefacts in the Azure AD tenant.
+ 1) A number of App roles
+ 2) A set of users and assigns them to the app roles.
+
+ Before running this script you need to install the AzureAD cmdlets as an administrator. 
+ For this:
+ 1) Run Powershell as an administrator
+ 2) in the PowerShell window, type: Install-Module AzureAD
+
+ There are four ways to run this script. For more information, read the AppCreationScripts.md file in the same folder as this script.
+#>
+
+# Create an application role of given name and description
+Function CreateAppRole([string] $Name, [string] $Description)
+{
+    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
+    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
+    $appRole.AllowedMemberTypes.Add("User");
+    $appRole.DisplayName = $Name
+    $appRole.Id = New-Guid
+    $appRole.IsEnabled = $true
+    $appRole.Description = $Description
+    $appRole.Value = $Name;
+    return $appRole
+}
+
+Function CreateUserRepresentingAppRole([string]$appName, $role, [string]$tenantName)
+{
+    $password = "test123456789."
+    $displayName = $appName +"-" + $role.Value
+    $userEmail = $displayName + "@" + $tenantName
+    $nickName = $role.Value
+
+    CreateUser -displayName $displayName -nickName $nickName -tenantName $tenantName
+}
+
+Function CreateUser([string]$displayName, [string]$nickName, [string]$tenantName)
+{
+    $password = "test123456789."
+    $userEmail = $displayName + "@" + $tenantName
+    $passwordProfile = New-Object Microsoft.Open.AzureAD.Model.PasswordProfile($password, $false, $false)
+
+    New-AzureADUser -DisplayName $displayName -PasswordProfile $passwordProfile -AccountEnabled $true -MailNickName $nickName -UserPrincipalName $userEmail
+}
+
+Function CreateRolesUsersAndRoleAssignments
+{
+<#.Description
+   This function creates the 
+#> 
+
+    # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
+    # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
+
+    # Login to Azure PowerShell (interactive if credentials are not already provided:
+    # you'll need to sign-in with creds enabling your to create apps in the tenant)
+    if (!$Credential -and $TenantId)
+    {
+        $creds = Connect-AzureAD -TenantId $tenantId
+    }
+    else
+    {
+        if (!$TenantId)
+        {
+            $creds = Connect-AzureAD -Credential $Credential
+        }
+        else
+        {
+            $creds = Connect-AzureAD -TenantId $tenantId -Credential $Credential
+        }
+    }
+
+    if (!$tenantId)
+    {
+        $tenantId = $creds.Tenant.Id
+    }
+
+    $tenant = Get-AzureADTenantDetail
+    $tenantName =  ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
+
+    # Get the user running the script
+    $user = Get-AzureADUser -ObjectId $creds.Account.Id
+
+    # Add application Roles
+    $directoryViewerRole = CreateAppRole -Name "DirectoryViewers" -Description "Directory viewers can view objects in the whole directory."
+    $userreaderRole = CreateAppRole -Name "UserReaders"  -Description "User readers can read basic profiles of all users in the directory"
+
+    $appRoles = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]
+    $appRoles.Add($directoryViewerRole)
+    $appRoles.Add($userreaderRole)
+        
+    # Add the roles
+    Write-Host "Adding app roles to to the app 'WebApp-RolesClaims' in tenant '$tenantName'"
+
+    $app=Get-AzureADApplication -Filter "DisplayName eq 'WebApp-RolesClaims'" 
+    
+    if ($app)
+    {
+        $servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"  
+        
+        Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
+        Write-Host "Successfully added app roles to the app 'WebApp-RolesClaims'."
+
+        $appName = $app.DisplayName
+
+        Write-Host "Creating users and assigning them to roles."
+
+        # Create users
+        # ------
+        # Make sure that the user who is running this script is assigned to the Directory viewer role
+        Write-Host "Adding '$($user.DisplayName)' as a member of the '$($directoryViewerRole.DisplayName)' role"
+        $userAssignment = New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $directoryViewerRole.Id
+
+        # Creating a directory viewer
+        Write-Host "Creating a user and assigning to '$($directoryViewerRole.DisplayName)' role"
+        $aDirectoryViewer = CreateUserRepresentingAppRole $appName $directoryViewerRole $tenantName
+        $userAssignment = New-AzureADUserAppRoleAssignment -ObjectId $aDirectoryViewer.ObjectId -PrincipalId $aDirectoryViewer.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $directoryViewerRole.Id
+        Write-Host "Created "($anApprover.UserPrincipalName)" with password 'test123456789.'"
+
+        # Creating a users reader
+        Write-Host "Creating a user and assigning to '$($userreaderRole.DisplayName)' role"
+        $auserreaderRole = CreateUserRepresentingAppRole $appName $userreaderRole $tenantName
+        $userAssignment = New-AzureADUserAppRoleAssignment -ObjectId $auserreaderRole.ObjectId -PrincipalId $auserreaderRole.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $userreaderRole.Id
+        Write-Host "Created "($auserreaderRole.UserPrincipalName)" with password 'test123456789.'"
+    }
+    else {
+        Write-Host "Failed to add app roles to the app 'WebApp-RolesClaims'."
+    }
+
+    Write-Host -ForegroundColor Green "Run the ..\CleanupUsersAndRoles.ps1 command to remove users created for this sample's application ."
+}
+
+# Pre-requisites
+if ((Get-Module -ListAvailable -Name "AzureAD") -eq $null) { 
+    Install-Module "AzureAD" -Scope CurrentUser 
+} 
+Import-Module AzureAD
+$ErrorActionPreference = 'Stop'
+
+CreateRolesUsersAndRoleAssignments -Credential $Credential -tenantId $TenantId

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/CreateUsersAndRoles.ps1

@@ -1,10 +1,10 @@
 {
   "Sample": {
-    "Title": "Using the Microsoft identity platform to call the Microsoft Graph API from an An ASP.NET Core 2.x Web App, on behalf of a user signing-in using their work and school or Microsoft personal account",
-    "Level": 200,
+    "Title": "Add authorization using app roles & roles claims to an ASP.NET Core Web app thats signs-in users with the Microsoft identity platform",
+    "Level": 300,
     "Client": "ASP.NET Core 2.x Web App",
     "Service": "Microsoft Graph",
-    "RepositoryUrl": "active-directory-aspnetcore-webapp-openidconnect-v2",
+    "RepositoryUrl": "microsoft-identity-platform-aspnetcore-webapp-tutorial",
     "Endpoint": "AAD v2.0"
   },
 
@@ -14,17 +14,21 @@
   "AADApps": [
     {
       "Id": "webApp",
-      "Name": "WebApp-OpenIDConnect-DotNet-code-v2",
+      "Name": "WebApp-RolesClaims",
       "Kind": "WebApp",
+      "Audience": "AzureADMyOrg",
       "HomePage": "https://localhost:44321/",
       "ReplyUrls": "https://localhost:44321/, https://localhost:44321/signin-oidc",
       "LogoutUrl": "https://localhost:44321/signout-oidc",
       "PasswordCredentials": "Auto",
+      "GroupMembershipClaims": "SecurityGroup",
       "RequiredResourcesAccess": [
         {
           "Resource": "Microsoft Graph",
-          "DelegatedPermissions": [ "User.Read" ]
+          "DelegatedPermissions": [ "User.Read", "User.ReadBasic.All","Directory.Read.All" ]
         }
+      ],"ManualSteps": [
+        { "Comment": "Run the ..\\CreateUsersAndRoles.ps1 command to automatically create a number of users, app roles and assign users to these roles or refer to the 'Define your application roles' section in README on how to configure your newly created app further for this sample." }
       ]
     }
   ],