merged

Author: kalyankrishna1

5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/Configure.ps1

@@ -197,7 +197,7 @@ Function ConfigureApplications
    # Add Required Resources Access (from 'webApp' to 'Microsoft Graph')
    Write-Host "Getting access from 'webApp' to 'Microsoft Graph'"
    $requiredPermissions = GetRequiredPermissions -applicationDisplayName "Microsoft Graph" `
-                                                -requiredDelegatedPermissions "User.Read GroupMember.Read.All" `
+                                                -requiredDelegatedPermissions "User.Read|GroupMember.Read.All" `
 
    $requiredResourcesAccess.Add($requiredPermissions)
 
@@ -209,6 +209,15 @@ Function ConfigureApplications
    $configFile = $pwd.Path + "\..\appsettings.json"
    Write-Host "Updating the sample code ($configFile)"
 
+   Write-Host ""
+   Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
+   Write-Host "IMPORTANT: Please follow the instructions below to complete a few manual step(s) in the Azure portal":
+   Write-Host "- For 'webApp'"
+   Write-Host "  - Navigate to '$webAppPortalUrl'"
+   Write-Host "  - Navigate to the API Permissions page and select 'Grant admin consent for (your tenant)'" -ForegroundColor Red 
+
+   Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
+     
    Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html  
 }
 

5-WebApp-AuthZ/5-2-Groups/AppCreationScripts/sample.json

@@ -25,7 +25,12 @@
       "RequiredResourcesAccess": [
         {
           "Resource": "Microsoft Graph",
-          "DelegatedPermissions": [ "User.Read GroupMember.Read.All" ]
+          "DelegatedPermissions": [ "User.Read", "GroupMember.Read.All" ]
+        }
+      ],
+      "ManualSteps": [
+        {
+          "Comment": "Navigate to the API Permissions page and select 'Grant admin consent for (your tenant)'"
         }
       ]
     }

5-WebApp-AuthZ/5-2-Groups/Infrastructure/Constants.cs

@@ -4,6 +4,8 @@ public static class Constants
     {
         public const string ScopeUserRead = "User.Read";
 
+        public const string ScopeGroupMemberRead = "GroupMember.Read.All";
+
         public const string BearerAuthorizationScheme = "Bearer";
     }
 }

5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/GraphHelper.cs

@@ -24,32 +24,45 @@ public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext con
                 // Checks if the incoming token contained a 'Group Overage' claim.
                 if (context.Principal.Claims.Any(x => x.Type == "hasgroups" || (x.Type == "_claim_names" && x.Value == "{\"groups\":\"src1\"}")))
                 {
-                    // For this API call to succeed, the app should have permission 'GroupMember.Read.All' granted.
-                    var graph = context.HttpContext.RequestServices.GetService<GraphServiceClient>();
+                    // Before instatntiating GraphServiceClient, the app should have granted admin consent for 'GroupMember.Read.All' permission.
+                    var graphClient = context.HttpContext.RequestServices.GetService<GraphServiceClient>();
 
-                    if (graph == null)
+                    if (graphClient == null)
                     {
                         Console.WriteLine("No service for type 'Microsoft.Graph.GraphServiceClient' has been registered in the Startup.");
                     }
+
+                    // Checks if the SecurityToken is not null.
+                    // For the Web App, SecurityToken contains value of the ID Token.
                     else if (context.SecurityToken != null)
                     {
-                        // Check if an on-behalf-of all was made to a Web API
+                        // Checks if 'JwtSecurityTokenUsedToCallWebAPI' key already exists. 
+                        // This key is required to acquire Access Token for Graph Service Client.
                         if (!context.HttpContext.Items.ContainsKey("JwtSecurityTokenUsedToCallWebAPI"))
                         {
-                            // extract the cached AT that was presented to the Web API
+                            // For Web App, access token is retrieved using account identifier. But at this point account identifier is null.
+                            // So, SecurityToken is saved in 'JwtSecurityTokenUsedToCallWebAPI' key.
+                            // The key is then used to get the Access Token on-behalf of user.
                             context.HttpContext.Items.Add("JwtSecurityTokenUsedToCallWebAPI", context.SecurityToken as JwtSecurityToken);
                         }
 
-                        // We do not want to pull all attributes of a group from MS Graph, so we use a 'select' to just pick the ones we need.
+                        // The properties that we want to retrieve from MemberOf endpoint.
                         string select = "id,displayName,onPremisesNetBiosName,onPremisesDomainName,onPremisesSamAccountNameonPremisesSecurityIdentifier";
-
-                        // TODO: this line needs a try-catch, with the exception error message being "A call to Microsoft Graph failed, the error is <whatever>"
-                        // Make a Graph call to get groups and directory roles that the user is a direct member of.
-                        var memberPage = await graph.Me.MemberOf.Request().Select(select).GetAsync().ConfigureAwait(false);
-
+                       
+                        IUserMemberOfCollectionWithReferencesPage memberPage = new UserMemberOfCollectionWithReferencesPage();
+                        try
+                        {
+                            //Request to get groups and directory roles that the user is a direct member of.
+                            memberPage = await graphClient.Me.MemberOf.Request().Select(select).GetAsync().ConfigureAwait(false);
+                        }
+                        catch(Exception graphEx)
+                        {
+                            var exMsg = graphEx.InnerException != null ? graphEx.InnerException.Message : graphEx.Message;
+                            Console.WriteLine("Call to Microsoft Graph failed: "+ exMsg);
+                        }
                         if (memberPage?.Count > 0)
                         {
-                            // If the result is paginated, this method will process all the pages for us.
+                            // There is a limit to number of groups returned, below method make calls to Microsoft graph to get all the groups.
                             var allgroups = ProcessIGraphServiceMemberOfCollectionPage(memberPage);
 
                             if (allgroups?.Count > 0)
@@ -85,11 +98,12 @@ public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext con
             }
             finally
             {
+                // Checks if the key 'JwtSecurityTokenUsedToCallWebAPI' exists.
                 if (context.HttpContext.Items.ContainsKey("JwtSecurityTokenUsedToCallWebAPI"))
                 {
-                    // TODO: The following comment makes no sense !
-                    // Remove the key as Microsoft.Identity.Web library utilizes this key.
+                    // Removes 'JwtSecurityTokenUsedToCallWebAPI' from Items collection.
                     // If not removed then it can cause failure to the application.
+                    // Because this key is also added by StoreTokenUsedToCallWebAPI method of Microsoft.Identity.Web. 
                     context.HttpContext.Items.Remove("JwtSecurityTokenUsedToCallWebAPI");
                 }
             }
@@ -100,9 +114,9 @@ public static async Task ProcessClaimsForGroupsOverage(TokenValidatedContext con
         /// </summary>
         /// <param name="context"></param>
         /// <param name="identity"></param>
-        private static void RemoveExistingClaim(ClaimsIdentity identity)
+        private static void RemoveExistingClaims(ClaimsIdentity identity)
         {
-            // clear an existing claim
+            //clear existing claim
             List<Claim> existingGroupsClaims = identity.Claims.Where(x => x.Type == "groups").ToList();
             if (existingGroupsClaims?.Count > 0)
             {

5-WebApp-AuthZ/5-2-Groups/Startup.cs

@@ -10,6 +10,7 @@
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 using Microsoft.Identity.Web.UI;
+using WebApp_OpenIDConnect_DotNet.Infrastructure;
 using WebApp_OpenIDConnect_DotNet.Services.GroupProcessing;
 
 namespace WebApp_OpenIDConnect_DotNet
@@ -26,6 +27,7 @@ public Startup(IConfiguration configuration)
         // This method gets called by the runtime. Use this method to add services to the container.
         public void ConfigureServices(IServiceCollection services)
         {
+            var initialScopes = new string[] { Constants.ScopeUserRead, Constants.ScopeGroupMemberRead };
             services.Configure<CookiePolicyOptions>(options =>
             {
                 // This lambda determines whether user consent for non-essential cookies is needed for a given request.
@@ -48,7 +50,7 @@ public void ConfigureServices(IServiceCollection services)
                         await GraphHelper.ProcessClaimsForGroupsOverage(context);
                     };
                 }, options => { Configuration.Bind("AzureAd", options); })
-                    .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options))
+                    .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind("AzureAd", options), initialScopes)
                     .AddMicrosoftGraph(Configuration.GetSection("GraphAPI"))
                     .AddInMemoryTokenCaches();
 

5-WebApp-AuthZ/5-2-Groups/appsettings.json

@@ -22,5 +22,5 @@
     }
   },
   "AllowedHosts": "*",
-  "GraphApiUrl": "https://graph.microsoft.com/beta"
+  "GraphApiUrl": "https://graph.microsoft.com/v1.0"
 }