Adding code comments

Author: Tiago Brenck

2-WebApp-graph-user/2-3-Multi-Tenant/Controllers/HomeController.cs

@@ -46,6 +46,7 @@ public HomeController(SampleDbContext dbContext)
 
         public IActionResult Index()
         {
+            //Getting all authorized tenants to be displayed on a table, for demonstration purpose
             var authorizedTenants = dbContext.AuthorizedTenants.Where(x => x.TenantId != null && x.AuthorizedOn != null).ToList();
             return View(authorizedTenants);
         }
@@ -58,6 +59,7 @@ public IActionResult DeleteTenant(string id)
 
             var signedUserTenant = User.GetTenantId();
 
+            // If the user deletes its own tenant from the list, they should be signed-out
             if (id == signedUserTenant)
                 return RedirectToAction("SignOut", "Account", new { area = "AzureAD" });
             else
@@ -67,6 +69,7 @@ public IActionResult DeleteTenant(string id)
         [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
         public IActionResult UnauthorizedTenant()
         {
+            //If you landed here, is because you tried to sign-in with a user from a tenant that hasnt been onboarded in the application yet.
             return View();
         }
 

2-WebApp-graph-user/2-3-Multi-Tenant/Controllers/OnboardingController.cs

@@ -67,6 +67,7 @@ public IActionResult Onboard()
                 TempAuthorizationCode = stateMarker //Use the stateMarker as a tempCode, so we can find this entity on the ProcessCode method
             };
 
+            // Saving a temporary tenant to validate the stateMarker on the admin consent response
             dbContext.AuthorizedTenants.Add(authorizedTenant);
             dbContext.SaveChanges();
 
@@ -79,11 +80,10 @@ public IActionResult Onboard()
             string authorizationRequest = string.Format(
                 "{0}common/v2.0/adminconsent?client_id={1}&redirect_uri={2}&state={3}&scope={4}",
                 azureADOptions.Instance,
-                Uri.EscapeDataString(azureADOptions.ClientId),
-                Uri.EscapeDataString(currentUri + "Onboarding/ProcessCode"),
-                Uri.EscapeDataString(stateMarker),
-                Uri.EscapeDataString("https://graph.microsoft.com/.default"));
-
+                Uri.EscapeDataString(azureADOptions.ClientId), // The application Id on Azure Portal
+                Uri.EscapeDataString(currentUri + "Onboarding/ProcessCode"), //Uri that will get redirected after the admin has consented
+                Uri.EscapeDataString(stateMarker), // The state parameter is used to validate the response, preventing a man-in-the-middle attack, and it will also be used to identify the entity on ProcessCode action.
+                Uri.EscapeDataString("https://graph.microsoft.com/.default")); // The scopes to be presented to the admin. Here we are using the static scope /.default. 
 
             return Redirect(authorizationRequest);
         }
@@ -99,7 +99,7 @@ public async Task<IActionResult> ProcessCode(string tenant, string error, string
 
             var authenticationProperties = new AuthenticationProperties { RedirectUri = "Home/Index" };
 
-            // Check if tenant is already authorized
+            // If tenant is already authorized, there is no need updated its record
             if (dbContext.AuthorizedTenants.FirstOrDefault(x => x.TenantId == tenant) != null)
             {
                 // Challenge an authentication so dotnet can set the user identity claims. 

2-WebApp-graph-user/2-3-Multi-Tenant/Services/MSGraphService.cs

@@ -52,6 +52,8 @@ public async Task<IEnumerable<User>> GetUsersAsync(string accessToken)
             try
             {
                 PrepareAuthenticatedClient(accessToken);
+
+                // Using Graph SDK to get users, filtering by active ones and returning just id and userPrincipalName field
                 users = await graphServiceClient.Users.Request()
                     .Filter($"accountEnabled eq true")
                     .Select("id, userPrincipalName")