roles sample upgraded

Author: Kalyan Krishna

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/AppCreationScripts.md

@@ -1,4 +1,4 @@
-# Registering the Azure Active Directory applications and updating the configuration files for this sample using PowerShell scripts
+# Registering the sample apps with Microsoft Identity Platform and updating the configuration files using PowerShell scripts
 
 ## Overview
 
@@ -9,7 +9,7 @@
    ```PowerShell
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    ```
-1. Run the script to create your Azure AD application and configure the code of the sample application accordinly. (Other ways of running the scripts are described below)
+1. Run the script to create your Azure AD application and configure the code of the sample application accordingly. (Other ways of running the scripts are described below)
    ```PowerShell
    .\AppCreationScripts\Configure.ps1
    ```

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/Cleanup.ps1

@@ -5,11 +5,11 @@ param(
     [string] $tenantId
 )
 
-if ((Get-Module -ListAvailable -Name "AzureAD") -eq $null) { 
+if ($null -eq (Get-Module -ListAvailable -Name "AzureAD")) { 
     Install-Module "AzureAD" -Scope CurrentUser 
 } 
 Import-Module AzureAD
-$ErrorActionPreference = 'Stop'
+$ErrorActionPreference = "Stop"
 
 Function Cleanup
 {
@@ -44,19 +44,27 @@ This function removes the Azure AD applications for the sample. These applicatio
         $tenantId = $creds.Tenant.Id
     }
     $tenant = Get-AzureADTenantDetail
-    $tenantName =  ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
+    $tenantName =  ($tenant.VerifiedDomains | Where-Object { $_._Default -eq $True }).Name
 
     # Removes the applications
     Write-Host "Cleaning-up applications from tenant '$tenantName'"
 
     Write-Host "Removing 'webApp' (WebApp-RolesClaims) if needed"
-    $app=Get-AzureADApplication -Filter "DisplayName eq 'WebApp-RolesClaims'"  
+    Get-AzureADApplication -Filter "DisplayName eq 'WebApp-RolesClaims'"  | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+    $apps = Get-AzureADApplication -Filter "DisplayName eq 'WebApp-RolesClaims'"
+    if ($apps)
+    {
+        Remove-AzureADApplication -ObjectId $apps.ObjectId
+    }
 
-    if ($app)
+    foreach ($app in $apps) 
     {
         Remove-AzureADApplication -ObjectId $app.ObjectId
-        Write-Host "Removed WebApp-RolesClaims."
-    }
+        Write-Host "Removed WebApp-RolesClaims.."
     }
+    # also remove service principals of this app
+    Get-AzureADServicePrincipal -filter "DisplayName eq 'WebApp-RolesClaims'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
+    
+}
 
-Cleanup -Credential $Credential -tenantId $TenantId
+Cleanup -Credential $Credential -tenantId $TenantId

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/Configure.ps1

@@ -65,7 +65,7 @@ Function AddResourcePermission($requiredAccess, `
 }
 
 #
-# Exemple: GetRequiredPermissions "Microsoft Graph"  "Graph.Read|User.Read"
+# Example: GetRequiredPermissions "Microsoft Graph"  "Graph.Read|User.Read"
 # See also: http://stackoverflow.com/questions/42164581/how-to-configure-a-new-azure-ad-application-through-powershell
 Function GetRequiredPermissions([string] $applicationDisplayName, [string] $requiredDelegatedPermissions, [string]$requiredApplicationPermissions, $servicePrincipal)
 {
@@ -137,14 +137,15 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
 Set-Content -Value "<html><body><table>" -Path createdApps.html
 Add-Content -Value "<thead><tr><th>Application</th><th>AppId</th><th>Url in the Azure portal</th></tr></thead><tbody>" -Path createdApps.html
 
+$ErrorActionPreference = "Stop"
+
 Function ConfigureApplications
 {
 <#.Description
    This function creates the Azure AD applications for the sample in the provided Azure AD tenant and updates the
    configuration files in the client and service project  of the visual studio solution (App.Config and Web.Config)
    so that they are consistent with the Applications parameters
 #> 
-
     $commonendpoint = "common"
 
     # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
@@ -176,7 +177,7 @@ Function ConfigureApplications
     $tenant = Get-AzureADTenantDetail
     $tenantName =  ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
 
-    # Get the user running the script
+    # Get the user running the script to add the user as the app owner
     $user = Get-AzureADUser -ObjectId $creds.Account.Id
 
    # Create the webApp AAD application
@@ -186,6 +187,7 @@ Function ConfigureApplications
    $fromDate = [DateTime]::Now;
    $key = CreateAppKey -fromDate $fromDate -durationInYears 2 -pw $pw
    $webAppAppKey = $pw
+   # create the application 
    $webAppAadApplication = New-AzureADApplication -DisplayName "WebApp-RolesClaims" `
                                                   -HomePage "https://localhost:44321/" `
                                                   -LogoutUrl "https://localhost:44321/signout-oidc" `
@@ -195,6 +197,7 @@ Function ConfigureApplications
                                                   -Oauth2AllowImplicitFlow $true `
                                                   -PublicClient $False
 
+   # create the service principal of the newly created application 
    $currentAppId = $webAppAadApplication.AppId
    $webAppServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp} -AppRoleAssignmentRequired $true
 
@@ -209,6 +212,7 @@ Function ConfigureApplications
         New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $webAppServicePrincipal.ObjectId -Id ([Guid]::Empty) 
    }
 
+
    Write-Host "Done creating the webApp application (WebApp-RolesClaims)"
 
    # URL of the AAD application in the Azure portal
@@ -249,7 +253,8 @@ Function ConfigureApplications
 # Pre-requisites
 if ((Get-Module -ListAvailable -Name "AzureAD") -eq $null) { 
     Install-Module "AzureAD" -Scope CurrentUser 
-} 
+}
+
 Import-Module AzureAD
 
 # Run interactively (will ask you for the tenant ID)

5-WebApp-AuthZ/5-1-Roles/AppCreationScripts/CreateUsersAndRoles.ps1

@@ -107,10 +107,11 @@ Function CreateRolesUsersAndRoleAssignments
         $servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"  
 
         Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
-        Write-Host "Successfully added app roles to the app 'WebApp-RolesClaims'."
 
         $appName = $app.DisplayName
 
+        Write-Host "Successfully added app roles to the app '$appName'."
+
         Write-Host "Creating users and assigning them to roles."
 
         # Create users
@@ -120,19 +121,19 @@ Function CreateRolesUsersAndRoleAssignments
         $userAssignment = New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $directoryViewerRole.Id
 
         # Creating a directory viewer
-        Write-Host "Creating a user and assigning to '$($directoryViewerRole.DisplayName)' role"
+        Write-Host "Creating a new user and assigning to '$($directoryViewerRole.DisplayName)' role"
         $aDirectoryViewer = CreateUserRepresentingAppRole $appName $directoryViewerRole $tenantName
         $userAssignment = New-AzureADUserAppRoleAssignment -ObjectId $aDirectoryViewer.ObjectId -PrincipalId $aDirectoryViewer.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $directoryViewerRole.Id
-        Write-Host "Created "($anApprover.UserPrincipalName)" with password 'test123456789.'"
+        Write-Host "Created user "($aDirectoryViewer.UserPrincipalName)" with password 'test123456789.'"
 
         # Creating a users reader
         Write-Host "Creating a user and assigning to '$($userreaderRole.DisplayName)' role"
-        $auserreaderRole = CreateUserRepresentingAppRole $appName $userreaderRole $tenantName
-        $userAssignment = New-AzureADUserAppRoleAssignment -ObjectId $auserreaderRole.ObjectId -PrincipalId $auserreaderRole.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $userreaderRole.Id
-        Write-Host "Created "($auserreaderRole.UserPrincipalName)" with password 'test123456789.'"
+        $auserreader = CreateUserRepresentingAppRole $appName $userreaderRole $tenantName
+        $userAssignment = New-AzureADUserAppRoleAssignment -ObjectId $auserreader.ObjectId -PrincipalId $auserreader.ObjectId -ResourceId $servicePrincipal.ObjectId -Id $userreaderRole.Id
+        Write-Host "Created user "($auserreader.UserPrincipalName)" with password 'test123456789.'"
     }
     else {
-        Write-Host "Failed to add app roles to the app 'WebApp-RolesClaims'."
+        Write-Host -ForegroundColor Red "Failed to add app roles to the app 'WebApp-RolesClaims'."
     }
 
     Write-Host -ForegroundColor Green "Run the ..\CleanupUsersAndRoles.ps1 command to remove users created for this sample's application ."

5-WebApp-AuthZ/5-1-Roles/Controllers/HomeController.cs

@@ -1,23 +1,23 @@
-using System;
-using System.Diagnostics;
-using System.IO;
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Options;
-using Graph = Microsoft.Graph;
 using Microsoft.Identity.Web;
+using System;
+using System.Diagnostics;
+using System.IO;
+using System.Threading.Tasks;
 using WebApp_OpenIDConnect_DotNet.Infrastructure;
 using WebApp_OpenIDConnect_DotNet.Models;
 using WebApp_OpenIDConnect_DotNet.Services;
+using Graph = Microsoft.Graph;
 
 namespace WebApp_OpenIDConnect_DotNet.Controllers
 {
     [Authorize]
     public class HomeController : Controller
     {
-        readonly ITokenAcquisition tokenAcquisition;
-        readonly WebOptions webOptions;
+        private readonly ITokenAcquisition tokenAcquisition;
+        private readonly WebOptions webOptions;
 
         public HomeController(ITokenAcquisition tokenAcquisition,
                               IOptions<WebOptions> webOptionValue)
@@ -35,7 +35,7 @@ public IActionResult Index()
         [AuthorizeForScopes(Scopes = new[] { Constants.ScopeUserRead })]
         public async Task<IActionResult> Profile()
         {
-            // Initialize the GraphServiceClient. 
+            // Initialize the GraphServiceClient.
             Graph::GraphServiceClient graphClient = GetGraphServiceClient(new[] { Constants.ScopeUserRead });
 
             var me = await graphClient.Me.Request().GetAsync();
@@ -73,16 +73,15 @@ public IActionResult Error()
         }
 
         [AuthorizeForScopes(Scopes = new[] { GraphScopes.UserReadBasicAll })]
-        [Authorize(Roles = AppRoles.UserReaders )]
+        [Authorize(Roles = AppRoles.UserReaders)]
         public async Task<IActionResult> Users()
         {
-            // Initialize the GraphServiceClient. 
+            // Initialize the GraphServiceClient.
             Graph::GraphServiceClient graphClient = GetGraphServiceClient(new[] { GraphScopes.UserReadBasicAll });
 
             var users = await graphClient.Users.Request().GetAsync();
             ViewData["Users"] = users.CurrentPage;
 
-
             return View();
         }
     }