@@ -39,7 +39,7 @@ Function AddResourcePermission($requiredAccess, `
3939}
4040
4141#
42- # Exemple : GetRequiredPermissions "Microsoft Graph" "Graph.Read|User.Read"
42+ # Example : GetRequiredPermissions "Microsoft Graph" "Graph.Read|User.Read"
4343# See also: http://stackoverflow.com/questions/42164581/how-to-configure-a-new-azure-ad-application-through-powershell
4444Function GetRequiredPermissions ([string ] $applicationDisplayName , [string ] $requiredDelegatedPermissions , [string ]$requiredApplicationPermissions , $servicePrincipal )
4545{
@@ -125,17 +125,56 @@ Function UpdateTextFile([string] $configFilePath, [System.Collections.HashTable]
125125
126126 Set-Content - Path $configFilePath - Value $lines - Force
127127}
128+ <# . Description
129+ This function creates a new Azure AD scope (OAuth2Permission) with default and provided values
130+ #>
131+ Function CreateScope ( [string ] $value , [string ] $userConsentDisplayName , [string ] $userConsentDescription , [string ] $adminConsentDisplayName , [string ] $adminConsentDescription )
132+ {
133+ $scope = New-Object Microsoft.Open.AzureAD.Model.OAuth2Permission
134+ $scope.Id = New-Guid
135+ $scope.Value = $value
136+ $scope.UserConsentDisplayName = $userConsentDisplayName
137+ $scope.UserConsentDescription = $userConsentDescription
138+ $scope.AdminConsentDisplayName = $adminConsentDisplayName
139+ $scope.AdminConsentDescription = $adminConsentDescription
140+ $scope.IsEnabled = $true
141+ $scope.Type = " User"
142+ return $scope
143+ }
144+
145+ <# . Description
146+ This function creates a new Azure AD AppRole with default and provided values
147+ #>
148+ Function CreateAppRole ([string ] $types , [string ] $name , [string ] $description )
149+ {
150+ $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
151+ $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string ]
152+ $typesArr = $types.Split (' ,' )
153+ foreach ($type in $typesArr )
154+ {
155+ $appRole.AllowedMemberTypes.Add ($type );
156+ }
157+ $appRole.DisplayName = $name
158+ $appRole.Id = New-Guid
159+ $appRole.IsEnabled = $true
160+ $appRole.Description = $description
161+ $appRole.Value = $name ;
162+ return $appRole
163+ }
128164
129165Set-Content - Value " <html><body><table>" - Path createdApps.html
130166Add-Content - Value " <thead><tr><th>Application</th><th>AppId</th><th>Url in the Azure portal</th></tr></thead><tbody>" - Path createdApps.html
131167
168+ $ErrorActionPreference = " Stop"
169+
132170Function ConfigureApplications
133171{
134172<# . Description
135173 This function creates the Azure AD applications for the sample in the provided Azure AD tenant and updates the
136174 configuration files in the client and service project of the visual studio solution (App.Config and Web.Config)
137175 so that they are consistent with the Applications parameters
138176#>
177+ $commonendpoint = " common"
139178
140179 # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
141180 # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
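Review bot: CreateAppRole (new lines 148–163) adds each comma-separated piece of `$types` to AllowedMemberTypes verbatim, so an input such as `"User, Application"` or one with a trailing comma contributes `" Application"` or an empty string, neither of which looks like a valid member type; trimming and skipping blanks avoids that: `foreach ($type in ($types -split ',')) { $t = $type.Trim(); if ($t) { $appRole.AllowedMemberTypes.Add($t) } }`. Neither CreateScope nor CreateAppRole validates its parameters, and a permission or role with an empty Value would presumably only be rejected later when the object is pushed to the directory; `[ValidateNotNullOrEmpty()]` on `$value` and `$name` would fail fast at the call site instead. A comment on `$scope.Type = "User"` would help readers, e.g. `# "User": a non-admin user may consent to this scope for themselves; use "Admin" to require admin consent`. `$commonendpoint` (new line 177) is not referenced in any hunk shown here, so it may be dead. The ConfigureApplications function this hunk enters continues past the end of the hunk.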
@@ -166,54 +205,90 @@ Function ConfigureApplications
166205 $tenant = Get-AzureADTenantDetail
167206 $tenantName = ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
168207
169- # Get the user running the script
208+ # Get the user running the script to add the user as the app owner
170209 $user = Get-AzureADUser - ObjectId $creds.Account.Id
171210
172211 # Create the service AAD application
173212 Write-Host " Creating the AAD application (TodoListService (active-directory-dotnet-native-aspnetcore-v2))"
213+ # create the application
174214 $serviceAadApplication = New-AzureADApplication - DisplayName " TodoListService (active-directory-dotnet-native-aspnetcore-v2)" `
175215 - HomePage " https://localhost:44351/" `
176216 - AvailableToOtherTenants $True `
177217 - PublicClient $False
178218 $serviceIdentifierUri = ' api://' + $serviceAadApplication.AppId
179219 Set-AzureADApplication - ObjectId $serviceAadApplication.ObjectId - IdentifierUris $serviceIdentifierUri
180220
221+ # create the service principal of the newly created application
181222 $currentAppId = $serviceAadApplication.AppId
182223 $serviceServicePrincipal = New-AzureADServicePrincipal - AppId $currentAppId - Tags {WindowsAzureActiveDirectoryIntegratedApp}
183224
184225 # add the user running the script as an app owner if needed
185226 $owner = Get-AzureADApplicationOwner - ObjectId $serviceAadApplication.ObjectId
186227 if ($owner -eq $null )
187228 {
188- Add-AzureADApplicationOwner - ObjectId $serviceAadApplication.ObjectId - RefObjectId $user.ObjectId
189- Write-Host " '$ ( $user.UserPrincipalName ) ' added as an application owner to app '$ ( $serviceServicePrincipal.DisplayName ) '"
229+ Add-AzureADApplicationOwner - ObjectId $serviceAadApplication.ObjectId - RefObjectId $user.ObjectId
230+ Write-Host " '$ ( $user.UserPrincipalName ) ' added as an application owner to app '$ ( $serviceServicePrincipal.DisplayName ) '"
190231 }
191232
233+ # rename the user_impersonation scope if it exists to match the readme steps or add a new scope
234+ $scopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission ]
235+
236+ if ($scopes.Count -ge 0 )
237+ {
238+ # add all existing scopes first
239+ $serviceAadApplication.Oauth2Permissions | foreach-object { $scopes.Add ($_ ) }
240+
241+ $scope = $serviceAadApplication.Oauth2Permissions | Where-Object { $_.Value -eq " User_impersonation" }
242+
243+ if ($scope -ne $null )
244+ {
245+ $scope.Value = " access_as_user"
246+ }
247+ else
248+ {
249+ # Add scope
250+ $scope = CreateScope - value " access_as_user" `
251+ - userConsentDisplayName " Access TodoListService (active-directory-dotnet-native-aspnetcore-v2)" `
252+ - userConsentDescription " Allow the application to access TodoListService (active-directory-dotnet-native-aspnetcore-v2) on your behalf." `
253+ - adminConsentDisplayName " Access TodoListService (active-directory-dotnet-native-aspnetcore-v2)" `
254+ - adminConsentDescription " Allows the app to have the same access to information in the directory on behalf of the signed-in user."
255+
256+ $scopes.Add ($scope )
257+ }
258+ }
259+
260+ # add/update scopes
261+ Set-AzureADApplication - ObjectId $serviceAadApplication.ObjectId - OAuth2Permission $scopes
262+
192263 Write-Host " Done creating the service application (TodoListService (active-directory-dotnet-native-aspnetcore-v2))"
193264
194265 # URL of the AAD application in the Azure portal
195266 # Future? $servicePortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/"+$serviceAadApplication.AppId+"/objectId/"+$serviceAadApplication.ObjectId+"/isMSAApp/"
196267 $servicePortalUrl = " https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/" + $serviceAadApplication.AppId + " /objectId/" + $serviceAadApplication.ObjectId + " /isMSAApp/"
197268 Add-Content - Value " <tr><td>service</td><td>$currentAppId </td><td><a href='$servicePortalUrl '>TodoListService (active-directory-dotnet-native-aspnetcore-v2)</a></td></tr>" - Path createdApps.html
198269
270+
199271 # Create the client AAD application
200272 Write-Host " Creating the AAD application (TodoListClient (active-directory-dotnet-native-aspnetcore-v2))"
273+ # create the application
201274 $clientAadApplication = New-AzureADApplication - DisplayName " TodoListClient (active-directory-dotnet-native-aspnetcore-v2)" `
202- - ReplyUrls " urn:ietf:wg:oauth:2.0:oob " `
275+ - ReplyUrls " https://login.microsoftonline.com/common/oauth2/nativeclient " `
203276 - AvailableToOtherTenants $True `
204277 - PublicClient $True
205278
279+ # create the service principal of the newly created application
206280 $currentAppId = $clientAadApplication.AppId
207281 $clientServicePrincipal = New-AzureADServicePrincipal - AppId $currentAppId - Tags {WindowsAzureActiveDirectoryIntegratedApp}
208282
209283 # add the user running the script as an app owner if needed
210284 $owner = Get-AzureADApplicationOwner - ObjectId $clientAadApplication.ObjectId
211285 if ($owner -eq $null )
212286 {
213- Add-AzureADApplicationOwner - ObjectId $clientAadApplication.ObjectId - RefObjectId $user.ObjectId
214- Write-Host " '$ ( $user.UserPrincipalName ) ' added as an application owner to app '$ ( $clientServicePrincipal.DisplayName ) '"
287+ Add-AzureADApplicationOwner - ObjectId $clientAadApplication.ObjectId - RefObjectId $user.ObjectId
288+ Write-Host " '$ ( $user.UserPrincipalName ) ' added as an application owner to app '$ ( $clientServicePrincipal.DisplayName ) '"
215289 }
216290
291+
217292 Write-Host " Done creating the client application (TodoListClient (active-directory-dotnet-native-aspnetcore-v2))"
218293
219294 # URL of the AAD application in the Azure portal
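Review bot: The guard `if ($scopes.Count -ge 0)` at new line 236 is always true for the just-constructed empty list, so it adds nothing but indentation; either drop it or, if the intent was to skip the rename when the application has no scopes yet, test `$serviceAadApplication.Oauth2Permissions` instead. The admin consent description given to the new `access_as_user` scope (new line 254), "Allows the app to have the same access to information in the directory on behalf of the signed-in user", describes directory-wide access rather than access to TodoListService, so the consent prompt would overstate what the scope grants; the user consent description two lines above is accurate, and a matching admin text such as `"Allow the app to access TodoListService (active-directory-dotnet-native-aspnetcore-v2) on behalf of the signed-in user."` would keep the two consistent. The rename branch changes `$scope.Value` on the existing User_impersonation permission in place; whether the directory accepts renaming an enabled permission in a single Set-AzureADApplication call is not visible here and is worth confirming. ConfigureApplications starts before and ends after this hunk.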
@@ -226,7 +301,7 @@ Function ConfigureApplications
226301 # Add Required Resources Access (from 'client' to 'service')
227302 Write-Host " Getting access from 'client' to 'service'"
228303 $requiredPermissions = GetRequiredPermissions - applicationDisplayName " TodoListService (active-directory-dotnet-native-aspnetcore-v2)" `
229- - requiredDelegatedPermissions " user_impersonation " `
304+ - requiredDelegatedPermissions " access_as_user " `
230305
231306 $requiredResourcesAccess.Add ($requiredPermissions )
232307
@@ -245,7 +320,7 @@ Function ConfigureApplications
245320 Write-Host " Updating the sample code ($configFile )"
246321 ReplaceSetting - configFilePath $configFile - key " ida:Tenant" - newValue $tenantName
247322 ReplaceSetting - configFilePath $configFile - key " ida:ClientId" - newValue $clientAadApplication.AppId
248- ReplaceSetting - configFilePath $configFile - key " todo:TodoListScope" - newValue (" api://" + $serviceAadApplication.AppId + " /user_impersonation " )
323+ ReplaceSetting - configFilePath $configFile - key " todo:TodoListScope" - newValue (" api://" + $serviceAadApplication.AppId + " /access_as_user " )
249324 ReplaceSetting - configFilePath $configFile - key " todo:TodoListBaseAddress" - newValue $serviceAadApplication.HomePage
250325 Write-Host " "
251326 Write-Host - ForegroundColor Green " ------------------------------------------------------------------------------------------------"
@@ -257,14 +332,17 @@ Function ConfigureApplications
257332 Write-Host " - For 'client'"
258333 Write-Host " - Navigate to '$clientPortalUrl '"
259334 Write-Host " - Navigate to the Manifest page and change 'signInAudience' to 'AzureADandPersonalMicrosoftAccount'." - ForegroundColor Red
335+
260336 Write-Host - ForegroundColor Green " ------------------------------------------------------------------------------------------------"
337+
261338 Add-Content - Value " </tbody></table></body></html>" - Path createdApps.html
262339}
263340
264341# Pre-requisites
265342if ((Get-Module - ListAvailable - Name " AzureAD" ) -eq $null ) {
266343 Install-Module " AzureAD" - Scope CurrentUser
267- }
344+ }
345+
268346Import-Module AzureAD
269347
270348# Run interactively (will ask you for the tenant ID)