Merge pull request #286 from shriramnat/master

shriramnat · web-flow · commit 13b772d303b3 · 2017-07-26T14:36:25.000-07:00
Fixing Multi Tenancy issues in Identity Module
diff --git a/Identity/AzureStack.Identity.psm1 b/Identity/AzureStack.Identity.psm1
@@ -345,11 +345,6 @@ function Register-AzsWithMyDirectoryTenant {
         [ValidateNotNullOrEmpty()]
         [string] $DirectoryTenantName,
 
-        # Optional: The identifier (GUID) of the Resource Manager application. Pass this parameter to skip the need to complete the guest signup flow via the portal.
-        [Parameter(Mandatory=$false)]
-        [ValidateNotNullOrEmpty()]
-        [string] $ResourceManagerApplicationId,
-
         # Optional: A credential used to authenticate with Azure Stack. Must support a non-interactive authentication flow. If not provided, the script will prompt for user credentials.
         [Parameter()]
         [ValidateNotNull()]
@@ -359,6 +354,9 @@ function Register-AzsWithMyDirectoryTenant {
     $ErrorActionPreference = 'Stop'
     $VerbosePreference = 'Continue'
 
+    # Get the Application of Resource Manager
+    $ResourceManagerApplicationId = $(Invoke-RestMethod "$TenantResourceManagerEndpoint/metadata/identity?api-version=2015-01-01").applicationId
+
     # Install-Module AzureRm -RequiredVersion '1.2.8'
     Import-Module 'AzureRm.Profile' -Force -Verbose:$false 4> $null
     Import-Module "$PSScriptRoot\GraphAPI\GraphAPI.psm1" -Force -Verbose:$false 4> $null
@@ -405,7 +403,7 @@ function Register-AzsWithMyDirectoryTenant {
         # Initialize the necessary tags for the registered application
         if ($applicationRegistration.tags)
         {
-            Update-GraphApplicationServicePrincipalTags -ApplicationId $applicationRegistration.appId -Tags $applicationRegistration.tags
+            Update-GraphApplicationServicePrincipalTag -ApplicationId $applicationRegistration.appId -Tags $applicationRegistration.tags
         }
 
         # Lookup the permission consent status for the application permissions (either to or from) that the registered application requires
diff --git a/Identity/README.md b/Identity/README.md
@@ -1,10 +1,4 @@
-// Place your settings in this file to overwrite the default settings
-{
-    "workbench.colorTheme": "Abyss"
-}nstall-Module -Name 'AzureRm.Bootstrapper' -Scope CurrentUser
-Install-AzureRmProfile -profile '2017-03-09-profile' -Force -Scope CurrentUser
-Install-Module -Name AzureStack -RequiredVersion 1.2.9 -Scope CurrentUser
-```
+Instructions below are relative to the .\Identity folder of the AzureStack-Tools repo.
 
 Then make sure the following modules are imported:
 
@@ -13,18 +7,7 @@ Import-Module ..\Connect\AzureStack.Connect.psm1
 Import-Module ..\Identity\AzureStack.Identity.psm1
 ```
 
-## Getting the directory tenant identifier from the Identity System
-
-This function is used to get the Directory Tenant Guid. This method works for both AAD and AD FS.
-
-```powershell
-$directoryTenantId = Get-AzsDirectoryTenantIdentifier -Authority "<DirectoryTenantUrl>"
-```
-
-An example of an authority for AAD is `https://login.windows.net/microsoft.onmicrosoft.com`
-and for AD FS is `https://adfs.local.azurestack.external/adfs`.
-
-## Creating a Service Principal in a disconnected (AD FS) topology
+# Creating a Service Principal in a disconnected (AD FS) topology
 
 You can create a Service Principal by executing the following command after importing the Identity module
 
@@ -38,17 +21,17 @@ After the Service Principal is created, you should open your Azure Stack Portal
 Add-AzureRmAccount -EnvironmentName "<AzureStackEnvironmentName>" -ServicePrincipal -CertificateThumbprint $servicePrincipal.Thumbprint -ApplicationId $servicePrincipal.ApplicationId -TenantId $directoryTenantId
 ```
 
-## Enabling AAD Multi-Tenancy in Azure Stack
+# Enabling AAD Multi-Tenancy in Azure Stack
 
 Allowing users and service principals from multiple AAD directory tenants to sign in and create resources on Azure Stack.
 There are two personas involved in implementing this scenario.
 
 1. The Administrator of the Azure Stack installation
 1. The Directory Tenant Administrator of the directory that needs to be onboarded to Azure Stack
 
-### Azure Stack Administrator
+## Azure Stack Administrator
 
-#### Step 1: Onboard the Guest Directory Tenant to Azure Stack
+### Step 1: Onboard the Guest Directory Tenant to Azure Stack
 
 This step will let Azure Resource manager know that it can accept users and service principals from the guest directory tenant.
 
@@ -65,16 +48,11 @@ Register-AzsGuestDirectoryTenant -AdminResourceManagerEndpoint $adminARMEndpoint
 
 With this step, the work of the Azure Stack administrator is done.
 
-### Guest Directory Tenant Administrator
+## Guest Directory Tenant Administrator
 
 The following steps need to be completed by the **Directory Tenant Administrator** of the directory that needs to be onboarded to Azure Stack.
 
-#### Step 2: Providing UI-based consent to Azure Stack Portal and ARM
-
-- This is an important step. Open up a web browser, and go to `https://portal.<region>.<domain>/guest/signup/<guestDirectoryName>`. Note that this is the directory tenant that needs to be onboarded to Azure Stack.
-- This will take you to an AAD sign in page where you need to enter your credentials and click on 'Accept' on the consent screen.
-
-#### Step 3: Registering Azure Stack applications with the Guest Directory
+### Step 2: Registering Azure Stack applications with the Guest Directory
 
 Execute the following cmdlet as the administrator of the directory that needs to be onboarded, replacing ```$guestDirectoryTenantName``` with your directory domain name
 
@@ -85,3 +63,14 @@ $guestDirectoryTenantName = "<guestDirectoryTenant>.onmicrosoft.com" # this is t
 Register-AzsWithMyDirectoryTenant -TenantResourceManagerEndpoint $tenantARMEndpoint `
     -DirectoryTenantName $guestDirectoryTenantName
 ```
+
+# Getting the directory tenant identifier from the Identity System
+
+This function is used to get the Directory Tenant Guid. This method works for both AAD and AD FS.
+
+```powershell
+$directoryTenantId = Get-AzsDirectoryTenantIdentifier -Authority "<DirectoryTenantUrl>"
+```
+
+An example of an authority for AAD is `https://login.windows.net/microsoft.onmicrosoft.com`
+and for AD FS is `https://adfs.local.azurestack.external/adfs`.
