Merge pull request #201910 from dlepow/msalv2

PRMerger18 · web-flow · commit 7b1a1c483296 · 2022-07-18T15:04:29.000-07:00
[APIM] MSALv2 in dev portal
diff --git a/articles/api-management/api-management-howto-aad-b2c.md b/articles/api-management/api-management-howto-aad-b2c.md
@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: how-to
-ms.date: 09/28/2021
+ms.date: 07/12/2022
 ms.author: danlep
 ---
 
@@ -18,6 +18,10 @@ Azure Active Directory B2C is a cloud identity management solution for consumer-
 
 In this tutorial, you'll learn the configuration required in your API Management service to integrate with Azure Active Directory B2C. As noted later in this article, if you are using the deprecated legacy developer portal, some steps will differ.
 
+> [!IMPORTANT]
+> * This article has been updated with steps to configure an Azure AD B2C app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)) v2.0. 
+> * If you previously configured an Azure AD B2C app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal).
+
 For information about enabling access to the developer portal by using classic Azure Active Directory, see [How to authorize developer accounts using Azure Active Directory](api-management-howto-aad.md).
 
 ## Prerequisites
@@ -47,7 +51,9 @@ In this section, you'll create a user flow in your Azure Active Directory B2C te
 
 1. In a separate [Azure portal](https://portal.azure.com) tab, navigate to your API Management instance.
 1. Under **Developer portal**, select **Identities** > **+ Add**.
-1. In the **Add identity provider** page, select **Azure Active Directory B2C**.
+1. In the **Add identity provider** page, select **Azure Active Directory B2C**. Once selected, you'll be able to enter other necessary information. 
+    * In the **Client library** dropdown, select **MSAL**.
+    * To add other settings, see steps later in the article.
 1. In the **Add identity provider** window, copy the **Redirect URL**.
 
     :::image type="content" source="media/api-management-howto-aad-b2c/b2c-identity-provider-redirect-url.png" alt-text="Copy redirect URL":::    
@@ -56,7 +62,7 @@ In this section, you'll create a user flow in your Azure Active Directory B2C te
 1. In the **Register an application** page, enter your application's registration information.
     * In the **Name** section, enter an application name of your choosing.
     * In the **Supported account types** section, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**. For more information, see [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application).
-    * In **Redirect URI**, enter the Redirect URL your copied from your API Management instance.
+    * In **Redirect URI**, select **Single-page application (SPA)** and paste the redirect URL you saved from a previous step.
     * In **Permissions**, select **Grant admin consent to openid and offline_access permissions.**
     * Select **Register** to create the application.
 
@@ -82,9 +88,27 @@ In this section, you'll create a user flow in your Azure Active Directory B2C te
 
          :::image type="content" source="media/api-management-howto-aad-b2c/add-identity-provider.png" alt-text="Active Directory B2c identity provider configuration":::
 1. After you've specified the desired configuration, select **Add**.
+1. Republish the developer portal for the Azure AD B2C configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**.
 
 After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.
 
+## Migrate to MSAL
+
+If you previously configured an Azure AD B2C app for user sign-in using the ADAL, you can use the portal to migrate the app to MSAL and update the identity provider in API Management.
+
+### Update Azure AD B2C app for MSAL compatibility
+
+For steps, see [Switch redirect URIs to the single-page application type](../active-directory/develop/migrate-spa-implicit-to-auth-code.md#switch-redirect-uris-to-spa-platform).
+
+### Update identity provider configuration
+
+1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**.
+1. Select **Azure Active Directory B2C** from the list.
+1. In the **Client library** dropdown, select **MSAL**.
+1. Select **Update**.
+1. [Republish your developer portal](api-management-howto-developer-portal-customize.md#publish-from-the-azure-portal).
+
+
 ## Developer portal - add Azure Active Directory B2C account authentication
 
 > [!IMPORTANT]
@@ -137,6 +161,7 @@ The **Sign-up form: OAuth** widget represents a form used for signing up with OA
 
 *  [Azure Active Directory B2C overview]
 *  [Azure Active Directory B2C: Extensible policy framework]
+* Learn more about [MSAL](../active-directory/develop/msal-overview.md) and [migrating to MSAL v2](../active-directory/develop/msal-migration.md)
 *  [Use a Microsoft account as an identity provider in Azure Active Directory B2C]
 *  [Use a Google account as an identity provider in Azure Active Directory B2C]
 *  [Use a LinkedIn account as an identity provider in Azure Active Directory B2C]
diff --git a/articles/api-management/api-management-howto-aad.md b/articles/api-management/api-management-howto-aad.md
@@ -6,7 +6,7 @@ description: Learn how to enable user sign-in to the API Management developer po
 author: dlepow
 ms.service: api-management
 ms.topic: article
-ms.date: 05/20/2022
+ms.date: 07/12/2022
 ms.author: danlep
 ---
 
@@ -17,6 +17,10 @@ In this article, you'll learn how to:
 > * Enable access to the developer portal for users from Azure Active Directory (Azure AD).
 > * Manage groups of Azure AD users by adding external groups that contain the users.
 
+> [!IMPORTANT]
+> * This article has been updated with steps to configure an Azure AD app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)). 
+> * If you previously configured an Azure AD app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal).
+
 ## Prerequisites
 
 - Complete the [Create an Azure API Management instance](get-started-create-service-instance.md) quickstart.
@@ -55,10 +59,9 @@ After the Azure AD provider is enabled:
 
 1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**.
 1. Select **+Add** from the top to open the **Add identity provider** pane to the right.
-1. Under **Type**, select **Azure Active Directory** from the drop-down menu.
-    * Once selected, you'll be able to enter other necessary information. 
-    * Information includes **Client ID** and **Client secret**. 
-    * See more information about these controls later in the article.
+1. Under **Type**, select **Azure Active Directory** from the drop-down menu. Once selected, you'll be able to enter other necessary information. 
+    * In the **Client library** dropdown, select **MSAL**.
+    * To add **Client ID** and **Client secret**, see steps later in the article.
 1. Save the **Redirect URL** for later.
     
     :::image type="content" source="media/api-management-howto-aad/api-management-with-aad001.png" alt-text="Screenshot of adding identity provider in Azure portal.":::
@@ -75,14 +78,14 @@ After the Azure AD provider is enabled:
 1. Select **New registration**. On the **Register an application** page, set the values as follows:
     
     * Set **Name** to a meaningful name such as *developer-portal*
-    * Set **Supported account types** to **Accounts in this organizational directory only**. 
-    * In **Redirect URI**, select **Web** and paste the redirect URL you saved from a previous step. 
+    * Set **Supported account types** to **Accounts in any organizational directory**. 
+    * In **Redirect URI**, select **Single-page application (SPA)** and paste the redirect URL you saved from a previous step. 
     * Select **Register**. 
 
 1.  After you've registered the application, copy the **Application (client) ID** from the **Overview** page. 
 1. Switch to the browser tab with your API Management instance. 
 1. In the **Add identity provider** window, paste the **Application (client) ID** value into the **Client ID** box.
-1. Switch to the browser tab with the App Registration.
+1. Switch to the browser tab with the App registration.
 1. Select the appropriate app registration.
 1. Under the **Manage** section of the side menu, select **Certificates & secrets**. 
 1. From the **Certificates & secrets** page, select the **New client secret** button under **Client secrets**. 
@@ -122,6 +125,23 @@ After the Azure AD provider is enabled:
 * Optionally configure other sign-in settings by selecting **Identities** > **Settings**. For example, you might want to redirect anonymous users to the sign-in page.
 * Republish the developer portal after any configuration change.
 
+## Migrate to MSAL
+
+If you previously configured an Azure AD app for user sign-in using the ADAL, you can use the portal to migrate the app to MSAL and update the identity provider in API Management.
+
+### Update Azure AD app for MSAL compatibility
+
+For steps, see [Switch redirect URIs to the single-page application type](../active-directory/develop/migrate-spa-implicit-to-auth-code.md#switch-redirect-uris-to-spa-platform).
+
+### Update identity provider configuration
+
+1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**.
+1. Select **Azure Active Directory** from the list.
+1. In the **Client library** dropdown, select **MSAL**.
+1. Select **Update**.
+1. [Republish your developer portal](api-management-howto-developer-portal-customize.md#publish-from-the-azure-portal).
+
+
 ## Add an external Azure AD group
 
 Now that you've enabled access for users in an Azure AD tenant, you can:
@@ -135,9 +155,9 @@ Follow these steps to grant:
 1. Update the first 3 lines of the following Azure CLI script to match your environment and run it.
 
    ```azurecli
-   $subId = "Your Azure subscription ID" #e.g. "1fb8fadf-03a3-4253-8993-65391f432d3a"
-   $tenantId = "Your Azure AD Tenant or Organization ID" #e.g. 0e054eb4-e5d0-43b8-ba1e-d7b5156f6da8"
-   $appObjectID = "Application Object ID that has been registered in AAD" #e.g. "2215b54a-df84-453f-b4db-ae079c0d2619"
+   $subId = "Your Azure subscription ID" # Example: "1fb8fadf-03a3-4253-8993-65391f432d3a"
+   $tenantId = "Your Azure AD Tenant or Organization ID" # Example: 0e054eb4-e5d0-43b8-ba1e-d7b5156f6da8"
+   $appObjectID = "Application Object ID that has been registered in AAD" # Example: "2215b54a-df84-453f-b4db-ae079c0d2619"
    #Login and Set the Subscription
    az login
    az account set --subscription $subId
@@ -210,10 +230,8 @@ Your user is now signed in to the developer portal for your API Management servi
 
 ## Next Steps
 
-- Learn how to [Protect your web API backend in API Management by using OAuth 2.0 authorization with Azure AD](./api-management-howto-protect-backend-with-aad.md)
 - Learn more about [Azure Active Directory and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).
-- Check out more [videos](https://azure.microsoft.com/documentation/videos/index/?services=api-management) about API Management.
-- For other ways to secure your back-end service, see [Mutual Certificate authentication](./api-management-howto-mutual-certificates.md).
+- Learn more about [MSAL](../active-directory/develop/msal-overview.md) and [migrating to MSAL](../active-directory/develop/msal-migration.md).
 - [Create an API Management service instance](./get-started-create-service-instance.md).
 - [Manage your first API](./import-and-publish.md).
 
