fixed bug for readme and added app permissions

Author: aremo-ms

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/Configure.ps1

@@ -205,6 +205,14 @@ Function ConfigureApplications
         Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($serviceServicePrincipal.DisplayName)'"
     }
 
+    # Add application permissions/user roles
+    $appRoles = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]
+    $newRole = CreateAppRole -types "Application" -name "ToDoList.Read.All" -description "Application can only read ToDo list"
+    $appRoles.Add($newRole)
+    $newRole = CreateAppRole -types "Application" -name "ToDoList.ReadWrite.All" -description "Application can read and write into ToDo list"
+    $appRoles.Add($newRole)
+    Update-MgApplication -ApplicationId $serviceAadApplication.Id -AppRoles $appRoles
+    
     # rename the user_impersonation scope if it exists to match the readme steps or add a new scope
 
     # delete default scope i.e. User_impersonation
@@ -228,14 +236,21 @@ Function ConfigureApplications
     -userConsentDisplayName "Access TodoListService-aspnetcore-webapi"  `
     -userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf."  `
     -adminConsentDisplayName "Access TodoListService-aspnetcore-webapi"  `
-    -adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of the signed-in user."
+    -adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"
 
     $scopes.Add($scope)
     $scope = CreateScope -value ToDoList.Write  `
     -userConsentDisplayName "Access TodoListService-aspnetcore-webapi"  `
     -userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf."  `
     -adminConsentDisplayName "Access TodoListService-aspnetcore-webapi"  `
-    -adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of the signed-in user."
+    -adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"
+            
+    $scopes.Add($scope)
+    $scope = CreateScope -value ToDoList.ReadWrite  `
+    -userConsentDisplayName "Access TodoListService-aspnetcore-webapi"  `
+    -userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf."  `
+    -adminConsentDisplayName "Access TodoListService-aspnetcore-webapi"  `
+    -adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"
 
     $scopes.Add($scope)
 
@@ -262,10 +277,13 @@ Function ConfigureApplications
                                                           RedirectUris = "https://localhost:44321/", "https://localhost:44321/signin-oidc"; `
                                                           HomePageUrl = "https://localhost:44321/"; `
                                                           LogoutUrl = "https://localhost:44321/signout-oidc"; `
+                                                          ImplicitGrantSettings = @{ `
+                                                              EnableAccessTokenIssuance=$true; `
+                                                          } `
                                                         } `
                                                        -SignInAudience AzureADMyOrg `
                                                       #end of command
-    #add password to the application
+    #add a secret to the application
     $pwdCredential = Add-MgApplicationPassword -ApplicationId $clientAadApplication.Id -PasswordCredential $key
     $clientAppKey = $pwdCredential.SecretText
     $tenantName = (Get-MgApplication -ApplicationId $clientAadApplication.Id).PublisherDomain
@@ -345,7 +363,7 @@ Function ConfigureApplications
 
     # Update config file for 'client'
     $configFile = $pwd.Path + "\..\Client\appsettings.json"
-    $dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"KeyVaultCertificateName" = $certificateName;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.Write";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
+    $dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"KeyVaultCertificateName" = $certificateName;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.Write api://$($serviceAadApplication.AppId)/ToDoList.ReadWrite";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
 
     Write-Host "Updating the sample code ($configFile)"
 

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/sample.json

@@ -94,19 +94,19 @@
         "SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
         "ProjectDirectory": "\\TodoListService"
       },
-      "Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ]
-      //"AppRoles": [
-      //  {
-      //    "Types": [ "Application" ],
-      //    "Name": "ToDoList.Read.All",
-      //    "Description": "Application can only read ToDo list"
-      //  },
-      //  {
-      //    "Types": [ "Application" ],
-      //    "Name": "ToDoList.ReadWrite.All",
-      //    "Description": "Application can read and write into ToDo list"
-      //  }
-      //]
+      "Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ],
+      "AppRoles": [
+        {
+          "Types": [ "Application" ],
+          "Name": "ToDoList.Read.All",
+          "Description": "Application can only read ToDo list"
+        },
+        {
+          "Types": [ "Application" ],
+          "Name": "ToDoList.ReadWrite.All",
+          "Description": "Application can read and write into ToDo list"
+        }
+      ]
     },
     {
       "Id": "client",

4-WebApp-your-API/4-1-MyOrg/README.md

@@ -144,12 +144,24 @@ Follow the steps below for manually register and configure your apps
         - For **User consent description** type `Allow the application to [ex, Read ToDo list items] as the signed-in user on your behalf.`
           * Keep **State** as **Enabled**.
           * Select the **Add scope** button on the bottom to save this scope.
-     > Repeat the steps above for scope **ToDoList.Write**
+     > Repeat the steps above for scope **ToDoList.ReadWrite**
 
   1. Select the `Manifest` blade on the left.
      * Set `accessTokenAcceptedVersion` property to **2**.
      * Click on **Save**.
 
+##### Define Application Permissions
+
+  1. Still on the same app registration, select the **App roles** blade to the left.
+  1. Select **Create app role**:
+     * For **Display name**, enter a suitable name, for instance **ToDoList.Read.All**.
+     * For **Allowed member types**, choose **Application**.
+     * For **Value**, enter **ToDoList.Read.All**.
+     * For **Description**, enter **Application can only read ToDo list**.
+     > Repeat the steps above for permission **ToDoList.ReadWrite.All**
+
+  1. Select **Apply** to save your changes. 
+
 ##### Configure the service app (TodoListService-aspnetcore-webapi) to use your app registration
 
   Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.
@@ -177,6 +189,7 @@ Follow the steps below for manually register and configure your apps
     1. `https://localhost:44321/signin-oidc`
 
   1. In the **Front-channel logout URL** section, set it to `https://localhost:44321/signout-oidc`.
+  1. In the **Implicit grant and hybrid flows** section, check the **Access tokens (used for implicit flows)** option.
   1. Click **Save** to save your changes.
   1. In the app's registration screen, select the **Certificates & secrets** blade in the left to open the page where you can generate secrets and upload certificates.
   1. In the **Client secrets** section, select **New client secret**:
@@ -191,7 +204,7 @@ Follow the steps below for manually register and configure your apps
       * Select the **Add a permission** button and then,
       * Ensure that the **My APIs** tab is selected.
       * In the list of APIs, select the API `TodoListService-aspnetcore-webapi`.
-      * In the **Delegated permissions** section, select the **ToDoList.Read**, **ToDoList.Write** in the list. Use the search box if necessary.
+      * In the **Delegated permissions** section, select the **ToDoList.Read**, **ToDoList.ReadWrite** in the list. Use the search box if necessary.
       * Select the **Add permissions** button at the bottom.
 
 ##### Configure the client app (TodoListClient-aspnetcore-webapi) to use your app registration
@@ -205,7 +218,7 @@ Follow the steps below for manually register and configure your apps
   1. Find the key `TenantId` and replace the existing value with your Azure AD tenant ID.
   1. Find the key `ClientId` and replace the existing value with the application ID (clientId) of `TodoListClient-aspnetcore-webapi` app copied from the Azure portal.
   1. Find the key `ClientSecret` and replace the existing value with the key you saved during the creation of `TodoListClient-aspnetcore-webapi` copied from the Azure portal.
-  1. Find the key `TodoListScopes` and replace the existing value with **"api://<your_service_api_client_id>/ToDoList.Read api://<your_service_api_client_id>/ToDoList.Write"**.
+  1. Find the key `TodoListScopes` and replace the existing value with **"api://<your_service_api_client_id>/ToDoList.Read api://<your_service_api_client_id>/ToDoList.ReadWrite"**.
   1. Find the key `TodoListBaseAddress` and replace the existing value with the base address of `TodoListService-aspnetcore-webapi` (by default `https://localhost:44351`).
 </details>