
Commit 55e3a1c

committed
fixed bug for readme and added app permissions
1 parent fd8ba1a commit 55e3a1c


3 files changed

+51
-20
lines changed


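--- a/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/Configure.ps1
+++ b/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/Configure.ps1
@@ -205,6 +205,14 @@ Function ConfigureApplications
 Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($serviceServicePrincipal.DisplayName)'"
 }
 
+# Add application permissions/user roles
+$appRoles = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]
+$newRole = CreateAppRole -types "Application" -name "ToDoList.Read.All" -description "Application can only read ToDo list"
+$appRoles.Add($newRole)
+$newRole = CreateAppRole -types "Application" -name "ToDoList.ReadWrite.All" -description "Application can read and write into ToDo list"
+$appRoles.Add($newRole)
+Update-MgApplication -ApplicationId $serviceAadApplication.Id -AppRoles $appRoles
+
 # rename the user_impersonation scope if it exists to match the readme steps or add a new scope
 
 # delete default scope i.e. User_impersonation
@@ -228,14 +236,21 @@ Function ConfigureApplications
 -userConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
 -userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf." `
 -adminConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
--adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of the signed-in user."
+-adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"
 
 $scopes.Add($scope)
 $scope = CreateScope -value ToDoList.Write `
 -userConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
 -userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf." `
 -adminConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
--adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of the signed-in user."
+-adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"
+
+$scopes.Add($scope)
+$scope = CreateScope -value ToDoList.ReadWrite `
+-userConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
+-userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf." `
+-adminConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
+-adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"
 
 $scopes.Add($scope)
 
@@ -262,10 +277,13 @@ Function ConfigureApplications
 RedirectUris = "https://localhost:44321/", "https://localhost:44321/signin-oidc"; `
 HomePageUrl = "https://localhost:44321/"; `
 LogoutUrl = "https://localhost:44321/signout-oidc"; `
+ImplicitGrantSettings = @{ `
+EnableAccessTokenIssuance=$true; `
+} `
 } `
 -SignInAudience AzureADMyOrg `
 #end of command
-#add password to the application
+#add a secret to the application
 $pwdCredential = Add-MgApplicationPassword -ApplicationId $clientAadApplication.Id -PasswordCredential $key
 $clientAppKey = $pwdCredential.SecretText
 $tenantName = (Get-MgApplication -ApplicationId $clientAadApplication.Id).PublisherDomain
@@ -345,7 +363,7 @@ Function ConfigureApplications
 
 # Update config file for 'client'
 $configFile = $pwd.Path + "\..\Client\appsettings.json"
-$dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"KeyVaultCertificateName" = $certificateName;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.Write";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
+$dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"KeyVaultCertificateName" = $certificateName;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.Write api://$($serviceAadApplication.AppId)/ToDoList.ReadWrite";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
 
 Write-Host "Updating the sample code ($configFile)"
 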
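Review bot: `ImplicitGrantSettings = @{ EnableAccessTokenIssuance=$true }` in the third hunk switches on implicit-flow access-token issuance for the client app, which is a confidential client (it receives a secret two lines later via `Add-MgApplicationPassword`) and whose redirect/logout URIs describe the authorization-code `signin-oidc` flow; implicit tokens are returned in the URL fragment without client authentication, so unless the sample genuinely consumes an implicit or hybrid access token this setting (and the matching README step) should be removed. If it is required, the reason belongs in a comment above the block, e.g. `# Implicit access-token issuance is required because <REASON-PLACEHOLDER>`. Separately, the second and fourth hunks keep the `ToDoList.Write` scope and still request `api://.../ToDoList.Write` in TodoListScopes, while sample.json and the README in this commit now list only ToDoList.Read and ToDoList.ReadWrite; the client should request only the scopes the API documents, so either drop the `$scope = CreateScope -value ToDoList.Write` block and the Write entry or add Write back to the other two files. The ConfigureApplications function starts and ends outside these hunks.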

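--- a/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/sample.json
+++ b/4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/sample.json
@@ -94,19 +94,19 @@
 "SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
 "ProjectDirectory": "\\TodoListService"
 },
-"Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ]
-//"AppRoles": [
-// {
-// "Types": [ "Application" ],
-// "Name": "ToDoList.Read.All",
-// "Description": "Application can only read ToDo list"
-// },
-// {
-// "Types": [ "Application" ],
-// "Name": "ToDoList.ReadWrite.All",
-// "Description": "Application can read and write into ToDo list"
-// }
-//]
+"Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ],
+"AppRoles": [
+{
+"Types": [ "Application" ],
+"Name": "ToDoList.Read.All",
+"Description": "Application can only read ToDo list"
+},
+{
+"Types": [ "Application" ],
+"Name": "ToDoList.ReadWrite.All",
+"Description": "Application can read and write into ToDo list"
+}
+]
 },
 {
 "Id": "client",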

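--- a/4-WebApp-your-API/4-1-MyOrg/README.md
+++ b/4-WebApp-your-API/4-1-MyOrg/README.md
@@ -144,12 +144,24 @@ Follow the steps below for manually register and configure your apps
 - For **User consent description** type `Allow the application to [ex, Read ToDo list items] as the signed-in user on your behalf.`
 * Keep **State** as **Enabled**.
 * Select the **Add scope** button on the bottom to save this scope.
-> Repeat the steps above for scope **ToDoList.Write**
+> Repeat the steps above for scope **ToDoList.ReadWrite**
 
 1. Select the `Manifest` blade on the left.
 * Set `accessTokenAcceptedVersion` property to **2**.
 * Click on **Save**.
 
+##### Define Application Permissions
+
+1. Still on the same app registration, select the **App roles** blade to the left.
+1. Select **Create app role**:
+* For **Display name**, enter a suitable name, for instance **ToDoList.Read.All**.
+* For **Allowed member types**, choose **Application**.
+* For **Value**, enter **ToDoList.Read.All**.
+* For **Description**, enter **Application can only read ToDo list**.
+> Repeat the steps above for permission **ToDoList.ReadWrite.All**
+
+1. Select **Apply** to save your changes.
+
 ##### Configure the service app (TodoListService-aspnetcore-webapi) to use your app registration
 
 Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.
@@ -177,6 +189,7 @@ Follow the steps below for manually register and configure your apps
 1. `https://localhost:44321/signin-oidc`
 
 1. In the **Front-channel logout URL** section, set it to `https://localhost:44321/signout-oidc`.
+1. In the **Implicit grant and hybrid flows** section, check the **Access tokens (used for implicit flows)** option.
 1. Click **Save** to save your changes.
 1. In the app's registration screen, select the **Certificates & secrets** blade in the left to open the page where you can generate secrets and upload certificates.
 1. In the **Client secrets** section, select **New client secret**:
@@ -191,7 +204,7 @@ Follow the steps below for manually register and configure your apps
 * Select the **Add a permission** button and then,
 * Ensure that the **My APIs** tab is selected.
 * In the list of APIs, select the API `TodoListService-aspnetcore-webapi`.
-* In the **Delegated permissions** section, select the **ToDoList.Read**, **ToDoList.Write** in the list. Use the search box if necessary.
+* In the **Delegated permissions** section, select the **ToDoList.Read**, **ToDoList.ReadWrite** in the list. Use the search box if necessary.
 * Select the **Add permissions** button at the bottom.
 
 ##### Configure the client app (TodoListClient-aspnetcore-webapi) to use your app registration
@@ -205,7 +218,7 @@ Follow the steps below for manually register and configure your apps
 1. Find the key `TenantId` and replace the existing value with your Azure AD tenant ID.
 1. Find the key `ClientId` and replace the existing value with the application ID (clientId) of `TodoListClient-aspnetcore-webapi` app copied from the Azure portal.
 1. Find the key `ClientSecret` and replace the existing value with the key you saved during the creation of `TodoListClient-aspnetcore-webapi` copied from the Azure portal.
-1. Find the key `TodoListScopes` and replace the existing value with **"api://<your_service_api_client_id>/ToDoList.Read api://<your_service_api_client_id>/ToDoList.Write"**.
+1. Find the key `TodoListScopes` and replace the existing value with **"api://<your_service_api_client_id>/ToDoList.Read api://<your_service_api_client_id>/ToDoList.ReadWrite"**.
 1. Find the key `TodoListBaseAddress` and replace the existing value with the base address of `TodoListService-aspnetcore-webapi` (by default `https://localhost:44351`).
 </details>
 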
