Minor edits after architect review

Author: Kalyan Krishna

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/Cleanup.ps1

@@ -38,15 +38,17 @@ Function Cleanup
     Write-Host "Removing 'service' (TodoListService-aspnetcore-webapi) if needed"
     try
     {
-        Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'"  | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
+        Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
     }
     catch
     {
-        Write-Host "Unable to remove the application 'TodoListService-aspnetcore-webapi' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
+        $message = $_
+        Write-Warning $Error[0]
+        Write-Host "Unable to remove the application 'TodoListService-aspnetcore-webapi'. Error is $message. Try deleting manually." -ForegroundColor White -BackgroundColor Red
     }
 
     Write-Host "Making sure there are no more (TodoListService-aspnetcore-webapi) applications found, will remove if needed..."
-    $apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'"
+    $apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain
 
     if ($apps)
     {
@@ -62,24 +64,28 @@ Function Cleanup
     # also remove service principals of this app
     try
     {
-        Get-MgServicePrincipal -filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ApplicationId $_.Id -Confirm:$false}
+        Get-MgServicePrincipal -filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ServicePrincipalId $_.Id -Confirm:$false}
     }
     catch
     {
-        Write-Host "Unable to remove ServicePrincipal 'TodoListService-aspnetcore-webapi' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
+        $message = $_
+        Write-Warning $Error[0]
+        Write-Host "Unable to remove ServicePrincipal 'TodoListService-aspnetcore-webapi'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
     }
     Write-Host "Removing 'client' (TodoListClient-aspnetcore-webapi) if needed"
     try
     {
-        Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'"  | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
+        Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
     }
     catch
     {
-        Write-Host "Unable to remove the application 'TodoListClient-aspnetcore-webapi' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
+        $message = $_
+        Write-Warning $Error[0]
+        Write-Host "Unable to remove the application 'TodoListClient-aspnetcore-webapi'. Error is $message. Try deleting manually." -ForegroundColor White -BackgroundColor Red
     }
 
     Write-Host "Making sure there are no more (TodoListClient-aspnetcore-webapi) applications found, will remove if needed..."
-    $apps = Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'"
+    $apps = Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain
 
     if ($apps)
     {
@@ -95,11 +101,13 @@ Function Cleanup
     # also remove service principals of this app
     try
     {
-        Get-MgServicePrincipal -filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ApplicationId $_.Id -Confirm:$false}
+        Get-MgServicePrincipal -filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ServicePrincipalId $_.Id -Confirm:$false}
     }
     catch
     {
-        Write-Host "Unable to remove ServicePrincipal 'TodoListClient-aspnetcore-webapi' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
+        $message = $_
+        Write-Warning $Error[0]
+        Write-Host "Unable to remove ServicePrincipal 'TodoListClient-aspnetcore-webapi'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
     }
      # remove self-signed certificate
      Write-Host "Removing CN=TodoListClient-aspnetcore-webapi certificate from Cert:/CurrentUser/My"

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/Configure.ps1

@@ -358,27 +358,37 @@ Function ConfigureApplications
 
     # Add Required Resources Access (from 'client' to 'service')
     Write-Host "Getting access from 'client' to 'service'"
-    $requiredPermissions = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
+    $requiredPermission = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
         -requiredDelegatedPermissions "ToDoList.Read|ToDoList.ReadWrite" `
-    
 
-    $requiredResourcesAccess.Add($requiredPermissions)
+    $requiredResourcesAccess.Add($requiredPermission)
     Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
     Write-Host "Granted permissions."
+
+    Write-Host "Successfully registered and configured that app registration for 'TodoListClient-aspnetcore-webapi' at" -ForegroundColor Green
+
+    # print the registered app portal URL for any further navigation
+    $clientPortalUrl
 
     # Update config file for 'service'
-    $configFile = $pwd.Path + "\..\TodoListService\appsettings.json"
+    # $configFile = $pwd.Path + "\..\TodoListService\appsettings.json"
+    $configFile = $(Resolve-Path ($pwd.Path + "\..\TodoListService\appsettings.json"))
+    
     $dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $serviceAadApplication.AppId };
 
-    Write-Host "Updating the sample code ($configFile)"
+    Write-Host "Updating the sample config '$configFile' with the following config values"
+    $dictionary
 
     UpdateTextFile -configFilePath $configFile -dictionary $dictionary
 
     # Update config file for 'client'
-    $configFile = $pwd.Path + "\..\Client\appsettings.json"
+    # $configFile = $pwd.Path + "\..\Client\appsettings.json"
+    $configFile = $(Resolve-Path ($pwd.Path + "\..\Client\appsettings.json"))
+    
     $dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"KeyVaultCertificateName" = $certificateName;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.ReadWrite";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
 
-    Write-Host "Updating the sample code ($configFile)"
+    Write-Host "Updating the sample config '$configFile' with the following config values"
+    $dictionary
 
     UpdateTextFile -configFilePath $configFile -dictionary $dictionary
     Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
@@ -410,7 +420,16 @@ Add-Content -Value "<thead><tr><th>Application</th><th>AppId</th><th>Url in the
 $ErrorActionPreference = "Stop"
 
 # Run interactively (will ask you for the tenant ID)
-ConfigureApplications -tenantId $tenantId -environment $azureEnvironmentName
 
+try
+{
+    ConfigureApplications -tenantId $tenantId -environment $azureEnvironmentName
+}
+catch
+{
+    $message = $_
+    Write-Warning $Error[0]
+    Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
+}
 Write-Host "Disconnecting from tenant"
 Disconnect-MgGraph

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/sample.json

@@ -9,7 +9,8 @@
     "Endpoint": "AAD v2.0",
     "Description": "This sample demonstrates an ASP.NET Core client Web App calling an ASP.NET Core Web API that is secured using Azure AD.",
     "Languages": [ "csharp" ],
-    "Products": [ "aspnet-core", "azure-active-directory" ]
+    "Products": [ "aspnet-core", "azure-active-directory" ],
+    "Platform": "AspNetCore"
   },
 
   /*
@@ -127,7 +128,7 @@
       "OptionalClaims": {
         "IdTokenClaims": [ "acct" ]
       },
-      "Certificate":"the name will be assigned automatically by PowerShell script and it will be equal to the Application name",
+      "Certificate": "the name will be assigned automatically by PowerShell script and it will be equal to the Application name",
       "ManualSteps": [],
       "Sample": {
         "SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Cleanup.ps1

@@ -38,15 +38,17 @@ Function Cleanup
     Write-Host "Removing 'service' (TodoListService-aspnetcore-webapi) if needed"
     try
     {
-        Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'"  | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
+        Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
     }
     catch
     {
-        Write-Host "Unable to remove the application 'TodoListService-aspnetcore-webapi' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
+        $message = $_
+        Write-Warning $Error[0]
+        Write-Host "Unable to remove the application 'TodoListService-aspnetcore-webapi'. Error is $message. Try deleting manually." -ForegroundColor White -BackgroundColor Red
     }
 
     Write-Host "Making sure there are no more (TodoListService-aspnetcore-webapi) applications found, will remove if needed..."
-    $apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'"
+    $apps = Get-MgApplication -Filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain
 
     if ($apps)
     {
@@ -62,24 +64,28 @@ Function Cleanup
     # also remove service principals of this app
     try
     {
-        Get-MgServicePrincipal -filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ApplicationId $_.Id -Confirm:$false}
+        Get-MgServicePrincipal -filter "DisplayName eq 'TodoListService-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ServicePrincipalId $_.Id -Confirm:$false}
     }
     catch
     {
-        Write-Host "Unable to remove ServicePrincipal 'TodoListService-aspnetcore-webapi' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
+        $message = $_
+        Write-Warning $Error[0]
+        Write-Host "Unable to remove ServicePrincipal 'TodoListService-aspnetcore-webapi'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
     }
     Write-Host "Removing 'client' (TodoListClient-aspnetcore-webapi) if needed"
     try
     {
-        Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'"  | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
+        Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgApplication -ApplicationId $_.Id }
     }
     catch
     {
-        Write-Host "Unable to remove the application 'TodoListClient-aspnetcore-webapi' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
+        $message = $_
+        Write-Warning $Error[0]
+        Write-Host "Unable to remove the application 'TodoListClient-aspnetcore-webapi'. Error is $message. Try deleting manually." -ForegroundColor White -BackgroundColor Red
     }
 
     Write-Host "Making sure there are no more (TodoListClient-aspnetcore-webapi) applications found, will remove if needed..."
-    $apps = Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'"
+    $apps = Get-MgApplication -Filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | Format-List Id, DisplayName, AppId, SignInAudience, PublisherDomain
 
     if ($apps)
     {
@@ -95,11 +101,13 @@ Function Cleanup
     # also remove service principals of this app
     try
     {
-        Get-MgServicePrincipal -filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ApplicationId $_.Id -Confirm:$false}
+        Get-MgServicePrincipal -filter "DisplayName eq 'TodoListClient-aspnetcore-webapi'" | ForEach-Object {Remove-MgServicePrincipal -ServicePrincipalId $_.Id -Confirm:$false}
     }
     catch
     {
-        Write-Host "Unable to remove ServicePrincipal 'TodoListClient-aspnetcore-webapi' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
+        $message = $_
+        Write-Warning $Error[0]
+        Write-Host "Unable to remove ServicePrincipal 'TodoListClient-aspnetcore-webapi'. Error is $message. Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
     }
 }
 

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/Configure.ps1

@@ -348,27 +348,37 @@ Function ConfigureApplications
 
     # Add Required Resources Access (from 'client' to 'service')
     Write-Host "Getting access from 'client' to 'service'"
-    $requiredPermissions = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
+    $requiredPermission = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
         -requiredDelegatedPermissions "ToDoList.Read|ToDoList.ReadWrite" `
-    
 
-    $requiredResourcesAccess.Add($requiredPermissions)
+    $requiredResourcesAccess.Add($requiredPermission)
     Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
     Write-Host "Granted permissions."
+
+    Write-Host "Successfully registered and configured that app registration for 'TodoListClient-aspnetcore-webapi' at" -ForegroundColor Green
+
+    # print the registered app portal URL for any further navigation
+    $clientPortalUrl
 
     # Update config file for 'service'
-    $configFile = $pwd.Path + "\..\TodoListService\appsettings.json"
+    # $configFile = $pwd.Path + "\..\TodoListService\appsettings.json"
+    $configFile = $(Resolve-Path ($pwd.Path + "\..\TodoListService\appsettings.json"))
+    
     $dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $serviceAadApplication.AppId };
 
-    Write-Host "Updating the sample code ($configFile)"
+    Write-Host "Updating the sample config '$configFile' with the following config values"
+    $dictionary
 
     UpdateTextFile -configFilePath $configFile -dictionary $dictionary
 
     # Update config file for 'client'
-    $configFile = $pwd.Path + "\..\Client\appsettings.json"
+    # $configFile = $pwd.Path + "\..\Client\appsettings.json"
+    $configFile = $(Resolve-Path ($pwd.Path + "\..\Client\appsettings.json"))
+    
     $dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"ClientSecret" = $pwdCredential.SecretText;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.ReadWrite";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
 
-    Write-Host "Updating the sample code ($configFile)"
+    Write-Host "Updating the sample config '$configFile' with the following config values"
+    $dictionary
 
     UpdateTextFile -configFilePath $configFile -dictionary $dictionary
     Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
@@ -400,7 +410,16 @@ Add-Content -Value "<thead><tr><th>Application</th><th>AppId</th><th>Url in the
 $ErrorActionPreference = "Stop"
 
 # Run interactively (will ask you for the tenant ID)
-ConfigureApplications -tenantId $tenantId -environment $azureEnvironmentName
 
+try
+{
+    ConfigureApplications -tenantId $tenantId -environment $azureEnvironmentName
+}
+catch
+{
+    $message = $_
+    Write-Warning $Error[0]
+    Write-Host "Unable to register apps. Error is $message." -ForegroundColor White -BackgroundColor Red
+}
 Write-Host "Disconnecting from tenant"
 Disconnect-MgGraph

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/sample.json

@@ -10,7 +10,8 @@
     "Description": "This sample demonstrates an ASP.NET Core Web App signing-in a user and calling an ASP.NET Core Web API that is secured with Azure AD.",
     "Languages": [ "csharp" ],
     "Products": [ "aspnet-core", "azure-active-directory" ],
-    "Library":["Microsoft.Identity.Web"]
+    "Library": [ "Microsoft.Identity.Web" ],
+    "Platform": "AspNetCore"
   },
 
   /*

4-WebApp-your-API/4-1-MyOrg/README.md

@@ -300,9 +300,11 @@ To provide a recommendation, visit the following [User Voice page](https://feedb
     * `AddMicrosoftIdentityWebApiAuthentication()` protects the Web API by [validating Access tokens](https://docs.microsoft.com/azure/active-directory/develop/access-tokens#validating-tokens) sent tho this API. Check out [Protected web API: Code configuration](https://docs.microsoft.com/azure/active-directory/develop/scenario-protected-web-api-app-configuration) which explains the inner workings of this method in more detail.
 
     * There is a bit of code (commented) provided under this method that can be used to used do **extended token validation** and do checks based on additional claims, such as:
-      * check if the client app's appid (azp) is in some sort of an allowed  list via the 'azp' claim, in case you wanted to restrict the API to a list of client apps.
-      * check if the caller's account is homed or guest via the 'acct' optional claim
-      * check if the caller belongs to right roles or groups via the 'roles' or 'groups' claim, respectively
+      * check if the client app's `appid (azp)` is in some sort of an allowed  list via the 'azp' claim, in case you wanted to restrict the API to a list of client apps.
+      * check if the caller's account is homed or guest via the `acct` optional claim
+      * check if the caller belongs to right roles or groups via the `roles` or `groups` claim, respectively
+
+    See [How to manually validate a JWT access token using the Microsoft identity platform](https://aka.ms/extendtokenvalidation) for more details on to further verify the caller using this method.
 
 1. Then in the controllers `TodoListController.cs`, the `[Authorize]` added on top of the class to protect this route.
     * Further in the controller, the [RequiredScopeOrAppPermission](https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#checking-for-scopes-or-app-permissions=) is used to list the ([Delegated permissions](https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent)), that the user should consent for, before the method can be called.