
Task 1924572 Sample 4-1 basher update #602


Status: Merged (69 commits), Aug 26, 2022
Diff shown below: changes from 9 of the 69 commits

Commits:
2599ef8 updated readme and ps1 with new wording (aremo-ms, Jun 3, 2022)
7289a0d Added BASHER logic to Service controller and made some refactoring (aremo-ms, Jun 8, 2022)
3b794e6 update (aremo-ms, Jun 8, 2022)
fd8ba1a changed to getting Owner as Object Id (aremo-ms, Jun 9, 2022)
55e3a1c fixed bug for readme and added app permissions (aremo-ms, Jun 13, 2022)
6f2465f some review comments were addressed (aremo-ms, Jun 23, 2022)
6a8c470 updated README and configure.ps1 (aremo-ms, Jun 30, 2022)
06cce15 replaced Newtonsoft by JsonSerializer (aremo-ms, Jun 30, 2022)
56ac49c addressed most of comments. The last thing to address is token valida… (aremo-ms, Jul 11, 2022)
a57b73e comments addressed (aremo-ms, Jul 12, 2022)
cd33fce Added tenant validation on Service (aremo-ms, Jul 13, 2022)
a2bd757 Kalyan's edits to polish the code and readme (kalyankrishna1, Jul 14, 2022)
dff53f9 merge fixed (kalyankrishna1, Jul 14, 2022)
148968e extended token validation code (kalyankrishna1, Jul 14, 2022)
8a9f3bc extended token validation code discussed (kalyankrishna1, Jul 14, 2022)
516b438 secrets accidentally added, secrets removed (kalyankrishna1, Jul 14, 2022)
bab24f2 removed a bunch of redundant files (kalyankrishna1, Jul 14, 2022)
6f8dc6c empty but shows changed ! (kalyankrishna1, Jul 14, 2022)
f866d5a added optional claim (aremo-ms, Jul 18, 2022)
727f74f processing idtyp claim (aremo-ms, Jul 18, 2022)
0242a69 updated readme with latest updates (aremo-ms, Jul 21, 2022)
2e3d9e4 added an ignored folder (Jul 21, 2022)
6f2ec1d local branch merged (Jul 21, 2022)
4180373 done and approved for BASHER (Jul 22, 2022)
e6760af enabled logging by default with disclaimers (Jul 22, 2022)
7df60d9 added more missing material (Jul 22, 2022)
1b56aa7 highlighted using certificates (Jul 22, 2022)
5d4d4b6 update for certificate, updated link (aremo-ms, Jul 26, 2022)
831f51f merge from master (aremo-ms, Aug 4, 2022)
5c5188c Configuration scripts generated with updated sample.json and Code Gen… (aremo-ms, Aug 10, 2022)
21a6f1c updated appsettings.json with instruction for local and keyvault ceri… (aremo-ms, Aug 10, 2022)
a5a8507 updated configuration.ps1 and appsettings.json (aremo-ms, Aug 10, 2022)
ed95a14 updated appsettings.json (aremo-ms, Aug 10, 2022)
32b9827 updated sample with latest Readme (aremo-ms, Aug 11, 2022)
a273a6b Added instructions to use local certificate (aremo-ms, Aug 11, 2022)
ba2bfb4 reset appsettings.json (aremo-ms, Aug 11, 2022)
40c86aa nit (aremo-ms, Aug 11, 2022)
ab93e0f nit (aremo-ms, Aug 11, 2022)
de8a786 added security warning to appsetting.json (aremo-ms, Aug 12, 2022)
49a3a1c reset appsettings.json (aremo-ms, Aug 12, 2022)
180aad8 removed data (aremo-ms, Aug 12, 2022)
3b6d228 removed UseNewSetup flag as redundant (aremo-ms, Aug 15, 2022)
949d23b updated certificate readme name (aremo-ms, Aug 16, 2022)
fa8bbe0 updated comments on appsettings.json (aremo-ms, Aug 16, 2022)
fde05ea Readme with updated warning about using client secrets (aremo-ms, Aug 18, 2022)
d8a4208 updated readme with correct certificate readme file path (aremo-ms, Aug 18, 2022)
cdb0b62 updated scopes comment (aremo-ms, Aug 18, 2022)
afbd2e8 removed redundant package (aremo-ms, Aug 18, 2022)
afc68bb updated certificate part to be less confusing (aremo-ms, Aug 18, 2022)
4c7ad15 Compilation issues and some formatting addressed (Aug 19, 2022)
cd752a1 More fixes (Aug 19, 2022)
ab5a60c updated the certs steps a bit (Aug 20, 2022)
49abddc updated the referenced code (Aug 21, 2022)
164a302 reverting certificates CsharpConfigurations support, Automated Deply … (aremo-ms, Aug 23, 2022)
9fa8f01 merge (aremo-ms, Aug 23, 2022)
5a18734 typo fixed (Aug 23, 2022)
2f8e0f4 minor working updates (aremo-ms, Aug 23, 2022)
67ee023 minor fix (Aug 23, 2022)
957dbf8 Merge branch 'aremo-ms/Task-1924572-4-1-basher-update' of https://git… (Aug 23, 2022)
f1c4601 removed PasswordCredentials key (aremo-ms, Aug 23, 2022)
68caf90 another round of minor edits (Aug 24, 2022)
da47245 Updated readme file with deployment steps (aremo-ms, Aug 24, 2022)
a74abf9 Merge branch 'aremo-ms/Task-1924572-4-1-basher-update' of https://git… (aremo-ms, Aug 24, 2022)
dd39fd5 Minor last minute edits (Aug 25, 2022)
5f0986c Minor edits and deployment related updates (Aug 25, 2022)
49476ae merge conflicts resolved (Aug 25, 2022)
0f7e06b renamed Delete to DeleteItem (action didn't work for Delete for some … (aremo-ms, Aug 25, 2022)
f9599f4 and this is done .. (Aug 26, 2022)
e03d1a7 Merge branch 'master' into aremo-ms/Task-1924572-4-1-basher-update (Aug 26, 2022)
Expand Up @@ -205,6 +205,14 @@ Function ConfigureApplications
Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($serviceServicePrincipal.DisplayName)'"
}

# Add application permissions/user roles
$appRoles = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]
$newRole = CreateAppRole -types "Application" -name "ToDoList.Read.All" -description "Allow application to read all ToDo list items"
$appRoles.Add($newRole)
$newRole = CreateAppRole -types "Application" -name "ToDoList.ReadWrite.All" -description "Allow application to read and write into ToDo list"
$appRoles.Add($newRole)
Update-MgApplication -ApplicationId $serviceAadApplication.Id -AppRoles $appRoles

# rename the user_impersonation scope if it exists to match the readme steps or add a new scope

# delete default scope i.e. User_impersonation
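Review bot: `Update-MgApplication -ApplicationId $serviceAadApplication.Id -AppRoles $appRoles` replaces the registration's whole AppRoles collection with the freshly built list, so any roles already on an existing app are dropped; that is harmless on first creation, but a re-run against an existing registration should read the current roles first or this call is destructive. `CreateAppRole` is not in this hunk; confirm it gives each role a unique GUID `Id` and `IsEnabled = $true`, otherwise Graph rejects the update or the roles never appear in a token's `roles` claim. Since both roles are `-types "Application"` only, the service must treat app-only tokens (`roles` claim) separately from delegated tokens (`scp` claim); the commit list mentions `idtyp` handling, which is the right place for that check.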
Expand All @@ -228,14 +236,14 @@ Function ConfigureApplications
-userConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
-userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf." `
-adminConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
-adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of the signed-in user."
-adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"

$scopes.Add($scope)
$scope = CreateScope -value ToDoList.Write `
$scope = CreateScope -value ToDoList.ReadWrite `
-userConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
-userConsentDescription "Allow the application to access TodoListService-aspnetcore-webapi on your behalf." `
-adminConsentDisplayName "Access TodoListService-aspnetcore-webapi" `
-adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of the signed-in user."
-adminConsentDescription "Allow the app TodoListService-aspnetcore-webapi to [ex, read ToDo list items]"

$scopes.Add($scope)
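Review bot: both new `-adminConsentDescription` strings still carry the template placeholder `[ex, read ToDo list items]` and are identical for `ToDoList.Read` and `ToDoList.ReadWrite`; an admin granting consent sees this text, so give each scope its own description, e.g. "Allow the app TodoListService-aspnetcore-webapi to read ToDo list items" and "... to read and write ToDo list items". The `-userConsentDescription` is also the same for both scopes, which hides the write capability from the user at consent time.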
Expand All @@ -262,10 +270,13 @@ Function ConfigureApplications
RedirectUris = "https://localhost:44321/", "https://localhost:44321/signin-oidc"; `
HomePageUrl = "https://localhost:44321/"; `
LogoutUrl = "https://localhost:44321/signout-oidc"; `
ImplicitGrantSettings = @{ `
EnableAccessTokenIssuance=$true; `
} `
} `
-SignInAudience AzureADMyOrg `
#end of command
#add password to the application
#add a secret to the application
$pwdCredential = Add-MgApplicationPassword -ApplicationId $clientAadApplication.Id -PasswordCredential $key
$clientAppKey = $pwdCredential.SecretText
$tenantName = (Get-MgApplication -ApplicationId $clientAadApplication.Id).PublisherDomain
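Review bot: dropping `ImplicitGrantSettings` with `EnableAccessTokenIssuance=$true` is the right change for a confidential web client on the authorization code flow; say so in the PR description so readers know the implicit grant is off on purpose. The hunk still mints a client secret with `Add-MgApplicationPassword` and captures `$pwdCredential.SecretText` in `$clientAppKey`; the later commits move the sample to certificates, so either remove this call or make sure `$clientAppKey` goes only into the local config file and never into `createdApps.html` or console output.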
Expand Down Expand Up @@ -316,6 +327,10 @@ Function ConfigureApplications
New-MgApplicationOwnerByRef -ApplicationId $clientAadApplication.Id -BodyParameter = @{"@odata.id" = "htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
}

# Add application permissions/user roles
$appRoles = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]
Update-MgApplication -ApplicationId $clientAadApplication.Id -AppRoles $appRoles
Write-Host "Done creating the client application (TodoListClient-aspnetcore-webapi)"

# URL of the AAD application in the Azure portal
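Review bot: the owner-assignment line in this hunk has three defects: the `@odata.id` URL reads `htps://graph.microsoft.com/...` (missing `t`), `-BodyParameter = @{...}` has a stray `=` (it should be `-BodyParameter @{...}`), and `"$user.ObjectId"` inside a double-quoted string expands only `$user`, so it needs `"$($user.ObjectId)"`. The added client-side block builds an empty `$appRoles` list and pushes it with `Update-MgApplication -AppRoles`; that is a no-op on a new registration and wipes roles on an existing one, so drop it.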
Expand All @@ -328,7 +343,7 @@ Function ConfigureApplications
# Add Required Resources Access (from 'client' to 'service')
Write-Host "Getting access from 'client' to 'service'"
$requiredPermissions = GetRequiredPermissions -applicationDisplayName "TodoListService-aspnetcore-webapi" `
-requiredDelegatedPermissions "ToDoList.Read|ToDoList.Write" `
-requiredDelegatedPermissions "ToDoList.Read|ToDoList.ReadWrite" `


$requiredResourcesAccess.Add($requiredPermissions)
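Review bot: the `-requiredDelegatedPermissions "ToDoList.Read|ToDoList.ReadWrite"` line ends with a continuation backtick followed by two blank lines; the command still terminates on the blank line, but the dangling backtick is fragile and should go. The scope names here must stay in sync with the `CreateScope -value` calls for the service; deriving both from one list would avoid the literal being repeated.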
Expand All @@ -345,7 +360,7 @@ Function ConfigureApplications

# Update config file for 'client'
$configFile = $pwd.Path + "\..\Client\appsettings.json"
$dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"KeyVaultCertificateName" = $certificateName;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.Write";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };
$dictionary = @{ "Domain" = $tenantName;"TenantId" = $tenantId;"ClientId" = $clientAadApplication.AppId;"KeyVaultCertificateName" = $certificateName;"TodoListScopes" = "api://$($serviceAadApplication.AppId)/ToDoList.Read api://$($serviceAadApplication.AppId)/ToDoList.ReadWrite";"TodoListBaseAddress" = $serviceAadApplication.Web.HomePageUrl };

Write-Host "Updating the sample code ($configFile)"
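Review bot: the client `appsettings.json` dictionary writes `KeyVaultCertificateName` and no client secret, while the client registration block above still calls `Add-MgApplicationPassword`; settle on one credential type so the script does not leave an unused secret on the app registration. The `TodoListScopes` value is the space-separated pair `api://<appId>/ToDoList.Read api://<appId>/ToDoList.ReadWrite`, which matches the renamed scopes.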

Expand Up @@ -94,8 +94,19 @@
"SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
"ProjectDirectory": "\\TodoListService"
},
"AppScopes": [ "ToDoList.Read", "ToDoList.Write" ]

"Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ],
"AppRoles": [
{
"Types": [ "Application" ],
"Name": "ToDoList.Read.All",
"Description": "Allow application to read all ToDo list items"
},
{
"Types": [ "Application" ],
"Name": "ToDoList.ReadWrite.All",
"Description": "Allow application to read and write into ToDo list"
}
]
},
{
"Id": "client",
Expand All @@ -109,11 +120,13 @@
"RequiredResourcesAccess": [
{
"Resource": "service",
"DelegatedPermissions": [ "ToDoList.Read", "ToDoList.Write" ]
"DelegatedPermissions": [ "ToDoList.Read", "ToDoList.ReadWrite" ]
}
],
"Certificate": "the certificate will be named by application name",
"ManualSteps": [],
"EnableAccessTokenIssuance": "true",
"EnableIdTokenIssuance": "false",
kalyankrishna1 (Contributor) commented on Jul 12, 2022:

remove these #Closed

Contributor Author replied:

I don't see it in my sample.json

"Sample": {
"SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
"ProjectDirectory": "\\Client"
@@ -1,45 +1,35 @@
# Registering the sample apps with the Microsoft identity platform and updating the configuration files using PowerShell
# Registering sample apps with the Microsoft identity platform and updating configuration files using PowerShell

## Overview

### Quick summary

1. On Windows run PowerShell as **Administrator** and navigate to the root of the cloned directory
1. On Windows, run PowerShell as **Administrator** and navigate to the root of the cloned directory
1. In PowerShell run:

```PowerShell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
```

1. Run the script to create your Azure AD application and configure the code of the sample application accordingly. (Other ways of running the scripts are described below)
1. Run the script to create your Azure AD application and configure the code of the sample application accordingly.

```PowerShell
cd .\AppCreationScripts\
.\Configure.ps1
.\Configure.ps1 -TenantId "your test tenant's id" -AzureEnvironmentName "[Optional] - Azure environment, defaults to 'Global'"
```

1. Open the Visual Studio solution and click start

### More details

The following paragraphs:

- [Registering the sample apps with the Microsoft identity platform and updating the configuration files using PowerShell](#Registering-the-sample-apps-with-the-Microsoft-identity-platform-and-updating-the-configuration-files-using-PowerShell)
- [Overview](#Overview)
- [Quick summary](#Quick-summary)
- [More details](#More-details)
- [Goal of the provided scripts](#Goal-of-the-provided-scripts)
- [Presentation of the scripts](#Presentation-of-the-scripts)
- [Usage pattern for tests and DevOps scenarios](#Usage-pattern-for-tests-and-DevOps-scenarios)
- [How to use the app creation scripts?](#How-to-use-the-app-creation-scripts)
- [Pre-requisites](#Pre-requisites)
- [Run the script and start running](#Run-the-script-and-start-running)
- [Four ways to run the script](#Four-ways-to-run-the-script)
- [Option 1 (interactive)](#Option-1-interactive)
- [Option 2 (non-interactive)](#Option-2-non-interactive)
- [Option 3 (Interactive, but create apps in a specified tenant)](#Option-3-Interactive-but-create-apps-in-a-specified-tenant)
- [Option 4 (non-interactive, and create apps in a specified tenant)](#Option-4-non-interactive-and-create-apps-in-a-specified-tenant)
- [Running the script on Azure Sovereign clouds](#Running-the-script-on-Azure-Sovereign-clouds)
- [Goal of the provided scripts](#goal-of-the-provided-scripts)
- [Presentation of the scripts](#presentation-of-the-scripts)
- [Usage pattern for tests and DevOps scenarios](#usage-pattern-for-tests-and-DevOps-scenarios)
- [How to use the app creation scripts?](#how-to-use-the-app-creation-scripts)
- [Pre-requisites](#pre-requisites)
- [Run the script and start running](#run-the-script-and-start-running)
- [Four ways to run the script](#four-ways-to-run-the-script)
- [Option 1 (interactive)](#option-1-interactive)
- [Option 2 (Interactive, but create apps in a specified tenant)](#option-3-Interactive-but-create-apps-in-a-specified-tenant)
- [Running the script on Azure Sovereign clouds](#running-the-script-on-Azure-Sovereign-clouds)

## Goal of the provided scripts
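Review bot: the table-of-contents entry for `Option 2 (Interactive, but create apps in a specified tenant)` still links to `#option-3-Interactive-but-create-apps-in-a-specified-tenant`, so the anchor is dead now that the heading was renumbered; change it to `#option-2-interactive-but-create-apps-in-a-specified-tenant`. In the quick summary, `-AzureEnvironmentName "[Optional] - Azure environment, defaults to 'Global'"` is a placeholder written as a real string value; describe it as an optional parameter in prose instead, since copying the line verbatim passes an invalid environment name.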

Expand All @@ -50,14 +40,14 @@ This sample comes with two PowerShell scripts, which automate the creation of th
These scripts are:

- `Configure.ps1` which:
- creates Azure AD applications and their related objects (permissions, dependencies, secrets),
- changes the configuration files in the C# and JavaScript projects.
- creates Azure AD applications and their related objects (permissions, dependencies, secrets, app roles),
- changes the configuration files in the sample projects.
- creates a summary file named `createdApps.html` in the folder from which you ran the script, and containing, for each Azure AD application it created:
- the identifier of the application
- the AppId of the application
- the url of its registration in the [Azure portal](https://portal.azure.com).

- `Cleanup.ps1` which cleans-up the Azure AD objects created by `Configure.ps1`. Note that this script does not revert the changes done in the configuration files, though. You will need to undo the change from source control (from Visual Studio, or from the command line using, for instance, git reset).
- `Cleanup.ps1` which cleans-up the Azure AD objects created by `Configure.ps1`. Note that this script does not revert the changes done in the configuration files, though. You will need to undo the change from source control (from Visual Studio, or from the command line using, for instance, `git reset`).

### Usage pattern for tests and DevOps scenarios
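Review bot: the `Configure.ps1` bullet now lists "secrets" among the objects created, but the `createdApps.html` bullet does not say that the secret is excluded from that summary; state explicitly that secrets land only in the sample's config file, which therefore must not be committed (the commit list shows one accidental secret commit already), and that `Cleanup.ps1` removes the app registrations and their secrets when done.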

Expand All @@ -75,21 +65,21 @@ The `Configure.ps1` will stop if it tries to create an Azure AD application whic
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
```

### (Optionally) install AzureAD PowerShell modules
### (Optionally) install Microsoft.Graph.Applications PowerShell modules

The scripts install the required PowerShell module (Microsoft.Graph.Applications) for the current user if needed. However, if you want to install if for all users on the machine, you can follow the following steps:

1. If you have never done it already, in the PowerShell window, install the Graph PowerShell modules. For this:
1. If you have never done it already, in the PowerShell window, install the Microsoft.Graph.Applications PowerShell modules. For this:

1. Open PowerShell as admin (On Windows, Search Powershell in the search bar, right click on it and select Run as administrator).
1. Open PowerShell as admin (On Windows, Search Powershell in the search bar, right click on it and select **Run as administrator**).
2. Type:

```PowerShell
Install-Module Microsoft.Graph.Applications
```

or if you cannot be administrator on your machine, run:

```PowerShell
Install-Module Microsoft.Graph.Applications -Scope CurrentUser
```
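Review bot: the unchanged sentence "if you want to install if for all users on the machine" has a typo (`if` should be `it`), worth fixing while this section is being edited. The heading and step 1 say "modules" (plural) while a single `Install-Module Microsoft.Graph.Applications` is shown; either use the singular or mention that the module pulls in its `Microsoft.Graph.Authentication` dependency.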
Expand All @@ -106,44 +96,29 @@ The scripts install the required PowerShell module (Microsoft.Graph.Applications
1. Open the Visual Studio solution, and in the solution's context menu, choose **Set Startup Projects**.
1. select **Start** for the projects

You're done. this just works!
You're done!

### Four ways to run the script
### Two ways to run the script

We advise four ways of running the script:

- Interactive: you will be prompted for credentials, and the scripts decide in which tenant to create the objects,
- non-interactive: you will provide credentials, and the scripts decide in which tenant to create the objects,
- Interactive in specific tenant: you will provide the tenant in which you want to create the objects and then you will be prompted for credentials, and the scripts will create the objects,
- non-interactive in specific tenant: you will provide tenant in which you want to create the objects and credentials, and the scripts will create the objects.
- Interactive in specific tenant: you will provide the tenant in which you want to create the objects and then you will be prompted for credentials, and the scripts will create the objects,

Here are the details on how to do this.

#### Option 1 (interactive)

- Just run ``. .\Configure.ps1``, and you will be prompted to sign-in (email address, password, and if needed MFA).
- Just run ``.\Configure.ps1``, and you will be prompted to sign-in (email address, password, and if needed MFA).
- The script will be run as the signed-in user and will use the tenant in which the user is defined.

Note that the script will choose the tenant in which to create the applications, based on the user. Also to run the `Cleanup.ps1` script, you will need to re-sign-in.

#### Option 2 (non-interactive)

When you know the identity and credentials of the user in the name of whom you want to create the applications, you can use the non-interactive approach. It's more adapted to DevOps. Here is an example of script you'd want to run in a PowerShell Window

```PowerShell
$secpasswd = ConvertTo-SecureString "[Password here]" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("[login@tenantName here]", $secpasswd)
. .\Cleanup.ps1 -Credential $mycreds
. .\Configure.ps1 -Credential $mycreds
```

Of course, in real life, you might already get the password as a `SecureString`. You might also want to get the password from KeyVault.

#### Option 3 (Interactive, but create apps in a specified tenant)
#### Option 2 (Interactive, but create apps in a specified tenant)

if you want to create the apps in a particular tenant, you can use the following option:

- open the [Azure portal](https://portal.azure.com)
- Open the [Azure portal](https://portal.azure.com)
- Select the Azure Active directory you are interested in (in the combo-box below your name on the top right of the browser window)
- Find the "Active Directory" object in this tenant
- Go to **Properties** and copy the content of the **Directory Id** property
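Review bot: the heading was changed to "Two ways to run the script" but the intro sentence still reads "We advise four ways of running the script:"; update it to "two ways". Removing the non-interactive options also removes the `ConvertTo-SecureString "[Password here]" -AsPlainText -Force` example that encouraged plaintext passwords in scripts, which is welcome; for the DevOps case the README could point to `Connect-MgGraph` with a certificate or a managed identity instead of a stored password. Minor: "if you want to create the apps" should start with a capital letter.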
Expand All @@ -155,21 +130,9 @@ $tenantId = "yourTenantIdGuid"
. .\Configure.ps1 -TenantId $tenantId
```

#### Option 4 (non-interactive, and create apps in a specified tenant)

This option combines option 2 and option 3: it creates the application in a specific tenant. See option 3 for the way to get the tenant Id. Then run:

```PowerShell
$secpasswd = ConvertTo-SecureString "[Password here]" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("[login@tenantName here]", $secpasswd)
$tenantId = "yourTenantIdGuid"
. .\Cleanup.ps1 -Credential $mycreds -TenantId $tenantId
. .\Configure.ps1 -Credential $mycreds -TenantId $tenantId
```

### Running the script on Azure Sovereign clouds

All the four options listed above, can be used on any Azure Sovereign clouds. By default, the script targets `AzureCloud`, but it can be changed using the parameter `-AzureEnvironmentName`.
All the four options listed above can be used on any Azure Sovereign clouds. By default, the script targets `AzureCloud`, but it can be changed using the parameter `-AzureEnvironmentName`.

The acceptable values for this parameter are:
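Review bot: "All the four options listed above" is now wrong, since the section above offers two options; change it to "Both options". The default environment is named `AzureCloud` here but `'Global'` in the quick-summary placeholder for `-AzureEnvironmentName`; use the one value the script actually accepts in both places.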
