Azure-Samples
diff --git a/‎AppCreationScripts/AppCreationScripts.md‎
Lines changed: 46 additions & 10 deletions b/‎AppCreationScripts/AppCreationScripts.md‎
Lines changed: 46 additions & 10 deletions
diff --git a/‎AppCreationScripts/Cleanup.ps1‎
Lines changed: 22 additions & 18 deletions b/‎AppCreationScripts/Cleanup.ps1‎
Lines changed: 22 additions & 18 deletions
diff --git a/‎AppCreationScripts/Configure.ps1‎
Lines changed: 54 additions & 42 deletions b/‎AppCreationScripts/Configure.ps1‎
Lines changed: 54 additions & 42 deletions
@@ -1,5 +1,32 @@
 # Registering the Azure Active Directory applications and updating the configuration files for this sample using PowerShell scripts
 
+## Overview
+
+### Quick summary
+
+1. On Windows run PowerShell and navigate to the root of the cloned directory
+1. In PowerShell run:
+   ```PowerShell
+   Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
+   ```
+1. Run the script to create your Azure AD application and configure the code of the sample application accordinly. (Other ways of running the scripts are described below)
+   ```PowerShell
+   .\AppCreationScripts\Configure.ps1
+   ```
+1. Open the Visual Studio solution and click start
+
+### More details
+
+The following paragraphs:
+
+- [Present the scripts](#presentation-of-the-scripts) and explain their [usage patterns](#usage-pattern-for-tests-and-devops-scenarios) for test and DevOps scenarios.
+- Explain the [pre-requisites](#pre-requisites)
+- Explain [four ways of running the scripts](#four-ways-to-run-the-script):
+  - [Interactively](#option-1-interactive) to create the app in your home tenant
+  - [Passing credentials](#option-2-non-interactive) to create the app in your home tenant
+  - [Interactively in a specific tenant](#option-3-interactive-but-create-apps-in-a-specified-tenant)
+  - [Passing credentials in a specific tenant](#option-4-non-interactive-and-create-apps-in-a-specified-tenant)
+
 ## Goal of the scripts
 
 ### Presentation of the scripts
@@ -26,21 +53,30 @@ The `Configure.ps1` will stop if it tries to create an Azure AD application whic
 
 ### Pre-requisites
 
-To use the app creation scripts:
-
 1. Open PowerShell (On Windows, press  `Windows-R` and type `PowerShell` in the search window)
 2. Navigate to the root directory of the project.
-3. Until you change it, the default Execution Policy for scripts is usually `Restricted`. In order to run the PowerShell script you need to set the Execution Policy to `Unrestricted`. You can set this just for the current PowerShell process by running the command:
+3. Until you change it, the default [Execution Policy](https:/go.microsoft.com/fwlink/?LinkID=135170) for scripts is usually `Restricted`. In order to run the PowerShell script you need to set the Execution Policy to `RemoteSigned`. You can set this just for the current PowerShell process by running the command:
     ```PowerShell
-    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
+    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
     ```
+### (Optionally) install AzureAD PowerShell modules
+The scripts install the required PowerShell module (AzureAD) for the current user if needed. However, if you want to install if for all users on the machine, you can follow the following steps:
+
 4. If you have never done it already, in the PowerShell window, install the AzureAD PowerShell modules. For this:
 
    1. Open PowerShell as admin (On Windows, Search Powershell in the search bar, right click on it and select Run as administrator).
    2. Type:
-        ```PowerShell
-        Install-Module AzureAD
-        ```
+      ```PowerShell
+      Install-Module AzureAD
+      ```
+
+      or if you cannot be administrator on your machine, run:
+      ```PowerShell
+      Install-Module AzureAD -Scope CurrentUser
+      ```
+
+### Run the script and start running
+
 5. Go to the `AppCreationScripts` sub-folder. From the folder where you cloned the repo,
     ```PowerShell
     cd AppCreationScripts
@@ -56,9 +92,9 @@ You're done. this just works!
 We advise four ways of running the script:
 
 - Interactive: you will be prompted for credentials, and the scripts decide in which tenant to create the objects,
-- non-interactive: you will provide crendentials, and the scripts decide in which tenant to create the objects,
-- Interactive in specific tenant: you will be prompted for credentials, and the scripts decide in which tenant to create the objects,
-- non-interactive in specific tenant: you will provide crendentials, and the scripts decide in which tenant to create the objects.
+- non-interactive: you will provide credentials, and the scripts decide in which tenant to create the objects,
+- Interactive in specific tenant:  you will provide the tenant in which you want to create the objects and then you will be prompted for credentials, and the scripts will create the objects,
+- non-interactive in specific tenant: you will provide tenant in which you want to create the objects and credentials, and the scripts will create the objects.
 
 Here are the details on how to do this.
 
 
@@ -1,4 +1,13 @@
-param([Parameter(Mandatory=$false)][PSCredential]$Credential=$null, [Parameter(Mandatory=$false)][string]$TenantId)
+[CmdletBinding()]
+param(    
+    [PSCredential] $Credential,
+    [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
+    [string] $tenantId
+)
+
+if ((Get-Module -ListAvailable -Name "AzureAD") -eq $null) { 
+    Install-Module "AzureAD" -Scope CurrentUser 
+} 
 Import-Module AzureAD
 $ErrorActionPreference = 'Stop'
 
@@ -8,15 +17,7 @@ Function Cleanup
 .Description
 This function removes the Azure AD applications for the sample. These applications were created by the Configure.ps1 script
 #>
-   [CmdletBinding()]
-    param(
-        [Parameter(HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
-        [PSCredential] $Credential,
-        [string] $tenantId
-    )
 
-   process
-   {
     # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant 
     # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD. 
 
@@ -49,22 +50,25 @@ This function removes the Azure AD applications for the sample. These applicatio
     Write-Host "Cleaning-up applications from tenant '$tenantName'"
 
     Write-Host "Removing 'service' (TodoListService-ManualJwt) if needed"
-    $app=Get-AzureADApplication -Filter "identifierUris/any(uri:uri eq 'https://$tenantName/TodoListService-ManualJwt')"  
-    if ($app)
+    Get-AzureADApplication -Filter "DisplayName eq 'TodoListService-ManualJwt'"  | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+    $apps = Get-AzureADApplication -Filter "DisplayName eq 'TodoListService-ManualJwt'"
+    if ($apps)
     {
-        Remove-AzureADApplication -ObjectId $app.ObjectId
-        Write-Host "Removed."
+        Remove-AzureADApplication -ObjectId $apps.ObjectId
     }
+    # Get-AzureRmADServicePrincipal -SearchString "TodoListService-ManualJwt" | ForEach-Object {Remove-AzureRmADServicePrincipal -ObjectId $_.Id -Confirm:$false}
+    Write-Host "Removed TodoListService-ManualJwt."
 
     Write-Host "Removing 'client' (TodoListClient-ManualJwt) if needed"
-    $app=Get-AzureADApplication -Filter "DisplayName eq 'TodoListClient-ManualJwt'"  
-    if ($app)
+    Get-AzureADApplication -Filter "DisplayName eq 'TodoListClient-ManualJwt'"  | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+    $apps = Get-AzureADApplication -Filter "DisplayName eq 'TodoListClient-ManualJwt'"
+    if ($apps)
     {
-        Remove-AzureADApplication -ObjectId $app.ObjectId
-        Write-Host "Removed."
+        Remove-AzureADApplication -ObjectId $apps.ObjectId
     }
+    # Get-AzureRmADServicePrincipal -SearchString "TodoListClient-ManualJwt" | ForEach-Object {Remove-AzureRmADServicePrincipal -ObjectId $_.Id -Confirm:$false}
+    Write-Host "Removed TodoListClient-ManualJwt."
 
-   }
 }
 
 Cleanup -Credential $Credential -tenantId $TenantId
@@ -1,9 +1,9 @@
 [CmdletBinding()]
-    param(
-        [PSCredential] $Credential,
-        [Parameter(HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
-        [string] $tenantId
-    )
+param(
+    [PSCredential] $Credential,
+    [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
+    [string] $tenantId
+)
 
 <#
  This script creates the Azure AD applications needed for this sample and updates the configuration files
@@ -15,10 +15,6 @@
  2) in the PowerShell window, type: Install-Module AzureAD
 
  There are four ways to run this script. For more information, read the AppCreationScripts.md file in the same folder as this script.
-
- # Parameters
- # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
- # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
 #>
 
 # Adds the requiredAccesses (expressed as a pipe separated string) to the requiredAccess structure
@@ -66,7 +62,7 @@ Function GetRequiredPermissions([string] $applicationDisplayName, [string] $requ
     {
         AddResourcePermission $requiredAccess -exposedPermissions $sp.Oauth2Permissions -requiredAccesses $requiredDelegatedPermissions -permissionType "Scope"
     }
-
+    
     # $sp.AppRoles | Select Id,AdminConsentDisplayName,Value: To see the list of all the Application permissions for the application
     if ($requiredApplicationPermissions)
     {
@@ -103,7 +99,10 @@ Function ConfigureApplications
    This function creates the Azure AD applications for the sample in the provided Azure AD tenant and updates the
    configuration files in the client and service project  of the visual studio solution (App.Config and Web.Config)
    so that they are consistent with the Applications parameters
-#>
+#> 
+
+    # $tenantId is the Active Directory Tenant. This is a GUID which represents the "Directory ID" of the AzureAD tenant
+    # into which you want to create the apps. Look it up in the Azure portal in the "Properties" of the Azure AD.
 
     # Login to Azure PowerShell (interactive if credentials are not already provided:
     # you'll need to sign-in with creds enabling your to create apps in the tenant)
@@ -127,86 +126,99 @@ Function ConfigureApplications
     {
         $tenantId = $creds.Tenant.Id
     }
+
     $tenant = Get-AzureADTenantDetail
     $tenantName =  ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
 
+    # Get the user running the script
+    $user = Get-AzureADUser -ObjectId $creds.Account.Id
+
    # Create the service AAD application
-   Write-Host "Creating the AAD appplication (TodoListService-ManualJwt)"
+   Write-Host "Creating the AAD application (TodoListService-ManualJwt)"
    $serviceAadApplication = New-AzureADApplication -DisplayName "TodoListService-ManualJwt" `
                                                    -HomePage "https://localhost:44324" `
-                                                   -IdentifierUris "https://$tenantName/TodoListService-ManualJwt" `
                                                    -PublicClient $False
-
+   $serviceIdentifierUri = 'api://'+$serviceAadApplication.AppId
+   Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -IdentifierUris $serviceIdentifierUri
 
    $currentAppId = $serviceAadApplication.AppId
    $serviceServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
 
-   # add this user as app owner
-   $user = Get-AzureADUser -ObjectId $creds.Account.Id
-   Add-AzureADApplicationOwner -ObjectId $serviceAadApplication.ObjectId -RefObjectId $user.ObjectId
-   Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($serviceAadApplication.DisplayName)'"
+   # add the user running the script as an app owner if needed
+   $owner = Get-AzureADApplicationOwner -ObjectId $serviceAadApplication.ObjectId
+   if ($owner -eq $null)
+   { 
+    Add-AzureADApplicationOwner -ObjectId $serviceAadApplication.ObjectId -RefObjectId $user.ObjectId
+    Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($serviceServicePrincipal.DisplayName)'"
+   }
 
-   Write-Host "Done."
+   Write-Host "Done creating the service application (TodoListService-ManualJwt)"
 
    # URL of the AAD application in the Azure portal
-   $servicePortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_IAM/ApplicationBlade/appId/"+$serviceAadApplication.AppId+"/objectId/"+$serviceAadApplication.ObjectId
+   # Future? $servicePortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/"+$serviceAadApplication.AppId+"/objectId/"+$serviceAadApplication.ObjectId+"/isMSAApp/"
+   $servicePortalUrl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/"+$serviceAadApplication.AppId+"/objectId/"+$serviceAadApplication.ObjectId+"/isMSAApp/"
    Add-Content -Value "<tr><td>service</td><td>$currentAppId</td><td><a href='$servicePortalUrl'>TodoListService-ManualJwt</a></td></tr>" -Path createdApps.html
 
    # Create the client AAD application
-   Write-Host "Creating the AAD appplication (TodoListClient-ManualJwt)"
+   Write-Host "Creating the AAD application (TodoListClient-ManualJwt)"
    $clientAadApplication = New-AzureADApplication -DisplayName "TodoListClient-ManualJwt" `
-                                                  -ReplyUrls "https://TodoListClient-ManualJwt" `
+                                                  -ReplyUrls "urn:ietf:wg:oauth:2.0:oob", "https://login.microsoftonline.com/common/oauth2/nativeclient" `
                                                   -PublicClient $True
 
-
    $currentAppId = $clientAadApplication.AppId
    $clientServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
 
-   # add this user as app owner
-   Add-AzureADApplicationOwner -ObjectId $clientAadApplication.ObjectId -RefObjectId $user.ObjectId
-   Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
+   # add the user running the script as an app owner if needed
+   $owner = Get-AzureADApplicationOwner -ObjectId $clientAadApplication.ObjectId
+   if ($owner -eq $null)
+   { 
+    Add-AzureADApplicationOwner -ObjectId $clientAadApplication.ObjectId -RefObjectId $user.ObjectId
+    Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
+   }
 
-   Write-Host "Done."
+   Write-Host "Done creating the client application (TodoListClient-ManualJwt)"
 
    # URL of the AAD application in the Azure portal
-   $clientPortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_IAM/ApplicationBlade/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.ObjectId
+   # Future? $clientPortalUrl = "https://portal.azure.com/#@"+$tenantName+"/blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.ObjectId+"/isMSAApp/"
+   $clientPortalUrl = "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/"+$clientAadApplication.AppId+"/objectId/"+$clientAadApplication.ObjectId+"/isMSAApp/"
    Add-Content -Value "<tr><td>client</td><td>$currentAppId</td><td><a href='$clientPortalUrl'>TodoListClient-ManualJwt</a></td></tr>" -Path createdApps.html
 
    $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
+
    # Add Required Resources Access (from 'client' to 'service')
    Write-Host "Getting access from 'client' to 'service'"
    $requiredPermissions = GetRequiredPermissions -applicationDisplayName "TodoListService-ManualJwt" `
-                                                 -requiredDelegatedPermissions "user_impersonation";
+                                                -requiredDelegatedPermissions "user_impersonation" `
+
    $requiredResourcesAccess.Add($requiredPermissions)
-   Set-AzureADApplication -ObjectId $clientAadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
-   Write-Host "Granted."
 
-   # Configure known client applications for service
-   Write-Host "Configure known client applications for the 'service'"
-   $knowApplications = New-Object System.Collections.Generic.List[System.String]
-   $knowApplications.Add($clientAadApplication.AppId)
-   Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -KnownClientApplications $knowApplications
-   Write-Host "Configured."
+
+   Set-AzureADApplication -ObjectId $clientAadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
+   Write-Host "Granted permissions."
 
    # Update config file for 'service'
    $configFile = $pwd.Path + "\..\TodoListService-ManualJwt\Web.Config"
    Write-Host "Updating the sample code ($configFile)"
    ReplaceSetting -configFilePath $configFile -key "ida:Tenant" -newValue $tenantName
-   ReplaceSetting -configFilePath $configFile -key "ida:Audience" -newValue $serviceAadApplication.IdentifierUris
+   ReplaceSetting -configFilePath $configFile -key "ida:Audience" -newValue $serviceIdentifierUri
    ReplaceSetting -configFilePath $configFile -key "ida:ClientId" -newValue $serviceAadApplication.AppId
 
    # Update config file for 'client'
    $configFile = $pwd.Path + "\..\TodoListClient\App.Config"
    Write-Host "Updating the sample code ($configFile)"
    ReplaceSetting -configFilePath $configFile -key "ida:Tenant" -newValue $tenantName
    ReplaceSetting -configFilePath $configFile -key "ida:ClientId" -newValue $clientAadApplication.AppId
-   ReplaceSetting -configFilePath $configFile -key "ida:RedirectUri" -newValue $clientAadApplication.ReplyUrls
-   ReplaceSetting -configFilePath $configFile -key "todo:TodoListResourceId" -newValue $serviceAadApplication.IdentifierUris
+   ReplaceSetting -configFilePath $configFile -key "todo:TodoListResourceId" -newValue $serviceIdentifierUri
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListBaseAddress" -newValue $serviceAadApplication.HomePage
-   Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html
-  
+
+   Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html  
 }
 
+# Pre-requisites
+if ((Get-Module -ListAvailable -Name "AzureAD") -eq $null) { 
+    Install-Module "AzureAD" -Scope CurrentUser 
+} 
+Import-Module AzureAD
 
 # Run interactively (will ask you for the tenant ID)
 ConfigureApplications -Credential $Credential -tenantId $TenantId