Merge pull request #44 from Azure-Samples/kkrishna/updates2021

security warning removed

Author: Kalyan Krishna

AppCreationScripts/AppCreationScripts.md

@@ -1,35 +1,39 @@
-# Registering the sample apps with Microsoft identity platform and updating the configuration files using PowerShell scripts
+# Registering sample apps with the Microsoft identity platform and updating the configuration files using PowerShell
 
 ## Overview
 
 ### Quick summary
 
-1. On Windows run PowerShell and navigate to the root of the cloned directory
+1. On Windows, run PowerShell as **Administrator** and navigate to the root of the cloned directory
 1. In PowerShell run:
+
    ```PowerShell
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    ```
-1. Run the script to create your Azure AD application and configure the code of the sample application accordingly. (Other ways of running the scripts are described below)
+
+1. Run the script to create your Azure AD application and configure the code of the sample application accordingly.
+
    ```PowerShell
    cd .\AppCreationScripts\
    .\Configure.ps1
    ```
-1. Open the Visual Studio solution and click start
 
 ### More details
 
-The following paragraphs:
-
-- [Present the scripts](#presentation-of-the-scripts) and explain their [usage patterns](#usage-pattern-for-tests-and-devops-scenarios) for test and DevOps scenarios.
-- Explain the [pre-requisites](#pre-requisites)
-- Explain [four ways of running the scripts](#four-ways-to-run-the-script):
-  - [Interactively](#option-1-interactive) to create the app in your home tenant
-  - [Passing credentials](#option-2-non-interactive) to create the app in your home tenant
-  - [Interactively in a specific tenant](#option-3-interactive-but-create-apps-in-a-specified-tenant)
-  - [Passing credentials in a specific tenant](#option-4-non-interactive-and-create-apps-in-a-specified-tenant)
-  - [Passing environment name, for Sovereign clouds](#running-the-script-on-azure-sovereign-clouds)
-
-## Goal of the scripts
+- [Goal of the provided scripts](#goal-of-the-provided-scripts)
+  - [Presentation of the scripts](#presentation-of-the-scripts)
+  - [Usage pattern for tests and DevOps scenarios](#usage-pattern-for-tests-and-DevOps-scenarios)
+- [How to use the app creation scripts?](#how-to-use-the-app-creation-scripts)
+  - [Pre-requisites](#pre-requisites)
+  - [Run the script and start running](#run-the-script-and-start-running)
+  - [Four ways to run the script](#four-ways-to-run-the-script)
+    - [Option 1 (interactive)](#option-1-interactive)
+    - [Option 2 (non-interactive)](#option-2-non-interactive)
+    - [Option 3 (Interactive, but create apps in a specified tenant)](#option-3-Interactive-but-create-apps-in-a-specified-tenant)
+    - [Option 4 (non-interactive, and create apps in a specified tenant)](#option-4-non-interactive-and-create-apps-in-a-specified-tenant)
+  - [Running the script on Azure Sovereign clouds](#running-the-script-on-Azure-Sovereign-clouds)
+
+## Goal of the provided scripts
 
 ### Presentation of the scripts
 
@@ -39,13 +43,13 @@ These scripts are:
 
 - `Configure.ps1` which:
   - creates Azure AD applications and their related objects (permissions, dependencies, secrets),
-  - changes the configuration files in the C# and JavaScript projects.
+  - changes the configuration files in the sample projects.
   - creates a summary file named `createdApps.html` in the folder from which you ran the script, and containing, for each Azure AD application it created:
     - the identifier of the application
     - the AppId of the application
     - the url of its registration in the [Azure portal](https://portal.azure.com).
 
-- `Cleanup.ps1` which cleans-up the Azure AD objects created by `Configure.ps1`. Note that this script does not revert the changes done in the configuration files, though. You will need to undo the change from source control (from Visual Studio, or from the command line using, for instance, git reset).
+- `Cleanup.ps1` which cleans-up the Azure AD objects created by `Configure.ps1`. Note that this script does not revert the changes done in the configuration files, though. You will need to undo the change from source control (from Visual Studio, or from the command line using, for instance, `git reset`).
 
 ### Usage pattern for tests and DevOps scenarios
 
@@ -56,53 +60,60 @@ The `Configure.ps1` will stop if it tries to create an Azure AD application whic
 ### Pre-requisites
 
 1. Open PowerShell (On Windows, press  `Windows-R` and type `PowerShell` in the search window)
-2. Navigate to the root directory of the project.
-3. Until you change it, the default [Execution Policy](https:/go.microsoft.com/fwlink/?LinkID=135170) for scripts is usually `Restricted`. In order to run the PowerShell script you need to set the Execution Policy to `RemoteSigned`. You can set this just for the current PowerShell process by running the command:
+1. Navigate to the root directory of the project.
+1. Until you change it, the default [Execution Policy](https:/go.microsoft.com/fwlink/?LinkID=135170) for scripts is usually `Restricted`. In order to run the PowerShell script you need to set the Execution Policy to `RemoteSigned`. You can set this just for the current PowerShell process by running the command:
+
     ```PowerShell
     Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
     ```
+
 ### (Optionally) install AzureAD PowerShell modules
+
 The scripts install the required PowerShell module (AzureAD) for the current user if needed. However, if you want to install if for all users on the machine, you can follow the following steps:
 
-4. If you have never done it already, in the PowerShell window, install the AzureAD PowerShell modules. For this:
+1. If you have never done it already, in the PowerShell window, install the AzureAD PowerShell modules. For this:
 
-   1. Open PowerShell as admin (On Windows, Search Powershell in the search bar, right click on it and select Run as administrator).
+   1. Open PowerShell as admin (On Windows, Search Powershell in the search bar, right click on it and select **Run as administrator**).
    2. Type:
+
       ```PowerShell
       Install-Module AzureAD
       ```
 
       or if you cannot be administrator on your machine, run:
+
       ```PowerShell
       Install-Module AzureAD -Scope CurrentUser
       ```
 
 ### Run the script and start running
 
-5. Go to the `AppCreationScripts` sub-folder. From the folder where you cloned the repo,
+1. Go to the `AppCreationScripts` sub-folder. From the folder where you cloned the repo,
+
     ```PowerShell
     cd AppCreationScripts
     ```
-6. Run the scripts. See below for the [four options](#four-ways-to-run-the-script) to do that.
-7. Open the Visual Studio solution, and in the solution's context menu, choose **Set Startup Projects**.
-8. select **Start** for the projects
 
-You're done. this just works!
+1. Run the scripts. See below for the [four options](#four-ways-to-run-the-script) to do that.
+1. Open the Visual Studio solution, and in the solution's context menu, choose **Set Startup Projects**.
+1. select **Start** for the projects
+
+You're done!
 
 ### Four ways to run the script
 
 We advise four ways of running the script:
 
 - Interactive: you will be prompted for credentials, and the scripts decide in which tenant to create the objects,
 - non-interactive: you will provide credentials, and the scripts decide in which tenant to create the objects,
-- Interactive in specific tenant:  you will provide the tenant in which you want to create the objects and then you will be prompted for credentials, and the scripts will create the objects,
-- non-interactive in specific tenant: you will provide tenant in which you want to create the objects and credentials, and the scripts will create the objects.
+- Interactive in specific tenant: you will provide the tenant in which you want to create the objects and then you will be prompted for credentials, and the scripts will create the objects,
+- non-interactive in specific tenant: you will provide the tenant in which you want to create the objects and credentials, and the scripts will create the objects.
 
 Here are the details on how to do this.
 
 #### Option 1 (interactive)
 
-- Just run ``. .\Configure.ps1``, and you will be prompted to sign-in (email address, password, and if needed MFA).
+- Just run ``.\Configure.ps1``, and you will be prompted to sign-in (email address, password, and if needed MFA).
 - The script will be run as the signed-in user and will use the tenant in which the user is defined.
 
 Note that the script will choose the tenant in which to create the applications, based on the user. Also to run the `Cleanup.ps1` script, you will need to re-sign-in.
@@ -118,12 +129,13 @@ $mycreds = New-Object System.Management.Automation.PSCredential ("[login@tenantN
 . .\Configure.ps1 -Credential $mycreds
 ```
 
-Of course, in real life, you might already get the password as a `SecureString`. You might also want to get the password from KeyVault.
+Of course, in real life, you might already get the password as a `SecureString`. You might also want to get the password from **Azure Key Vault**.
 
 #### Option 3 (Interactive, but create apps in a specified tenant)
 
   if you want to create the apps in a particular tenant, you can use the following option:
-- open the [Azure portal](https://portal.azure.com)
+  
+- Open the [Azure portal](https://portal.azure.com)
 - Select the Azure Active directory you are interested in (in the combo-box below your name on the top right of the browser window)
 - Find the "Active Directory" object in this tenant
 - Go to **Properties** and copy the content of the **Directory Id** property
@@ -149,7 +161,7 @@ $tenantId = "yourTenantIdGuid"
 
 ### Running the script on Azure Sovereign clouds
 
-All the four options listed above, can be used on any Azure Sovereign clouds. By default, the script targets `AzureCloud`, but it can be changed using the parameter `-AzureEnvironmentName`.
+All the four options listed above can be used on any Azure Sovereign clouds. By default, the script targets `AzureCloud`, but it can be changed using the parameter `-AzureEnvironmentName`.
 
 The acceptable values for this parameter are:
 

AppCreationScripts/Cleanup.ps1

@@ -7,8 +7,11 @@ param(
     [string] $azureEnvironmentName
 )
 
+#Requires -Modules AzureAD -RunAsAdministrator
+
+
 if ($null -eq (Get-Module -ListAvailable -Name "AzureAD")) { 
-    Install-Module "AzureAD" -Scope CurrentUser 
+    Install-Module "AzureAD" -Scope CurrentUser                                            
 } 
 Import-Module AzureAD
 $ErrorActionPreference = "Stop"
@@ -57,7 +60,14 @@ Function Cleanup
     Write-Host "Cleaning-up applications from tenant '$tenantName'"
 
     Write-Host "Removing 'service' (TodoListService-ManualJwt) if needed"
-    Get-AzureADApplication -Filter "DisplayName eq 'TodoListService-ManualJwt'"  | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+    try
+    {
+        Get-AzureADApplication -Filter "DisplayName eq 'TodoListService-ManualJwt'"  | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+    }
+    catch
+    {
+	    Write-Host "Unable to remove the 'TodoListService-ManualJwt' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
+    }
     $apps = Get-AzureADApplication -Filter "DisplayName eq 'TodoListService-ManualJwt'"
     if ($apps)
     {
@@ -70,10 +80,23 @@ Function Cleanup
         Write-Host "Removed TodoListService-ManualJwt.."
     }
     # also remove service principals of this app
-    Get-AzureADServicePrincipal -filter "DisplayName eq 'TodoListService-ManualJwt'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
-    
+    try
+    {
+        Get-AzureADServicePrincipal -filter "DisplayName eq 'TodoListService-ManualJwt'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
+    }
+    catch
+    {
+	    Write-Host "Unable to remove ServicePrincipal 'TodoListService-ManualJwt' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
+    }
     Write-Host "Removing 'client' (TodoListClient-ManualJwt) if needed"
-    Get-AzureADApplication -Filter "DisplayName eq 'TodoListClient-ManualJwt'"  | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+    try
+    {
+        Get-AzureADApplication -Filter "DisplayName eq 'TodoListClient-ManualJwt'"  | ForEach-Object {Remove-AzureADApplication -ObjectId $_.ObjectId }
+    }
+    catch
+    {
+	    Write-Host "Unable to remove the 'TodoListClient-ManualJwt' . Try deleting manually." -ForegroundColor White -BackgroundColor Red
+    }
     $apps = Get-AzureADApplication -Filter "DisplayName eq 'TodoListClient-ManualJwt'"
     if ($apps)
     {
@@ -86,8 +109,15 @@ Function Cleanup
         Write-Host "Removed TodoListClient-ManualJwt.."
     }
     # also remove service principals of this app
-    Get-AzureADServicePrincipal -filter "DisplayName eq 'TodoListClient-ManualJwt'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
-    
+    try
+    {
+        Get-AzureADServicePrincipal -filter "DisplayName eq 'TodoListClient-ManualJwt'" | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.Id -Confirm:$false}
+    }
+    catch
+    {
+	    Write-Host "Unable to remove ServicePrincipal 'TodoListClient-ManualJwt' . Try deleting manually from Enterprise applications." -ForegroundColor White -BackgroundColor Red
+    }
 }
 
-Cleanup -Credential $Credential -tenantId $TenantId
+Cleanup -Credential $Credential -tenantId $TenantId
+

AppCreationScripts/Configure.ps1

@@ -7,6 +7,8 @@ param(
     [string] $azureEnvironmentName
 )
 
+#Requires -Modules AzureAD -RunAsAdministrator
+
 <#
  This script creates the Azure AD applications needed for this sample and updates the configuration files
  for the visual Studio projects from the data in the Azure AD applications.
@@ -187,6 +189,7 @@ Function ConfigureApplications
    $serviceAadApplication = New-AzureADApplication -DisplayName "TodoListService-ManualJwt" `
                                                    -HomePage "https://localhost:44324" `
                                                    -PublicClient $False
+
    $serviceIdentifierUri = 'api://'+$serviceAadApplication.AppId
    Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -IdentifierUris $serviceIdentifierUri
 
@@ -205,28 +208,30 @@ Function ConfigureApplications
     # rename the user_impersonation scope if it exists to match the readme steps or add a new scope
     $scopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
 
-    if ($scopes.Count -ge 0) 
+    # delete default scope i.e. User_impersonation
+    $scope = $serviceAadApplication.Oauth2Permissions | Where-Object { $_.Value -eq "User_impersonation" }
+    if($scope -ne $null)
     {
-        # add all existing scopes first
-        $serviceAadApplication.Oauth2Permissions | foreach-object { $scopes.Add($_) }
-
-        $scope = $serviceAadApplication.Oauth2Permissions | Where-Object { $_.Value -eq "User_impersonation" }
+       # disable the scope
+       $scope.IsEnabled = $false
+       $scopes.Add($scope)
+       Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -Oauth2Permissions $scopes
+
+       # clear the scope
+       $scopes.Clear()
+       Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -Oauth2Permissions $scopes
+    }
 
-        if ($scope -ne $null) 
-        {
-            $scope.Value = "access_as_user"
-        }
-        else 
-        {
-            # Add scope
-            $scope = CreateScope -value "access_as_user"  `
+    if ($scopes.Count -ge 0) 
+    {
+             $scope = CreateScope -value access_as_user  `
                 -userConsentDisplayName "Access TodoListService-ManualJwt"  `
                 -userConsentDescription "Allow the application to access TodoListService-ManualJwt on your behalf."  `
                 -adminConsentDisplayName "Access TodoListService-ManualJwt"  `
                 -adminConsentDescription "Allows the app to have the same access to information in the directory on behalf of the signed-in user."
 
-            $scopes.Add($scope)
-        }        
+                $scopes.Add($scope)
+    
     }
 
     # add/update scopes
@@ -294,7 +299,13 @@ Function ConfigureApplications
    ReplaceSetting -configFilePath $configFile -key "ida:ClientId" -newValue ($clientAadApplication.AppId)
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListResourceId" -newValue ($serviceIdentifierUri)
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListBaseAddress" -newValue ($serviceAadApplication.HomePage)
-  
+   if($isOpenSSL -eq 'Y')
+   {
+        Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
+        Write-Host "You have generated certificate using OpenSSL so follow below steps: "
+        Write-Host "Install the certificate on your system from current folder."
+        Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
+   }
    Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html  
 }
 

AppCreationScripts/sample.json

@@ -1,6 +1,6 @@
 {
   "Sample": {
-    "Title": "How to manually validate a JWT access token using Microsoft identity platform (formerly Azure Active Directory for developers)",
+    "Title": "How to manually validate a JWT access token using the Microsoft identity platform ",
     "Level": 300,
     "Client": ".NET Desktop App (WPF)",
     "Service": "ASP.NET Web API",