More enhancements

.gitignore

@@ -111,3 +111,5 @@ UpgradeLog*.XML
 /WebApp-GroupClaims-DotNet/Web.config.backup.1
 /AppCreationScripts/Steps.md
 /AppCreationScripts/createdApps.html
+/WebApp-GroupClaims-DotNet/App_Data
+*.saz

AppCreationScripts/Cleanup.ps1

@@ -1,7 +1,7 @@
 [CmdletBinding()]
-param(
-    [Parameter(HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
+param(    
     [PSCredential] $Credential,
+    [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
     [string] $tenantId
 )
 

AppCreationScripts/Configure.ps1

@@ -1,7 +1,7 @@
 [CmdletBinding()]
 param(
     [PSCredential] $Credential,
-    [Parameter(HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
+    [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
     [string] $tenantId
 )
 
@@ -97,6 +97,42 @@ Function GetRequiredPermissions([string] $applicationDisplayName, [string] $requ
     return $requiredAccess
 }
 
+# Appends a permission in an existing RequiredResourceAccess object.
+# Exemple: AppendRequiredPermission "Microsoft Graph"  "Graph.Read|User.Read"
+Function AppendRequiredPermission([Microsoft.Open.AzureAD.Model.RequiredResourceAccess] $requiredAccess, [string] $applicationDisplayName, [string] $requiredDelegatedPermissions, [string]$requiredApplicationPermissions, $servicePrincipal)
+{
+    # If we are passed the service principal we use it directly, otherwise we find it from the display name (which might not be unique)
+    if ($servicePrincipal)
+    {
+        $sp = $servicePrincipal
+    }
+    else
+    {
+        $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$applicationDisplayName'"
+    }
+    [string]$appid = $sp.AppId
+
+    # Create a new RequiredResourceAccess object only if it does not belong to the same application as the permission ..    
+    if($requiredAccess.ResourceAppId -ne $appid)
+    {
+        $requiredAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
+        $requiredAccess.ResourceAppId = $appid 
+        $requiredAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
+    }
+
+    # $sp.Oauth2Permissions | Select Id,AdminConsentDisplayName,Value: To see the list of all the Delegated permissions for the application:
+    if ($requiredDelegatedPermissions)
+    {
+        AddResourcePermission $requiredAccess -exposedPermissions $sp.Oauth2Permissions -requiredAccesses $requiredDelegatedPermissions -permissionType "Scope"
+    }
+
+    # $sp.AppRoles | Select Id,AdminConsentDisplayName,Value: To see the list of all the Application permissions for the application
+    if ($requiredApplicationPermissions)
+    {
+        AddResourcePermission $requiredAccess -exposedPermissions $sp.AppRoles -requiredAccesses $requiredApplicationPermissions -permissionType "Role"
+    }
+}
+
 
 # Replace the value of an appsettings of a given key in an XML App.Config file.
 Function ReplaceSetting([string] $configFilePath, [string] $key, [string] $newValue)
@@ -156,13 +192,8 @@ Function ConfigureApplications
     $tenant = Get-AzureADTenantDetail
     $tenantName =  ($tenant.VerifiedDomains | Where { $_._Default -eq $True }).Name
 
-    $perm = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
-    ResourceAppId  = "00000002-0000-0000-c000-000000000000"; # Windows Azure Active Directory/Microsoft.Azure.ActiveDirectory
-    ResourceAccess = [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
-        Id   = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"; #access scope: Delegated permission to sign in and read user profile
-        Type = "Scope"
-        }
-    }
+   $perm = GetRequiredPermissions  -applicationDisplayName "Microsoft Graph" `
+                                   -requiredDelegatedPermissions "User.Read";
    # Create the service AAD application
    Write-Host "Creating the AAD application (TaskTrackerWebApp-GroupClaims)"
    # Get a 2 years application key for the service Application
@@ -177,7 +208,6 @@ Function ConfigureApplications
                                                    -IdentifierUris "https://$tenantName/TaskTrackerWebApp-GroupClaims" `
                                                    -PasswordCredentials $key `
                                                    -RequiredResourceAccess $perm `
-                                                   -GroupMembershipClaims "All" `
                                                    -PublicClient $False
 
 
@@ -204,11 +234,14 @@ Function ConfigureApplications
    $requiredResourcesAccess.Add($requiredPermissions)
 
 
-   # Re-insert the existing Sign-in and read user profile permission to the permissions collection
-   $requiredResourcesAccess.Add($perm)
+   # Re-insert the existing Sign-in and read user profile permission to the permissions collection.
+   AppendRequiredPermission -requiredAccess $requiredPermissions `
+                            -applicationDisplayName "Microsoft Graph" `
+                            -requiredDelegatedPermissions "User.Read";
+
 
    Set-AzureADApplication -ObjectId $serviceAadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
-   Write-Host "Granted ."
+   Write-Host "Granted permissions."
 
    # Update config file for 'service'
    $configFile = $pwd.Path + "\..\WebApp-GroupClaims-DotNet\Web.Config"
@@ -218,6 +251,11 @@ Function ConfigureApplications
    ReplaceSetting -configFilePath $configFile -key "ida:Domain" -newValue $tenantName
    ReplaceSetting -configFilePath $configFile -key "ida:TenantId" -newValue $tenantId
    ReplaceSetting -configFilePath $configFile -key "ida:PostLogoutRedirectUri" -newValue $serviceAadApplication.HomePage
+   Write-Host ""
+   Write-Host "IMPORTANT: Think of completing the following manual step(s) in the Azure portal":
+   Write-Host "- For 'service'"
+   Write-Host "  - Navigate to '$servicePortalUrl'"
+   Write-Host "  - Follow the instructions in Readme oh how to change the manifest to include GroupMembershipClaims."
 
    Add-Content -Value "</tbody></table></body></html>" -Path createdApps.html  
 }

README.md

@@ -92,6 +92,7 @@ If you want to use this automation, read the instructions in [App Creation Scrip
   ...
 }
 ```
+4. To receive the `groups` claim with the objectId of the security groups, make sure that the user accounts you plan to sign-in in is assigned to a few security groups in this AAD tenant.
 
 ### Step 4:  Configure the sample to use your Azure AD tenant
 
@@ -104,7 +105,7 @@ Open the solution in Visual Studio to configure the projects
 1. Open the `WebApp-GroupClaims-DotNet\Web.Config` file
 1. Find the app key `ida:ClientId` and replace the existing value with the application ID (clientId) of the `TaskTrackerWebApp-GroupClaims` application copied from the Azure portal.
 1. Find the app key `ida:AppKey` and replace the existing value with the key you saved during the creation of the `TaskTrackerWebApp-GroupClaims` app, in the Azure portal.
-1. Find the app key `ida:Tenant` and replace the existing value with your Azure AD tenant name.
+1. Find the app key `ida:Domain` and replace the existing value with your Azure AD tenant's domain name.
 1. Find the app key `ida:PostLogoutRedirectUri` and replace the existing value with the base address of the TaskTrackerWebApp-GroupClaims project (by default `https://localhost:44322/`).
 
 ### Step 5:  Run the sample
@@ -121,7 +122,7 @@ To deploy this application to Azure, you will publish it to an Azure Website.
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1.  Click **Create a resource** in the top left-hand corner, select **Web + Mobile** --> **Web App**, select the hosting plan and region, and give your web site a name, for example, `TaskTrackerWebApp-GroupClaims-contoso.azurewebsites.net`.  Click Create Web Site.
-1.Choose "SQL Database", click on "Create a new database", enter "GroupClaimContext" as the **DB Connection String Name**.
+1.Choose **SQL Database**, click on "Create a new database", enter `GroupClaimContext` as the **DB Connection String Name**.
 1. Select or create a database server, and enter server login credentials.
 1. Once the web site is created, click on it to manage it.  For this set of steps, download the publish profile by clicking **Get publish profile** and save it.  Other deployment mechanisms, such as from source control, can also be used.
 1. Switch to Visual Studio and go to the TaskTrackerWebApp-GroupClaims project.  Right click on the project in the Solution Explorer and select **Publish**.  Click **Import Profile** on the bottom bar, and import the publish profile that you downloaded earlier.
@@ -133,9 +134,10 @@ To deploy this application to Azure, you will publish it to an Azure Website.
 ## Code Walk-Through
 
 1. **UserProfileController** - Explore the code in this file on how to fetch a user's directory (App) roles and security group assignments.
-1. **AuthenticationHelper** - It has examples of how to obtain access tokens via the cache or from AAD.
-1. **MSGraphClient** - A small implementation of a client for [Microsoft Graph](https://graph.microsoft.com)
+1. **AuthenticationHelper** - It has examples of how to obtain access tokens from AAD and how to effectivel;y cache them.
+1. **MSGraphClient** - A small implementation of a client for [Microsoft Graph](https://graph.microsoft.com). Includes examples on how to call MS Graph endpoints and how to paginate through results.
 1. **TokenHelper** - This class has the code that shown you how to inspect the '_claim_names' and use the value in '_claim_sources' to fetch the security groups when an overage occurs.
+1. **TasksController** - Contains a few examples of how to use the security groups in the code.
 
 ## Community Help and Support
 

WebApp-GroupClaims-DotNet/Content/Site.css

@@ -22,3 +22,166 @@ select,
 textarea {
     max-width: 280px;
 }
+
+/* styles for validation helpers */
+.field-validation-error {
+    color: #b94a48;
+}
+
+.field-validation-valid {
+    display: none;
+}
+
+input.input-validation-error {
+    border: 1px solid #b94a48;
+}
+
+input[type="checkbox"].input-validation-error {
+    border: 0 none;
+}
+
+.validation-summary-errors {
+    color: #b94a48;
+}
+
+.validation-summary-valid {
+    display: none;
+}
+
+.assign-role {
+    float:left;
+}
+
+.search-hint {
+    width:200px;    
+}
+
+#search {
+    width:300px;
+}
+
+#assign-role {
+    padding-bottom: 20px;
+}
+
+#assign-role-form {
+    padding-right: 20px;
+    display:inline-block;
+    vertical-align:top;
+}
+
+#assign-role-search {
+
+}
+
+.assign-role-label {
+    float:left;
+    width:175px;
+    text-align:right;
+    padding-right: 10px;
+}
+
+#assign-role-select {
+
+}
+
+.search-results-label {
+    width:inherit;
+    text-align:center;
+    border-bottom:solid;
+    border-bottom-width:thin;
+}
+
+#search-results {
+    display:inline-block;
+}
+
+.assign-role-row {
+    padding-bottom:10px;
+}
+
+#submit-button {
+    width:100px;
+}
+
+#assign-role-dropdown {
+    width:100px;
+}
+
+/*####################################*/
+
+.task-text {
+    width:auto;
+}
+
+.task-status {
+    width:auto;
+
+}
+
+.task-owner {
+}
+
+.task-share {
+    font-size:small;
+    float:left;
+}
+
+.share-list {
+    padding-bottom:30px;
+}
+
+.remove-button {
+    border:none;
+    background-color:transparent;
+    color:blue;
+    text-decoration:underline;
+    padding:0px;
+    padding-left:10px;
+}
+
+.task {
+    padding-bottom:10px;
+}
+
+.task-actions {
+    padding-top: 20px;
+
+}
+
+.task-action-label {
+    padding-right:10px;
+    float:left;
+}
+
+.add-task {
+    display:inline-block;
+    padding-bottom:5px;
+}
+
+.add-task-input {
+    float:left;
+    padding-right:10px;
+}
+
+.add-task-input-box {
+    width:190px;
+}
+
+.update-tasks {
+    display:inline-block;
+}
+
+.update-spacer {
+    height:0px;
+    float:left;
+    width:200px;
+}
+
+.share-link {
+    cursor:pointer;
+    color:blue;
+    text-decoration:underline;
+    padding-left:5px;
+}
+