Registering the sample apps with the Microsoft identity platform and updating the configuration files using PowerShell
- Open the Azure portal. Navigate to the 'Portal settings' page. Copy and save the Directory ID somewhere for later use.
- Open the Azure portal. Navigate to the 'Subscription' page. Copy and save the Subscription ID under that directory somewhere for later use.
- Download PowerShell, PowerShellGet and the Bicep tool.
- Run PowerShell and navigate to the project directory.
- Run the script to create your Azure AD tenant and enter the parameters (tenantId - Directory ID; subscriptionId - Subscription ID) accordingly. During this process, two pop-ups will appear asking you to enter your identity information.

```powershell
cd .\Scripts\
.\1-authentication.ps1
```
Now you have done the following work by script:
- Create a CIAM tenant.
- Create the app registration with the offline_access and openid permissions under an admin consent grant.
- Create a service principal for the app.
- Create a user flow as the default one.
- Create a customized localization branding as the default one.
- Download PowerShell, PowerShellGet and the Bicep tool.
- Open PowerShell (on Windows, press Windows-R and type PowerShell in the search window).
- Navigate to the root directory of the project.
- Open the Azure portal. Navigate to the 'Portal settings' page. Copy and save the Directory ID somewhere for later use.
- Open the Azure portal. Navigate to the 'Subscription' page. Copy and save the Subscription ID under that directory somewhere for later use.
- From the folder where you cloned the repo, go to the Scripts folder. Run the script to create your Azure AD tenant and enter the parameters accordingly (tenantId - Directory ID; subscriptionId - Subscription ID). During this process, two pop-ups will appear asking you to enter your identity information.

```powershell
cd .\Scripts\
.\1-authentication.ps1
```
- After the creation script has finished, open the Azure portal and navigate to the 'Portal settings' page. Switch to the tenant newly created by the script.
- Copy the link that appears in the PowerShell window and open it in a browser (if you did not switch to the corresponding tenant in the previous step, this step is likely to fail). Copy the Application (client) ID and Directory (tenant) ID, which are used in later steps.
- You can use the JavaScript sample application to test the functionality. Under "ms-identity-javascript-tutorial\1-Authentication\1-sign-in\App", open the authConfig file and replace the Application (client) ID and Directory (tenant) ID as shown in the figure.
- Start the sample application with the lines below in PowerShell. This step requires Node.js to be installed.

```powershell
cd ms-identity-javascript-tutorial\1-Authentication\1-sign-in\App
npm install
npm start
```
- Open your browser and visit http://localhost:3000/. You will see the page shown in the figure (a private browsing window in Edge is recommended).
- Click Sign-in in the top-right corner to start the authentication flow. If you choose 'Have an account? Sign in instead', you will jump into the sign-up flow.
- After filling in your email, one-time passcode and new password, you have completed the whole sign-up flow. The page will show your newly created account information as shown in the figure.
- Click Sign-out in the top-right corner to sign out. The resulting pages are shown below.
- From the folder where you cloned the repo, go to the Scripts folder. Run the cleanup script and enter the parameter accordingly (tenantId - the Directory ID of the tenant you want to delete).

```powershell
cd .\Scripts\
.\1-authentication-cleanup-except-last-CIAM.ps1
```

You will encounter some errors due to issue 2, but the script still works fine to achieve our goal.
- After running the deletion script, all initial checks in the portal should pass except 'Users' and 'User flows', because of issue 4.
- Go back to the 'Deletion tenant' page and click the Refresh button. The Delete button will be enabled after refreshing. You do not need to worry about the 'Delete all user flows' hint, which is due to issue 4. Click the Delete button to complete the last action and delete the tenant.
This sample comes with 5 PowerShell scripts and 1 Bicep file, which automate the creation of the Azure Active Directory tenant and the configuration of the code for this sample. Once you run them, you will only need to build the solution and you are good to test.
These scripts are:
- 1-authentication.ps1, an overall script that combines the following scripts together, except for 1-authentication-cleanup-except-last-CIAM.ps1.
- 1-authentication-setup-context-CIAM.ps1, which:
  - checks and installs the required modules.
  - sets the execution policy and unblocks the scripts so they can run.
  - sets the account context to run the AzAccount PowerShell lines.
- 1-authentication-create-tenant-CIAM.ps1, which uses New-AzResourceGroupDeployment with the Bicep file to deploy the tenant. The tenant is created in a resource group.
- 1-authentication-configurate-app-CIAM.ps1, which:
  - creates the app registration
  - creates a service principal for the app
  - adds the Microsoft Graph permissions offline_access and openid
  - creates the OAuth2 permission grant
  - creates a user flow
  - customizes the branding of the text information
  - creates a summary containing:
    - the identifier of the application
    - the AppId of the application
    - the URL of its registration in the Azure portal.
- 1-authentication-cleanup-except-last-CIAM.ps1, which cleans up the Azure AD objects created by 1-authentication.ps1. Note that this script deletes applications, service principals and user flows and elevates the role, but does not delete the resource group. It prepares for the final Delete click in the portal that deletes the tenant.
1-authentication.ps1 contains resource existence checking logic. It skips the creation step for a resource that already exists, and exits if a creation fails or an error occurs, so you can safely re-run the script. 1-authentication-cleanup-app-CIAM can be re-run as well.
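The app-configuration steps above (app registration, service principal, offline_access and openid permissions, admin consent grant, summary) with the same re-run safety, as an added example written against the Microsoft Graph PowerShell SDK; it is not one of the sample's own scripts. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed, mirrors the sample's tenantId/applicationName parameters as $TenantId/$ApplicationName, and the portal URL pattern in the summary is an assumption.

```powershell
# Added example (not the sample's script): register a test app that asks Microsoft Graph
# for only the openid and offline_access delegated scopes, consent to exactly those,
# and skip every object that already exists so the script can be re-run.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [string]$ApplicationName = 'CIAM Test App'   # same default as the sample
)

# Least-privilege sign-in for the operator: only what the steps below need.
Connect-MgGraph -TenantId $TenantId -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Microsoft Graph's own service principal; this appId is the same in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$wanted  = 'openid', 'offline_access'
# Resolve the scope ids by name from the Graph service principal instead of hard-coding GUIDs.
$scopes  = @($graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -in $wanted })
if ($scopes.Count -ne $wanted.Count) { throw 'Could not resolve all requested Graph scopes' }

# 1. App registration (re-run safe: reuse an app with the same display name).
$app = Get-MgApplication -Filter "displayName eq '$ApplicationName'" | Select-Object -First 1
if (-not $app) {
    $app = New-MgApplication -DisplayName $ApplicationName -SignInAudience 'AzureADMyOrg' `
        -RequiredResourceAccess @(@{
            ResourceAppId  = $graphSp.AppId
            ResourceAccess = @($scopes | ForEach-Object { @{ Id = $_.Id; Type = 'Scope' } })
        })
}

# 2. Service principal for the app.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { $sp = New-MgServicePrincipal -AppId $app.AppId }

# 3. Tenant-wide admin consent, limited to the two scopes above (no broader grant).
$grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and resourceId eq '$($graphSp.Id)'"
if (-not $grant) {
    New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
        -ResourceId $graphSp.Id -Scope ($wanted -join ' ') | Out-Null
}

# 4. Summary like the sample reports: object id, AppId, portal link (URL pattern assumed).
[pscustomobject]@{
    ObjectId  = $app.Id
    AppId     = $app.AppId
    PortalUrl = "https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/$($app.AppId)"
}
```

Re-running the script after the first pass creates nothing new; auditing the resulting grant should show only "openid offline_access" as its scope.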
Mandatory parameters:

| parameters | explanation |
|---|---|
| tenantId | Tenant ID where the subscription ID is located |
| subscriptionID | Subscription ID used to pay for the new tenant |

References:
- Install the Azure Az PowerShell module | Microsoft Learn
- Install the Microsoft Graph PowerShell SDK | Microsoft Learn
- Set-ExecutionPolicy (Microsoft.PowerShell.Security) - PowerShell | Microsoft Learn
Optional parameters:

| parameters | explanation |
|---|---|
| resourceGroupName | Resource Group Name (Default: "ciamtest") |
| tenantPrefix | Prefix for Tenant (Default: "ciamtest" + 5-digit random string) |
| resourceGroupLocation | Location for Resource Group if it is created (Default: "northeurope") |
References:
Mandatory parameter:

| parameters | explanation |
|---|---|
| tenantId | Tenant ID newly created |

Optional parameters:

| parameters | explanation |
|---|---|
| applicationName | Display Name for application (Default: "CIAM Test App") |
| environmentName | Graph environment to use while running the script (Default: "Global") |
References:
- Establish connection: Using Microsoft Graph PowerShell authentication commands | Microsoft Learn
- Create the app registration: Get-MgApplication (Microsoft.Graph.Applications) | Microsoft Learn
- Create a service principal for the app: Get-MgServicePrincipal (Microsoft.Graph.Applications) | Microsoft Learn
- Add the Microsoft Graph permissions offline_access and openid.
- Create the OAuth2 permission grant: Grant tenant-wide admin consent to an application; Grant consent on behalf of a single user by using PowerShell
- Create a user flow (MS Graph API, no available command line): ciam/API#3-CIAM-user-flows.md at main · microsoft-entra/ciam (github.com)
- Customize the experience: Get organizationalBrandingLocalization - Microsoft Graph beta | Microsoft Learn
Mandatory parameter:

| parameters | explanation |
|---|---|
| tenantId | Tenant ID newly created |

Optional parameters:

| parameters | explanation |
|---|---|
| applicationName | Display Name for application (Default: "CIAM Test App") |
| environmentName | Graph environment to use while running the script (Default: "Global") |
References:
- Delete an Azure Active Directory tenant - Microsoft Entra | Microsoft Learn
- Clean up resources and delete a tenant - Azure Active Directory B2C | Microsoft Learn
- Remove applications.
- Remove user flows (MS Graph API, no available PowerShell): ciam/API#3-CIAM-user-flows.md at main · microsoft-entra/ciam (github.com)
- Remove service principals of the app: Remove-AzADServicePrincipal (Az.Resources) | Microsoft Learn
- Remove all users of the tenant.
- Elevate role (API/CLI, no available PowerShell): Elevate access to manage all Azure subscriptions and management groups | Microsoft Learn (issue 1); Global Administrator - Elevate Access - REST API (Azure Authorization) | Microsoft Learn
- Bug 2175335: [Tenant Creation] New-AzResourceGroupDeployment related bugs - Boards (visualstudio.com)
- Bug 2175345: [PowerShell] MS Graph Enterprise Applications Deletion - Boards (visualstudio.com)
- Bug 2175348: [User Flow] Unstable MS Graph user flow API endpoints - Boards (visualstudio.com)
- Bug 2175350: [User Flow PowerShell] Always shows “No user flows found” in the portal - Boards (visualstudio.com)
- Bug 2175371: [Portal] Delete button bug in the portal - Boards (visualstudio.com)
- Bug 2175385: [Branding] No image removal PowerShell - Boards (visualstudio.com)
- Bug 2181319: [Branding PowerShell] API / PowerShell invalid when try to upload the background image - Boards (visualstudio.com)
- Bug 2175410: [PowerShell] Currently only APIs no PowerShell command lines - Boards (visualstudio.com)