@hossambarakat
Created July 9, 2020 02:17
B2C Client Credentials

As a first step you'll need to:

  1. Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
  2. If your account is present in more than one Azure AD tenant, select Directory + Subscription in the menu at the top right corner of the page, and switch your portal session to the desired Azure AD tenant.
  3. In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations (Preview).

Register the service app (TodoList-webapi-daemon-v2)

  1. Navigate to the Microsoft identity platform for developers App registrations page.
  2. Select New registration.
  3. When the Register an application page appears, enter your application's registration information:
    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example TodoList-webapi-daemon-v2.
    • Leave Supported account types on the default setting of Accounts in this organizational directory only.
  4. Select Register to create the application.
  5. On the app Overview page, find the Application (client) ID value and record it for later. You'll need it to configure the Visual Studio configuration file for this project.
  6. Select the Expose an API section, and:
    • On Application ID URI, click Set. Keep the suggested value, for example api://<web api client id>.
    • Click Save.
  7. Select the Manifest section, and:
    • Edit the manifest by locating appRoles. The role definition is provided in the JSON code block below. Leave allowedMemberTypes set to Application only. Each role definition in this manifest must have a different valid GUID for the "id" property.
    • Save the manifest.

The content of appRoles should be the following (the id can be any unique GUID):

{
    ...
    "appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Daemon apps in this role can consume the web api.",
            "displayName": "DaemonAppRole",
            "id": "7489c77e-0f34-4fe9-bf84-0ce8b74a03c4",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "DaemonAppRole"
        }
    ],
    ...
}

Register the client app (daemon-console)

  1. Navigate to the Microsoft identity platform for developers App registrations page.
  2. Select New registration.
    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example daemon-console-v2.
    • In the Supported account types section, select Accounts in this organizational directory only ({tenant name}).
    • Select Register to create the application.
  3. On the app Overview page, find the Application (client) ID value and record it for later. You'll need it to configure the Visual Studio configuration file for this project.
  4. From the Certificates & secrets page, in the Client secrets section, choose New client secret:
    • Type a key description (for instance, app secret).
    • Select a key duration of either In 1 year, In 2 years, or Never Expires.
    • When you press the Add button, the key value is displayed; copy it and save the value in a safe location.
    • You'll need this key later to configure the project in Visual Studio. This key value will not be displayed again, nor is it retrievable by any other means, so record it as soon as it is visible in the Azure portal.
  5. In the list of pages for the app, select API permissions:
    • Click the Add a permission button.
    • Ensure that the My APIs tab is selected.
    • Select the API created in the previous step, for example TodoList-webapi-daemon-v2.
    • In the Application permissions section, ensure that the right permission is checked: DaemonAppRole.
    • Select the Add permissions button.
  6. At this stage the permissions are assigned correctly, but the client app is a daemon with no user interaction, so no consent prompt can be presented in a UI and accepted for the service app. Click the Grant/revoke admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all accounts in the tenant. You need to be an Azure AD tenant admin to do this.
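As an added example (not part of this gist or of the Microsoft sample it describes), the two ends of the setup above in Python: the daemon's client credentials request for the API's .default scope, and the authorisation check the web API must perform on the resulting access token, namely that the token is addressed to the API and carries DaemonAppRole in its roles claim. The ids and secret are placeholders, and the token in the test is constructed for the demo; the check assumes a JWT library has already verified the signature, issuer and expiry.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholders (constructed for the example, not real tenant or app ids).
TENANT_ID = "<tenant id>"
CLIENT_ID = "<daemon-console client id>"
CLIENT_SECRET = "<client secret from Certificates & secrets>"
API_CLIENT_ID = "<web api client id>"
REQUIRED_ROLE = "DaemonAppRole"


def client_credentials_request(tenant_id, client_id, client_secret, api_client_id):
    """Return (token endpoint URL, form body) for the v2.0 client credentials grant.

    A daemon requests the API's .default scope, which resolves to the application
    permissions (app roles) an admin consented to in the portal.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{api_client_id}/.default",
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def has_required_role(access_token, api_client_id, required_role=REQUIRED_ROLE):
    """Authorisation check in the web API, run after signature/issuer/expiry
    validation: the token must be for this API (aud is the client id or the
    api:// Application ID URI) and must list the app role in 'roles'."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    accepted_audiences = {api_client_id, f"api://{api_client_id}"}
    if payload.get("aud") not in accepted_audiences:
        return False
    return required_role in payload.get("roles", [])


def constructed_token(claims):
    """Build an unsigned, constructed JWT for the demo only; a real access token
    is signed by Azure AD and the signature must be verified before this check."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.placeholder-signature"
```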
