IrrwlSrk mz

Th

Hey any idea how to make this app a dashboard for monitor my tenant security and compliance ? i can extract the data from graph API security and azure ad but I don't know whats the right logic / architecture to do I my app??

@@gadour97 Do you want to convert this app to a dash board? If you want to prepare dashboard, you can use Tableu or Power BI which are best visual representation tools.

in case you already posted how to CRUD up and MSAL with angular +node.js API i`d love it!!!! thanks in advance.

Thanks for your words. It motivates me a lot in making content like this :-)

just had a query how can we do SSO using jwt.. any reference on that

Thanks a lot for coming to my channel and thanks to your friend too for suggesting. I make video tutorials on Azure, .Net and angular. Please subscribe if your have not subscribed yet.

Do you have any video how to protect access to angular frontend depends on azure ad roles?

@@davorinkocbek4779 I dont have one. But you have to implement Angular Guard to protect your routes. Here in this video also we have used roles, Guard (MSALGuard - default azure one) but that is on API.

Have you ever used quarkus as backend api? I have registered 2 applications (backend api and frontend angular) in azure as you did in your video. But response from backend to angular frontend is 401.

@@davorinkocbek4779 I am sorry. I am primarily a .Net senior Fullstack developer. I think quarkus is related to Java and I dont have idea on that.

Thank you. There are more in the channel. Please take a look and subscribe if they are relevant to you. Here is the link - kzbin.info/door/jT5Tn4qMkVkSYeP-L6gLVwvideos

did you find any fix for this?

Thanks for the feedback. Right now I dont have any videos which shows angualr refresh token with Azure AD. will make video soon.

In your app registration authentication section, add All microsoft accounts as Identity provider. This video may help - kzbin.info/www/bejne/qZWZoaCjg75khrs Please subscribe to the channel, if you have not subscribed yet. Thank you.

Thanks for the feedback. I will do it in the future videos. This video was created after many other videos which have explanations. So I thought telling the same point again and again will be redundant and waste viewers time. However, I will try to fix it. Thanks

you can get the logged in user account details by using this.authService.instance.getAllAccounts()[0]. Please refer to the github code. It will return account info object and from that you can get all the related roles of the user. Based on that you can hide the link. Please subscribe to the channel if you have not subscribed yet. Thank you.

@@azureteachnet Hello, does it mean even at angular app reg we need to create an app role and assign to user? Same like we did for web api side?

@@dhee26 Roles do exist only for Apis. You should not add them to client applications unless you are using the client app registration for an api too... Please subscribe to the channel if you have not subscribed yet. Thanks.

@@azureteachnet ok well noted. but as you mentioned on this first comment once we get account details you can get the roles of the user, this details actually from angular app right (which do not have roles) ? Currently roles do define at API app registration, how to get information about the roles from angular app? (In order to define hide/show for some links)

I have not added this to Git Repo yet. Will share it soon. Thank you for your interest.

yes please add it!!!

Here is the source code - github.com/AzureTeachNet/AzureTeachTutorials/tree/Angular_WebAPI_AzureAD_Authentication_Authorization

In this video, for home page, in routes module, I have not added MSALGuard. If we add MSALGuard on the route, it should redirect to the login page.

@@azureteachnet Thanks you very much, do you have any tutorial where you have angular app which gets the jwt token and pass it to the API, and how token refresh works like after 1 hour if token expires how to get the refreshed token and pass it to the api as part of the request, and in order to get token how to access azure key vault for client secret in angular app ?

@@vijenderreddy1475 I have Web api tutorial with jwt and refresh token.I have a video on Azure key vault too. not the angular one. In future, I will create a video for angular with jwt.

No

Thanks a lot for taking time in providing the feedback in a constructive way. Sorry for the annoying bell sound. Actually I have added that because of desperation. Viewers are appreciating my content in comments and in likes however, forgetting to subscribe to the channel. So I thought of reminding them in every important moment of the video 🙂 . Sorry for that. I will reduce adding them. Regarding MSAL redirect Component - In the demo, we have used Redirect based Azure Ad for angular. MSAL is the library to add Azure Ad to angular app and we are using Redirect Based AzureAd so we used MSALRedirectComponent. App-Redirect - This is needed in the index.html. As we are using Azure AD we must include its related components. It is like, I am a .net guy. If I want to use Azure AD in .net core I must add Azure related dlls to my project. It is also the same. There are more azure videos in my channel. Please take a look and if you feel they are relevant, please subscribe 🙂 .

@@azureteachnet Thanks for acknowledgement and response. Can you please help me in understanding scopes and what if I don't want to decorate controller with scopes

@@kanupriyagoel2257 using scopes we can make the api granular and give the permissions. You can understand it like Roles are for the users and scopes are for the applications. Assume from a .net client app you are trying to access an api. first of all, the client app should be known to your api. there can be multiple client apps which can access the api. assume, there are 3 clients. each client can access a specific controller only and it cannot access other controllers. we can use scopes to restrict the client apps. Here is a video in which I demoed using scopes on different client applications for an api - kzbin.info/www/bejne/poSUmXiIaZuDh6s

Once the user logs in to the angular app using azure ad, azure returns the token. It will be preserved in browser cache. As we have mentioned the Web Api scope in app.module.ts , azure includes claims related to the api in token. When angular app send request to the api, MSAL interceptor (we have mentioned it in app.module.ts) includes the token in request header. As we have used azure AD at web api end too, it decodes the token and authenticates the user.

@@azureteachnet makes sense. Thanks a lot brother.

If your question is on Front End, you can see the method which is in MSAL. If it is API, you can use Identity User Object to see the claims or even ITokenAquisation to get the entire token itself which you can decode using JWT classes.

This is angular code let allAccounts = this.msalService.instance.getAllAccounts(); if (allAccounts.length > 0) { let account = allAccounts[0]; let roles = account.idTokenClaims.roles; }

@azureteachnet yes! I have two apps, a frontend and a backend, but I declared the roles in the backend according to the docs, then I get the token in the frontend, I need it there, but the roles are not being received :(

@@franciscosalazar8116 check if you are using proper scope while generating the token.

sure. I will give a try in my machine and if it works share you the code over github.

Creating roles and assigning them is shown in video. If you want to create the users, Go to Active directory in azure portal, click on Users tab (left side menu). In that you can create users.

@@azureteachnet thanks I will have a re-look. Already watched the video twice. Appreciate your efforts.

I have a plan to post a video in future. Thanks.

can you please eloborate.

Thanks for your feedback. Do you need the flow of the components, that has been shown in this video or azure front end and backend?

@@azureteachnet Yes, all of this. For example how frontend communicate with Azure AD when user try to login, what is happening in the background when we try to login, how Azure AD know which user is trying to login, things like that. Can you draw or explain entire logic?

@@aleksastokanic4221 I hope you know how JWT authentication works. Please refer this kzbin.info/www/bejne/aqqTpJpvpNKEa6c 12 minute video, if you dont know that. This entire flow use JWT authentication with oAuth2.0. Every application, which uses Azure AD authentication is identified with a client ID (Id of app registration). When the user access the application which has Azure AD authentication, it will redirect the user to the azure login page. Once user provides the credentials, azure generates the JWT token and returns it back to the application. How this work? - When the application redirect the user to azure login page, It sends ClientId, Scope and credential type as parameters. Scope means, the criteria that azure needs to consider while generating the token. For example, In an organization, it can have 100s of apis. However, the client application (here angular app) may need to access only few apis. Based on the scope, azure will limit the scopes in the token generation. IF YOU DECODE THE TOKEN OF AZURE, you can easily understand what I mean. In this example, angular app is passing scopes of azure graph api and web api. so it passed two scopes. If this client app is authorized to access these two apis, Azure validates them and generates the token with a scope array of these two apis. Here is the key thing is, most of the information that is needed is embedded inside the token itself. so once the token is generated and it will be returned to the client app and it stores the token in the local storage. Client app uses the token to call the downstream apis. I know it is lengthy answer. There is more I can explain. Please let me know If you want me to make a video. Thanks

@@azureteachnet Thank you mate for this!! Now it's clear!

​@@azureteachnetcan you plz shortly explain how to use that token to call an api?

yup. If you use Azure AD on API, you have to use MSAL on client side. You can write your own logic to call Azure AD authorize end point to get the token, however it is a kind of re-inventing the wheel. Please subscribe to the channel, if you have not subscribed yet.

@@azureteachnet thank you

Thanks for the feedback. That is msal component. Please check github.com/AzureTeachNet/AzureTeachTutorials/blob/Angular_WebAPI_AzureAD_Authentication_Authorization/azuread-angular-demo/src/index.html file. you have to add it in index.html. Please subscribe to the channel if you have not subscribed yet. Thanks.

what it is showing in console?

sure. will create a video soon.

Here is the video - kzbin.info/www/bejne/oKfCp5xnfJuYfaM . Please watch it if you are still looking for it. Also please subscribe to the channel. Thank you.

@@azureteachnet Yes, thank you!

could you please let me know what you are looking for in .net 6. I will create tutorial. I am creating tutorials on .net 5 or .net 3.1 because most of the big enterprises are still using it. 🙂

github.com/AzureTeachNet/AzureTeachTutorials/tree/Angular_WebAPI_AzureAD_Authentication_Authorization This is complete code of the video which has both backend and UI. Please subscribe to the channel if you have not subscribed yet. Thanks

we can, but not recommended. Also, it depends on the way you are developing/configuring. App registrations are free and it is better to create an app registration for each app

@@azureteachnet quick response, thank you so much.

@@azureteachnet if I download your code from git repo and make necessary changes for app regis part, then it will work with single app regis ?

@@tipsandhacksbygaurav nope. It need two app registrations. Also , you have to configure app registrations with roles, authentication url etc. may I know what preventing you in creating a separate app registration for each app.

Are you trying out this demo using regular .net or with .net core. If your project is not .net core, Startup.cs may not be there. Please check your project .net framework. In the video, the changes related to Startup.cs is there. I will add this project to Git by Monday and let you know.

Changing token life time may need Azure AD Premium license. Here is the information - docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes "request to authorize on a specific api" - Do you mean adding authorization globally for entire api? We can specify the authorization, On an Action, On a Controller and at complete API level too. You can create a custom authorization filter or define a policy. Or even create a base controller and inherit all your controllers from it. Decorate your base controller with Authorize filter with roles. This will ensure that all your controllers can only be accessed if the user has certain roles.

@@azureteachnet Thanks a lot for your reply. But I have some more questions, if you can answer them I would be very grateful 1. Why do we need 2 redirectUri: one in Azure and one in Angular code? What can we do if we have multiple environments (dev, stage, live)? 2. Is the permission "User.Read" from Api permissions needed if I've created custom roles for the users? 3. Why do we need 2 app registrations (the WebApiAzureAngularDemoApp and angularazureadapp) and I didn't understand why we need a scope if we create custom roles? 4. Can we somehow get the roles from Azure in Angular? I have tried some methods, but I only managed to get the name, username, scopes and all other configs, but not the roles 5. Can we update more directly the user roles in app when changing/deleting/adding a role in User roles in Azure? Cuz now if I change a role I need to logout and clear cache and login again so that the roles are updated with the last changes.

@@ramonastoica9042 1. Understand it with a scenario. Your angular app exposes client Id which anybody can read from the url. If any malicious person want to use the same app id he can do so. Then we can make azure AD to redirect to any web site we want. Assume, actual website is www.abc.com. an malicous person want to redirect the request to www.xyz.com. he can easily do it. To avoid it, we must set the redirect uri. Azure will validate the url and check if it is the same url that is configured in it or not. Otherwise simply returns an error.

@@ramonastoica9042 2. It all depends on your need. This video has the use of Azure Graph API. With Every App registration, by default you will get User.Read permission with in app registration. If you dont need it, you can remove it.

​@@ramonastoica9042 3. General rule of thumb - number of app registrations = number of applications which uses Azure AD. However we can use a few app registrations for all the applications which is not recommended. Scope is needed because, Azure needs to validate the app which is accessing it. Other thing is, Assume your organization has 1000 applications and all of them have various roles defined in azure. A user, may be an admin user who has access to all the applications. Now user login to Application-1. How will azure know which roles to include in the access token (jwt)? It cannot include roles of 1000 apps rite? So it will check the scope and based on the scope it will include the roles which are specific to that application. You can assume like , Roles are for the users and scopes are for the client applications. You can check this video - kzbin.info/www/bejne/poSUmXiIaZuDh6s . It has web api authentication and authorization using Azure AD and the client applications which has scopes

I worked on Java for sometime but too less. I am primarily a dotnet developer/lead from past 11 years. If I have to create a video on quarkus, I need to spend time in learning the basics instead of directly creating a tutorial 😁

You dont have to learn quarkus 🙂 Angular part is enough for me to try Azure SSO. Btw, is it possible to automatically redirect an unauthenticated user to the MS login page when a user visit the site (without clicking the login button)?

@@matjazhafner2000 yes. we can do that. In this video, in routes module, I did not add MSALGuard to Home route. so it is not redirecting to login. But If you add MSALGuard to any route, if somebody who is not logged and open the page, it will redirect to login page.

Thank you. I will try. I am choosing between MSAL and angular-oauth2-oidc library. I dont have much experiences with Azure SSO so I need to find a proper library which will suit my needs.

Is it possible to get the name of logged in user without calling the graph/me endpoint? I would like to display the name of logged in user in page header. What would be the best way to do that (another Subject like isUserloggedIn in app.component.ts)?

Clear the browser cache and try again. Also check, if you have added MSAL guard on the landing page.

please check the configuration in app.module.ts. Did you add it in protected resource map. Please comapre with github code and let me know if you still face the issue.

@@azureteachnet All looks good, Infact the User Profile information is working and I am getting that data, but just the Profile Pic endpoint is erroring out with 401

@@naresh1253 are you using Azure AD B2C?

sure

Even I am thinking to create a video on that. Soon will upload. Please subscribe to the channel if you have not subscribed yet. Thanks.

@@azureteachnet subscribed

.Net 5. you can use the same code in 6 as well.

Sure. By Monday, I will share the github link

Here is the source code - github.com/AzureTeachNet/AzureTeachTutorials/tree/Angular_WebAPI_AzureAD_Authentication_Authorization