Add PowerShell workflow header and edit Graph admin consent property …
…to 'expiryTime' to resolve error.
nickpinheiro committed Sep 26, 2022
1 parent 14d1f53 commit d9510a9
Showing 1 changed file with 33 additions and 29 deletions.
62 changes: 33 additions & 29 deletions src/Saas.Identity/Saas.IdentityProvider/scripts/B2C-Create.ps1
@@ -1,16 +1,35 @@
<#
.SYNOPSIS
The script will create the Identity Framework required for the Azure SaaS Development Kit (ASDK)
.DESCRIPTION
The ASDK uses Azure Active Directory B2C for an IdP (Identity Provider). The first step in setting up this project is to configure a new Azure AD B2C instance to house your local user accounts. You will also need to deploy the Permissions API, as Azure AD B2C will have a dependency on it. To setup the Identity Framework, we have provided an interactive PowerShell script that automates the setup for you by calling the necessary Microsoft Graph API endpoints. Upon running, it will ask you to sign into your home azure account, ask you a few questions, and then begin the setup process. This PowerShell script will output a parameters file that you’ll need to provide when deploying the solution to Azure in step 2.b.
.INPUTS
The following are sample inputs to prepare for running the script:
B2CTenantName = "asdk001"
B2CTenantLocation = "United States"
CountryCode = "US"
AzureResourceLocation = "eastus"
IdentityFrameworkResourceGroupName = "rg-asdk-dev-001"
SaasEnvironment = "dev"
ProviderName = "asdk"
InstanceNumber = "001"
SqlAdministratorLogin = "sqladmin"
SqlAdministratorLoginPassword = "P@ssW0rD!"
.OUTPUTS
Upon script completion this script will output a parameters.json file that is required for step 2.b
.NOTES
Windows PowerShell and PowerShell Core are supported.
Microsoft.Graph PowerShell module needs to be installed.
Azure CLI needs to be installed and authenticated for the owning tenant.
Usage:
dot-source in a PS script: . ./Create-AzureB2C.ps1
invoke individual functions, or the main one: Initialize-B2CTenant -B2CTenantName mytenant -ResourceGroupName myrg -Location "Europe" -CountryCode "CZ"
#>

#### Settings ####
$ErrorActionPreference = "Stop"
#### /Settings ####


# Windows PowerShell and PowerShell Core are supported.
# - Microsoft.Graph PowerShell module needs to be installed.
# - Azure CLI needs to be installed and authenticated for the owning tenant.
#
# Usage:
# - dot-source in a PS script: . ./Create-AzureB2C.ps1
# - invoke individual functions, or the main one: Initialize-B2CTenant -B2CTenantName mytenant -ResourceGroupName myrg -Location "Europe" -CountryCode "CZ"

function New-SaaSIdentityProvider {
[CmdletBinding()] # indicate that this is advanced function (with additional params automatically added)
param (
Expand Down Expand Up @@ -56,12 +75,10 @@ function New-SaaSIdentityProvider {
-SaasAppFQDN $userInputParams.SaasAppFQDN `
-CurrentB2CUserId $currentB2CUser.Id `


# Create Api Key
$permissionsApiKey = Get-RandomPassword -Length 32

# Deploy Bicep here

Invoke-IdentityBicepDeployment `
-IdentityFrameworkResourceGroupName $userInputParams.IdentityFrameworkResourceGroupName `
-B2CDomain "$($userInputParams.B2CTenantName).onmicrosoft.com" `
Expand All @@ -76,7 +93,6 @@ function New-SaaSIdentityProvider {
-SqlAdministratorLogin $userInputParams.SqlAdministratorLogin `
-SqlAdministratorPassword $userInputParams.SqlAdministratorLoginPassword `


#Create Signing and Encrpytion Keys
$trustFrameworkKeySetSigningKeyId = New-TrustFrameworkSigningKey
$trustFrameworkKeySetEncryptionKeyId = New-TrustFrameworkEncryptionKey
Expand All @@ -96,8 +112,6 @@ function New-SaaSIdentityProvider {

Import-IEFPolicies -configTokens $configTokens



# Output parameters.json
$outputParams = [ordered]@{
'$schema' = "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"
Expand All @@ -121,9 +135,7 @@ function New-SaaSIdentityProvider {
saasInstanceNumber = @{ value = $userInputParams.InstanceNumber }
sqlAdministratorLogin = @{ value = $userInputParams.SqlAdministratorLogin }
sqlAdministratorLoginPassword = @{ value = ConvertFrom-SecureString -SecureString $userInputParams.SqlAdministratorLoginPassword -AsPlainText }

}

}

Write-OutputFile -OutputParams $outputParams
Expand Down Expand Up @@ -171,6 +183,7 @@ function Invoke-Login {
}

}

function Get-UserInputParameters {

$userInputParams = @{
Expand Down Expand Up @@ -203,7 +216,6 @@ function Get-UserInputParameters {
-SqlAdministratorLoginPassword $userInputParams.SqlAdministratorLoginPassword `

return $userInputParams

}

# Validate Input Parameters
Expand Down Expand Up @@ -246,8 +258,6 @@ function Confirm-UserInputParameters {

[Parameter(Mandatory=$true)]
[securestring] $SqlAdministratorLoginPassword


)
return
}
Expand All @@ -274,7 +284,6 @@ function New-AzureADB2CTenant {

# Under which Azure resource group will this B2C tenant reside.
[string] $AzureResourceGroup

)

$aadProviderRegState = $(az provider show -n Microsoft.AzureActiveDirectory --query "registrationState" -o tsv)
Expand Down Expand Up @@ -368,8 +377,6 @@ function New-AzureADB2CTenant {
return $tenantGuid
}



function New-TrustFrameworkSigningKey {
Write-Host "Creating new signing key..."
$trustFrameworkKeySetName = "TokenSigningKeyContainer"
Expand Down Expand Up @@ -524,7 +531,6 @@ function Invoke-IdentityBicepDeployment {
[string] $SaasInstanceNumber,
[string] $SqlAdministratorLogin,
[securestring] $SqlAdministratorPassword

)

$params = @{
Expand Down Expand Up @@ -554,7 +560,6 @@ function Invoke-IdentityBicepDeployment {

}


# Helper Function called by Install-AppRegistrations
function New-AppRegistration {
param (
Expand Down Expand Up @@ -666,6 +671,7 @@ function New-SPAppRoleAssignment {
}

}

function New-UserAppRoleAssignment {
param(
[Parameter(Mandatory = $true, HelpMessage = "The identifier of the application that consent is being granted on.")]
Expand All @@ -691,6 +697,7 @@ function New-UserAppRoleAssignment {
If not, you will need to manually grant consent in the B2C Admin portal. Error: $_"
}
}

# Helper Function called by Install-AppRegistrations
function New-AdminConsent {
param(
Expand Down Expand Up @@ -720,8 +727,7 @@ function New-AdminConsent {
ResourceId = $ApiObjectId
Scope = $ApiScopes -Join " " #"tenant.delete tenant.write tenant.global.delete tenant.global.write tenant.read tenant.global.read"
StartTime = $StartTime
ExpiryTime = $ExpiryTime

expiryTime = $ExpiryTime
}

$permissionGrant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($ClientObjectId)' and resourceId eq '$($ApiObjectId)'and ConsentType eq 'AllPrincipals'" -Top 1
Expand Down Expand Up @@ -1089,7 +1095,6 @@ function Install-AppRegistrations {
IEFProxyAppReg = $iefProxyAppReg
}
}

function ConvertTo-AzJsonParams {
param(
[Parameter(Mandatory = $true)]
Expand All @@ -1104,7 +1109,6 @@ function ConvertTo-AzJsonParams {

}


# Outputs parameters.json file with the information from the b2c setup.
function Write-OutputFile {
param (
Expand Down Expand Up @@ -1153,4 +1157,4 @@ function Get-RandomPassword {
return (-join $result)
}

New-SaaSIdentityProvider
New-SaaSIdentityProvider
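Review bot: The renamed key at `expiryTime = $ExpiryTime` in New-AdminConsent leaves the grant body with mixed casing (`ResourceId`, `Scope`, `StartTime` stay PascalCase), so the fix reads as accidental and is likely to be "normalized" back by the next maintainer; either rename the remaining keys to the Graph oAuth2PermissionGrant property names (`clientId`, `consentType`, `resourceId`, `scope`, `startTime`, `expiryTime`) or add `# keep camelCase: 'ExpiryTime' caused a Graph request error (see commit message)` above the line. On the filter line below it, `'$($ApiObjectId)'and ConsentType` is missing the space before `and`; it may parse today but is fragile, and the interpolated IDs should be values obtained from Graph rather than free-form input since they are spliced into an OData filter unescaped. In the hunk around `sqlAdministratorLoginPassword = @{ value = ConvertFrom-SecureString ... -AsPlainText }` the SQL admin password is written in clear text into parameters.json; this predates the commit, but the output file should be handled as a secret (restricted permissions, excluded from source control) or the value supplied at deployment time instead. New-AdminConsent's body starts and ends outside the hunk.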
