Azure Active Directory – Web app / Api – Step by step

In continuation of my previous blog – Register an app with the Azure Active Directory v2.0 endpoint – demonstrating how to create an Application Type: Web App /API within Azure.

Create Web app / API

    • Step 1: Create
      1. Login to portal.azure.com
      2. Go to Azure Active Directory > App registrations > New Application Registration
      3. In the Name field, give a descriptive name
      4. Choose Web app / API
      5. For Sign-on Url:
        • If you are doing a POC, give a http://localhost:{port number}/
        • If you are planning to host the code on Azure Web App, then provide as follows:  https://{youwebapp}.azurewebsites.net/
      1. Click on Create

    • Step 2: Configure
      1. Once the App is created, click on Settings
      2. Under Keys, we are going to set the “Client Secret”,
        • Enter a Key Name (descriptive)
        • Enter an Expiration Value
        • On Save, the Client Secret will be generated, take a note of it as it gets hidden once you leave the screen.

Now Under Required permissions, based on all available API, set all necessary permissions you need to, please note here that after settings up permissions, you/AAD Admin need to “Grant” them explicitly otherwise it will not work.

    • Step 3: Take Note
      1. Application ID – which is the Client ID
      2. Client Secret as per step 10
      3. Tenant ID => Azure Active Directory > Properties > Directory ID

Web app / API – Usage

In this POC – I am getting the Current User Request [me] using GraphServiceClient.

      1. Download the project (use Nuget Manager to download necessary references).
      2. In the GraphController, update ClientId, ClientSecret, TenantId as per above step 
      3. Update the UriString as per above step 5
      4. Build and run the code
      5. The entry point is the Gettotken responsible for the Authentication  – Access the code using following your local IIS url http://localhost:12345/Graph/Gettoken
A. Get Authorization Code (see the solution for complete code)

AuthenticationContext authContext = new AuthenticationContext(authorityURL, true);
Task redirectUri = authContext.GetAuthorizationRequestUrlAsync(resource, clientId, new Uri(uriString), UserIdentifier.AnyUser, string.Empty);
redirectUri.Wait();
return Redirect(redirectUri.Result.AbsoluteUri);


Please note here that the AbsoluteUri has to match with the UriString otherwise it won’t work – this is an extra layer of security added by Microsoft.
Once successful, it will redirect to the Gettoken method once more to get the access token.
B. Use Authorization Code to request the Access Token (see the solution for complete code)

string code = Request.Params["code"];
ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
Task request = authContext.AcquireTokenByAuthorizationCodeAsync(code, new Uri(uriString), clientCredentials);
request.Wait();
Session["code"] = request.Result.AccessToken;
return RedirectToAction("Index");


Once successful, it will redirect to the Index method for further processing.
C. Use Authorization Code to request the Access Token (see the solution for complete code)

public ActionResult Index(string authenticationCode)
{
string code = (string)Session["code"];
GraphServiceClient graphClient = GetGraphClient(code);

//Get User information [me]
Task meRequest = graphClient.Me.Request().GetAsync();
meRequest.Wait();
           
User resultMeRequest = meRequest.Result;
Response.Write(resultMeRequest.AboutMe);

return View();
}

Register an app with the Azure Active Directory v2.0 endpoint

In order to access Microsoft Planner data like Plans and Buckets, the approach taken was to use GraphServiceClient with C# – let us see the implementation step by step.

Develop line-of-business apps for Azure Active Directory

Registering the application means that developers can use Azure AD to authenticate users and request access to User resources such as email, calendar, documents and office 365 application such as Team, Planner, Graph Api.

Note that in AAD App Registrations, we have 2 types of “Application Type”: 

Develop line-of-business apps for Azure Active Directory
    • Native applications are public clients in OAuth2 parlance. Those apps are meant to run on a device and aren’t trusted to maintain a secret – hence, their entry in the directory does not have the corresponding property. Without a secret, there is no way to assert the identity of the app – hence such apps cannot gain app-level permissions and the portal UX reflects that.
    • Conversely, web apps are, again in OAuth2 parlance, confidential clients. They can get delegated tokens for their users, but they can also use client credentials to get tokens themselves. Native apps can obtain tokens for the user via the OAuth2 authorization grant.

You can find a complete overview of all supported topologies at https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/. Each scenario description point to more implementation-oriented guidance. 

The road ahead

Recently I came across Bill Gates’s first book – The Road Ahead – which he published twenty-five years ago, I was interested to read about the predictions which he made in this book such as:

  • The internet transformation – travelling back in time people were still navigating with paper maps, listened to music on CDs, watched movies on VHS tapes – today the adoption of digital technology to transform services or businesses has engaged billions of people – anytime, anywhere – with smarter experiences.
  • Digital agents or Virtual assistants – Alexa, Cortana, and Siri have already given birth, however, the visionary has envisioned a more powerful technology capable of learning human requirements and preferences in much the way that a human assistant does – grab this opportunity, it’s the equivalent of the goose that lays the golden egg.

It is great to see how technology is helping us in unprecedented progress on COVID-19 – for instance of the innovation on rapid tests, a British company LumiraDx has created a device that’s roughly the size of a thick cell phone, with a card reader at one end. A health care worker takes a sample from a patient, inserts it into the machine, and gets results within 15 minutes.

According to Schumpeter, the process of technological change in a free market consists of three parts: invention (conceiving a new idea or process), innovation (arranging the economic requirements for implementing an invention), and diffusion (whereby people observing the new discovery adopt or imitate it) – in layman’s terms, this means Schumpeter argued that anyone seeking profits must innovate.

Knowledge must be used because it multiplies by spending!