MSA and non MSA accounts can be used now

Tiago Brenck · Tiago Brenck · commit 654db3543048 · 2020-02-21T11:05:43.000-08:00
diff --git a/3.-Web-api-call-Microsoft-graph-for-personal-accounts/AppCreationScripts/Configure.ps1 b/3.-Web-api-call-Microsoft-graph-for-personal-accounts/AppCreationScripts/Configure.ps1
@@ -337,14 +337,15 @@ Function ConfigureApplications
    $configFile = $pwd.Path + "\..\TodoListClient\App.Config"
    Write-Host "Updating the sample code ($configFile)"
    ReplaceSetting -configFilePath $configFile -key "ida:ClientId" -newValue ($serviceAadApplication.AppId)
-   ReplaceSetting -configFilePath $configFile -key "todo:TodoListScope" -newValue ($serviceAadApplication.AppId+"/access_as_user")
+   ReplaceSetting -configFilePath $configFile -key "todo:TodoListScope" -newValue ('https://'+$tenantName+"/TodoListClient-and-Service/access_as_user")
    ReplaceSetting -configFilePath $configFile -key "todo:TodoListBaseAddress" -newValue ($serviceAadApplication.HomePage)
    Write-Host ""
    Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
    Write-Host "IMPORTANT: Please follow the instructions below to complete a few manual step(s) in the Azure portal":
    Write-Host "- For 'service'"
    Write-Host "  - Navigate to '$servicePortalUrl'"
    Write-Host "  - Navigate to the Authentication blade, click 'Add a platform' then check the option https://login.microsoftonline.com/common/oauth2/nativeclient" -ForegroundColor Red 
+   Write-Host "  - Navigate to the Expose an API blade and change the Application ID URI to use the https pattern. i.e. https://<tenant_domain>/<app_name>" -ForegroundColor Red 
    Write-Host "  - Navigate to the Manifest page and change 'signInAudience' to 'AzureADandPersonalMicrosoftAccount'." -ForegroundColor Red 
    Write-Host "  - Navigate to the Manifest page and change 'accessTokenAcceptedVersion' to 2." -ForegroundColor Red 
    Write-Host "  - [Optional] If you are a tenant admin, you can navigate to the API Permisions page and select 'Grant admin consent for (your tenant)'" -ForegroundColor Red 
diff --git a/3.-Web-api-call-Microsoft-graph-for-personal-accounts/AppCreationScripts/sample.json b/3.-Web-api-call-Microsoft-graph-for-personal-accounts/AppCreationScripts/sample.json
@@ -32,6 +32,9 @@
         {
           "Comment": "Navigate to the Authentication blade, click 'Add a platform' then check the option https://login.microsoftonline.com/common/oauth2/nativeclient"
         },
+        {
+          "Comment": "Navigate to the Expose an API blade and change the Application ID URI to use the https pattern. i.e. https://<tenant_domain>/<app_name>"
+        },
         {
           "Comment": "Navigate to the Manifest page and change 'signInAudience' to 'AzureADandPersonalMicrosoftAccount'."
         },
@@ -83,7 +86,7 @@
         },
         {
           "key": "todo:TodoListScope",
-          "value": "service.AppId+\"/access_as_user\""
+          "value": "'https://'+$tenantName+\"/TodoListClient-and-Service/access_as_user\""
         },
         {
           "key": "todo:TodoListBaseAddress",
diff --git a/3.-Web-api-call-Microsoft-graph-for-personal-accounts/README.md b/3.-Web-api-call-Microsoft-graph-for-personal-accounts/README.md
@@ -127,7 +127,7 @@ As a first step you'll need to:
     it, users will be presented a consent screen enabling them to consent to using the web api.
 1. Select the **Expose an API** section, and:
    - Select **Add a scope**
-   - accept the proposed Application ID URI (api://{clientId}) by selecting **Save and Continue**
+   - Change the Application ID URI to the https pattern, [check AzureADandPersonalMicrosoftAccount restrictions](https://docs.microsoft.com/en-us/azure/active-directory/develop/supported-accounts-validation), (https://{tenant-domain}/{app-name}) and select **Save and Continue**.
    - Enter the following parameters
      - for **Scope name** use `access_as_user`
      - Keep **Admins and users** for **Who can consent**
@@ -179,7 +179,7 @@ Note: if you used the setup scripts, the changes below will have been applied fo
 
 1. In the *TodoListClient* project, open `App.config`.
 1. Find the app key `ida:ClientId` and replace the value with the ApplicationID (Client ID) for the *TodoListClient-and-Service* app copied from the app registration page.
-1. Find the app key `todo:TodoListScope` and replace the value with `<ClientId>/access_as_user`, i.e `986b487b-6dc0-492c-8b18-6224e35c5096/access_as_user`.
+1. and replace the value with the scope of the TodoListClient-and-Service application copied from the app registration in the **Expose an API** tab, i.e `https://contoso.onmicrosoft.com/TodoListClient-and-Service/access_as_user`.
 1. [Optional] If you changed the default URL for your service application, find the app key `todo:TodoListBaseAddress` and replace the value with the base address of the TodoListService project.
 
 ### Step 4: Run the sample
@@ -259,11 +259,12 @@ There is one change in the WebApp.Config, and one thing to check
     <add key="ida:Tenant" value="common"/>
     ```
 
-- the thing to draw your attention to, is that you now have the same client ID (Application ID) for the client application and the service. This is not usually the case, which is why your attention is especially drawn here. Therefore the GUID used in `ida:ClientId` is the same as the one used in the Application ID URI for the service: `todo:TodoListScope`
+- The thing to draw your attention to, is that you now have the same client ID (Application ID) for the client application and the service. This is not usually the case, which is why your attention is especially drawn here.
+- The scope must use the https pattern, because of [AzureADandPersonalMicrosoftAccount restrictions](https://docs.microsoft.com/en-us/azure/active-directory/develop/supported-accounts-validation)
 
     ```XML
     <add key="ida:ClientId" value="01234567-89ab-cdef-0123-456789abcdef"/>
-    <add key="todo:TodoListScope" value="01234567-89ab-cdef-0123-456789abcdef/access_as_user"/>
+    <add key="todo:TodoListScope" value="https://contoso.onmicrosoft.com/TodoListClient-and-Service/access_as_user"/>
     ```
 
 ### Have the client let the user consent for the scopes required for the service
diff --git a/3.-Web-api-call-Microsoft-graph-for-personal-accounts/TodoListClient/App.config b/3.-Web-api-call-Microsoft-graph-for-personal-accounts/TodoListClient/App.config
@@ -29,7 +29,7 @@
         for instance <GUID>/access_as_user, where  <GUID> is the
         clientId of the application, created in the https://portal.azure.com portal.
     -->
-    <add key="todo:TodoListScope" value="[Enter_client_ID_Of_TodoListClient-and-Service_from_Azure_Portal,_e.g._01234567-89ab-cdef-0123-456789abcdef]/access_as_user"/>
+    <add key="todo:TodoListScope" value="[Enter_the_scope_of_TodoListClient-and-Service_registered_in_Azure_Portal,_e.g._https://contoso.onmicrosoft.com/TodoListClient-and-Service/access_as_user"/>
     <add key="todo:TodoListBaseAddress" value="https://localhost:44351/" />
   </appSettings>
 </configuration>

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,9 @@`
`32`	`32`	`{`
`33`	`33`	`"Comment": "Navigate to the Authentication blade, click 'Add a platform' then check the option https://login.microsoftonline.com/common/oauth2/nativeclient"`
`34`	`34`	`},`
	`35`	`+ {`
	`36`	`+ "Comment": "Navigate to the Expose an API blade and change the Application ID URI to use the https pattern. i.e. https://<tenant_domain>/<app_name>"`
	`37`	`+ },`
`35`	`38`	`{`
`36`	`39`	`"Comment": "Navigate to the Manifest page and change 'signInAudience' to 'AzureADandPersonalMicrosoftAccount'."`
`37`	`40`	`},`
`@@ -83,7 +86,7 @@`
`83`	`86`	`},`
`84`	`87`	`{`
`85`	`88`	`"key": "todo:TodoListScope",`
`86`		`- "value": "service.AppId+\"/access_as_user\""`
	`89`	`+ "value": "'https://'+$tenantName+\"/TodoListClient-and-Service/access_as_user\""`
`87`	`90`	`},`
`88`	`91`	`{`
`89`	`92`	`"key": "todo:TodoListBaseAddress",`