Goal here is to document what was done during the deployment.
Azure AD sign-in is required to edit data; reads go through the system (API) token.
Make sure the email attribute is set on each user's properties in AD; the email optional claim is populated from it, so a user without it gets no email claim in the token.
Set up the application API in Azure
  New app registration
    Name: UnitPortalAPI
    Supported account types: single tenant
    Redirect URI (Web): https://unitportalapi.sauss.net/
  Send Devnext the "Application (client) ID".
  Authentication
    Under Implicit grant and hybrid flows, select the "ID tokens" checkbox.
  Certificates & secrets
    Create a new client secret
      Description: UnitPortalWebAPI, expires in 24 months (open item: set a renewal reminder well before expiry; the API stops authenticating once the secret expires)
    Send Devnext the secret value over a secure channel. Copy the "Value" column immediately: it is shown only once, at creation. The "Secret ID" column is only an identifier and cannot be used to authenticate.
  Token configuration
    Add optional claim
      Token type: ID
      Claims: email, family_name, given_name, preferred_username, upn
    Add groups claim
      Check "Security groups"
      Customize token properties by type:
        ID: On premises Group Security Identifier
        Access: On premises Group Security Identifier
        SAML: On premises Group Security Identifier
    Note: with an on-premises attribute selected, only groups synchronized from on-premises AD are emitted; cloud-only groups are not. If a user is in more than 200 groups, the groups claim is replaced by an overage indicator and the API has to look the groups up via Microsoft Graph.
  API permissions
    "Add a permission"
    Choose Microsoft Graph
    Delegated permissions: under OpenId permissions, select email and openid (open item: review the recording to confirm the exact set)
  Expose an API
    Add a scope
      Accept the default Application ID URI (api://<Application (client) ID>)
      Save and continue
      Scope name: access_as_user
      Who can consent? Admins only
      Admin consent display name: User_Read
      Admin consent description: Allows user to read data
      Save
    Add a client application
      Client ID: the one provided by Devnext (the client app being pre-authorized to call this API)
      Tick the authorized scope (access_as_user)
      Add application
Open the front-end UnitPortal app registration
  Authentication
    Under Implicit grant and hybrid flows, uncheck "Access tokens" and "ID tokens".
Now David installed items behind the scenes.
System group testing and issues: not really sure what to write about the troubleshooting they did.
How security is set up:
  Admins need to be in a group mapped to the top level (THQ). A user in a group mapped to THQ has edit access to everything.
  A user mapped to several groups has edit access to those units and everything below them.
  As users log into UP they appear in the User list with the default (read-only) permissions.
  A user in the Tampa group, mapped at location level, can only edit that location and the units below it.
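As an added worked example, not code from the deployment or from Devnext, this shows how the API side can consume the ID-token claims configured under Token configuration above (email must be present, groups carry on-premises SIDs) and apply the unit-scoped rules just described: a mapped group grants edit on its unit and everything below it, THQ grants everything, and anyone else falls back to read. The unit tree, the SID-to-unit mapping and the sample users are assumptions made up for the example. Signature, issuer and audience verification is assumed to be done by the API's authentication middleware before these checks run, so the block only decodes the payload; the "alg none" sample tokens exist purely so it runs offline and must never be accepted by a real service.

```python
import base64
import json

# Hypothetical unit tree (child -> parent); THQ is the top level.
UNIT_PARENT = {
    "THQ": None,
    "Tampa": "THQ",
    "Orlando": "THQ",
    "Tampa-Unit-1": "Tampa",
    "Tampa-Unit-2": "Tampa",
    "Orlando-Unit-1": "Orlando",
}

# Hypothetical mapping from on-premises group SID (what the groups claim carries
# with "On premises Group Security Identifier") to the mapped unit. Made-up SIDs.
GROUP_TO_UNIT = {
    "S-1-5-21-1000000001-2000000002-3000000003-1101": "THQ",
    "S-1-5-21-1000000001-2000000002-3000000003-1102": "Tampa",
}

# Optional claims added on the registration that the API depends on.
REQUIRED_CLAIMS = ("email", "family_name", "given_name", "preferred_username", "upn")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token):
    """Return the JWT payload. Signature, issuer and audience are assumed to
    have been verified by the API's authentication middleware before this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(payload):
    """Constructed test token (alg none, empty signature) for offline use only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


def missing_claims(claims):
    """Required claims that are absent or empty; 'email' is empty when the
    user's mail attribute is not set in AD."""
    return [c for c in REQUIRED_CLAIMS if not claims.get(c)]


def descendants(unit):
    """The unit itself plus every unit below it in the tree."""
    below = {unit}
    for child, parent in UNIT_PARENT.items():
        if parent == unit:
            below |= descendants(child)
    return below


def editable_units(claims):
    """Each mapped group grants its unit and everything below it, so a group
    mapped to THQ grants every unit. Groups with no mapping grant nothing."""
    units = set()
    for sid in claims.get("groups", []):
        if sid in GROUP_TO_UNIT:
            units |= descendants(GROUP_TO_UNIT[sid])
    return units


def authorize(token, unit):
    """Decode, check the claims, and resolve edit/read for one unit.
    A signed-in user without a covering group gets the default, read."""
    if unit not in UNIT_PARENT:
        raise KeyError(f"unknown unit {unit!r}")
    claims = decode_payload(token)
    missing = missing_claims(claims)
    if missing:
        return {"ok": False, "reason": "missing claims: " + ", ".join(missing)}
    if "groups" not in claims and "_claim_names" in claims:
        # Azure AD drops 'groups' and emits an overage indicator when the user
        # is in too many groups; the API must then resolve them via Graph.
        return {"ok": False, "reason": "groups overage, resolve via Microsoft Graph"}
    perm = "edit" if unit in editable_units(claims) else "read"
    return {"ok": True, "user": claims["upn"], "unit": unit, "permission": perm}


# Constructed sample tokens; no real tenant data.
TAMPA_ADMIN = make_unsigned_token({
    "email": "jdoe@example.com", "family_name": "Doe", "given_name": "Jane",
    "preferred_username": "jdoe@example.com", "upn": "jdoe@example.com",
    "groups": ["S-1-5-21-1000000001-2000000002-3000000003-1102"],
})
NO_EMAIL_USER = make_unsigned_token({
    "family_name": "Roe", "given_name": "Rick",
    "preferred_username": "rroe@example.com", "upn": "rroe@example.com",
    "groups": [],
})
```

Calling authorize(TAMPA_ADMIN, "Tampa-Unit-1") returns edit while authorize(TAMPA_ADMIN, "THQ") returns read, matching the location-level rule; authorize(NO_EMAIL_USER, "Tampa") is rejected for the missing email claim, which is the symptom of the AD email attribute not being set.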