Rename Azure AD to Microsoft Entra ID in non code section #729

2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -6,7 +6,7 @@

## All Samples in This Repo

### Azure Active Directory
### Microsoft Entra ID

| Sample Project | Support Spring Cloud Azure 4.x | Support Spring Cloud Azure 5.x |
|------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|--------------------------------|
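Review bot: renaming the `### Azure Active Directory` heading also changes the anchor GitHub generates for it (`#azure-active-directory` becomes `#microsoft-entra-id`), so any link in this repo or in external docs that targets the old anchor stops jumping to this section without any error; grep the repo for `#azure-active-directory` before merging and update or redirect those links.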
Expand Up @@ -23,7 +23,7 @@ This sample illustrates how to use `spring-cloud-azure-starter-active-directory-


### Create and consent Application and Delegated permissions
1. On the **Azure AD B2C** Portal, select the application that requires roles to be added, select **Manifest**.
1. On the **Azure Active Directory B2C** Portal, select the application that requires roles to be added, select **Manifest**.
2. Find the `appRoles` configuration item, and add the following configuration, then click the **Save** button.
```json
{
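Review bot: the replacement on the `Azure AD B2C` line goes the other way from the PR title: it expands the abbreviation to `Azure Active Directory B2C` rather than moving to the Entra naming, so the file ends up with a pre-rename spelling next to hunks that switch to Microsoft Entra ID. Either keep `Azure AD B2C` as it was, or state in the PR description that B2C deliberately keeps a separate product name, so the convention is clear to the next editor.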
Expand Up @@ -4,8 +4,8 @@ spring:
cloud:
azure:
# Properties like spring.cloud.azure.credential.client-id are global properties.
# Properties like spring.cloud.azure.active-directory.credential.client-id are AAD properties.
# If AAD properties is not configured, global properties will be used.
# Properties like spring.cloud.azure.active-directory.credential.client-id are Microsoft Entra ID properties.
# If Microsoft Entra ID properties is not configured, global properties will be used.
# credential:
# client-id:
# client-secret:
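Review bot: the rewritten comment keeps the grammatical slip of the old line (`If Microsoft Entra ID properties is not configured` should read `are not configured`), and because the property prefix stays `spring.cloud.azure.active-directory`, a reader now sees a comment that no longer matches the key it describes; something like `# ... are active-directory (Microsoft Entra ID) properties.` keeps the mapping visible. The same two comment lines recur in the other application.yml hunks of this PR, so whatever wording is chosen should be applied to all of them.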
Expand Up @@ -17,31 +17,31 @@ This sample illustrates how to use `spring-cloud-azure-starter-active-directory-

### Create your Azure Active Directory B2C tenant

Follow the guide of [AAD B2C tenant creation](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-tenant).
Follow the guide of [Azure Active Directory B2C tenant creation](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-tenant).

### Register your Azure Active Directory B2C application

Follow the guide of [AAD B2C application registry](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-register-applications).
Follow the guide of [Azure Active Directory B2C application registry](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-register-applications).
Please ensure that your b2c application's `Redirect URL` is configured to `http://localhost:8080/login/oauth2/code/`.

### Create user flows

Follow the guide of [AAD B2C user flows creation](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-user-flows).
Follow the guide of [Azure Active Directory B2C user flows creation](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-user-flows).

## Examples
### Configure the sample

#### application.yml

1. Fill in `${AUTHORIZATION_SERVER_BASE_URI}` from **Azure AD B2C** portal `App registrations` blade, select **Endpoints**, copy the base endpoint uri(Global cloud format may looks like
1. Fill in `${AUTHORIZATION_SERVER_BASE_URI}` from **Azure Active Directory B2C** portal `App registrations` blade, select **Endpoints**, copy the base endpoint uri(Global cloud format may looks like
`https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com`, China Cloud looks like `https://{your-tenant-name}.b2clogin.cn/{your-tenant-name}.partner.onmschina.cn`).

**NOTE**: We could copy `Azure AD B2C OAuth 2.0 token endpoint (v2)` and delete `/<policy-name>/oauth2/v2.0/token`.
**NOTE**: We could copy `Azure Active Directory B2C OAuth 2.0 token endpoint (v2)` and delete `/<policy-name>/oauth2/v2.0/token`.

2. Select one registered instance under `Applications` from portal, and then:
1. Fill in `${AZURE_CLIENT_ID}` from `Application ID`.
2. Fill in `${AZURE_CLIENT_SECRET}` from one of `Keys`.
3. Add your user flows defined on the Azure Portal under the `user-flows` configuration, which is a map, you can give each user flow a key and the value will be the name of user flow defined in AAD B2C.
3. Add your user flows defined on the Azure Portal under the `user-flows` configuration, which is a map, you can give each user flow a key and the value will be the name of user flow defined in Azure Active Directory B2C.
By default, we use the key `sign-up-or-sign-in` for a **login** user flow and `password-reset` for the **Password reset** type user flow, you can choose to override them.

**NOTE**: If you override **password-reset** or **profile-edit** in application.yml, make sure to change `${PASSWORD_RESET_USER_FLOW_NAME}` or `${PROFILE_EDIT_FLOW_NAME}` to your configured properties in `resources/templates/home.html`.
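Review bot: this hunk mixes naming schemes within one file: every B2C mention becomes `Azure Active Directory B2C`, while the doc links still point at `docs.microsoft.com/azure/active-directory-b2c/...` and the identity-provider list further down in this file switches `Azure AD` to `Microsoft Entra ID`. Pick one convention for B2C across the file; the typos in the touched context lines (`may looks like`, `endpoint uri(`) are better left for a follow-up so this PR stays a pure rename.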
Expand Down Expand Up @@ -104,9 +104,9 @@ mvn spring-boot:run
#### Sign in with loops to B2C endpoint ?
This issue almost due to polluted cookies of `localhost`. Clean up cookies of `localhost` and try it again.

#### More identity providers from AAD B2C login ?
Follow the guide of [Set up Google account with AAD B2C](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-goog-app).
And also available for Amazon, Azure AD, FaceBook, Github, Linkedin and Twitter.
#### More identity providers from Azure Active Directory B2C login ?
Follow the guide of [Set up Google account with Azure Active Directory B2C](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-goog-app).
And also available for Amazon, Microsoft Entra ID, FaceBook, Github, Linkedin and Twitter.

## Deploy to Azure Spring Apps
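Review bot: on the identity-provider line, `Microsoft Entra ID` now sits beside `FaceBook`, `Github` and `Linkedin`, whose official spellings are `Facebook`, `GitHub` and `LinkedIn`; since the line is being edited anyway, fixing those at the same time keeps the list consistently using each provider's own name.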

Expand Up @@ -15,7 +15,7 @@
<packaging>jar</packaging>

<name>Spring-Cloud-Azure-Starter-Active-Directory-B2C Sample: Web Application</name>
<description>Azure AD B2C Spring Security 5 OAuth2 Integration Spring Boot Sample</description>
<description>Azure Active Directory B2C Spring Security 5 OAuth2 Integration Spring Boot Sample</description>
<url>https://github.com/Azure/azure-sdk-for-java</url>

<dependencies>
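Review bot: the pom `<description>` now says `Azure Active Directory B2C` while the adjacent `<name>` still reads `Spring-Cloud-Azure-Starter-Active-Directory-B2C Sample` and the README hunks in this PR move toward Microsoft Entra ID; whichever B2C convention is chosen, the description and the README of this sample should use the same one.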
Expand Up @@ -2,8 +2,8 @@ spring:
cloud:
azure:
# Properties like spring.cloud.azure.credential.client-id are global properties.
# Properties like spring.cloud.azure.active-directory.credential.client-id are AAD properties.
# If AAD properties is not configured, global properties will be used.
# Properties like spring.cloud.azure.active-directory.credential.client-id are Microsoft Entra ID properties.
# If Microsoft Entra ID properties is not configured, global properties will be used.
# credential:
# client-id:
# client-secret:
Expand Up @@ -26,7 +26,7 @@ <h1>Home Page</h1>

<div>
<br/>
<h2>Azure AD B2C OIDC Login Successfully.</h2>
<h2>Azure Active Directory B2C OIDC Login Successfully.</h2>
<h3>Welcome back <span style="color:cyan" th:text="${name}"></span>!</h3>
<table border="1">
<tr><th>Principal</th><th>Value</th></tr>
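Review bot: this `<h2>` is user-facing text in the rendered page, so it should follow the same B2C naming decision as the README; and since the line is being touched, `OIDC Login Successfully.` reads more naturally as `OIDC Login Successful.`.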
@@ -1,4 +1,4 @@
# Stateless authentication filter sample for Azure AD Spring Boot Starter
# Stateless authentication filter sample for Microsoft Entra ID Spring Boot Starter

## Key concepts

Expand All @@ -10,18 +10,18 @@ This project is composed of a vue.js frontend and a simple backend with three en

## Getting started
The sample is composed of two layers: vue.js client and Spring Boot RESTful Web Service. You need to make some changes
to get it working with your Azure AD tenant on both sides.
to get it working with your Microsoft Entra tenant on both sides.



### Register your application with your Azure Active Directory Tenant
### Register your application with your Microsoft Entra Tenant

Follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).

### Configure appRoles

In order to use only the `id_token` for our authentication and authorization purposes we will use the
`appRoles` feature which AAD provides. Follow the guide
`appRoles` feature which Microsoft Entra ID provides. Follow the guide
[Add app roles in your application](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps)

For the test SPA provided with this example you should create the following roles in your manifest:
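Review bot: the three new lines in this hunk use three casings of the name: `Microsoft Entra tenant` in the Getting-started paragraph, `Microsoft Entra Tenant` with a capital T in the heading, and `Microsoft Entra ID provides` under Configure appRoles. The other README hunks in this PR use lowercase `tenant`, so the heading should be `Register your application with your Microsoft Entra tenant` for consistency.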
Expand Down Expand Up @@ -55,7 +55,7 @@ For the test SPA provided with this example you should create the following role
],
```

After you've created the roles, go to **Azure Active Directory** and select **Users** to add two new users named "Admin" and "UserRule". Then back to select **Enterprise applications** in the left-hand navigation pane, click on your created application and select **Users and groups**, finally assign the new roles to your new Users (assignment of roles to groups is not available in the free tier of AAD).
After you've created the roles, go to **Microsoft Entra ID** and select **Users** to add two new users named "Admin" and "UserRule". Then back to select **Enterprise applications** in the left-hand navigation pane, click on your created application and select **Users and groups**, finally assign the new roles to your new Users (assignment of roles to groups is not available in the free tier of Microsoft Entra ID).

Furthermore enable the implicit flow in the manifest for the demo application
(or if you have SPAs calling you):
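Review bot: the unchanged context right after the renamed line still instructs readers to `enable the implicit flow in the manifest for the demo application`. That is outside a rename PR, but it deserves at least a TODO or a follow-up issue: the implicit grant returns tokens in the URL fragment, and the OAuth 2.0 Security Best Current Practice recommends the authorization code flow with PKCE for SPAs instead, so the sample is currently teaching a configuration the guidance steers away from.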
Expand Up @@ -16,7 +16,7 @@
<packaging>jar</packaging>

<name>Spring-Cloud-Azure-Starter-Active-Directory Sample: Stateless Resource Server by Filter</name>
<description>Sample project using the AAD stateless app-role filter for AAD integration in Spring Security</description>
<description>Sample project using the Microsoft Entra ID stateless app-role filter for Microsoft Entra ID integration in Spring Security</description>
<url>https://github.com/Azure/azure-sdk-for-java</url>

<dependencies>
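Review bot: the new `<description>` reads `Microsoft Entra ID stateless app-role filter for Microsoft Entra ID integration`, repeating the product name twice in one clause; `Sample project using the stateless app-role filter for Microsoft Entra ID integration in Spring Security` says the same thing once.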
Expand Up @@ -3,8 +3,8 @@ spring:
cloud:
azure:
# Properties like spring.cloud.azure.credential.client-id are global properties.
# Properties like spring.cloud.azure.active-directory.credential.client-id are AAD properties.
# If AAD properties is not configured, global properties will be used.
# Properties like spring.cloud.azure.active-directory.credential.client-id are Microsoft Entra ID properties.
# If Microsoft Entra ID properties is not configured, global properties will be used.
# credential:
# client-id:
active-directory:
@@ -1,4 +1,4 @@
# Spring Boot application with Azure Active Directory
# Spring Boot application with Microsoft Entra ID

## What You Need

Expand Up @@ -25,7 +25,7 @@ resource "random_uuid" "role-admin" {
resource "random_uuid" "role-user" {
}

# Configure the Azure Active Directory Provider
# Configure the Microsoft Entra ID Provider
provider "azuread" {
}
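Review bot: the comment now says `Microsoft Entra ID Provider`, but the block it labels is still `provider "azuread"`, which is the Terraform provider's registry name and cannot change here; phrasing the comment as `Configure the Microsoft Entra ID (azuread) Provider` keeps the prose and the HCL identifier in step for readers searching either term.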

@@ -1,17 +1,17 @@
# Authentication filter sample for Azure AD Spring Boot Starter
# Authentication filter sample for Microsoft Entra ID Spring Boot Starter

## Key concepts
This sample illustrates how to use `spring-cloud-azure-starter-active-directory` package to plugin JWT token filter into Spring Security filter chain. The filter injects `UserPrincipal` object that is associated with the thread of the current user request. User's AAD membership info, along with token claimsset, JWS object etc. are accessible from the object which can be used for role based authorization. Methods like `isMemberOf` is also supported.
This sample illustrates how to use `spring-cloud-azure-starter-active-directory` package to plugin JWT token filter into Spring Security filter chain. The filter injects `UserPrincipal` object that is associated with the thread of the current user request. User's Microsoft Entra membership info, along with token claimsset, JWS object etc. are accessible from the object which can be used for role based authorization. Methods like `isMemberOf` is also supported.

## Getting started
The sample is composed of two layers: Angular JS client and Spring Boot RESTful Web Service. You need to make some changes to get it working with your Azure AD tenant on both sides.
The sample is composed of two layers: Angular JS client and Spring Boot RESTful Web Service. You need to make some changes to get it working with your Microsoft Entra tenant on both sides.

To run this sample, you'll need:
- An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see [How to get an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant).
- A user account in your Azure AD tenant. This sample will not work with a Personal Microsoft account (formerly Windows Live account). Therefore, if you signed in to the [Azure portal](https://portal.azure.com) with a Microsoft account and have never created a user account in your directory before, you need to do that now.
- a Microsoft Entra tenant. For more information on how to get a Microsoft Entra tenant, see [How to get a Microsoft Entra tenant](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant).
- A user account in your Microsoft Entra tenant. This sample will not work with a Personal Microsoft account (formerly Windows Live account). Therefore, if you signed in to the [Azure portal](https://portal.azure.com) with a Microsoft account and have never created a user account in your directory before, you need to do that now.
- A [client secret](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#create-a-new-application-secret) for the registered application.
- Configure groups in your Azure AD tenant with your users in that groups, see [how to create groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal).
- The sample retrieves user's group membership using Azure AD graph API which requires the registered app to have `Directory.Read.All` "Access the directory as the signed-in user" under `Delegated Permissions`. You need AAD admin privilege to be able to grant the permission in API ACCESS -> Required permission.
- Configure groups in your Microsoft Entra tenant with your users in that groups, see [how to create groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal).
- The sample retrieves user's group membership using Microsoft Entra graph API which requires the registered app to have `Directory.Read.All` "Access the directory as the signed-in user" under `Delegated Permissions`. You need Microsoft Entra ID admin privilege to be able to grant the permission in API ACCESS -> Required permission.



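Review bot: two points on the prerequisites list. The first renamed bullet starts with lowercase `a Microsoft Entra tenant` while its siblings start with `A`. More importantly, the last bullet renames `Azure AD graph API` to `Microsoft Entra graph API`: Azure AD Graph is the name of a specific, deprecated API that is distinct from Microsoft Graph, so applying the rename to it obscures which API the sample actually calls and which permission (`Directory.Read.All`, as the line says) must be granted; name the concrete API the code uses instead of rewording it.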
Expand All @@ -33,17 +33,17 @@ git clone https://github.com/Azure/azure-sdk-for-java.git
or download and extract the repository .zip file, and navigate to `spring-cloud-azure-sample-active-directory-resource-server-by-filter` from the list of samples.

---
### Step 2: Register the sample with your Azure Active Directory tenant
### Step 2: Register the sample with your Microsoft Entra tenant

To register it follow the steps below or follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).

#### Choose the Azure AD tenant where you want to create your applications
#### Choose the Microsoft Entra tenant where you want to create your applications

As a first step you'll need to:

1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account.
1. If your account is present in more than one Azure AD tenant, select `your account name` at the top right corner in the menu on top of the page, and switch your portal session to the desired Azure AD tenant.
1. In the left-hand navigation pane, select the **Azure Active Directory** service, and then select **App registrations**
1. If your account is present in more than one Microsoft Entra tenant, select `your account name` at the top right corner in the menu on top of the page, and switch your portal session to the desired Microsoft Entra tenant.
1. In the left-hand navigation pane, select the **Microsoft Entra ID** service, and then select **App registrations**

#### Register the client app

Expand Down Expand Up @@ -75,12 +75,12 @@ As a first step you'll need to:
Therefore no consent can be presented via a UI and accepted to use the service app.
Click the **Grant/revoke admin consent for {tenant}** button, and then select **Yes** when you are asked if you want to grant consent for the
requested permissions for all account in the tenant. ![grant admin consent](docs/grant-admin-consent.png "grant admin consent")
You need to be an Azure AD tenant admin to do this.
You need to be a Microsoft Entra tenant admin to do this.

1. Then back to **Azure Active Directory**, in the left-hand navigation pane, select **Groups**, and then set `user` as member of `group1`.
1. Then back to **Microsoft Entra ID**, in the left-hand navigation pane, select **Groups**, and then set `user` as member of `group1`.

---
### Step 3: Configure the sample to use your Azure AD tenant
### Step 3: Configure the sample to use your Microsoft Entra tenant

In the steps below, "client-id" is the same as "Application ID" or "AppId".

Expand Down Expand Up @@ -109,9 +109,9 @@ tenant-id: xxxxxx-your-client-id-xxxxxx
client-id: xxxxxx-your-client-secret-xxxxxx
```

2. List all the AAD groups `ActiveDirectoryGroups` that you want to have a Spring Security role object mapping to it. The role objects can then be used to manage access to resources that is behind Spring Security. e.g.
2. List all the Microsoft Entra groups `ActiveDirectoryGroups` that you want to have a Spring Security role object mapping to it. The role objects can then be used to manage access to resources that is behind Spring Security. e.g.
```properties
# groups that you created in your Azure AD tenant
# groups that you created in your Microsoft Entra tenant
allowed-group-names: group1,group2
```
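Review bot: the unchanged context at the top of this hunk has the placeholders crossed: `tenant-id: xxxxxx-your-client-id-xxxxxx` and `client-id: xxxxxx-your-client-secret-xxxxxx`. A reader following the sample literally would paste a client secret into `client-id`, so while this file is open they should read `xxxxxx-your-tenant-id-xxxxxx` and `xxxxxx-your-client-id-xxxxxx`; the renamed step 2 line and the `allowed-group-names` block are fine.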

Expand Up @@ -15,7 +15,7 @@
<packaging>jar</packaging>

<name>Spring-Cloud-Azure-Starter-Active-Directory Sample: Resource Server by Filter</name>
<description>Azure AD Spring Security Integration Spring Boot Sample</description>
<description>Microsoft Entra ID Spring Security Integration Spring Boot Sample</description>
<url>https://github.com/Azure/azure-sdk-for-java</url>

<dependencies>
Expand Up @@ -3,8 +3,8 @@ spring:
cloud:
azure:
# Properties like spring.cloud.azure.credential.client-id are global properties.
# Properties like spring.cloud.azure.active-directory.credential.client-id are AAD properties.
# If AAD properties is not configured, global properties will be used.
# Properties like spring.cloud.azure.active-directory.credential.client-id are Microsoft Entra ID properties.
# If Microsoft Entra ID properties is not configured, global properties will be used.
# credential:
# client-id:
# client-secret:
Expand Down