Merge pull request #595 from MicrosoftDocs/main

11/29/2023 AM Publish

docs/external-id/customers/how-to-google-federation-customers.md

@@ -8,15 +8,20 @@ ms.service: active-directory
 
 ms.subservice: ciam
 ms.topic: how-to
-ms.date: 05/24/2023
+ms.date: 11/28/2023
 ms.author: mimart
 ms.custom: it-pro, has-azure-ad-ps-ref
 #Customer intent: As a dev, devops, or it admin, I want to
 ---
 
 # Add Google as an identity provider
 
-By setting up federation with Google, you can allow customers to sign in to your applications with their own Gmail accounts. After you've added Google as one of your application's sign-in options, on the sign-in page, customers can sign in to Microsoft Entra ID for customers with a Google account. (Learn more about [authentication methods and identity providers for customers](concept-authentication-methods-customers.md).)
+By setting up federation with Google, you allow customers to sign in to your applications with their own Google accounts. After you add Google as one of your user flow's sign-in options, customers can sign up and sign in to your application with a Google account. (Learn more about [authentication methods and identity providers for customers](concept-authentication-methods-customers.md).)
+
+## Prerequisites
+
+- A [Microsoft Entra ID for customers tenant](how-to-create-customer-tenant-portal.md).
+- A [sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md).
 
 ## Create a Google application
 
@@ -39,18 +44,17 @@ To enable sign-in for customers with a Google account, you need to create an app
 1. Select **Create credentials**, and then **OAuth client ID**.
 1. Under **Application type**, select **Web application**.
    1. Enter a suitable **Name** for your application, such as "Microsoft Entra ID for customers."
-   1. In **Valid OAuth redirect URIs**, enter the following URIs, replacing `<tenant-ID>` with your customer tenant ID and `<tenant-name>` with your customer tenant name:
+   1. In **Valid OAuth redirect URIs**, enter the following URIs. Replace `<tenant-ID>` with your customer Directory (tenant) ID and `<tenant-subdomain>` with your customer Directory (tenant) subdomain. If you don't have your tenant name, [learn how to read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).  
     - `https://login.microsoftonline.com`
     - `https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp`
-    - `https://login.microsoftonline.com/te/<tenant-name>.onmicrosoft.com/oauth2/authresp`
+    - `https://login.microsoftonline.com/te/<tenant-subdomain>.onmicrosoft.com/oauth2/authresp`
     - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/accounts.google.com`
-    - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/accounts.google.com`
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oidc/accounts.google.com`
     - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2`
-    - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2`
-   > [!NOTE]
-   > To find your customer tenant ID, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). Browse to **Identity** > **Overview** and copy the **Tenant ID**.
-2. Select **Create**.
-3. Copy the values of **Client ID** and **Client secret**. You need both values to configure Google as an identity provider in your tenant. **Client secret** is an important security credential.
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2`
+
+1. Select **Create**.
+1. Record the values of **Client ID** and **Client secret**. You need both values to configure Google as an identity provider in your tenant.
 
 > [!NOTE]
 > In some cases, your app might require verification by Google (for example, if you update the application logo). For more information, check out the [Google's verification status guid](https://support.google.com/cloud/answer/10311615#verification-status).
@@ -63,7 +67,7 @@ After you create the Google application, in this step you set the Google client
 
 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). 
 1. Browse to **Identity** > **External Identities** > **All identity providers**.
-2. Select **+ Google**.
+1. Select **+ Google**.
 
    <!-- ![Screenshot that shows how to add Google identity provider in Microsoft Entra ID.](./media/sign-in-with-google/configure-google-idp.png)-->
 
@@ -84,7 +88,7 @@ To configure Google federation by using PowerShell, follow these steps:
     Use the client ID and client secret from the app you created in [Create a Google application](#create-a-google-application) step.
 
 
-## Add Google identity provider to a user flow 
+## Add Google identity provider to a user flow
 
 At this point, the Google identity provider has been set up in your Microsoft Entra ID, but it's not yet available in any of the sign-in pages. To add the Google identity provider to a user flow:
 

docs/external-id/customers/includes/register-app/add-platform-redirect-url-angular.md

@@ -7,9 +7,8 @@ ms.date: 11/22/2023
 ms.author: kengaderdus
 ---
 
-To specify your app type to your app registration, follow these steps:
-
-1. Under **Manage**, select **Authentication**.
-1. On the **Platform configurations** page, select **Add a platform**, and then select **SPA** option.
-1. For the **Redirect URIs** enter `http://localhost:4200`.
+1. Under **Manage**, select **Authentication** 
+1. On the **Platform configurations** page, select **Add a platform**, and then select **Single-page application** option.
+1. For the **Redirect URIs** enter `http://localhost:4200/`.
+1. Under **Front-channel logout URL**, enter `https://localhost:4200/auth`.
 1. Select **Configure** to save your changes.

docs/external-id/customers/toc.yml

@@ -112,6 +112,18 @@ items:
                     href: tutorial-single-page-app-react-sign-in-configure-authentication.md 
                   - name: Sign in and sign out
                     href: tutorial-single-page-app-react-sign-in-sign-out.md
+          - name: Angular
+            items:
+              - name: Sign in users
+                items:
+                  - name: Prepare tenant
+                    href: tutorial-single-page-app-angular-sign-in-prepare-tenant.md
+                  - name: Prepare app
+                    href: tutorial-single-page-app-angular-sign-in-prepare-app.md
+                  - name: Configure app for authentication
+                    href: tutorial-single-page-app-angular-sign-in-configure-authentication.md 
+                  - name: Sign in and sign out
+                    href: tutorial-single-page-app-angular-sign-in-sign-out.md
       - name: Web app
         items: 
           - name: Node/Express.js

docs/external-id/customers/tutorial-single-page-app-angular-sign-in-configure-authentication.md

@@ -0,0 +1,242 @@
+---
+title: Tutorial - Handle authentication flows in an Angular single-page app
+description: Learn how to configure authentication for an Angular single-page app (SPA) with your Microsoft Entra External ID for customers tenant.
+services: active-directory
+author: garrodonnell
+manager: CelesteDG
+
+ms.author: godonnell
+ms.service: active-directory
+ms.subservice: ciam
+ms.topic: tutorial
+ms.date: 10/27/2023
+
+#Customer intent: As a developer, I want to learn how to configure an Angular single-page app (SPA) to sign in and sign out users with my Microsoft Entra External ID for customers tenant.
+---
+
+# Tutorial: Handle authentication flows in an Angular single-page app 
+
+In the previous article, [Prepare an Angular single-page app for authentication](./tutorial-single-page-app-angular-sign-in-prepare-app.md), you created an Angular single-page app (SPA) and prepared it for authentication with your Microsoft Entra External ID for customers tenant. In this article, you'll learn how to handle authentication flows in your app by adding MSAL components and creating authentication configuration files.
+
+In this tutorial;
+
+> [!div class="checklist"]
+> * Add authentication flows to your application
+> * Import MSAL components
+> * Add routes to home and guarded components of the application.
+
+## Create the authentication configuration file, auth-config.ts
+
+1. Create a new file called _auth-config.ts_ in the folder _src/app/_ and add the following code snippet. This file contains authentication parameters. These parameters are used to initialize Angular and MSAL Angular configurations.
+
+    ```JavaScript
+
+    /**
+     * This file contains authentication parameters. Contents of this file
+     * is roughly the same across other MSAL.js libraries. These parameters
+     * are used to initialize Angular and MSAL Angular configurations in
+     * in app.module.ts file.
+     */
+
+    import {
+      LogLevel,
+      Configuration,
+      BrowserCacheLocation,
+    } from '@azure/msal-browser';
+
+    /**
+     * Configuration object to be passed to MSAL instance on creation.
+     * For a full list of MSAL.js configuration parameters, visit:
+     * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md
+     */
+    export const msalConfig: Configuration = {
+      auth: {
+        clientId: 'Enter_the_Application_Id_Here', // This is the ONLY mandatory field that you need to supply.
+        authority: 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace the placeholder with your tenant subdomain
+        redirectUri: '/', // Points to window.location.origin by default. You must register this URI on Azure portal/App Registration.
+        postLogoutRedirectUri: '/', // Points to window.location.origin by default.
+      },
+      cache: {
+        cacheLocation: BrowserCacheLocation.LocalStorage, // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO between tabs.
+      },
+      system: {
+        loggerOptions: {
+          loggerCallback(logLevel: LogLevel, message: string) {
+            console.log(message);
+          },
+          logLevel: LogLevel.Verbose,
+          piiLoggingEnabled: false,
+        },
+      },
+    };
+
+    /**
+     * Scopes you add here will be prompted for user consent during sign-in.
+     * By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.
+     * For more information about OIDC scopes, visit:
+     * https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview#openid-connect-scopes
+     */
+    export const loginRequest = {
+      scopes: [],
+    };
+    ```
+
+1. Replace the following values with the values from the Microsoft Entra admin center:
+    - Find the `Enter_the_Application_Id_Here` value and replace it with the **Application ID (clientId)** of the app you registered in the Microsoft Entra admin center.
+    - In **authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, [learn how to read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).
+1. Save the file.
+
+## Import MSAL components
+
+1. Open _src/app/app.module.ts_ and add the following code snippet.
+
+    ```JavaScript
+    import { NgModule } from '@angular/core';
+    import { BrowserModule } from '@angular/platform-browser';
+    import { HTTP_INTERCEPTORS, HttpClientModule } from '@angular/common/http';
+    
+    import { MatToolbarModule } from "@angular/material/toolbar";
+    import { MatButtonModule } from '@angular/material/button';
+    import { MatCardModule } from '@angular/material/card';
+    import { MatTableModule } from '@angular/material/table';
+    import { MatMenuModule } from '@angular/material/menu';
+    import { MatDialogModule } from '@angular/material/dialog';
+    import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
+    import { MatIconModule } from '@angular/material/icon';
+    
+    import { AppRoutingModule } from './app-routing.module';
+    import { AppComponent } from './app.component';
+    import { HomeComponent } from './home/home.component';
+    import { GuardedComponent } from './guarded/guarded.component';
+    
+    import {
+        IPublicClientApplication,
+        PublicClientApplication,
+        InteractionType,
+    } from '@azure/msal-browser';
+    
+    import {
+        MSAL_INSTANCE,
+        MsalGuardConfiguration,
+        MSAL_GUARD_CONFIG,
+        MsalService,
+        MsalBroadcastService,
+        MsalGuard,
+        MsalRedirectComponent,
+        MsalInterceptor,
+        MsalModule,
+    } from '@azure/msal-angular';
+    
+    import { msalConfig, loginRequest } from './auth-config';
+    
+    /**
+     * Here we pass the configuration parameters to create an MSAL instance.
+        * For more info, visit: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md
+        */
+    export function MSALInstanceFactory(): IPublicClientApplication {
+        return new PublicClientApplication(msalConfig);
+    }
+    
+    /**
+     * Set your default interaction type for MSALGuard here. If you have any
+        * additional scopes you want the user to consent upon login, add them here as well.
+        */
+    export function MsalGuardConfigurationFactory(): MsalGuardConfiguration {
+        return {
+        interactionType: InteractionType.Redirect,
+        authRequest: loginRequest
+        };
+    }
+    
+    @NgModule({
+        declarations: [
+        AppComponent,
+        HomeComponent,
+        GuardedComponent,
+        ],
+        imports: [
+        BrowserModule,
+        BrowserAnimationsModule,
+        AppRoutingModule,
+        MatToolbarModule,
+        MatButtonModule,
+        MatCardModule,
+        MatTableModule,
+        MatMenuModule,
+        HttpClientModule,
+        BrowserAnimationsModule,
+        MatDialogModule,
+        MatIconModule,
+        MsalModule,
+        ],
+        providers: [
+        {
+            provide: HTTP_INTERCEPTORS,
+            useClass: MsalInterceptor,
+            multi: true,
+        },
+        {
+            provide: MSAL_INSTANCE,
+            useFactory: MSALInstanceFactory,
+        },
+        {
+            provide: MSAL_GUARD_CONFIG,
+            useFactory: MsalGuardConfigurationFactory,
+        },
+        MsalService,
+        MsalBroadcastService,
+        MsalGuard,
+        ],
+        bootstrap: [AppComponent, MsalRedirectComponent],
+    })
+    export class AppModule { }
+    ```
+1. Open _src/app/app-routing.module.ts_ and replace the entire contents of the file with the following snippet. This will add routes to the `home` and `guarded` components. 
+
+    ```JavaScript	
+    import { NgModule } from '@angular/core';
+    import { RouterModule, Routes } from '@angular/router';
+    import { BrowserUtils } from '@azure/msal-browser';
+    import { MsalGuard } from '@azure/msal-angular';
+    
+    import { HomeComponent } from './home/home.component';
+    import { GuardedComponent } from './guarded/guarded.component';
+    
+    /**
+     * MSAL Angular can protect routes in your application
+        * using MsalGuard. For more info, visit:
+        * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/initialization.md#secure-the-routes-in-your-application
+        */
+    const routes: Routes = [
+        {
+        path: 'guarded',
+        component: GuardedComponent,
+        canActivate: [
+            MsalGuard
+        ]
+        },
+        {
+        path: '',
+        component: HomeComponent,
+        },
+    ];
+    
+    @NgModule({
+        imports: [
+        RouterModule.forRoot(routes, {
+            // Don't perform initial navigation in iframes or popups
+            initialNavigation:
+            !BrowserUtils.isInIframe() && !BrowserUtils.isInPopup()
+                ? 'enabledNonBlocking'
+                : 'disabled', // Set to enabledBlocking to use Angular Universal
+        }),
+        ],
+        exports: [RouterModule],
+    })
+    export class AppRoutingModule { }
+    ```
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Add sign-in and sign-out](./tutorial-single-page-app-angular-sign-in-sign-out.md)