microsoft · Whowong · Aug 30, 2023 · Oct 11, 2022 · Oct 11, 2022 · Oct 11, 2022
@@ -0,0 +1,22 @@
+Entra
+EntraIDB
+EntraIDB2B
+EasyAuth
+PKCI
+OpenID
+ServiceNow
+PIM
+authr
+idp
+Authenticator
+Passcode
+aud
+yourtenantname
+EasyAuth
+microsoftonline
+Bappaditya
+Banerjee
+McCollum
+natively
+quickstarts
+QuickStarts
@@ -0,0 +1,66 @@
+# What The Hack - Entra ID B2B - Coach Guide
+
+## Introduction
+
+Welcome to the coach's guide for the Entra ID B2B What The Hack. Here you will find links to specific guidance for coaches for each of the challenges.
+
+
+## Coach's Guides
+
+- Challenge 00: **[Prerequisites - Ready, Set, GO!](./Solution-00.md)**
+     - Create an Entra ID tenant
+     - Entra ID single tenant setup
+- Challenge 01: **[Register new application](./Solution-01.md)**
+     - Register a new application in an Entra ID tenant
+     - Understand the concepts of multi-tenant apps, service principals, authentication vs authorization, security tokens
+- Challenge 02: **[Test the sign-in](./Solution-02.md)**
+	 - Supported account types set to "Accounts in this organizational directory only (single-tenant)" with redirect link to authr.biz
+     - Use an authr.biz link to test the sign in
+- Challenge 03: **[Invite a guest user](./Solution-03.md)**
+     - Complete B2B setup and invite a new guest user
+     - Use an authr.biz link to test the sign in for the guest user and test sign in using the app setup
+- Challenge 04: **[Integrate Entra ID authentication into an Azure App Service (EasyAuth)](./Solution-04.md)**
+	 - Integrate Entra ID authentication into an Azure App Service (EasyAuth)
+- Challenge 05: **[Integrate Entra ID authentication into an application](./Solution-05.md)**
+	 - Integrate Entra ID authentication into an application
+        - ASP.Net (Authorization Code Flow)
+        - SPA (Angular) (PKCI)  
+        - Desktop application (Client Credential Flow)
+- Challenge 06: **[Deploy to Azure](./Solution-06.md)**
+	 - Deploy to Azure
+     - Publish the Web App to the web site and update its app registration redirect URIs to include the App Service URL(s)
+     - Setup Managed identity
+
+## Coach Prerequisites
+
+This hack has pre-reqs that a coach is responsible for understanding and/or setting up BEFORE hosting an event. Please review the [What The Hack Hosting Guide](https://aka.ms/wthhost) for information on how to host a hack event.
+
+The guide covers the common preparation steps a coach needs to do before any What The Hack event, including how to properly configure Microsoft Teams.
+
+### Student Resources
+
+Before the hack, it is the Coach's responsibility to download and package up the contents of the `/Student/Resources` folder of this hack into a "Resources.zip" file. The coach should then provide a copy of the Resources.zip file to all students at the start of the hack.
+
+Always refer students to the [What The Hack website](https://aka.ms/wth) for the student guide: [https://aka.ms/wth](https://aka.ms/wth)
+
+**NOTE:** Students should **not** be given a link to the What The Hack repo before or during a hack. The student guide does **NOT** have any links to the Coach's guide or the What The Hack repo on GitHub.
+
+
+## Azure Requirements
+
+This hack requires students to have access to an Azure subscription where they can create and consume Azure resources. These Azure requirements should be shared with a stakeholder in the organization that will be providing the Azure subscription(s) that will be used by the students.
+
+
+
+## Repository Contents
+
+_The default files & folders are listed below. You may add to this if you want to specify what is in additional sub-folders you may add._
+
+- `./Coach`
+  - Coach's Guide and related files
+- `./Coach/Solutions`
+  - Solution files with completed example answers to a challenge
+- `./Student`
+  - Student's Challenge Guide
+- `./Student/Resources`
+  - Resource files, sample code, scripts, etc meant to be provided to students. (Must be packaged up by the coach and provided to students at start of event)
@@ -0,0 +1,21 @@
+# Challenge 00 - Prerequisites - Ready, Set, GO! - Coach's Guide 
+
+**[Home](./README.md)** - [Next Solution >](./Solution-01.md)
+
+## Notes & Guidance
+
+Login to https://portal.azure.com using your Azure account and in the Home tenant.
+
+Create a new tenant 
+
+Select the checkbox beside the newly created tenant and hit the Switch button.
+
+You should be switched to the newly created tenant.
+
+When you create a new Entra ID tenant, you become the first user of that tenant. As the first user, you're automatically assigned the Global Administrator role. 
+
+Create another new user by navigating to the Users page and add the Global Administrator role with it.
+
+  - Create an authenticator entry for the newly created user
+
+
@@ -0,0 +1,14 @@
+# Challenge 01 - Register the app - Coach's Guide 
+
+[< Previous Solution](./Solution-00.md) - **[Home](./README.md)** - [Next Solution >](./Solution-02.md)
+
+## Notes & Guidance
+
+
+Register the app in the newly created tenant by navigating to App Registration.
+
+Select Accounts in this organizational directory only (Single Tenant)
+
+Enter https://authr.biz/ as the Redirect URIs.
+
+Select the Access Token and ID Token checkbox in the Authentication tab
@@ -0,0 +1,26 @@
+# Challenge 02 - Sign Me In! - Coach's Guide 
+
+[< Previous Solution](./Solution-01.md) - **[Home](./README.md)** - [Next Solution >](./Solution-03.md)
+
+## Notes & Guidance
+
+Open the [authr](https://authr.biz/?requesttype=OpenIdConnect&scope=openid+profile&responsetype=id_token&responsemode=form_post&additionalparameters=prompt%3dlogin&importtype=AzureAD&tenant=microsoft.onmicrosoft.com&clientid=your-client-id) link.
+
+Make sure to change the tenant=microsoft.onmicrosoft.com in the query parameter to the newly created tenant. It should be tenant=yourtenantname.onmicrosoft.com
+
+Verify that the Authorization Endpoint and the Token Endpoint reflects the change.
+
+Copy the Client ID from the Azure Portal by navigation Entra ID - App Registration - Overview - Application (client) ID.
+
+No need to put the Client Secret in the form.
+
+Verify the Additional Parameters textbox. It should be populated as prompt=login.
+
+Everything else should remain as default.
+
+Login using the newly created user in the new tenant.
+
+Verify the claims in the JWT. Check the "aud", "iss", "idp" claims specifically.
+
+
+
@@ -0,0 +1,37 @@
+# Challenge 03 - Invite Guest Users in Entra ID tenant - Coach's Guide 
+
+[< Previous Solution](./Solution-02.md) - **[Home](./README.md)** - [Next Solution >](./Solution-04.md)
+
+## Notes & Guidance
+
+Create a new guest user in your Entra ID tenant by clicking Invite guest user in the User screen.
+
+Use a personal email address while creating the guest user. They should get an invitation email from Microsoft.
+
+They can put a personal message while inviting the user.
+
+They can accept the invitation by opening the email and click the Accept Invitation button. 
+
+Open the [authr](https://authr.biz/?requesttype=OpenIdConnect&scope=openid+profile&responsetype=id_token&responsemode=form_post&additionalparameters=prompt%3dlogin&importtype=AzureAD&tenant=microsoft.onmicrosoft.com&clientid=your-client-id) link.
+
+Make sure to change the tenant=microsoft.onmicrosoft.com in the query parameter to the newly created tenant. It should be tenant=yourtenantname.onmicrosoft.com
+
+Verify that the Authorization Endpoint and the Token Endpoint reflects the change.
+
+Copy the Client ID from the Azure Portal by navigating to Entra ID - App Registration - Overview - Application (client) ID.
+
+Sign In using the personal email address. A One Time Passcode should be sent to the personal email address.
+
+Once they enter the Passcode, they might be asked to create the account in the Authenticator app on their phone. Go ahead and do that.
+
+Once they sign in, you should see the ID Token in the authr.biz site.
+
+Check the "idp" claim. It should be "mail". Check the "iss" claim. It is still the tenant. So, for the B2B user, the Identity provider is the third party provider based on the email address they provide, but the token would be generated by the Entra ID Tenant.
+
+Enable guest self-service sign up via user flows by navigating to External Identities - External collaboration settings.
+
+Create the sign-up user flow for the B2B user.
+
+Navigate to the user flow. They can add external identity providers, custom user attributes, etc. 
+
+They could associate their application with the user flow to show to the users.
@@ -0,0 +1,31 @@
+# Challenge 04 - Integrate Entra ID authentication into an Azure App Service (EasyAuth) - Coach's Guide 
+
+[< Previous Solution](./Solution-03.md) - **[Home](./README.md)** - [Next Solution >](./Solution-05.md)
+
+## Notes & Guidance
+
+For this tutorial, they need a web app deployed to App Service. They can use an existing web app, or they can follow one of the quickstarts to create and publish a new web app to App Service.
+
+  - [ASP.Net Core](https://learn.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?pivots=development-environment-vs&tabs=net70)
+  - [Node.js](https://learn.microsoft.com/en-us/azure/app-service/quickstart-nodejs?pivots=development-environment-vscode&tabs=windows)
+  - [Java](https://learn.microsoft.com/en-us/azure/app-service/quickstart-java?pivots=platform-linux-development-environment-maven&tabs=javase)
+
+Create the Web app in the Microsoft tenant using a Microsoft account. Please note that they will not be able to create the web app in their newly created Entra ID tenant as there is no subscription associated with it.
+
+Whether they use an existing web app or create a new one, take note of the following:
+
+ - Web app name
+ - Resource group that the web app is deployed to
+
+Enable authentication and authorization for the web app by navigating to Authentication - Add Identity Provider. Select Microsoft as the identity provider.
+
+In the App registration type, select "Provide the details of an existing app registration".
+
+ - Copy and paste the Client Id from the registered app from Challenge #1.
+ - Create a client secret for the app by navigating to App registration - Certificates & Secrets. Copy the value of the secret and put in the previous screen
+ - Issuer URL should be https://login.microsoftonline.com/tenant-id
+
+
+Add the redirect URL in the app registration as https://web-app-name.azurewebsites.net/.auth/login/aad/callback.
+
+Sign In with the web app with their user or a guest user.
@@ -0,0 +1,19 @@
+# Challenge 05 - Integrate your application with Entra ID - Coach's Guide 
+
+[< Previous Solution](./Solution-04.md) - **[Home](./README.md)** - [Next Solution >](./Solution-06.md)
+
+## Notes & Guidance
+
+Follow the Quickstart tutorial.
+
+They can skip the register the application section and re-use the app registered in the previous challenge in their tenant.
+
+For ASP.NET Core, [Download](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/aspnetcore3-1-callsgraph.zip) the ASP.NET Core Project and Configure their ASP.NET Core Project. 
+
+For ASP.NET, [Download](https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet/archive/master.zip) the ASP.NET project and Configure an ASP.NET Project.
+
+For Single Page Application, follow the tutorials for any of the Javascript frameworks such as Angular, React etc.
+
+Build and run the application.
+
+Sign In with the users they created in the previous challenge.
@@ -0,0 +1,19 @@
+# Challenge 06 - Deploy your app to Azure!! - Coach's Guide 
+
+[< Previous Solution](./Solution-05.md) - **[Home](./README.md)**
+
+## Notes & Guidance
+
+Follow the QuickStart for the deployment of the app.
+
+QuickStarts are available for ASP.NET and other languages.
+
+For Angular or any other SPA app, build the Angular app, create an Azure App Service, configure the App Service. Under the "Settings" section, click on "Configuration". Here, they need to set the Node.js version to match the Angular app's requirements. Select the "General Settings" tab and choose the desired Node.js version.
+
+Deploy the Angular app using the Azure CLI or the Azure Portal.
+
+If they have a desktop application that they want to deploy, Azure App Service is not the appropriate service for that purpose.
+
+Add the App Service Url as the Redirect Url in the registered app in your tenant as part of the previous challenge.
+
+Sign In with the users they created in the previous challenge.