tailspin | Reversible Javascript interpreter | Interpreter library

We are building a ASP.net core Web API with Angular SPA client. For Authentication we have implemented Azure AD with multi tenants. For the Web API authentication/authorization we have followed this Microsoft sample. This uses the Microsoft.Identity.Web MSAL library for authenticating the authorisation code that originated from the Angular SPA. On the Azure AD application registration we manage the correct scope of the application, but we are not able to understand how claims are managed.

In previous applications I had run the authentication server IdentityServer4 as middleware in my application, allowing the authentication and issuing of claims in my application. I was using UserManager to add or remove claims on the User. Claims information was stored in the User tables of my database, and were then included in the issued cookie and available to the SPA and the Web API.

In the current application we are fully relying on Azure AD, and now I feel I am missing a piece of the puzzle to manage the user claims (and their inclusion on the cookie/token). Question: How can I manage claims that are specific to our application while user management and authentication takes place on Azure AD rather than in my application?

To clarify: This Microsoft document mentions three ways of using application roles: Azure AD App roles, Azure AD Security Groups and Application Role manager. It's the last one I feel is the correct functionality I need:

With this approach, application roles are not stored in Azure AD at all. Instead, the application stores the role assignments for each user in its own DB — for example, using the RoleManager class in ASP.NET Identity.

A small selection of the documentation I have reviewed but didn't give me the answers:

• This previously linked Microsoft document does mention using the RoleManager class in ASP.NET Identity, but does not explain how to implement this as integration with Azure AD such that the cookies/tokens include the roles (or roles converted to claims).

• I have read about using MS Graph schema extensions and including these in claims however, the article also states that any application with consent can read and write these extended properties. Implying this is not a secure way to provide any claim to the application as the values could be touched from outside the application

• Documentation explaining how to verify user claims.

• Tailspin scenario, mentions using roles on the application rather than security groups. But there is no indication or hint how this is included as claims in Azure AD. And following this it's clear that it's not controlled in the application.

• This document and this explains about transforming claims or adding custom claims, but this is basis conditions on the user account rather than the application setting the claims. These conditions would also need to be managed on the domain rather than in the application.

• Similar question? But no answer.

I have a Multistage YAML pipeline containing two stages 1) Build and 2) Deploy. Deploy stage is mentioned below and I want to add pre deploy approvals in that stage before deploy task. How can I add pre deployment and Post deployment approvals in multistage YAML pipeline?

I'm trying to setup a custom screen in the mobile app, and there are a few things that are still a mystery.

One of them is how to get a PXTextEdit field to show multiple lines, or even allow entry into that field without it just highlighting the field and no way to add to it.

The other is how to add a Rich Text control to the mobile app ala the Cases screen. I've tried using the code to add it the way the Cases screen does. I have a PXRichTextEdit field, called 'Details', but this doesn't show up on the mobile app at all:

I'm doing the Microsoft tutorial "Create Multi-stage Pipeline", exercise "Promote to Dev Stage": https://docs.microsoft.com/en-us/learn/modules/create-multi-stage-pipeline/4-promote-dev

This involves creating an Azure App Service, in my case named "tailspin-space-game-web-dev-4960.azurewebsites.net", and a multi-stage pipeline in Azure DevOps to build a web application project and deploy it to the App Service.

When I go to run the pipeline the deployment stage fails with the following message in the log:

Error: Resource 'tailspin-space-game-web-dev-4960.azurewebsites.net' doesn't exist. Resource should exist before deployment.

I've copied and pasted the URL http://tailspin-space-game-web-dev-4960.azurewebsites.net into another browser window to confirm the App Service exists and is running (although it's currently just showing the default app page since I haven't been able to deploy my application to it).

My question is: How do I test the service connection in Azure DevOps that should connect to the App Service? Alternatively, how do I debug the issue?

I haven't been able to find anything online about this error, and the only debugging info from Microsoft is about errors in creating service connections, not using them. I also can't find anything about testing service connections - the only advice I've found is to run them in the pipeline, which is a bit circular since that is where the error is occurring.

I've turned on verbose logging on the pipeline. This is the log from the failing deployment task (blank line added to highlight where it's attempting to get connection details):

I am trying to build a scalable multi-tenant b2b SAAS in Azure AD using Angular in the front end and node + Azure MS SQL sharded db design.

I've spend a week going through the MS documentation and examples (tailspin, survey apps) and have started testing the multi-tenant behaviour in an angular7 app that has nothing other than authentication with adal-angular4 on it which I've used for ~5 other projects that are currently in production.

So far, I can't for the life of me figure out the reason behind this unpredictable behaviour. I have 3 tenants: A - B - C

A is the developer tenant + my admin account, B is another company's tenant + my normal user account and C is a AD Free tier tenant with my personal account.

I have done nothing else to my app in Azure AD on the developer AD other than switch that multi-tenant setting to on and changing Oauth2implicitflow to true.

• If I login with Tenant A into the app, all is good, in the console I can see tenant A's GUID under TID.

• If I login with Tenant B - it asks for permissions the first time and then lets me in (why??).

• If I login with Tenant C 'work' account it throws no errors, does not ask for permission, returns back to the page without actually being logged in and with nothing on the console.
• If I login with Tenant C 'personal' account it tells me the tenant live.com is not provisioned for the app.

My questions are:

1. Why did it even let Tenant B to log into the app? They were definitely not provisioned to be able to access it and on the console the tid is clearly of the second tenant meaning (I think) that the account is NOT a guest on tenant A to be able to login.
2. I have no idea why the tenant C throws no error on the Azure side but instead just returns back to the page without actually being logged in.
3. Is there any documentation that I'm missing on which tenants can sign up into the app? I have looked at Tenant sign-up and onboarding article but it doesn't really address the issue.

Based on the documentation that I have read, the behaviour of Tenant B and C trying to log into the app makes no sense.

In my date column when dates are not set or blank I want to display the string "Not Set". I also want it to sort correctly so Not Set dates are highest in value and shown last when sorted ascending. How do you guys handle this scenario in your apps. Right now I am showing some high value like 09/09/9999 just so it sorts correctly but user is confused since it should really say "Not Set". I cannot assign strings to a date column and cannot put dates in a string column for the sorting to work right so in a tailspin right now. Please advise.