update readmes of aad starter and backend sample (Azure#17855)

yiliuTo · web-flow · commit e68bbf1893f9 · 2020-11-27T15:32:27.000+08:00
diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend-v2/README.md b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend-v2/README.md
@@ -15,14 +15,6 @@ azure.activedirectory.user-group.object-id-key=id
 
 Follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).
 
-The sample retrieves user's group membership using Azure AD graph API which requires the registered app to have `Directory.AccessAsUser.All` "Access the directory as the signed-in user" under `Delegated Permissions`. You need AAD admin privilege to be able to grant the permission in API ACCESS -> Required permission. You can follow the below steps:
-
-* In the list of pages for the app, select **API permissions**
-   - Click the **Add a permission** button and then,
-   - Ensure that the **Microsoft APIs** tab is selected
-   - In the *Commonly used Microsoft APIs* section, click on **Microsoft Graph**
-   - In the **Delegated permissions** section, ensure that the right permissions are checked: **Directory.AccessAsUser.All**
-   - Select the **Add permissions** button
 ### Configure groups for sign in user
 
 In order to try the authorization action with this sample with minimum effort, [configure the user and groups in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-create-azure-portal), configure the user with `group1`. 
@@ -34,8 +26,8 @@ In order to try the authorization action with this sample with minimum effort, [
 
 ```properties
 azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
-azure.activedirectory.client-id=xxxxxx-your-client-id-xxxxxx
-azure.activedirectory.client-secret=xxxxxx-your-client-secret-xxxxxx
+spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
+spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
 # It's suggested the logged in user should at least belong to one of the below groups
 # If not, the logged in user will not be able to access any authorization controller rest APIs
 azure.activedirectory.user-group.allowed-groups=group1, group2
diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md
@@ -9,16 +9,6 @@ This sample illustrates how to use `azure-spring-boot-starter-active-directory`
 
 Follow the guide [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code#register-your-application-with-your-ad-tenant).
 
-The sample retrieves user's group membership using Azure AD graph API which requires the registered app to have `Directory.AccessAsUser.All` "Access the directory as the signed-in user" under `Delegated Permissions`. You need AAD admin privilege to be able to grant the permission in API ACCESS -> Required permission.   
-You can follow the below steps:
-
-* In the list of pages for the app, select **API permissions**
-   - Click the **Add a permission** button 
-   - Ensure that the **Microsoft APIs** tab is selected
-   - In the *Supported legacy APIs* section, click on **Azure Active Directory Graph**
-   - In the **Delegated permissions** section, ensure that the right permissions are checked: **Directory.AccessAsUser.All**
-   - Select the **Add permissions** button
-
 ### Platform configurations
 
 ![Platform configurations](docs/image-platform-configurations.png "Platform configurations")
@@ -35,8 +25,8 @@ In order to try the authorization action with this sample with minimum effort, [
 ### Configure application.properties
 ```properties
 azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
-azure.activedirectory.client-id=xxxxxx-your-client-id-xxxxxx
-azure.activedirectory.client-secret=xxxxxx-your-client-secret-xxxxxx
+spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
+spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
 # It's suggested the logged in user should at least belong to one of the below groups
 # If not, the logged in user will not be able to access any authorization controller rest APIs
 azure.activedirectory.user-group.allowed-groups=group1, group2
diff --git a/sdk/spring/azure-spring-boot-starter-active-directory/README.md b/sdk/spring/azure-spring-boot-starter-active-directory/README.md
@@ -67,8 +67,8 @@ Please refer to [azure-spring-boot-sample-active-directory-backend](https://gith
 ####  Configure application.properties:
 ```properties
 azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
-azure.activedirectory.client-id=xxxxxx-your-client-id-xxxxxx
-azure.activedirectory.client-secret=xxxxxx-your-client-secret-xxxxxx
+spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
+spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
 azure.activedirectory.user-group.allowed-groups=group1, group2
 ```
 
@@ -184,16 +184,18 @@ The roles you want to use within your application have to be [set up in the mani
 application registration](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps).
 
 ### Using The Microsoft Graph API
-By default, azure-spring-boot is set up to utilize the Azure AD Graph.  If you would prefer, it can be set up to utilize the Microsoft Graph instead.  In order to do this, you will need to update the app registration in Azure to grant the application permissions to the Microsoft Graph API and add some properties to the application.properties file.
+By default, azure-spring-boot is set up to utilize the Microsoft Graph. If you would prefer, it can be set up to utilize the Azure AD Graph instead.  In order to do this, you will need to update the app registration in Azure to grant the application permissions to the Azure AD Graph API and add some properties to the application.properties file.
 
-* **Grant permissions to the application**: After application registration succeeded, go to API permissions - Add a permission, select `Microsoft Graph`, select Delegated permissions,  tick `Directory.AccessAsUser.All - Access the directory as the signed-in user` and `Use.Read - Sign in and read user profile`. Click `Add Permissions` (Note: you will need administrator privilege to grant permission).  Furthermore, you can remove the API permissions to the Azure Active Directory Graph, as these will not be needed.
+* **Grant permissions to the application**: After application registration succeeded, go to API permissions - Add a permission, select `Azure Active Directory Graph`, select Delegated permissions,  tick `Directory.AccessAsUser.All - Access the directory as the signed-in user` and `Use.Read - Sign in and read user profile`. Click `Add Permissions` (Note: you will need administrator privilege to grant permission).  Furthermore, you can remove the API permissions to the Microsoft Graph, as these will not be needed.
 
 * **Configure your `application properties`**:
 ```properties
-azure.activedirectory.environment=global-v2-graph
-azure.activedirectory.user-group.key=@odata.type
-azure.activedirectory.user-group.value=#microsoft.graph.group
-azure.activedirectory.user-group.object-id-key=id
+spring.security.oauth2.client.provider.azure.authorization-uri=https://login.microsoftonline.com/common/oauth2/authorize
+spring.security.oauth2.client.provider.azure.token-uri=https://login.microsoftonline.com/common/oauth2/token
+spring.security.oauth2.client.provider.azure.user-info-uri=https://login.microsoftonline.com/common/openid/userinfo
+spring.security.oauth2.client.provider.azure.jwk-set-uri=https://login.microsoftonline.com/common/discovery/keys
+#
+spring.security.oauth2.client.registration.azure.scope=openid, https://graph.windows.net/user.read, {your-customized-scope}
 ```
 
 If you're using [Azure China](https://docs.microsoft.com/azure/china/china-welcome), please set the environment property in the `application.properties` file to:
@@ -208,7 +210,7 @@ Please refer to [azure-spring-boot-sample-active-directory-backend-v2](https://g
 
 By default, `azure-spring-boot-starter-active-directory` configures scopes of `openid`, `profile` and `https://graph.microsoft.com/user.read` to implement OpenID Connect protocol and access of Microsoft Graph API. For customization of scope, developers need to configure in the `application.properties`:
 ```yaml
-azure.activedirectory.scope = openid, profile, https://graph.microsoft.com/user.read, {your-customized-scope}
+spring.security.oauth2.client.registration.azure.scope = openid, profile, https://graph.microsoft.com/user.read, {your-customized-scope}
 ``` 
 Note, if you don't configure the 3 mentioned permissions, this starter will add them automatically.
 
