Merge pull request #1260 from solliancenet/lino-docs-080
Modified the App registration in Entra ID for all 5 applications
ciprianjichici authored Jul 23, 2024
2 parents a4e7477 + 2e0d24d commit 8fd35ae
Showing 33 changed files with 52 additions and 82 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -2,23 +2,6 @@

FoundationaLLM comes with out-of-the-box support for Microsoft Entra ID authorization. This means that you can use your Microsoft Entra ID to setup authorization access to FoundationaLLM's platform.

## Create the Microsoft Entra ID applications

To enable Microsoft Entra ID authorization to the FoundationaLLM platform, you need to register an application in the Microsoft Azure portal Entra ID:

### Pre-requisites

> [!NOTE]
> Make sure you create this App Registration before you run the [deployment scripts](../../deployment/index.md) using `azd up` as you will need some of the generated information during your `azd env set` calls
#### Setup App Configuration access

1. Sign in to the [Azure portal](https://portal.azure.com/) as at least a Contributor.
2. Navigate to the Resource Group that was created as part of the deployment.
> [!NOTE]
> If you performed an Azure Container Apps (ACA) or Azure Kubernetes Service (AKS) deployment, you will see an extra Resource Group that starts with `ME_` or `MC_` in addition to the Resource Group defined during the deployment. You will need to navigate to the Resource Group that **does not start with** `ME_` or `MC_` to access the App Configuration resource.
3. Select the **App Configuration** resource and select **Configuration explorer** to view the values. If you cannot access the configurations, add your user account as an **App Configuration Data Owner** through Access Control (IAM). You need this role in order to update the configurations as a required part of the authorization setup. To add your user account to the appropriate role, follow the instructions in the [Configure access control for services](../../deployment/configure-access-control-for-services.md#azure-app-configuration-service) document.

### Create the client application

#### Register the client application in the Microsoft Entra ID admin center
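Review bot: removing the `## Create the Microsoft Entra ID applications` heading leaves `### Create the client application` with no parent H2, so the page now jumps from the intro paragraph straight to an H3; either keep the H2 or promote the remaining headings one level. The deleted NOTE ("create this App Registration before you run the deployment scripts using `azd up`") and the App Configuration Data Owner requirement only survive if pre-requisites.md carries them, and nothing in the remaining text points the reader at that page; add a link to it near the top.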
Expand All @@ -29,7 +12,7 @@ To enable Microsoft Entra ID authorization to the FoundationaLLM platform, you n
![The app registrations menu item in the left-hand menu is highlighted.](media/entra-app-registrations.png)

3. On the page that appears, select **+ New registration**.
4. When the **Register an application** page appears, enter a name for your application, such as *FoundationaLLM-Authorization*.
4. When the **Register an application** page appears, enter the name *FoundationaLLM-Authorization-API* for your application.
5. Under **Supported account types**, select *Accounts in this organizational directory only*.
6. Select **Register**.
7. The application's **Overview** pane displays upon successful registration. Record the **Application (client) ID** and **Directory (tenant) ID** to add to your App Configuration settings later.
Expand All @@ -38,7 +21,7 @@ To enable Microsoft Entra ID authorization to the FoundationaLLM platform, you n

#### Expose an API for the API application

1. Under **Manage**, select **Expose an API** > **Add a scope**. For **Application ID URI**, accept the default or specify a custom one like `api://FoundationaLLM-Authorization-Auth`, then select **Save and continue**, and then enter the following details:
1. Under **Manage**, select **Expose an API** > **Add a scope**. For **Application ID URI**, enter `api://FoundationaLLM-Authorization`, then select **Save and continue**, and then enter the following details:
- **Scope name**: `Authorization.Manage`
- **Who can consent?**: **Admins and users**
- **Admin consent display name**: `Manage Authorization`
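Review bot: the Application ID URI `api://FoundationaLLM-Authorization` does not match the app name *FoundationaLLM-Authorization-API* mandated in the previous hunk; use one string for both so the values copied in step 3 and pasted into App Configuration are unambiguous. The old wording also allowed "accept the default" (`api://<client-id>`) as a fallback; with a mandated free-form URI, say what to do if the tenant rejects it, because every later value on this page assumes this exact URI.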
Expand All @@ -50,7 +33,7 @@ To enable Microsoft Entra ID authorization to the FoundationaLLM platform, you n

![The Add a scope form is displayed as described in the bulleted list above.](media/entra-authorization-add-scope.png)

3. Copy the **Scope name** value to add to your App Configuration settings later. For example, it should look something like `api://c79a09ce067141d5832b/Data.Manage`.
3. Copy the **Scope name** value to add to your App Configuration settings later. It should look like `api://FoundationaLLM-Authorization/Authorization.Manage`.

![The new scope name is displayed with the Copy button highlighted.](media/entra-authorization-copy-scope.png)

Expand Down Expand Up @@ -81,7 +64,7 @@ To enable Microsoft Entra ID authorization to the FoundationaLLM platform, you n
4. Enter `authorization` in the search box to filter the results.
5. Check the box next to **Key** in the header to select all items.
6. Find the key for `FoundationaLLM:APIs:AuthorizationAPI:APIScope` and click on edit.
7. Replace the value with the value from the scope we created earlier, like `api://FoundationaLLM-Authorization-Auth`
7. Replace the value with the value from the scope we created earlier, as `api://FoundationaLLM-Authorization`
8. Select **Apply** to save the changes.

## Next steps
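Review bot: step 7 sets `FoundationaLLM:APIs:AuthorizationAPI:APIScope` to `api://FoundationaLLM-Authorization` (the Application ID URI) while calling it "the value from the scope we created earlier", but step 3 told the reader to copy `api://FoundationaLLM-Authorization/Authorization.Manage`. The two steps disagree. If the setting is meant to hold the Application ID URI (for example because callers request `<uri>/.default` with their own identity), say so and drop the "scope" wording; otherwise use the full scope string. Minor: "as `api://...`" reads better as "with `api://...`".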
Expand Up @@ -9,43 +9,6 @@ To enable Microsoft Entra ID authentication for the Core API and user portal, yo
- A client application that will be used by the user portal chat interface to authenticate users.
- An API application that will be used by the Core API to authenticate users.

### Pre-requisites

> [!IMPORTANT]
> Be aware that after completing this registration and the other app registrations in Entra ID as instructed in the [docs](docs/deployment/authentication-authorization/index.md) you will complete the deployment steps outlined at [deploy the solution](../../deployment/deployment-starter.md) then you will be revisiting your app registrations to complete some of the settings that require the solution to be deployed before the entire app registration is completed successfully.
#### Setup App Configuration access

1. Sign in to the [Azure portal](https://portal.azure.com/) as at least a Contributor.
2. Navigate to the Resource Group that was created as part of the deployment.
> [!NOTE]
> If you performed an Azure Container Apps (ACA) or Azure Kubernetes Service (AKS) deployment, you will see an extra Resource Group that starts with `ME_` or `MC_` in addition to the Resource Group defined during the deployment. You will need to navigate to the Resource Group that **does not start with** `ME_` or `MC_` to access the App Configuration resource.
3. Select the **App Configuration** resource and select **Configuration explorer** to view the values. If you cannot access the configurations, add your user account as an **App Configuration Data Owner** through Access Control (IAM). You need this role in order to update the configurations as a required part of the authentication setup. To add your user account to the appropriate role, follow the instructions in the [Configure access control for services](../../deployment/configure-access-control-for-services.md#azure-app-configuration-service) document.

#### Obtain the URL for the chat UI application

You need this URL to assign the redirect URI for the client application.

If you performed an **Azure Container Apps (ACA)** deployment, follow these steps to obtain the URL for the chat UI application:

1. Within the Resource Group that was created as part of the deployment, select the **Container App** resource whose name ends with `chatuica`.

![The Chat UI container app is selected in the deployed resource group.](media/resource-group-aca.png)

2. Within the Overview pane, copy the **Application Url** value. This is the URL for the chat application.

![The container app's Application Url is highlighted.](media/aca-application-url.png)

If you performed an **Azure Kubernetes Service (AKS)** deployment, follow these steps to obtain the URL for the chat UI application:

1. Within the Resource Group that was created as part of the deployment, select the **Kubernetes Service** resource.

![The Kubernetes service is selected in the deployed resource group.](media/resource-group-aks.png)

2. Select **Properties** in the left-hand menu and copy the **HTTP application routing domain** value. This is the URL for the chat application.

![The HTTP application routing domain property is highlighted.](media/aks-http-app-routing-domain.png)

### Create the client application

#### Register the client application in the Microsoft Entra ID admin center
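Review bot: deleting "Obtain the URL for the chat UI application" removes the only instructions for finding the ACA `chatuica` Application Url or the AKS HTTP application routing domain, yet the removed text itself says "You need this URL to assign the redirect URI for the client application", and that redirect URI step remains on the page. If these steps moved to pre-requisites.md, the redirect URI step should link there; if not, they need to come back. The removed IMPORTANT note also carried a relative link `docs/deployment/authentication-authorization/index.md` that cannot resolve from this directory; if that text was moved, fix the path in its new location.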
Expand All @@ -56,7 +19,7 @@ If you performed an **Azure Kubernetes Service (AKS)** deployment, follow these
![The app registrations menu item in the left-hand menu is highlighted.](media/entra-app-registrations.png)

3. On the page that appears, select **+ New registration**.
4. When the **Register an application** page appears, enter a name for your application, such as *FoundationaLLM-Client*. You should indicate that this is for the chat client (User Portal) application by appending *-Client* to the name.
4. When the **Register an application** page appears, enter the following name for your application *FoundationaLLM-User-Portal*.
5. Under **Supported account types**, select *Accounts in this organizational directory only*.
6. Select **Register**.

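Review bot: step 4 is missing punctuation before the name; write "enter the following name for your application: *FoundationaLLM-User-Portal*", or use the phrasing the other pages adopt in this commit, "enter the name *FoundationaLLM-User-Portal* for your application".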
Expand Down Expand Up @@ -123,7 +86,7 @@ If you wish to [configure authentication in Postman](../../development/directly-

![The app registrations menu item in the left-hand menu is highlighted.](media/entra-app-registrations.png)

3. For **Name**, enter a name for the application. For example, enter *FoundationaLLM*. Users of the app will see this name, and can be changed later.
3. For **Name**, enter the name *FoundationaLLM-Core-API* for the application.
4. Under **Supported account types**, select *Accounts in this organizational directory only*.
5. Select **Register**.

Expand Down Expand Up @@ -160,7 +123,7 @@ If you wish to [configure authentication in Postman](../../development/directly-

#### Expose an API for the API application

1. Under **Manage**, select **Expose an API** > **Add a scope**. For **Application ID URI**, accept the default or specify a custom one, then select **Save and continue**, and then enter the following details:
1. Under **Manage**, select **Expose an API** > **Add a scope**. For **Application ID URI**, make sure to use `api://FoundationaLLM-Core`, then enter the following details:
- **Scope name**: `Data.Read`
- **Who can consent?**: **Admins and users**
- **Admin consent display name**: `Read data on behalf of users`
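Review bot: step 1 drops "select **Save and continue**", which the previous wording (and the authorization page in this same commit) kept; the Add a scope blade asks you to save the Application ID URI before it shows the scope fields, so the step is now incomplete. Also `api://FoundationaLLM-Core` does not match the API app name *FoundationaLLM-Core-API* set earlier on this page; align the two.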
Expand All @@ -172,7 +135,7 @@ If you wish to [configure authentication in Postman](../../development/directly-

![The Add a scope form is displayed as described in the bulleted list above.](media/entra-api-app-add-scope.png)

3. Copy the **Scope name** value to add to your App Configuration settings later. For example, it should look something like `api://d85a09ce067141d5807a/Data.Read`.
3. Copy the **Scope name** value to add to your App Configuration settings later. For example, it should look something like `api://FoundationaLLM-Core/Data.Read`.

![The new scope name is displayed with the Copy button highlighted.](media/entra-api-app-scope-copy-name.png)

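Review bot: now that the Application ID URI is fixed, "For example, it should look something like `api://FoundationaLLM-Core/Data.Read`" is misleading; the value is exactly that string. Use the definite wording the authorization page uses ("It should look like `api://FoundationaLLM-Core/Data.Read`").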
Expand Down Expand Up @@ -228,7 +191,7 @@ The client application's configured permissions should now look like the followi

7. Replace the values for the following settings with the values that you recorded earlier:
- `FoundationaLLM:Chat:Entra:ClientId`: The **Application (client) ID** of the client application that you [created earlier](#register-the-client-application-in-the-microsoft-entra-admin-center).
- `FoundationaLLM:Chat:Entra:Scopes`: The fully-qualified scopes path for the API application that you [created earlier](#expose-an-api-for-the-api-application). For example, it should look something like `api://d85a09ce067141d5807a/Data.Read`.
- `FoundationaLLM:Chat:Entra:Scopes`: The fully-qualified scopes path for the API application that you [created earlier](#expose-an-api-for-the-api-application). For example, it should look something like `api://FoundationaLLM-Core/Data.Read`.
- `FoundationaLLM:Chat:Entra:TenantId`: The **Directory (tenant) ID** of the client application that you [created earlier](#register-the-client-application-in-the-microsoft-entra-admin-center).
- `FoundationaLLM:CoreAPI:Entra:ClientId`: The **Application (client) ID** of the API application that you [created earlier](#register-the-api-application-in-the-microsoft-entra-admin-center).
- `FoundationaLLM:CoreAPI:Entra:TenantId`: The **Directory (tenant) ID** of the API application that you [created earlier](#register-the-api-application-in-the-microsoft-entra-admin-center).
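Review bot: `FoundationaLLM:Chat:Entra:Scopes` is exactly `api://FoundationaLLM-Core/Data.Read` once the URI is mandated, so "For example ... something like" should go. While here, the anchors `#register-the-client-application-in-the-microsoft-entra-admin-center` and `#register-the-api-application-in-the-microsoft-entra-admin-center` do not match the headings, which read "... in the Microsoft Entra ID admin center" (slug `...-microsoft-entra-id-admin-center`), so these links resolve nowhere.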
1 change: 1 addition & 0 deletions docs/deployment/authentication-authorization/index.md
Expand Up @@ -7,6 +7,7 @@ FoundationaLLM uses the [Microsoft Entra ID](https://learn.microsoft.com/entra/f
> [!IMPORTANT]
> The following steps are required to set up authentication and authorization for the solution. You will need to create app registrations in the Entra ID tenant in the Azure portal. There are currently **five** app registrations required for the solution as listed below. After you complete the 5 app registrations, you will need to finish the deployment process of the solution and revisit these app registrations to fill in some missing values that are generated during the deployment itself.
- [Pre-requisites](pre-requisites.md)
- [Core API and user portal authentication setup - Microsoft Entra ID](core-authentication-setup-entra.md)
- [Management API and portal authentication setup - Microsoft Entra ID](management-authentication-setup-entra.md)
- [Authorization setup - Microsoft Entra ID](authorization-setup-entra.md)
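Review bot: the new Pre-requisites entry is added without touching the IMPORTANT note above it, which still describes only the five app registrations and the post-deployment revisit. Since the three setup pages no longer carry their own prerequisite steps (App Configuration access, portal URLs), state here that pre-requisites.md must be completed before any registration, so the order is explicit.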
Expand Up @@ -9,19 +9,6 @@ To enable Microsoft Entra ID authentication for the Management API and portal, y
- A client application that will be used by the management portal to authenticate users.
- An API application that will be used by the Management API to authenticate users.

### Pre-requisites

> [!IMPORTANT]
> Be aware that after completing this registration and the other app registrations in Entra ID as instructed in the [docs](docs/deployment/authentication-authorization/index.md) you will complete the deployment steps outlined at [deploy the solution](../../deployment/deployment-starter.md) then you will be revisiting your app registrations to complete some of the settings that require the solution to be deployed before the entire app registration is completed successfully.
#### Setup App Configuration access

1. Sign in to the [Azure portal](https://portal.azure.com/) as at least a Contributor.
2. Navigate to the Resource Group that was created as part of the deployment.
> [!NOTE]
> If you performed an Azure Container Apps (ACA) or Azure Kubernetes Service (AKS) deployment, you will see an extra Resource Group that starts with `ME_` or `MC_` in addition to the Resource Group defined during the deployment. You will need to navigate to the Resource Group that **does not start with** `ME_` or `MC_` to access the App Configuration resource.
3. Select the **App Configuration** resource and select **Configuration explorer** to view the values. If you cannot access the configurations, add your user account as an **App Configuration Data Owner** through Access Control (IAM). You need this role in order to update the configurations as a required part of the authentication setup. To add your user account to the appropriate role, follow the instructions in the [Configure access control for services](../../deployment/configure-access-control-for-services.md#azure-app-configuration-service) document.

### Create the client application

#### Register the client application in the Microsoft Entra ID admin center
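Review bot: with "Setup App Configuration access" removed, nothing left on this page tells the reader they need the App Configuration Data Owner role before the later step that edits the `FoundationaLLM:Management:Entra:*` settings; add a link to pre-requisites.md (the page the index now lists) at the top. The removed IMPORTANT note also had a relative link `docs/deployment/authentication-authorization/index.md` that cannot resolve from this directory; if the text was moved, fix the path in its new home.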
Expand All @@ -32,7 +19,7 @@ To enable Microsoft Entra ID authentication for the Management API and portal, y
![The app registrations menu item in the left-hand menu is highlighted.](media/entra-app-registrations.png)

3. On the page that appears, select **+ New registration**.
4. When the **Register an application** page appears, enter a name for your application, such as *FoundationaLLM-ManagementClient*. You should indicate that this is for the management client application by appending *-ManagementClient* to the name.
4. When the **Register an application** page appears, enter the name *FoundationaLLM-Management-Portal* for your application.
5. Under **Supported account types**, select *Accounts in this organizational directory only*.
6. Select **Register**.

Expand Down Expand Up @@ -148,7 +135,7 @@ If you wish to [configure authentication in Postman](../../development/directly-

![The Add a scope form is displayed as described in the bulleted list above.](media/entra-management-management-api-app-add-scope.png)

3. Copy the **Scope name** value to add to your App Configuration settings later. For example, it should look something like `api://c79a09ce067141d5832b/Data.Manage`.
3. Copy the **Scope name** value to add to your App Configuration settings later. It should look like `api://FoundationaLLM-Management/Data.Manage`.

![The new scope name is displayed with the Copy button highlighted.](media/entra-management-api-app-scope-copy-name.png)

Expand Down Expand Up @@ -176,10 +163,10 @@ If you wish to [configure authentication in Postman](../../development/directly-

![The app registrations menu item in the left-hand menu is highlighted.](media/entra-app-registrations.png)

2. Select the `FoundationaLLM-ManagementClient` application that you [created earlier](#register-the-client-application-in-the-microsoft-entra-admin-center).
2. Select the `FoundationaLLM-Management-Portal` application that you [created earlier](#register-the-client-application-in-the-microsoft-entra-admin-center).
3. Select **API permissions**.
4. Select **+ Add a permission** under the "Configured permissions" section.
5. In the "Request API permissions" pan, select the **My APIs** tab, then select the `FoundationaLLM-Management` API application.
5. In the "Request API permissions" pan, select the **My APIs** tab, then select the `FoundationaLLM-Management-API` application.

![The FoundationaLLM API is selected under My APIs.](media/entra-app-add-management-api-permission.png)

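Review bot: typo in step 5, "pan" should be "pane". The renames to `FoundationaLLM-Management-Portal` and `FoundationaLLM-Management-API` match the new registration names, but the Application ID URI set earlier on this page is `api://FoundationaLLM-Management`, so the API app now has two different identifiers; pick one string for the name and the URI.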
Expand All @@ -204,7 +191,7 @@ The client application's configured permissions should now look like the followi

7. Replace the values for the following settings with the values that you recorded earlier:
- `FoundationaLLM:Management:Entra:ClientId`: The **Application (client) ID** of the client application that you [created earlier](#register-the-client-application-in-the-microsoft-entra-admin-center).
- `FoundationaLLM:Management:Entra:Scopes`: The fully-qualified scopes path for the API application that you [created earlier](#expose-an-api-for-the-api-application). For example, it should look something like `api://d85a09ce067141d5807a/Data.Manage`.
- `FoundationaLLM:Management:Entra:Scopes`: The fully-qualified scopes path for the API application that you [created earlier](#expose-an-api-for-the-api-application). It should look like `api://FoundationaLLM.Management-API/Data.Manage`.
- `FoundationaLLM:Management:Entra:TenantId`: The **Directory (tenant) ID** of the client application that you [created earlier](#register-the-client-application-in-the-microsoft-entra-admin-center).
- `FoundationaLLM:ManagementAPI:Entra:ClientId`: The **Application (client) ID** of the API application that you [created earlier](#register-the-api-application-in-the-microsoft-entra-admin-center).
- `FoundationaLLM:ManagementAPI:Entra:TenantId`: The **Directory (tenant) ID** of the API application that you [created earlier](#register-the-api-application-in-the-microsoft-entra-admin-center).
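Review bot: `api://FoundationaLLM.Management-API/Data.Manage` in `FoundationaLLM:Management:Entra:Scopes` contradicts the scope the reader copied earlier, `api://FoundationaLLM-Management/Data.Manage` (dot instead of hyphen, extra `-API`). A portal configured with this value requests a scope the API app never exposed, so sign-in to the management portal fails at token acquisition; replace it with the exact scope from the Expose an API step.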