Update instructions with third Azure AD app for WebPortal authentication due to removal of ability to add a client secret to native app in Azure portal

API/Web.config

@@ -11,10 +11,8 @@
   <connectionStrings>
   </connectionStrings>
   <appSettings>
-    <!-- Enter your AAD native app settings and tenant details -->
+    <!-- Enter your AAD native app settings -->
     <add key="AAD_ClientID" value="app-client-id" />
-    <add key="AAD_ClientSecret" value="appClientSecret" />
-    <add key="AAD_Domain" value="yourtenant.onmicrosoft.com" />
     <!-- Credentials for a Skype for Business-enabled O365 user -->
     <add key="UCWA_Username" value="name@yourtenant.onmicrosoft.com" />
     <add key="UCWA_Password" value="password" />

README.md

@@ -33,21 +33,35 @@ For local testing, proceed with directions below and use the local testing URLs
 
 
 ### Azure AD application registration
-Two applications are required to deploy the solution. One enables authentication against UCWA and the Web SDK (delegated permissions) in the Web Portal, API and Tray Listener projects, and the other that will be used for the web service implementing the Trusted App API (application permissions).
+Three Azure AD application registrations are required to deploy the solution:
+
+1. Web Portal (Native): Enables use of UCWA and the Web SDK (delegated permissions) in the Web Portal, API and Tray Listener projects
+2. Web Portal (Web/API): Enables AAD user authentication (delegated permissions) for the web portal
+3. Trusted App (Web/API): Enables use of the Skype for Business Trusted App API (application permissions)
 
 #### 1. Web SDK & UCWA
 This AAD application will be used to authenticate the Web SDK and UCWA. In the Azure Portal, go to *Azure Active Directory (AAD) > App Registrations* and configure a new *Native* type application.
-- Under *Reply URLs*, remove the default reply URL and add two more:
+1. Under *Reply URLs*, remove the default reply URL and add two more:
     - `https://WebPortalFQDN/Content/token.html`
     - `https://WebPortalFQDN/`
 
     Refer to the table above for setting `WebPortalFQDN` if testing on a local machine with Visual Studio.
 2. Under *Required Permissions*, select the *Skype for Business Online* API and grant it all available **delegated** permissions. If you can't find that API listed, try entering `Microsoft.Lync` into the search.
-3. Under *Keys*, add a client secret and copy its value - you will need it later.
-4. Close out the *Settings* blade to return to the application's essentials blade, and press the *Manifest* button to edit the application Manifest
+3. Close out the *Settings* blade to return to the application's essentials blade, and press the *Manifest* button to edit the application Manifest
     - Change the `oauth2AllowImplicitFlow` property to `true`, and save the manifest.
 
-#### 2. Trusted Application
+#### 2. Web Portal authentication
+This AAD application will be used to authenticate users of the web portal. In the Azure Portal, go to *Azure Active Directory (AAD) > App Registrations* and configure a new *Web/API* type application.
+
+1. Under *Reply URLs*, remove the default reply URL and add two more:
+    - `https://WebPortalFQDN/Content/token.html`
+    - `https://WebPortalFQDN/`
+    
+    Refer to the table above for setting `WebPortalFQDN` if testing on a local machine with Visual Studio.
+2. Under *Required Permissions*, select the *Skype for Business Online* API and grant it all available **delegated** permissions. If you can't find that API listed, try entering `Microsoft.Lync` into the search.
+3. Under *Keys*, add a client secret and copy its value - you will need it later.
+
+#### 3. Trusted Application
 This AAD application will be used by your Trusted App web service to authenticate against the Skype for Business Trusted Application API.
 
 Use the [quick registration tool](https://aka.ms/skypeappregistration) to register a new Trusted Application (detailed registration instructions [here](https://msdn.microsoft.com/en-us/skype/trusted-application-api/docs/sfbregistration)):
@@ -128,7 +142,7 @@ Doctor clicks the admit link on the clinic join page to kick off the meeting. Th
 ## FAQ
 #### 1. What's the difference between an Azure AD Application, Trusted Application and the Trusted Application API?
 This documentation has taken care to use careful wording given the ambiguous nature of the word *Application*.
-- Azure AD Application: Used to authenticate against Azure AD and provide access to Skype APIs.
+- Azure AD Application: Used to authenticate users with Azure AD and request access to user resources, e.g. access to Skype for Business Online APIs.
 - Trusted Application: Web service that implements (consumes) the Trusted App API so that it can interact with your tenant's users and Skype for Business meetings autonomously. In this code sample, it interacts with Skype for Business meetings upon request via a high-level REST API.
 - Trusted Application API: API offered by Microsoft with Skype for Business Online
 

TrayListener/App.config

@@ -5,7 +5,7 @@
     </startup>
   <appSettings>
     <add key="AAD_AuthorityUri" value="https://login.microsoftonline.com/{0}/" />
-    <!-- Enter your AAD native app settings and tenant details -->
+    <!-- Enter your AAD web app settings and tenant details -->
     <add key="AAD_ClientId" value="app-client-id" />
     <add key="AAD_Domain" value="yourtenant.onmicrosoft.com" />
     <!-- Change these to match your deployment URL. Trailing slash required. -->

WebPortal/App_Start/Startup.Auth.cs

@@ -19,8 +19,8 @@ namespace CSETHSamples_WebPortal
 {
     public partial class Startup
     {
-        private static string clientId = ConfigurationManager.AppSettings["AAD_ClientId"];
-        private static string appKey = ConfigurationManager.AppSettings["AAD_ClientSecret"];
+        private static string clientId = ConfigurationManager.AppSettings["AAD_Web_ClientId"];
+        private static string appKey = ConfigurationManager.AppSettings["AAD_Web_ClientSecret"];
         private static string aadInstance = ConfigurationManager.AppSettings["AAD_AuthorityUri"];
         private static string tenantId = ConfigurationManager.AppSettings["AAD_TenantId"];
         private static string domain = ConfigurationManager.AppSettings["AAD_Domain"];

WebPortal/Controllers/MeetingPortalController.cs

@@ -60,7 +60,7 @@ namespace CSETHSamples_WebPortal.Controllers
             ViewBag.MeetingConferenceUri = meetingConferenceUri;
             ViewBag.MeetingJoinUrl = meetingJoinUrlStr;
             ViewBag.MeetingId = meetingId;
-            ViewBag.ClientId = WebConfigurationManager.AppSettings["AAD_ClientId"];
+            ViewBag.ClientId = WebConfigurationManager.AppSettings["AAD_Native_ClientId"];
             ViewBag.SkypeUseConversationControl = WebConfigurationManager.AppSettings["SkypeUseConversationControl"];
             ViewBag.SkypeServiceUrl = WebConfigurationManager.AppSettings["SkypeServiceUrl"];
             ViewBag.WebPortalBaseUrl = WebConfigurationManager.AppSettings["WebPortalBaseUrl"];

WebPortal/Web.config

@@ -20,12 +20,16 @@
     <add key="ValidMeetingJoinHosts" value="meet.lync.com" />
     <!-- Change to "true" if you would like to use the built-in conversation control (UI will not be customizable) -->
     <add key="SkypeUseConversationControl" value="false" />
-    <!-- Enter your AAD native app settings and tenant details -->
-    <add key="AAD_ClientId" value="app-client-id" />
-    <add key="AAD_AuthorityUri" value="https://login.microsoftonline.com/" />
-    <add key="AAD_ClientSecret" value="appsecret" />
+    <!-- Enter your AAD tenant details -->
     <add key="AAD_Domain" value="yourtenant.onmicrosoft.com" />
     <add key="AAD_TenantId" value="tenant-id" />
+    <add key="AAD_AuthorityUri" value="https://login.microsoftonline.com/" />
+    <!-- Enter your AAD native app settings (used for Skype Web SDK) -->
+    <add key="AAD_Native_ClientId" value="app-client-id" />
+    <!-- Enter your AAD web app settings (used for AAD login) -->
+    <add key="AAD_Web_ClientId" value="app-client-id" />
+    <add key="AAD_Web_ClientSecret" value="appsecret" />
+    
     <!-- Change these to match your deployment URLs. Trailing slash required. -->
     <add key="AAD_PostLogoutRedirectUri" value="https://localhost:44315/" />
     <add key="AAD_RedirectURI" value="https://localhost:44315/" />