Overview
- ADatum Corporation develops a software as a service (SaaS) application named E-invoicing.
Existing Environment -
Application Architecture -
- E-invoicing consists of a single-page application (SPA) and a backend web service that provides invoice management and processing functionality.
- E-invoicing stores all the details of each invoicing operation in a backend cloud database. E-invoicing generates invoices in PDF format and provides users with the ability to download the PDF after it is generated. Each invoice has a unique identifier named invoiceid.
- The users have a common workflow where they sign in to E-invoicing, and then open E-invoicing in multiple tabs of a web browser so they can use different parts of the application simultaneously.
Security Architecture -
- ADatum uses the principle of least privilege whenever possible. ADatum always uses the latest libraries and integration endpoints.
Requirements -
Business Goals -
ADatum wants to integrate E-invoicing, Azure Active Directory (Azure AD), and Microsoft Graph so that their customers can leverage Microsoft Office 365 services directly from within E-invoicing.
Planned Changes -
ADatum plans to add the following capabilities to E-invoicing:
- Email the generated invoices to customers on behalf of the current signed-in user. Any emails generated by the system will contain the invoiceid.
- Perform as many operations as possible in the browser without having to leave the E-invoicing application.
- Use Azure AD to manage identities, authentication, and authorization.
- Display all emails that contain a specific invoiceid.
Technical Requirements -
ADatum identifies the following technical requirements for the planned E-invoicing capabilities:
- Ensure that all operations performed by E-invoicing against Office 365 are initiated by a user. Require that the user authorize E-invoicing to access the Office 365 data the first time the application attempts to access Office 365 data on the user's behalf.
- Send scheduled reminders to customers before a payment due date. Create an administration user interface to enable the scheduled reminders.
- Implement Microsoft Graph change notifications to detect emails from vendors that arrive in a designated mailbox.
- Implement single sign-on (SSO) and minimize login prompts across browser tabs.
- Secure access to the backend web service by using Azure AD.
- Ensure that all solutions use secure coding practices.
Backend Security Planned Changes -
- ADatum wants to use custom application roles to map user functionality to permissions granted to users.
- E-invoicing will have internal logic that will dynamically identify whether the user should be allowed to call the backend API.
SSO JavaScript Script -
You plan to implement SSO with Microsoft Authentication Library (MSAL) by using the following code:
Access Token JavaScript Script -
You have the following JavaScript code to obtain an access token.
Change Notification JSON -
You have the following JSON message that will be sent by the Microsoft Graph service to detect the vendor emails.