I have an MVC Web Application (WebAPI + Angular) deployed to Azure as a Web App (not API App) that is set up to be secured using Settings -> Authentication / Authorization -> AAD -> Express. This created an AD Application with the same name as the Web App, and as a normal web user (in the directory, using OAuth) this works as expected.
But I also have external automation that needs to call the WebAPI controllers directly, so I need to programmatically get a Bearer token to pass along with those requests.
This all works OK when "USER ASSIGNMENT REQUIRED TO ACCESS APP" == NO. But this won't suffice because everyone in the Directory shouldn't have access to this app.
Flipping that switch results in the error:
Application 'AppId' is not assigned to a role for the application 'AppId'.
The code being used:
using System;
using System.Configuration;
using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// ADAL requires an https authority; an http authority is rejected as insecure.
var aadLoginUri = "https://login.microsoftonline.com/{0}";
var tenantId = "[xxx].onmicrosoft.com";
var authority = String.Format(CultureInfo.InvariantCulture, aadLoginUri, tenantId);
var clientId = ConfigurationManager.AppSettings["ClientId"];
var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
var authContext = new AuthenticationContext(authority);
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
// Client credentials flow: the app requests a token for itself (resource == clientId).
AuthenticationResult authResult = authContext.AcquireToken(clientId, clientCredential);
How can I add a role assignment for an Application (as opposed to for a user)?
I tried utilizing the 'permissions to other applications' section, but an app cannot be added to itself. To see if this would solve the problem from another app, I went ahead and created one and was able to add the App & set Delegated Permissions to 'Access [App Name]'. But just as before, this only works if user assignment is not required to access the app. Afterwards AcquireToken() throws the same exception.
It seems this issue could be solved by decoupling our API from the Angular app, hosting the API as an API App (with a Gateway), but that's not an option at the moment. Also this article says this new Auth feature "replaces the App Service gateway for most applications" and this blog post announcing the feature in November says "We recommend web and mobile applications use this feature instead of the App Service gateway going forward" so I wonder if this just hasn't made it into the UI & perhaps it's possible to add app role assignments via the app manifest (tried, failed), graph/service-mgmt api, powershell, etc.
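For reference, this is the shape of an `appRoles` entry in the Azure AD application manifest that is assignable to an application (rather than to a user); it is an added example, not a fragment from the question or the Express-mode configuration, and the `id` GUID, `displayName` and `value` are placeholders to be replaced with your own.

```json
{
  "appRoles": [
    {
      "allowedMemberTypes": [ "Application" ],
      "description": "Allows the external automation client to call the WebAPI controllers.",
      "displayName": "Automation.Access",
      "id": "00000000-0000-0000-0000-000000000000",
      "isEnabled": true,
      "value": "Automation.Access"
    }
  ]
}
```

A role with `allowedMemberTypes` of `Application` appears under the resource app's Application Permissions (not Delegated Permissions) for a client app, and a token acquired with client credentials then carries it in the `roles` claim, which the API can check in addition to the portal's user-assignment switch.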