5
votes

I've created an application in an Azure AD from a manifest with several appRoles inside it, and I can assign users to these roles. After a user completes the single sign-on and returns to my application, I then request a JSON Web Token from their login. The problem is, there are no assigned roles listed in the token I get back from Azure, as it would suggest there are supposed to be here.

Is there a configuration option I'm missing or is there an alternate way to find out their assigned role through the Azure Graph API?


Update:

After specifying the resource as the App ID URI when requesting the authorisation URL I've managed to get a little further.

I'm now getting back the following error (in the return URL):

"The signed in user '<user email>' is not assigned to a role for the application '<app client id>'."

The user has definitely been assigned a role in the Azure AD control panel for the app, and the app client id in the error message matches the app's client id exactly.


Application config:

Azure AD Application config screen

User assigned a role:

Azure AD Application user role assignments

Error message after logging in and returning to app:

Azure AD Authentication error message

3
Here is a guide, dushyantgill.com/blog/2014/12/10/…; see whether it will help you. - Gary Liu
Thanks Gary, but that's actually the guide I've already been using, and as far as I'm aware I've followed it exactly. The only exception is that my web app is written in PHP. - Philip
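A quick way to see why the roles claim is missing is to decode the token that comes back and check which audience it was issued for, which is what the update to the question ends up doing by hand. The following Python is an added example, not code from the question or from the guide linked above; the tokens in it are constructed locally with a placeholder signature so the script runs offline, and the App ID URI, tenant and role names are made up. It inspects the `aud` and `roles` claims only: it does not validate the signature, which a real application must do against the tenant's published signing keys before trusting any claim.

```python
import base64
import json


def _b64url_encode(obj: dict) -> str:
    """base64url-encode a JSON object without padding (JWT segment format)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_unsigned_token(claims: dict) -> str:
    """Construct a JWT-shaped string for local testing. The third segment is a
    placeholder, not a real RS256 signature: these tokens are sample data only."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-key"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "placeholder-signature"])


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Use only to inspect what the issuer put in the token, never to authorise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_for_roles(token: str, expected_audiences) -> dict:
    """Report whether the token was issued for our application and which app
    roles it carries. Azure AD emits the 'roles' claim in tokens whose audience
    is the application itself (its App ID URI or client id); a token requested
    for another resource, such as the Graph API, will not carry this app's roles."""
    if isinstance(expected_audiences, str):
        expected_audiences = {expected_audiences}
    claims = decode_jwt_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    roles = claims.get("roles") or []
    return {
        "audience_ok": any(a in expected_audiences for a in audiences),
        "audiences": audiences,
        "roles": list(roles),
    }


# Constructed sample values (assumptions, not taken from the question).
APP_ID_URI = "https://contoso.onmicrosoft.com/myapp"
ISSUER = "https://sts.windows.net/contoso-tenant-id/"

# Token requested with resource=<App ID URI>: audience is the app, roles present.
APP_TOKEN = build_unsigned_token({
    "aud": APP_ID_URI,
    "iss": ISSUER,
    "upn": "user@contoso.onmicrosoft.com",
    "roles": ["Admin"],
})

# Token requested for the Graph API instead: audience is Graph, no roles for our app.
GRAPH_TOKEN = build_unsigned_token({
    "aud": "https://graph.windows.net",
    "iss": ISSUER,
    "upn": "user@contoso.onmicrosoft.com",
})


if __name__ == "__main__":
    for name, token in (("app token", APP_TOKEN), ("graph token", GRAPH_TOKEN)):
        result = check_token_for_roles(token, APP_ID_URI)
        print(f"{name}: audience ok={result['audience_ok']} "
              f"aud={result['audiences']} roles={result['roles']}")
```

Run it against a real token by replacing the constructed strings with the token your PHP app receives: if `audience_ok` is false, the token was minted for a different resource and the roles claim was never going to be in it; if the audience is right and `roles` is still empty, the problem is on the assignment side.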

3 Answers

1
votes

@Philip, could you please try to set your application permission using PowerShell?

# 1. Download the Azure AD PowerShell module and log in using your user in the AD
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

# 2. Get the service principal of the web app by its client (application) ID
$ClientIdWebApp = '5b597c35-**-**-ad05-***'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp

# 3. Use Add-MsolRoleMember to add it to the "Company Administrator" role
#    (this is the directory's Global Administrator role, so the service principal gains full tenant rights)
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

For more information, please refer to this page: https://msdn.microsoft.com/en-us/library/azure/dn919663.aspx, and use this method to add a member to a role:

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "[email protected]"

Any updates or results, please let me know.

1
votes

Probably not the answer people want to hear if they're coming across this thread looking for a solution to the issue, but we switched from using OAuth to SAML and we now successfully get app roles in the SAML response.

I can only assume the OAuth implementation of app roles on Azure AD is completely broken because we changed nothing except switching to SAML.

0
votes

The C# code below can query the users assigned to your application using the AppRoleAssignedTo attribute. I am not familiar with PHP, but I believe it has a similar method. The ActiveDirectoryClient class comes from the Active Directory Graph Client Library.

// activeDirectoryClient is an ActiveDirectoryClient from Microsoft.Azure.ActiveDirectory.GraphClient; needs System.Linq.
// Find the service principal of the application by its client (application) ID.
var servicePrincipals = activeDirectoryClient.ServicePrincipals
    .Where(sp => sp.AppId.Equals("app client id"))
    .ExecuteAsync().Result.CurrentPage.ToList();
var servicePrincipal = servicePrincipals.FirstOrDefault();
// List the app role assignments (users or groups) made to that service principal.
var userAssignments = (servicePrincipal as IServicePrincipalFetcher)
    .AppRoleAssignedTo.ExecuteAsync().Result.CurrentPage.ToList();
foreach (IAppRoleAssignment assignedUser in userAssignments)
{
    Console.WriteLine("UserId: {0}  Name: {1} ObjectType: {2}",
        assignedUser.PrincipalId, assignedUser.PrincipalDisplayName, assignedUser.ObjectType);
}
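The answer above prints each assignment's principal but not which app role it holds: an assignment record only carries the role's id, which has to be joined back to the `appRoles` array of the application manifest to get the role's `value`. The following Python is an added example, not code from the answer or from the Graph client library. It works on constructed sample data shaped like a manifest fragment and like `appRoleAssignedTo` records; the GUIDs and names are made up, and the records are assumed to carry the role id in an `id` field as the Azure AD Graph AppRoleAssignment entity does (the newer Microsoft Graph calls it `appRoleId`, which the code also accepts). It resolves every assignment to a role value and flags the ones that do not map to an enabled role in the manifest, which is the first thing to check for a user who gets a "not assigned to a role" error.

```python
import json

# Constructed sample manifest fragment (made-up GUIDs and names), shaped like
# the appRoles array of an Azure AD application manifest.
MANIFEST = json.loads("""
{
  "appRoles": [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Admin",
     "displayName": "Administrator", "allowedMemberTypes": ["User"], "isEnabled": true},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Reader",
     "displayName": "Reader", "allowedMemberTypes": ["User"], "isEnabled": true},
    {"id": "33333333-3333-3333-3333-333333333333", "value": "LegacyAuditor",
     "displayName": "Legacy auditor", "allowedMemberTypes": ["User"], "isEnabled": false}
  ]
}
""")

# The all-zero GUID is the "default access" role id Azure AD uses for an
# assignment that is not tied to any app role the application defines.
DEFAULT_ACCESS_ROLE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample assignment records (made-up principals), shaped like the
# appRoleAssignedTo output of the Azure AD Graph API.
ASSIGNMENTS = [
    {"id": "11111111-1111-1111-1111-111111111111",
     "principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "principalDisplayName": "Alice", "principalType": "User"},
    {"id": "33333333-3333-3333-3333-333333333333",
     "principalId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
     "principalDisplayName": "Bob", "principalType": "User"},
    {"id": DEFAULT_ACCESS_ROLE_ID,
     "principalId": "cccccccc-cccc-cccc-cccc-cccccccccccc",
     "principalDisplayName": "Carol", "principalType": "User"},
]


def role_index(manifest: dict) -> dict:
    """Map app role id -> role definition from the manifest."""
    return {role["id"]: role for role in manifest.get("appRoles", [])}


def resolve_assignments(manifest: dict, assignments: list) -> list:
    """Join each assignment to its manifest role. 'effective' is True only when
    the assignment points at a role the manifest defines and has enabled."""
    idx = role_index(manifest)
    resolved = []
    for a in assignments:
        role_id = a.get("appRoleId") or a.get("id")  # MS Graph vs AAD Graph naming
        role = idx.get(role_id)
        resolved.append({
            "principalId": a["principalId"],
            "principal": a.get("principalDisplayName"),
            "roleId": role_id,
            "role": role["value"] if role else None,
            "effective": bool(role and role.get("isEnabled")),
        })
    return resolved


def effective_roles_for(manifest: dict, assignments: list, principal_id: str) -> list:
    """Sorted role values a principal holds through enabled, defined app roles."""
    return sorted(r["role"] for r in resolve_assignments(manifest, assignments)
                  if r["principalId"] == principal_id and r["effective"])


def unresolved_assignments(manifest: dict, assignments: list) -> list:
    """Principals whose assignment gives them no usable role value: the role id
    is unknown to the manifest (e.g. default access) or the role is disabled."""
    return [r["principal"] for r in resolve_assignments(manifest, assignments)
            if not r["effective"]]


if __name__ == "__main__":
    for r in resolve_assignments(MANIFEST, ASSIGNMENTS):
        print(f"{r['principal']}: role={r['role']} effective={r['effective']}")
    print("needs attention:", unresolved_assignments(MANIFEST, ASSIGNMENTS))
```

To use it against a tenant, replace `MANIFEST` with the manifest JSON downloaded from the portal and `ASSIGNMENTS` with the records returned by the `appRoleAssignedTo` query from the answer above (serialised to the same field names); the join logic does not change.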