As you noticed, Users and Groups is hidden in the Enterprise Applications blade in the case of native applications, and I believe that the reason is that you don't usually configure role assignments in the native application but instead you do it in the WebApp/WebAPI (that the native application is consuming).
Anyway, yes, you can configure application roles for a native application. You can do it by editing the manifest and adding the appRole there (the value property will appear in the role claim). Example:
    "appRoles": [
      {
        "allowedMemberTypes": [
          "Application",
          "User"
        ],
        "displayName": "ReadOnly",
        "id": "9cc5ee76-3d7d-4060-8b7f-e734f3917e71",
        "isEnabled": true,
        "description": "ReadOnly roles have limited query access",
        "value": "ReadOnlyUser"
      }
    ]
Then you can add a user to that role by using PowerShell:
    New-AzureADUserAppRoleAssignment -ObjectId <user's object ID> -PrincipalId <user's object ID> -ResourceId <native app service principal ID> -Id <role ID as it is in the manifest>
Then if you get a token for this application and for that user, you should see the role claim:
    "roles": [
      "ReadOnlyUser"
    ]
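The following is an added example, not part of the original answer: one way to look up the IDs that the placeholders in the command above stand for, check that the role is enabled and assignable to users, and skip the assignment if it already exists. It assumes the AzureAD module with an open `Connect-AzureAD` session; the UPN and the application (client) ID are placeholders.

```powershell
# Added example. Placeholder values: replace before running.
$userUpn     = 'user@contoso.example'                  # hypothetical user
$nativeAppId = '00000000-0000-0000-0000-000000000000'  # placeholder application (client) ID
$roleValue   = 'ReadOnlyUser'                          # "value" of the appRole in the manifest

# Resolve the user's object ID (used for both -ObjectId and -PrincipalId).
$user = Get-AzureADUser -ObjectId $userUpn -ErrorAction Stop

# Resolve the native app's service principal (used for -ResourceId).
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$nativeAppId'"
if (-not $sp) {
    throw "No service principal found for appId $nativeAppId"
}

# Find the role by its manifest value; refuse disabled or non-user roles.
$role = $sp.AppRoles | Where-Object { $_.Value -eq $roleValue }
if (-not $role) {
    throw "appRole '$roleValue' is not defined on $($sp.DisplayName)"
}
if (-not $role.IsEnabled) {
    throw "appRole '$roleValue' is disabled in the manifest"
}
if ($role.AllowedMemberTypes -notcontains 'User') {
    throw "appRole '$roleValue' does not list 'User' in allowedMemberTypes"
}

# Skip the assignment if the user already holds this role on this resource.
$existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -All $true |
    Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $role.Id }

if ($existing) {
    Write-Output "$userUpn already has '$roleValue' on $($sp.DisplayName)"
}
else {
    New-AzureADUserAppRoleAssignment `
        -ObjectId    $user.ObjectId `
        -PrincipalId $user.ObjectId `
        -ResourceId  $sp.ObjectId `
        -Id          $role.Id
}

# List the user's assignments on this resource for review.
Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -All $true |
    Where-Object { $_.ResourceId -eq $sp.ObjectId } |
    Select-Object PrincipalDisplayName, ResourceDisplayName, Id
```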