2
votes

I have a few users added to my Azure AD account, I would like to get the roles and user information on these users by calling an Azure API from Postman in the form of claims. I tried calling the following URL with the parameters as:

https://login.microsoftonline.com/myTenantId/oauth2/token

Body: grant_type : password, client_id : client id, client secret : client secret

I receive the access_token in the encoded format in the response. When I decode it on https://jwt.io/ I see the decoded data, but there's no user roles in the access_token.

I would like to get the user information and the roles in the form of claims in same response.

What approach would I need to take on this?

Do you mean Azure AD directory roles? Those aren't included in tokens. – juunas

I mean, the user info and the role(s) in which the user is inside Azure AD – MukkuP

If you mean directory roles like Global Administrator, those are not returned in tokens. They need to be queried from MS Graph API separately. – juunas

Can't the user info and roles be retrieved in the same response? – MukkuP

That you might be able to do. If you call https://graph.microsoft.com/v1.0/users/user-id-here?$expand=memberOf it might work. That'd return you the user info + groups and directory roles they are in. Expands have some limits though so you might need to call memberOf separately if a user has a lot of groups (or if the expand doesn't work). – juunas

1 Answer

2
votes

If the role you mentioned refers to a directory role, the answer is no, it won't be returned in the token. Just like juunas said, you can call the Graph API to get directory role information.


If the role you mentioned refers to an application role, the answer is yes, you can get the role information in the id_token. The prerequisite is that you have assigned some roles to the user.


Here are the detailed steps. You can also refer to this article.

  1. Edit the manifest to add some custom roles.


Something like this.

{
  "allowedMemberTypes": [
    "User"
  ],
  "displayName": "Test",
  "id": "c200e304-fff3-49f1-a4df-e406741ea680",
  "isEnabled": true,
  "description": "Bla bla",
  "value": "test"
}

  2. Assign users to roles. Click Enterprise applications -> All applications.

Click your application -> click Users and groups -> click Add user.

Assign the role.


Here is the request to get the id_token.

You will find the roles in the id_token.
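As an added example (not part of the answer and not Microsoft's code), the Python below covers both halves of this answer: reading the `roles` claim out of an id_token the way jwt.io does and matching it against the manifest appRoles, and picking directory roles out of a Graph `memberOf` response as juunas suggested in the comments. The token and the Graph response are constructed samples; the appRole entry is the one from the answer.

```python
import base64
import json

# Constructed sample appRole, the same shape as the manifest entry in the answer.
APP_ROLES = [{
    "allowedMemberTypes": ["User"],
    "displayName": "Test",
    "id": "c200e304-fff3-49f1-a4df-e406741ea680",
    "isEnabled": True,
    "description": "Bla bla",
    "value": "test",
}]

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_payload(token: str) -> dict:
    """Return a JWT's claims without verifying it (what jwt.io shows).
    A relying party must validate signature, issuer, audience and expiry
    before acting on these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def app_roles_in_token(token: str, app_roles: list) -> dict:
    """Map the id_token 'roles' claim back onto enabled manifest appRoles.
    The claim is simply absent when the user has no app role assignment."""
    by_value = {r["value"]: r["displayName"] for r in app_roles if r["isEnabled"]}
    claimed = jwt_payload(token).get("roles", [])
    return {"matched": [by_value[v] for v in claimed if v in by_value],
            "unknown": [v for v in claimed if v not in by_value]}

def directory_roles_from_member_of(graph_response: dict) -> list:
    """Pull directory roles out of a Graph memberOf result; groups come back
    in the same collection and are told apart by @odata.type."""
    return sorted(o["displayName"] for o in graph_response.get("value", [])
                  if o.get("@odata.type") == "#microsoft.graph.directoryRole")

def unsigned_sample_token(claims: dict) -> str:
    """Constructed id_token-shaped JWT (alg none, empty signature) for offline use."""
    return f"{b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{b64url_encode(claims)}."
```

Feed `app_roles_in_token` a real id_token obtained as in the answer and the `matched` list holds the display names of the app roles assigned to that user; directory roles such as Global Administrator never appear there and only show up via `directory_roles_from_member_of`.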