1
vote

I have two applications registered in my Active Directory App registrations, a client and an API. Via the "expose an API" blade, the client app has been trusted by the API app. I have additionally added 4 application roles (i.e. in the manifest allowedMemberTypes: ["Application"]) to the API app, and added them as permissions to the client app.

When I get an access token via the client credential flow for the client app's appid, and decode the token via jwt.io to see the claims, I can see the roles I assigned to the client app just fine, all in a nice neat array.

However, using the auth flow and logging in as myself (belonging to the directory), using the same secret, scope, client id, etc., the app roles are missing from the token that is sent back with that flow; they are in neither the id token nor the auth token.

What am I missing here? Did I forget a step, or is it that the authorization flow does not support application-member app roles?

1
App roles only apply to applications... you can allow users by doing something like this: allowedMemberTypes: ["Application", "User"]. - Thomas

Try to add "User" in the allowedMemberTypes as the comment above said, then assign your user account to the app role: navigate to Enterprise applications in Azure AD in the portal -> find the service principal corresponding to the app -> Users and groups -> add your user account with the app role you want. - Joy Wang-MSFT

1 Answer

2
votes

As the official documentation says:

You can define app roles to target users, applications, or both. When available to applications, app roles appear as application permissions in the Required Permissions blade.

And, once you've added app roles (with "User" in allowedMemberTypes) to your application, you can assign users and groups to these roles in the enterprise app.

If a user is assigned any roles, you can get the roles information in their id token.
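As an added example (not code from the question or the answer), the following Python shows the two checks a practitioner needs here: whether a manifest app role has "User" in allowedMemberTypes, and how an API should read the `roles` claim, which Azure AD omits entirely when the principal has no assignment. The tokens, GUIDs and role names are constructed placeholders, and the decoder inspects claims only, as jwt.io does.

```python
import base64
import json

# The manifest fix from the comments: a role a signed-in user can receive must
# list "User" (alone or alongside "Application") in allowedMemberTypes.
# Constructed sample; the id is a placeholder, not a real role id.
SAMPLE_APP_ROLE = {
    "allowedMemberTypes": ["Application", "User"],
    "displayName": "Orders.Read",
    "id": "33333333-3333-3333-3333-333333333333",
    "isEnabled": True,
    "value": "Orders.Read",
}

def assignable_to_users(app_role: dict) -> bool:
    return "User" in app_role.get("allowedMemberTypes", [])

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it.
    Useful for debugging a missing claim; an API must still validate the
    signature, issuer and audience before trusting anything in here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def roles_in(claims: dict) -> list:
    # Azure AD leaves 'roles' out when there are no assignments, so absence
    # means "no roles", not a malformed token.
    return list(claims.get("roles", []))

def require_role(claims: dict, role: str) -> bool:
    # Fail closed: no claim, no access.
    return role in roles_in(claims)

def _sample_token(payload: dict) -> str:
    # Constructed, unverifiable sample: header plus a placeholder signature.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"

# Constructed payloads mirroring the two flows in the question.
CLIENT_CREDENTIALS_TOKEN = _sample_token({
    "aud": "api://example-api", "appid": "11111111-1111-1111-1111-111111111111",
    "roles": ["Orders.Read", "Orders.Write"]})
USER_TOKEN_UNASSIGNED = _sample_token({
    "aud": "api://example-api", "oid": "22222222-2222-2222-2222-222222222222",
    "preferred_username": "user@example.com"})  # no 'roles': user never assigned
```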