1
votes

Working to establish Azure AD system-managed identity between APIs, I have defined a custom role for my target API in the manifest of the application.

"appRoles": [
    {
        "allowedMemberTypes": [
            "Application"
        ],
        "description": "Allow the application to read all things as itself.",
        "displayName": "Read all things",
        "id": "86a914fa-a862-4962-9975-be5c9a05dca3",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Things.Read.All"
    }
]

Now I want to assign this role to my API that is going to call it, so I can validate it in the access token received from AzureServiceTokenProvider. The problem is that I don't see the System Assigned identity in the app registration.

There is a button under Identity (where the System Assigned Identity is declared), 'Azure Role Assignments', which leads to Add Role assignment. There is a list of roles available here. I was looking for the custom role I have defined; it is not in the drop-down.

How do I assign the defined role to the system identity so it can access the API or APIs it is allowed to, and no more? I expect to get this role in the access token. Is this the correct expectation?


1 Answer

3
votes

What you have defined is an app role, but "Azure Role Assignments" is for assigning roles for a subscription. They are two totally different things.

You can use the Microsoft Graph API to grant an appRoleAssignment to a service principal.

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110

{
  "principalId": "principalId-value",
  "resourceId": "resourceId-value",
  "appRoleId": "appRoleId-value"
}

In this example, {id} and {resourceId-value} would both be the object id of the resource service principal, which is the enterprise app associated with the Azure AD app you created the appRoles in. You can find it in the portal (screenshots omitted).

And {principalId-value} would be the id of the Azure resource managed identity (screenshot omitted).

{appRoleId-value} is the id of the app role you created in the manifest (screenshot omitted).

You could use an admin account to log in to Microsoft Graph Explorer and call the Microsoft Graph API.

If you want to verify that the result is successful, navigate to Azure Portal -> Azure Active Directory -> Enterprise applications -> All Applications, and enter the name of the Azure resource (screenshot omitted).

Then you will find that the app role (application permission) has been granted (screenshot omitted).
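The following is an added example, not code from the question or the answer above (which use no Python). It shows the two halves of the procedure end to end: building the Graph `appRoleAssignedTo` request from the manifest's `appRoles` entry, refusing roles a managed identity cannot hold (disabled, or without the "Application" member type), and then checking for the granted role in the `roles` claim of the resulting access token on the API side. The service principal object ids (`RESOURCE_SP_ID`, `MANAGED_IDENTITY_SP_ID`), the audience `api://things`, and the sample token are placeholders constructed for the demo; nothing here calls Graph or verifies a signature.

```python
"""Grant an Azure AD app role to a managed identity and check for it in a token.

Added example, not from the original question or answer. Runs offline: it
builds the Microsoft Graph request the answer describes and inspects a
constructed, unsigned token. Placeholder ids are assumptions, not real values.
"""
import base64
import json

# appRoles exactly as declared in the target API's manifest (from the question).
MANIFEST_APP_ROLES = [
    {
        "allowedMemberTypes": ["Application"],
        "description": "Allow the application to read all things as itself.",
        "displayName": "Read all things",
        "id": "86a914fa-a862-4962-9975-be5c9a05dca3",
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": "Things.Read.All",
    }
]

GRAPH = "https://graph.microsoft.com/v1.0"
RESOURCE_SP_ID = "00000000-0000-0000-0000-00000000res1"      # placeholder: API's enterprise app
MANAGED_IDENTITY_SP_ID = "00000000-0000-0000-0000-0000000000mi"  # placeholder: MI principal
EXPECTED_AUDIENCE = "api://things"                            # placeholder: API's App ID URI


def find_app_role(app_roles, value):
    """Return the enabled app role with this `value`, or raise.

    A managed identity is a service principal, so the role must allow the
    "Application" member type; a "User"-only role cannot be assigned to it.
    """
    for role in app_roles:
        if role.get("value") != value:
            continue
        if not role.get("isEnabled", False):
            raise ValueError(f"app role {value} is disabled")
        if "Application" not in role.get("allowedMemberTypes", []):
            raise ValueError(f"app role {value} does not allow Application members")
        return role
    raise KeyError(f"no app role with value {value}")


def build_app_role_assignment(app_roles, resource_sp_id, principal_id, value):
    """Build the request from the answer: POST .../servicePrincipals/{id}/appRoleAssignedTo.

    resource_sp_id: object id of the API's service principal (enterprise app);
                    used both in the URL and as resourceId.
    principal_id:   object id of the managed identity's service principal.
    """
    role = find_app_role(app_roles, value)
    url = f"{GRAPH}/servicePrincipals/{resource_sp_id}/appRoleAssignedTo"
    body = {"principalId": principal_id, "resourceId": resource_sp_id, "appRoleId": role["id"]}
    return "POST", url, body


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_test_token(claims):
    """Constructed JWT with an empty signature, for the demo only."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def peek_claims_unverified(jwt):
    """Decode a JWT payload WITHOUT verifying it.

    Only for confirming what a token carries (e.g. that `roles` shows up after
    the assignment). Authorization must use claims from a validator that has
    checked signature, issuer, audience and expiry (e.g. your JwtBearer middleware).
    """
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def has_app_role(claims, required, expected_audience):
    """Authorization check for an app-only caller on already validated claims.

    App roles granted to a service principal arrive in `roles` as a list of the
    role `value`s. A delegated token carries `scp` instead and has no `roles`,
    so its absence is a deny, not an error.
    """
    if claims.get("aud") != expected_audience:
        return False
    roles = claims.get("roles", [])
    if isinstance(roles, str):  # defensive: tolerate a flattened single value
        roles = roles.split()
    return required in roles


if __name__ == "__main__":
    method, url, body = build_app_role_assignment(
        MANIFEST_APP_ROLES, RESOURCE_SP_ID, MANAGED_IDENTITY_SP_ID, "Things.Read.All")
    print(method, url, json.dumps(body, indent=2))
    token = make_unsigned_test_token({"aud": EXPECTED_AUDIENCE, "roles": ["Things.Read.All"]})
    print("granted:", has_app_role(peek_claims_unverified(token), "Things.Read.All", EXPECTED_AUDIENCE))
```

The body produced by `build_app_role_assignment` is what you paste into Graph Explorer; `peek_claims_unverified` is for eyeballing the token the caller obtains after the assignment, and `has_app_role` is the shape of the check the API performs once its middleware has validated the token.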