ID token from Azure AD federation does not contains “roles” claim

Question

I created a Azure B2C tenant and i created custom IDP for Azure Active Directory (AD). I created the user flow from B2C to federate to the Azure AD and get the access token.

Steps that i have followed.

Created azure AD application
Generated a secret
Created custom roles
Assigned custom roles to users from AD Enterprise Applications
Created an IDP in B2C
Created B2C app
Created a login policy
Added IDP for federation
Run the user flow
Login by federation

The azure AD successfully retrieves the token (idp_access_token) as a result of federation. but the issue is the token that retrieve from the azure AD does not contains roles claim. I have created two app roles and assigned them to user. But i couldn't see any roles inside the token.

I followed following documentation. https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

Isn't this not valid for federations? What is the exact way to get assigned app roles by federation.

Here is the required details to create B2C IDP.

How to map these details with scope solution?

Use jwt.ms to parse your access token and provide screenshots. — Carl Zhao
@CarlZhao I updated the question with screenshot. This is the idp_access_token that contains in main token. — Buddhika Priyabhashana
The ms graph api uses a v1.0 token. There is no roles claim in the token. You need to use a custom api to obtain a 2.0 token. The token will contain the roles claim. So you need to expose the api protected by Azure. — Carl Zhao
@CarlZhao thank you for your reply. Could you please guide me to the process? Is there a documentation to change the token type or something? — Buddhika Priyabhashana
Wait a minute, I will post the answer and I will list the detailed process. — Carl Zhao

Carl Zhao Carl Zhao · Accepted Answer · 2021-02-25T08:29:57

You need to create two applications in Azure AD, one representing the client application and the other representing the api application, and then use the client application to call the api application.

First, you need to expose the API of the back-end application protected by Azure and add the client application:

Next you need to set the api application AppRole, which is your customized role, and it will be displayed in the manifest.

Then you can assign the role to the user. Go to enterprise application>your api application>Users and groups.

Next, go to the client application, give your client application access to your backend api:

Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
Find your backend application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.

Next, you need to use the auth code flow to obtain an access token,which requires you to log in to the user and obtain the authorization code, and then use the authorization code to redeem the access token.

Parse the v2.0 token, it contains both scp claims and roles claims.

ID token from Azure AD federation does not contains “roles” claim

1 Answers