Within Azure AD B2B I have created an application registration (the resource) with an appRole for "User" and "Application".
If I assign the servicePrincipal (the client) to this appRole -> the accessToken contains the appRole.
servicePrincipal(client) <-> appRoleAssignment <-> servicePrincipal(resource)
This works as expected.
If I assign the servicePrincipal (the client) to a top level security group and assign the security group to the appRole -> the accessToken does NOT contain the appRole.
servicePrincipal(client) <-> security group <-> appRoleAssignment <-> servicePrincipal(resource)
This indirection works for users. Am I missing something as to why this would not work for servicePrincipals?
All of your steps are right. If you want to assign an app role to a service principal, you should assign them one by one; it does not work if you add a service principal into a group that is assigned an app role. As @juunas said, maybe this is something like a bug.
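A small check that encodes the behaviour described in this thread, added here as an example and not code from the question or answer: given Graph-shaped appRoleAssignment records and group memberships (all constructed sample IDs, not real tenant objects), it works out which app roles will actually surface in a principal's `roles` claim, treating group-based assignments as effective for users but not for service principals, and flags the group-only roles a service principal will be missing.

```python
# Added example: model which app roles reach the token for a given principal.
# Per the thread's observation, service principals only receive roles assigned
# to them directly, while users also inherit roles assigned to their groups.
from typing import Dict, List, Set

# Constructed IDs; not real tenant objects.
CLIENT_SP = "sp-client-0001"
USER = "user-0001"
GROUP = "grp-app-readers"
RESOURCE_SP = "sp-resource-0001"
ROLE_USER = "role-user-guid"
ROLE_APP = "role-application-guid"

# Shape mirrors Microsoft Graph appRoleAssignment objects (constructed sample).
ASSIGNMENTS: List[Dict[str, str]] = [
    {"principalId": CLIENT_SP, "principalType": "ServicePrincipal",
     "resourceId": RESOURCE_SP, "appRoleId": ROLE_APP},
    {"principalId": GROUP, "principalType": "Group",
     "resourceId": RESOURCE_SP, "appRoleId": ROLE_USER},
]
# principal -> groups it belongs to (transitive membership assumed already resolved).
MEMBER_OF: Dict[str, Set[str]] = {CLIENT_SP: {GROUP}, USER: {GROUP}}


def effective_roles(principal: str, principal_type: str, resource: str) -> Dict[str, Set[str]]:
    """Return roles assigned directly, roles assigned via a group, and the
    roles expected to appear in the 'roles' claim of a token for `resource`."""
    direct = {a["appRoleId"] for a in ASSIGNMENTS
              if a["principalId"] == principal and a["resourceId"] == resource}
    via_group = {a["appRoleId"] for a in ASSIGNMENTS
                 if a["principalType"] == "Group"
                 and a["principalId"] in MEMBER_OF.get(principal, set())
                 and a["resourceId"] == resource}
    # Group assignment is honoured for users but, as observed in the thread,
    # not for service principals: only their direct assignments surface.
    in_token = direct | via_group if principal_type == "User" else direct
    return {"direct": direct, "via_group": via_group, "in_token": in_token}


def missing_from_token(principal: str, principal_type: str, resource: str) -> Set[str]:
    """Roles granted only through a group that will not show up in the token."""
    r = effective_roles(principal, principal_type, resource)
    return r["via_group"] - r["in_token"]


if __name__ == "__main__":
    for pid, ptype in ((CLIENT_SP, "ServicePrincipal"), (USER, "User")):
        r = effective_roles(pid, ptype, RESOURCE_SP)
        print(pid, "in token:", sorted(r["in_token"]),
              "group-only, missing:", sorted(missing_from_token(pid, ptype, RESOURCE_SP)))
```

Running it against a real tenant means replacing the constructed lists with the output of the Graph `appRoleAssignments` and `transitiveMemberOf` queries; any service principal reported with group-only roles needs a direct assignment instead.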