Tags: azure, azure-active-directory, azure-rbac, azure-service-principal, azure-app-registration

App roles & groups claim (emitted as roles) in Azure Active Directory App


I have registered an Azure AD Application with an App role called read.

User Principal

If a user principal is assigned to the app role read and the groups claim (emit_as_roles enabled) is added in the Azure AD App, only the AAD security groups show up in the user's token (roles claim) but not the app roles the user has been assigned to.

This is mentioned in the documentation:

If "emit_as_roles" is used, any application roles configured that the user is assigned won't appear in the role claim.

Service Principal

Apparently, the same seems to apply for Service Principals, even though

Service principals won't have group optional claims emitted in the JWT.

As expected, disabling the emit_as_roles setting (the default) in the token configuration lets me see the value read in the roles claim again.


I assume that this is the expected behaviour for service principals in Azure AD. However, the documentation only mentions this for users but not for service principals.


Solution

  • You are right. This is the expected behavior for both users and service principals in Azure AD.

    A service principal is the security principal for a service, just as a user principal is the security principal for a user.

    So when the "emit_as_roles" is enabled for the groups claim, any application roles assigned to the user or service principal will not appear in the roles claim.

    I have checked the token with emit_as_roles enabled on the groups claim:

    Authorize url:

    https://login.microsoftonline.com/xxx/oauth2/v2.0/authorize?client_id=xxxbb5&scope=https://graph.microsoft.com/.default&grant_type=authorization_code&response_type=code&redirect_uri=https://jwt.ms

    Token url: https://login.microsoftonline.com/xxx/oauth2/v2.0/token

    Token claims (note that there is no roles claim, because the user's app role has been dropped):

    {
      "aud": "https://graph.microsoft.com",
      "iss": "https://sts.windows.net/4xx/",
      "iat": 1684912827,
      "nbf": 1684912827,
      "exp": 1684917432,
      "acct": 0,
      "acr": "1",
      "aio": "AYQAexxxx",
      "altsecid": "5::100xx14397",
      "amr": [
        "rsa",
        "mfa"
      ],
      "app_displayname": "kavyarepo",
      "appid": "xxx",
      "appidacr": "1",
      "email": "[email protected]",
      "family_name": "Kavya",
      "given_name": "xx",
      "idp": "https://sts.windows.net/xxxx/",
      "idtyp": "user",
      "ipaddr": "115.110.154.186",
      "name": "xxx",
      "oid": "xxx",
      "platf": "3",
      "puid": "100xxxC5",
      "rh": "0.xxxx.",
      "scp": "Directory.AccessAsUser.All openid profile User.Read User.Read.All email",
      "sub": "xxxx",
      "tenant_region_scope": "NA",
      "tid": "xxx",
      "unique_name": "[email protected]",
      "uti": "p6nDIxxxxsjAzAA",
      "ver": "1.0",
      "wids": [
        "xxxx",
        "xxxx",
        "xxx"
      ]
    }

    If application roles need to be included in token, for both user and service principals, the "emit_as_roles" option must be disabled.
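The following is an added example and not code from the question or the answer above. It puts the two app-manifest shapes discussed here side by side (the `optionalClaims` / `additionalProperties` layout is the real Azure AD app manifest format; the `emit_as_roles` flag is the one the question and answer refer to) and shows the check a resource API can run on the resulting token: because a group object ID and an app role value land in the same `roles` claim, the API can tell them apart and fail closed with a useful reason when the groups claim has silently displaced the assigned app roles. The token payloads, the audience `api://constructed-sample` and the group ID are constructed, unsigned samples; signature and issuer validation are assumed to happen before this code runs.

```python
import base64
import json
import uuid

# Manifest fragment the question describes: groups are emitted into "roles",
# and any app roles assigned to the user or service principal are dropped.
OPTIONAL_CLAIMS_EMIT_AS_ROLES = {
    "optionalClaims": {
        "accessToken": [
            {"name": "groups", "additionalProperties": ["emit_as_roles"]}
        ]
    }
}

# Default shape: groups go to a "groups" claim and app roles stay in "roles".
OPTIONAL_CLAIMS_DEFAULT = {
    "optionalClaims": {
        "accessToken": [
            {"name": "groups", "additionalProperties": []}
        ]
    }
}


def groups_emitted_as_roles(manifest):
    """Return True if any groups optional claim in the manifest uses emit_as_roles."""
    sections = manifest.get("optionalClaims", {})
    for token_type in ("idToken", "accessToken", "saml2Token"):
        for claim in sections.get(token_type, []):
            if claim.get("name") == "groups" and "emit_as_roles" in claim.get("additionalProperties", []):
                return True
    return False


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Build a header.payload. JWT with an empty signature (constructed sample only)."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(jwt):
    """Base64url-decode the payload segment of a JWT. No signature check is done here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def is_object_id(value):
    """Group entries in the roles claim are directory object IDs (GUIDs); app role values are not."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def classify_roles(claims):
    """Split the roles claim into app role values and group object IDs."""
    roles = claims.get("roles", [])
    return {
        "app_roles": [r for r in roles if not is_object_id(r)],
        "group_ids": [r for r in roles if is_object_id(r)],
    }


def authorize(claims, required_role):
    """Fail closed unless the required app role value is present; explain the likely cause."""
    split = classify_roles(claims)
    if required_role in split["app_roles"]:
        return True, "app role present"
    if split["group_ids"] and not split["app_roles"]:
        return False, ("roles claim holds group object IDs only; the groups claim is likely "
                       "configured with emit_as_roles, so assigned app roles were dropped")
    return False, "required app role not assigned"


# Constructed sample tokens (hypothetical audience and group ID).
READ_GROUP = "5f0b1c2a-7d3e-4a9b-8c1d-2e3f4a5b6c7d"
AUD = "api://constructed-sample"

# Default configuration: app role in "roles", group in "groups".
TOKEN_DEFAULT = make_unsigned_jwt({"aud": AUD, "idtyp": "user", "roles": ["read"], "groups": [READ_GROUP]})
# emit_as_roles enabled for a user: the group ID replaces the app role in "roles".
TOKEN_EMIT_AS_ROLES = make_unsigned_jwt({"aud": AUD, "idtyp": "user", "roles": [READ_GROUP]})
# emit_as_roles enabled for a service principal: no groups are emitted, and the
# app role is dropped as well, so no roles claim is present at all.
TOKEN_SP_EMIT_AS_ROLES = make_unsigned_jwt({"aud": AUD, "idtyp": "app"})

if __name__ == "__main__":
    for name, token in [("default", TOKEN_DEFAULT), ("user+emit_as_roles", TOKEN_EMIT_AS_ROLES),
                        ("sp+emit_as_roles", TOKEN_SP_EMIT_AS_ROLES)]:
        print(name, authorize(decode_payload(token), "read"))
```

The manifest check is what you would run against an app registration exported with `az ad app show` before deploying an API that gates on app roles; the token check is what the API itself should do, since an app role named like a GUID or a group ID that happens to match a role value would otherwise pass an unqualified `"read" in roles` test.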