Within Azure AD B2B I have created an application registration (the resource) with an appRole for "User" and "Application".


If I assign the servicePrincipal (the client) to this appRole -> the accessToken contains the appRole.

servicePrincipal(client) <-> appRoleAssignment <-> servicePrincipal(resource)

This works as expected.


If I assign the servicePrincipal (the client) to a top-level security group and assign the security group to the appRole -> the accessToken does NOT contain the appRole.

servicePrincipal(client) <-> security group <-> appRoleAssignment <-> servicePrincipal(resource)

This indirection works for users; am I missing something as to why this would not work for servicePrincipals?

Florian Eckert
  • You mean there is an app "app1" with API permissions "Application.Read.All" and "User.Read.All" and a separate Service Principal (client) with a different Role assignment? – Prashant Nov 01 '19 at 03:31

2 Answers

I don't think you have missed anything. It does indeed work for users.

It's either a bug or a feature :) It could be that application permissions (which is what appRoles of type Application are) are not meant to be assigned via groups.

juunas
  • In a scenario where Azure Managed identities are heavily used, the administrative overhead would be reduced if the servicePrincipal-securityGroup-appRoleAssignment-appRole-appRegistration would work... Managed identity/user/servicePrincipal... entities... principals... ;) – Florian Eckert Nov 05 '19 at 13:17
All of your steps are right. If you want to assign an app role to a service principal, you should assign them one by one; it does not work if you add a service principal to a group that is assigned an app role. As @juunas said, maybe this is something like a bug.

Stanley Gong
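Added example, not code from the question or either answer: the question's two chains (client servicePrincipal -> appRoleAssignment -> resource servicePrincipal, and client servicePrincipal -> security group -> appRoleAssignment -> resource servicePrincipal) differ only in whether the appRole lands in the client's access token, and the second answer's workaround is a direct assignment per service principal. The block below shows both halves of that in Python: the check (decode the token payload and look for the appRole value in the `roles` claim, which is where Azure AD places app roles) and the workaround (given a group's members and the resource's existing assignments, produce the bodies one would POST to Microsoft Graph `/servicePrincipals/{id}/appRoleAssignments` for each service-principal member that has no direct assignment yet). All identifiers, group members and assignments are constructed sample data, and the sample tokens are unsigned JWT-shaped strings built locally so the example runs offline; the Graph response shapes (`@odata.type`, `principalId`, `resourceId`, `appRoleId`) are assumed from the Graph API.

```python
import base64
import json

# Constructed sample identifiers (not from the original post).
RESOURCE_SP_ID = "11111111-1111-1111-1111-111111111111"
APP_ROLES = {
    # appRole.value -> appRole.id, as exposed by the resource app registration
    "Application": "aaaaaaaa-0000-0000-0000-000000000001",
    "User": "aaaaaaaa-0000-0000-0000-000000000002",
}

# Constructed group membership, in the shape GET /groups/{id}/members returns:
# a user plus two service principals (for example managed identities).
GROUP_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "id": "u-0001"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-client-1"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-client-2"},
]

# Constructed existing direct assignments, in the shape
# GET /servicePrincipals/{resource}/appRoleAssignedTo returns.
EXISTING_ASSIGNMENTS = [
    {"principalId": "sp-client-1", "resourceId": RESOURCE_SP_ID,
     "appRoleId": APP_ROLES["Application"]},
]


def _b64url_decode(segment: str) -> bytes:
    """base64url-decode a JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a JWT, WITHOUT signature verification.
    Good enough to inspect a token you just obtained from Azure AD;
    never use an unverified payload for an authorization decision."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_roles(token: str) -> set:
    """App role values granted to the caller: the 'roles' claim, if present."""
    return set(jwt_claims(token).get("roles", []))


def token_has_role(token: str, role_value: str) -> bool:
    """True if the access token carries the given appRole value."""
    return role_value in token_roles(token)


def missing_direct_assignments(members, existing, resource_id, app_role_id):
    """Request bodies for POST /servicePrincipals/{principalId}/appRoleAssignments
    that would give every service-principal member of the group the role
    directly. Users are skipped: the group assignment already covers them.
    Members that already hold a direct assignment are skipped as well."""
    already = {(a["principalId"], a["resourceId"], a["appRoleId"]) for a in existing}
    bodies = []
    for member in members:
        if member.get("@odata.type") != "#microsoft.graph.servicePrincipal":
            continue
        if (member["id"], resource_id, app_role_id) in already:
            continue
        bodies.append({"principalId": member["id"],
                       "resourceId": resource_id,
                       "appRoleId": app_role_id})
    return bodies


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed JWT-shaped string (alg 'none', empty signature) for
    offline demonstration only; a real Azure AD token is RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Token shape after a direct appRoleAssignment vs. after group-only assignment.
    direct = make_unsigned_sample_token({"aud": RESOURCE_SP_ID, "roles": ["Application"]})
    via_group = make_unsigned_sample_token({"aud": RESOURCE_SP_ID})
    print("direct assignment, roles claim present:", token_has_role(direct, "Application"))
    print("group assignment, roles claim present:", token_has_role(via_group, "Application"))
    # sp-client-1 already has the role; only sp-client-2 needs a direct assignment.
    for body in missing_direct_assignments(GROUP_MEMBERS, EXISTING_ASSIGNMENTS,
                                           RESOURCE_SP_ID, APP_ROLES["Application"]):
        print("POST /servicePrincipals/%s/appRoleAssignments %s"
              % (body["principalId"], json.dumps(body)))
```

The token check only decodes the payload; it is meant for confirming which of the two chains produced a given token, not for validating the token. The assignment helper is idempotent against what Graph already reports, so it can be rerun after group membership changes to add only the assignments that are still missing.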