We have multiple microservices, some of which need to talk to each other without human interaction, and some of which require App Roles in order to grant access.

Instead of using the Resource Owner Password Credentials grant flow, which is "not recommended", we'd like to include App Roles from the registered app within the appropriate JWT tokens.

To do this, we need to include the delegated permission "user_impersonation" as a permission for the API we need to access.

I've figured out how to do this sometimes, but it does not always seem to be available as an API permission for any particular application.

What do I need to do to make this available on an application where it is not already available so I can grant the permission and thereby get the app roles included in the JWT tokens?

Robert Harvey
Brian Kessler
  • You're asking how to create a custom delegated permission named user_impersonation? – scottwtang May 27 '22 at 15:42
  • @scottwtang, Not exactly. There seems to be some sort of functionality built into Azure AD to impersonate users, but it does not seem to be available for all applications. – Brian Kessler May 27 '22 at 16:21
  • Perhaps you can explain a bit more. When you say "all applications" are you referring to custom applications created in your tenant, or the readily-available Microsoft APIs? If it's the latter, can you give an example of 1 where it's missing? If it's the former, that leads me back to my 1st comment – scottwtang May 27 '22 at 16:27
  • At least for custom applications. Whether it will be useful for non-custom applications, I'm not presently in any position to say. I am pretty sure nobody created a custom delegated permission for the application where this is possible. It "seems" this should be a standard thing for including the application roles in JWT tokens of connected client applications. – Brian Kessler May 28 '22 at 17:33

1 Answer

The Azure Active Directory blade has two App registration options: legacy and preview. In the legacy app registration, when we click on the option 'Expose an API' you can see there is a user_impersonation scope created automatically.

But for preview we need to create it manually, with the scope user_impersonation.


The user_impersonation scope name could be anything you like because it is a custom scope, as long as your code checks for the same scope name that you created.

So after creating that custom scope, you can try the Get access on behalf of a user - Microsoft Graph | Microsoft Docs flow if required.

Also please note that when you are using the client credentials flow with application permissions, you get roles in place of scope, i.e. the scp claim, in the token.

Check this SO reference.

Also check this GitHub discussion on the same point. You can also reach out to the Azure Support team for further troubleshooting.

kavyaS
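The answer's two practical points are that the API's code has to check for whatever scope value you created under "Expose an API", and that an app-only token from the client credentials flow carries a `roles` claim instead of the `scp` claim. The following is an added example, not code from the question, the answer, or Microsoft, showing how an API endpoint would handle both token shapes. It assumes an Application ID URI of `api://orders-api`, a delegated scope named `user_impersonation`, and an App Role named `Orders.Read`; all three names are assumptions. The sample tokens are constructed in-line and signed with HS256 and a shared secret purely so the example runs offline; real Azure AD access tokens are RS256-signed and must be verified against the tenant's published JWKS keys with a JWT library, which this offline example does not attempt.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example only: a shared secret so the sample tokens can
# be signed and verified offline with HS256. Real Azure AD tokens are RS256
# and are verified against the tenant's JWKS keys, not a static secret.
DEMO_SECRET = b"example-secret-not-for-production"

# Assumed values: the API's Application ID URI (the audience the API expects),
# the delegated scope created under "Expose an API", and one App Role.
EXPECTED_AUDIENCE = "api://orders-api"
REQUIRED_SCOPE = "user_impersonation"
REQUIRED_ROLE = "Orders.Read"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a constructed HS256 token carrying the given claims (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature and audience, then return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the expected algorithm; never let the token choose it.
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this API")
    return claims


def authorize(claims: dict) -> str:
    """Return 'delegated' or 'application' depending on which claim grants access.

    A delegated token (a user signed in, or the on-behalf-of flow) carries `scp`,
    a space-separated string of scope values. An app-only token from the client
    credentials flow carries `roles`, a JSON array of App Role values, and no `scp`.
    """
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if REQUIRED_SCOPE in scopes:
        return "delegated"
    if REQUIRED_ROLE in roles:
        return "application"
    raise PermissionError("token has neither the required scope nor the required role")


def check_request(token: str) -> str:
    """Full path an API endpoint would run on a bearer token: verify, then authorize."""
    return authorize(verify_jwt(token))


# Constructed sample tokens (claim shapes only; not real Azure AD tokens).
DELEGATED_TOKEN = sign_jwt({"aud": EXPECTED_AUDIENCE, "scp": "user_impersonation profile", "name": "Alice"})
APP_ONLY_TOKEN = sign_jwt({"aud": EXPECTED_AUDIENCE, "roles": ["Orders.Read"], "appid": "client-app-id"})
WRONG_AUDIENCE_TOKEN = sign_jwt({"aud": "api://other-api", "scp": "user_impersonation"})
NO_GRANT_TOKEN = sign_jwt({"aud": EXPECTED_AUDIENCE, "scp": "profile"})

if __name__ == "__main__":
    print(check_request(DELEGATED_TOKEN))  # delegated
    print(check_request(APP_ONLY_TOKEN))   # application
```

The point of keeping `scp` and `roles` as separate checks is that a service-to-service caller using client credentials will never present the delegated scope, so an API that only looks at `scp` rejects it even though the App Role was granted; conversely, the audience check is what stops a token minted for a different API from being replayed against this one.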