0

I have registered an Azure AD Application with an App role called read.

User Principal

If a user principal is assigned to the app role read and the groups claim (emit_as_roles enabled) is added in the Azure AD App, only the AAD security groups show up in the user's token (roles claim) but not the app roles the user has been assigned to.

This is mentioned in the documentation:

If "emit_as_roles" is used, any application roles configured that the user is assigned won't appear in the role claim.

Service Principal

Apparently, the same seems to apply for Service Principals, even though

Service principals won't have group optional claims emitted in the JWT.

As expected, disabling (default) the emit_as_roles setting in the token configuration allows me to see the information read in the roles claim again.

I assume that this is the expected behaviour for service principals in Azure AD. However, the documentation only mentions this for users but not for service principals.

Johannes Schmidt
  • 371
  • 3
  • 12

1 Answers1

1

You are right. This is the expected behavior for both users and service principals in Azure AD.

As service principals are security principal for a service ,but in user terms it is user principal .

So when the "emit_as_roles" is enabled for the groups claim, any application roles assigned to the user or service principal will not appear in the roles claim.

I have checked the token: When enabled emit_as_roles in the groups claim:

enter image description here

Authorize url:

https://login.microsoftonline.com/xxx/oauth2/v2.0/authorize?client_id=xxxbb5&scope=https://graph.microsoft.com/.default&grant_type =authorization_code&response_type=code&redirect_uri=https://jwt.ms

Token url

token claims: https://login.microsoftonline.com/xxx/oauth2/v2.0/token

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/4xx/",
  "iat": 1684912827,
  "nbf": 1684912827,
  "exp": 1684917432,
  "acct": 0,
  "acr": "1",
  "aio": "AYQAexxxx",
  "altsecid": "5::100xx14397",
  "amr": [
    "rsa",
    "mfa"
  ],
  "app_displayname": "kavyarepo",
  "appid": "xxx",
  "appidacr": "1",
  "email": "xxx@microsoft.com",
  "family_name": "Kavya",
  "given_name": "xx",
  "idp": "https://sts.windows.net/xxxx/",
  "idtyp": "user",
  "ipaddr": "115.110.154.186",
  "name": "xxx",
  "oid": "xxx",
  "platf": "3",
  "puid": "100xxxC5",
  "rh": "0.xxxx.",
  "scp": "Directory.AccessAsUser.All openid profile User.Read User.Read.All email",
  "sub": "xxxx",
  "tenant_region_scope": "NA",
  "tid": "xxx",
  "unique_name": "xxx@microsoft.com",
  "uti": "p6nDIxxxxsjAzAA",
  "ver": "1.0",
  "wids": [
    "xxxx",
    "xxxx",
    "xxx"
  ],

enter image description here

If application roles need to be included in token, for both user and service principals, the "emit_as_roles" option must be disabled.

kavyaS
  • 8,026
  • 1
  • 7
  • 19
  • Thanks for confirming this! What's the right channel to suggest changes in the docs? The MS docs GitHub repo? Instead of `user`, `security principal` would be more correct as this includes both, user & service principals. – Johannes Schmidt May 24 '23 at 17:27