jspi

Reputation: 181

Can't assign roles from azure AD app manifest

I was trying to implement role based authorization in my azure application as described in the http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/ article. Unfortunately, after I upload the manifest with the roles I can't assign the roles to the users - the assign button at the bottom of azure management portal is disabled (in the article, the action I want to perform is in the 4th screenshot). Has anyone encountered anything like that? Below is the appRoles part of my application manifest:

  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Can do some stuff",
      "displayName": "AU",
      "id": "c400a00b-f67c-42b7-ba9a-f73d8c67e433",
      "isEnabled": true,
      "origin": "Application",
      "value": "au"
    }
  ],

Update: Turns out the reason the button was disabled was pretty simple - I had assigned the user previously and just assumed that, once I implemented roles in the manifest, it would let me assign them via the "Assign" button even though the user had already been assigned.

Still, it doesn't solve the root issue - after removing the user from the app and assigning him once again, the prompt with the role assignment does not show up; the user's "Assigned" status simply changes to "Yes", as if no roles were set within the manifest.

Upvotes: 6

Views: 4811

Answers (3)

Erick B

Reputation: 516

You have to refresh the Azure portal to see the change (click where it says Microsoft Azure). You can also sign out and sign back in.

Upvotes: 0

jspi

Reputation: 181

OK, I should have figured it out sooner - the prompt for role assignment does not show up when there is only one role defined in the app manifest; in that case it automatically assigns the role to the user. I figured it out when I looked through all the claims sent to the application and found my single defined role in there.

Dushyant Gill - thank you for the help.

Upvotes: 8
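The accepted answer found the auto-assigned role by inspecting the claims the token carried. The following is an added example, not code from the question, the answers or the linked article, showing the two halves of that on the application side in Python: decoding a token's payload for inspection only, and an authorization check that treats the `roles` claim as the source of truth while honouring the manifest's `isEnabled` flag. Azure AD emits assigned app roles as a JSON array under the `roles` claim, using each role's `value`; a user with no assignment gets no `roles` claim at all. The second (disabled) app role, the `aud`/`iss` values and the sample token are constructed for the demo; signature, issuer, audience and expiry validation are assumed to be done by your JWT library before `is_authorized` is ever called.

```python
import base64
import json

# Constructed appRoles list: the first entry mirrors the role posted in the
# question; the second is a hypothetical, disabled role added to show that
# isEnabled is honoured by the check below.
APP_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "description": "Can do some stuff",
        "displayName": "AU",
        "id": "c400a00b-f67c-42b7-ba9a-f73d8c67e433",
        "isEnabled": True,
        "origin": "Application",
        "value": "au",
    },
    {
        "allowedMemberTypes": ["User"],
        "description": "Retired role (constructed), must not grant access",
        "displayName": "Legacy",
        "id": "00000000-0000-0000-0000-000000000001",
        "isEnabled": False,
        "origin": "Application",
        "value": "legacy",
    },
]


def enabled_role_values(app_roles):
    """Role values the manifest currently allows to grant access."""
    return {r["value"] for r in app_roles if r.get("isEnabled") and r.get("value")}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims_unverified(jwt):
    """Decode the payload of a compact JWT for inspection only.

    This does NOT check the signature, issuer, audience or expiry. Use it to
    look at what Azure AD put in the token, never to make an access decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def roles_from_claims(claims):
    """Normalise the 'roles' claim to a set of strings.

    A missing claim means the user has no app role assignment, so it yields
    an empty set rather than an error; non-string entries are ignored.
    """
    roles = claims.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    return {r for r in roles if isinstance(r, str)}


def is_authorized(claims, required_role, app_roles=APP_ROLES):
    """Deny by default: the role must be enabled in the manifest AND present
    in the (already signature-verified) token claims. A role that was
    disabled or removed from the manifest stops granting access even if a
    not-yet-expired token still carries it."""
    if required_role not in enabled_role_values(app_roles):
        return False
    return required_role in roles_from_claims(claims)


def make_unsigned_token(payload):
    """Build a constructed, UNSIGNED token (alg 'none') for the demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample: what the single auto-assigned role looks like in claims.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "00000000-0000-0000-0000-0000000000aa",  # hypothetical app id
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-0000000000bb/",
    "roles": ["au"],
    "upn": "user@example.onmicrosoft.com",
})

if __name__ == "__main__":
    claims = token_claims_unverified(SAMPLE_TOKEN)
    print("roles claim:", sorted(roles_from_claims(claims)))
    print("au authorized:", is_authorized(claims, "au"))
    print("legacy authorized:", is_authorized({"roles": ["legacy"]}, "legacy"))
```

The manifest-side check matters because the portal only controls assignment; once a token is issued, the application is the only place where a role disabled in the manifest can be refused before the token expires.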

Dushyant Gill

Reputation: 4004

jspi, only global administrators and user account administrators of the directory can assign users and groups to applications - can you confirm that the signed in user is in one of those two directory roles?

Upvotes: 1
