Reputation: 23436
When I add an appRoles section to my application manifest in Azure AD, I can assign users and groups to roles in the management portal.
"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Can read data.",
        "displayName": "Data Reader",
        "id": "67fba7fa-e54e-4258-b95d-32b082eb771d",
        "isEnabled": true,
        "value": "reader"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Can create and edit data.",
        "displayName": "Data Writer",
        "id": "e36736c5-e923-435e-8e44-6cae90792931",
        "isEnabled": true,
        "value": "writer"
    }
],
However, the UI only allows me to assign a single role to a user or group.
I can't find how to assign multiple roles to a user or group. I can add the user to multiple groups and assign roles to members of that group, which will result in multiple role claims in the token for that user, but this seems awkward.
Am I missing something? Is there a way to assign multiple roles to a user or group?
Upvotes: 18
Views: 17870
Reputation: 1537
Had the same problem and with the current version of the Azure portal the workaround was
Note: if the "+ Add user/group" button is greyed out, you either didn't add App Roles to the App registration, or aren't in the owner group for the "Enterprise application". It appears you can be the owner of the App Registration and not be the owner of the Enterprise Application.
The token should now have a roles section with your two permissions. Take the JWT to jwt.io and you should see something like
"rh": "I",
"roles": [
    "permission1",
    "permission2"
],
Upvotes: 1
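Once a user holds several app roles, the token carries them as a multi-valued "roles" claim, and Azure AD omits the claim entirely when the user has none. The following is an added example (not code from the question or any answer) showing how an API would validate such a token and read the roles. It assumes a constructed HS256 secret, audience and issuer; real Azure AD tokens are RS256-signed and verified against the tenant's JWKS keys, which is outside what runs offline here.

```python
# Added example: validate a constructed JWT and read the multi-valued
# "roles" claim Azure AD emits when a user holds several app roles.
# Azure AD signs with RS256 and publishes keys via JWKS; HS256 with a
# constructed secret is a stand-in so this runs offline with stdlib only.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-test-secret"                      # stand-in for JWKS key
EXPECTED_AUD = "00000000-0000-0000-0000-000000000000"    # constructed app id
EXPECTED_ISS = "https://login.microsoftonline.com/constructed-tenant/v2.0"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a signed test token (what the identity provider would do)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now: float) -> dict:
    """Return claims only if signature, audience, issuer and expiry all pass."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != EXPECTED_AUD or claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong audience or issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def roles_of(claims: dict) -> frozenset:
    """Azure AD omits 'roles' entirely when the user has no app role assigned."""
    return frozenset(claims.get("roles", []))


def has_role(claims: dict, role: str) -> bool:
    return role in roles_of(claims)
```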
Reputation: 1551
You can assign multiple roles to the same user in the same app, but it is very limited. Basically add the same user again and select a different role:
The mechanism is very cumbersome and will not scale. If you have AAD Premium Lvl 2, you can associate application roles with groups, and when you assign a user to that group, they will gain the roles automatically. The automatic assignment only works for Premium Lvl 2 though.
Upvotes: 28
Reputation: 23436
This turns out to be a limitation of the Azure management portal. In this blog comment, the AAD PM explains it is possible to assign multiple roles to a user or group through the GraphAPI.
For more info, see section 'Assigning application roles' in this MSDN blog article.
Upvotes: 7