Reputation: 31
I've got some trouble with Azure AD authorization for APIs with active roles. Here are my steps:
My problem: Now I have another API/Batch which should "log in" into my AD-App. Easy, I thought -> I've created a secret key, and the parameters for my request look like:
URL for Login: https://login.microsoftonline.com/MyTenantID
ClientID: myAppID of the AD-App
Key: MyKey
ResourceID: MyAppID of the AD-App
-> Error: Application 'xxx' is not assigned to a role for the ...
So what am I doing wrong? How can I assign the APP to log in 'by itself'?
Upvotes: 3
Views: 289
Reputation: 18465
As the User assignment required option is described as follows:
If this option is set to yes, then users must first be assigned to this application before being able to access it. If this option is set to no, then any users who navigate to the application will be granted access. This option is only enabled when the application is configured for the following sign-on modes: SAML-based SSO or WIA with Azure AD Authentication.
So what am I doing wrong? How can I assign the APP to log in 'by itself'?
Based on your description, I assume that you are using the Service to Service Client Credentials Grant Flow without user interaction. For your scenario, you need to define Application roles for the Application member type; for details, you could follow this similar issue.
Moreover, you could refer to my test steps as follows:
Define the Application roles:
Create another AAD app and configure required permissions to access another AAD app:
Acquire the token:
Upvotes: 1
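The client-credentials request the question describes, plus a check of the roles claim that an assigned Application role produces in the issued token, as an added example that is not part of the original answer. It assumes the v1 token endpoint with a resource parameter (as in the question) and uses placeholder tenant/app values; the sample token is constructed locally so the role check runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"  # endpoint family from the question


def build_token_request(client_id: str, client_secret: str, resource: str) -> dict:
    """Form body for the v1 client-credentials grant: no user is involved, so
    access is decided by the Application roles assigned to the calling app."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,  # app id or App ID URI of the API being called
    }


def acquire_token(tenant_id: str, client_id: str, client_secret: str, resource: str) -> str:
    """POST to the tenant's v1 token endpoint and return the access token (needs network)."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode(build_token_request(client_id, client_secret, resource)).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> list:
    """App roles granted to the caller: the 'roles' claim of the access token.
    Only the payload is decoded for inspection; the receiving API must still
    validate signature, issuer, audience and expiry before trusting any claim."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return list(payload.get("roles", []))


def has_app_role(access_token: str, required_role: str) -> bool:
    """Authorization check an API would apply to a service-to-service caller."""
    return required_role in token_roles(access_token)


def constructed_token(claims: dict) -> str:
    """Unsigned sample token for the offline demonstration (constructed, not issued by Azure AD)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."
```

An app with no Application role assigned yields a token without a roles claim, which is the situation behind the "not assigned to a role" error.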