Reputation: 5870
Why is "user.assignedroles" null, and resulting in not being sent in token?
I am encountering this scenario now. And even though I can see that I am assigned roles within Azure and Active Directory, this value still must be set to null.
that it states that with respect to user.assignedroles "If the role claim value is null, then Azure AD will not send this value in the token and this is default as per design."
This is how I know that it is null. (because it is not being sent)
Upvotes: 2
Views: 2807
Reputation: 16448
You assigned your user a role whose value is "null".
You can check it in Microsoft Graph Explorer:
https://graph.microsoft.com/beta/servicePrincipals/{Object ID of your Enterprise App}
In the response, check the role you have assigned. If the value of "value" is null, Azure AD will not send this value in the token.
So when you update an existing role, remember to set the "value" to a meaningful value.
Upvotes: 2
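The check described in the answer above can be scripted. The following is an added example, not part of the original post: it takes a saved servicePrincipal response plus the app's role assignments and reports which assigned principals hold a role whose "value" is null. The JSON is constructed sample data, and the function names are hypothetical; it also flags assignments whose role id cannot be found in appRoles, which goes slightly beyond the case the answer covers.

```python
import json

# Constructed sample data: trimmed shape of a Microsoft Graph servicePrincipal
# response (appRoles) and of its app role assignments. Ids and names are made up.
SERVICE_PRINCIPAL = json.loads("""
{
  "displayName": "Example Enterprise App",
  "appRoles": [
    {"id": "11111111-1111-1111-1111-111111111111",
     "displayName": "Admin", "value": "App.Admin", "isEnabled": true},
    {"id": "22222222-2222-2222-2222-222222222222",
     "displayName": "Legacy", "value": null, "isEnabled": true}
  ]
}
""")
ASSIGNMENTS = json.loads("""
[
  {"principalDisplayName": "alice", "appRoleId": "11111111-1111-1111-1111-111111111111"},
  {"principalDisplayName": "bob",   "appRoleId": "22222222-2222-2222-2222-222222222222"},
  {"principalDisplayName": "dave",  "appRoleId": "99999999-9999-9999-9999-999999999999"}
]
""")


def roles_without_value(sp):
    """Return the appRoles entries whose "value" is null (or missing)."""
    return [r for r in sp.get("appRoles", []) if r.get("value") is None]


def principals_missing_role_claim(sp, assignments):
    """Map each affected principal to the reason no role value can be sent."""
    by_id = {r["id"]: r for r in sp.get("appRoles", [])}
    null_ids = {r["id"] for r in roles_without_value(sp)}
    findings = {}
    for a in assignments:
        who, role_id = a["principalDisplayName"], a["appRoleId"]
        if role_id not in by_id:
            # Nothing to look up: the assignment points at no defined role.
            findings[who] = "assigned role id not found in appRoles"
        elif role_id in null_ids:
            findings[who] = f'role "{by_id[role_id]["displayName"]}" has a null value'
    return findings


if __name__ == "__main__":
    for who, why in principals_missing_role_claim(SERVICE_PRINCIPAL, ASSIGNMENTS).items():
        print(f"{who}: {why}")
```
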