pdaniels0013

Reputation: 411

Azure Active Directory tokens missing App Roles in JWT

I have two applications registered in my Active Directory App registrations, a client and an API. Via the "Expose an API" blade, the client app has been trusted by the API app. I have additionally added 4 application roles (i.e. in the manifest, allowedMemberTypes: ["Application"]) to the API app, and added them as permissions to the client app.

When I get an access token via the client credentials flow for the client app's appid and decode it on jwt.io to see the claims, I can see the roles I assigned to the client app just fine, all in a nice neat array.

However, using the authorization flow and logging in as myself (belonging to the directory), with the same secret, scope, client ID, etc., the app roles are missing from the token that is sent back with that flow; they are in neither the ID token nor the auth token.

What am I missing here? Did I forget a step, or is it that the authorization flow does not support application-member app roles?

Upvotes: 2

Views: 3616

Answers (1)

Jack Jia

Reputation: 5549

As the official documentation says:

You can define app roles to target users, applications, or both. When available to applications, app roles appear as application permissions in the Required Permissions blade.

And, once you've added app roles (with "User" in allowedMemberTypes) to your application, you can assign users and groups to these roles in the enterprise app.

If a user is assigned any of these roles, you will get the roles information in their ID token.

Upvotes: 2
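As an added example (not code from the question, the answer, or Azure AD itself), the following Python does two things the thread turns on: it reads the `roles` claim out of a token the way jwt.io does, i.e. by decoding the payload without verifying the signature, and it checks an app-role manifest entry for the member types it allows, so a role restricted to `["Application"]` is flagged as one that can never appear in a user's token. Every GUID, the role name, the tokens and the manifest entry below are constructed sample data.

```python
"""Added example: inspect the `roles` claim of Azure AD tokens and check an
app-role manifest entry for its allowedMemberTypes.  All identifiers and
tokens here are constructed sample data, not output from a real tenant."""
import base64
import json

# Constructed sample: one entry of the API app's `appRoles` manifest array.
# allowedMemberTypes decides who the role can be assigned to.  With only
# "Application" the role is usable by client apps (client credentials flow)
# but can never be assigned to a user, so it never lands in a user's token.
SAMPLE_APP_ROLE = {
    "allowedMemberTypes": ["Application"],
    "description": "Read all widgets",
    "displayName": "Widgets.Read.All",
    "id": "00000000-0000-0000-0000-000000000001",  # hypothetical role id
    "isEnabled": True,
    "value": "Widgets.Read.All",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This mirrors what jwt.io does and is for diagnosis only.  An API must
    validate signature, issuer, audience and expiry with a JWT library before
    trusting any claim, including `roles`.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def roles_in_token(token: str) -> list:
    """Return the `roles` claim, or [] when Azure AD omitted it entirely."""
    return list(decode_claims(token).get("roles", []))


def member_types_missing_for_users(app_role: dict) -> list:
    """Member types that must be added before a user can hold this role."""
    allowed = set(app_role.get("allowedMemberTypes", []))
    return [t for t in ("User",) if t not in allowed]


def with_user_member_type(app_role: dict) -> dict:
    """Copy of the manifest entry that also allows users (the fix)."""
    fixed = dict(app_role)
    fixed["allowedMemberTypes"] = sorted(set(app_role["allowedMemberTypes"]) | {"User"})
    return fixed


def diagnose(app_role: dict, token: str) -> str:
    """Explain why `token` does or does not carry the role in `app_role`."""
    if app_role["value"] in roles_in_token(token):
        return "roles present"
    missing = member_types_missing_for_users(app_role)
    if missing:
        return ("roles missing: add %s to allowedMemberTypes in the API app "
                "manifest, then assign the user under Enterprise applications"
                % ", ".join(repr(t) for t in missing))
    return ("roles missing: the role allows users; check that this user (or a "
            "group they belong to) is assigned it under Enterprise applications")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature, for this demo only.
    Real Azure AD tokens are RS256-signed; decode_claims ignores the
    signature either way, exactly as jwt.io does."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join((_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""))


# Constructed tokens mirroring the two flows in the question.
CLIENT_CREDENTIALS_TOKEN = make_unsigned_token({
    "aud": "api://11111111-1111-1111-1111-111111111111",    # hypothetical API app
    "iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
    "appid": "33333333-3333-3333-3333-333333333333",        # hypothetical client app
    "roles": ["Widgets.Read.All"],
})
USER_TOKEN_BEFORE_FIX = make_unsigned_token({
    "aud": "api://11111111-1111-1111-1111-111111111111",
    "iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
    "oid": "44444444-4444-4444-4444-444444444444",          # hypothetical user
    "upn": "alice@contoso.example",
    "scp": "user_impersonation",                            # delegated scope, no roles claim
})

if __name__ == "__main__":
    print("client credentials:", roles_in_token(CLIENT_CREDENTIALS_TOKEN))
    print("user, before fix:  ", diagnose(SAMPLE_APP_ROLE, USER_TOKEN_BEFORE_FIX))
    print("fixed manifest:    ", with_user_member_type(SAMPLE_APP_ROLE)["allowedMemberTypes"])
```

The manifest check is the actionable part: when `member_types_missing_for_users` reports `User`, no amount of re-consenting the client will help, because the role cannot be assigned to a person until `"User"` is in `allowedMemberTypes` and the user (or a group) is assigned the role on the API's enterprise application. Keep `decode_claims` out of request handling; it exists to look at tokens, not to trust them.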
