Sammy Cakes

Reputation: 162

Azure AD-Linking Roles to Groups

In Azure AD, I have tenant-wide groups, but then for applications, I have roles defined in the app's manifest, in the "appRoles" area.

Where do I find or set up the mapping between the application's roles and the tenant's groups?

Is there a call I can make to Microsoft Graph to see the ID for the role, the ID for the group, and the ID for the association between the group and the role?

I thought calling servicePrincipal in Microsoft Graph might provide this association ID for the mapping, but I don't see the association info, maybe because I need to specifically set up the mapping.

My understanding is there can be a mapping between the tenant-wide groups and the application-specific roles, so if the tenant has a hundred groups but only 3 groups relate to an application, those three groups can be in the application as roles under "appRoles", and when a user logs into that app, only those 3 roles/groups would potentially be in the user's JWT token, instead of 100 groups that might not relate to the application.

Upvotes: 0

Views: 89

Answers (1)

Allen Wu

Reputation: 16438

What you need is Get appRoleAssignment. (Note that use of /beta APIs in production applications is not supported.)

https://graph.microsoft.com/beta/groups/{group id}/appRoleAssignments

Here is an example of the response:

{
  "id": "vYC9THsQiUaIO0_OAVavTkhETv6Zy7pKlmGdjahzx6o",
  "creationTimestamp": "2019-09-25T03:30:02.739514Z",
  "appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
  "principalDisplayName": "TestAllenG",
  "principalId": "4cbd80bd-107b-4689-883b-4fce0156af4e",
  "principalType": "Group",
  "resourceDisplayName": "AllenTestBot001",
  "resourceId": "f958f02e-6d83-43f0-8a86-a08fe42f1aab"
}

"appRoleId" is the id of the appRole. "resourceId" is the id of the servicePrincipal.

Upvotes: 1
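Added example, not code from the question or the answer: the answer's appRoleAssignment gives you appRoleId and resourceId, but not the role's name, so this script joins a group's appRoleAssignments to the appRoles of the resource service principal (GET /servicePrincipals/{resourceId}) and reports, per association, the role value that will appear in the token's "roles" claim. It runs offline on constructed data: the first assignment is the answer's sample, while the appRoles list, the second "Reader" role, the stale assignment and the IDs they use are assumed for illustration. The URL helpers use the v1.0 endpoint rather than /beta.

```python
# Added example (not from the original page). Joins a group's appRoleAssignments
# (the answer's Graph call) to the resource service principal's appRoles, so
# each association reads as "group X holds role Y". Flags assignments whose
# role is missing from the manifest ('stale'), disabled, or the implicit
# "Default Access" role. Sample data below is constructed; appRoles content,
# the Reader role and the stale assignment are ASSUMED, not from the page.
from dataclasses import dataclass
from typing import Dict, List, Optional

GRAPH_V1 = "https://graph.microsoft.com/v1.0"

# appRoleId Azure AD records when a principal is assigned to an app with no
# specific role ("Default Access"); this id is never listed in appRoles.
DEFAULT_ACCESS_ROLE_ID = "00000000-0000-0000-0000-000000000000"


def group_assignments_url(group_id: str) -> str:
    """GET (bearer token required) to list a group's appRoleAssignments."""
    return f"{GRAPH_V1}/groups/{group_id}/appRoleAssignments"


def service_principal_url(sp_id: str) -> str:
    """GET to fetch the resource service principal including its appRoles."""
    return f"{GRAPH_V1}/servicePrincipals/{sp_id}?$select=id,displayName,appRoles"


@dataclass
class RoleMapping:
    assignment_id: str          # id of the group<->role association object
    group_id: str
    group_name: str
    role_id: str
    role_value: Optional[str]   # string emitted in the token's "roles" claim
    status: str                 # "ok", "default-access", "disabled" or "stale"


def resolve_group_roles(assignments: Dict, sp: Dict) -> List[RoleMapping]:
    """Join an appRoleAssignments response ('value' array) to sp['appRoles'].

    Assignments whose principal is not a group or that target another
    resource are skipped; assignments pointing at a role no longer in the
    manifest are kept and marked 'stale' so they can be cleaned up.
    """
    roles_by_id = {r["id"]: r for r in sp.get("appRoles", [])}
    out: List[RoleMapping] = []
    for a in assignments.get("value", []):
        if a.get("principalType") != "Group" or a.get("resourceId") != sp["id"]:
            continue
        role = roles_by_id.get(a["appRoleId"])
        if a["appRoleId"] == DEFAULT_ACCESS_ROLE_ID:
            value, status = None, "default-access"
        elif role is None:
            value, status = None, "stale"
        elif not role.get("isEnabled", True):
            value, status = role.get("value"), "disabled"
        else:
            value, status = role.get("value"), "ok"
        out.append(RoleMapping(a["id"], a["principalId"],
                               a.get("principalDisplayName", ""),
                               a["appRoleId"], value, status))
    return out


def unassigned_roles(assignments: Dict, sp: Dict) -> List[str]:
    """Manifest roles assignable to users/groups that no group assignment uses."""
    used = {m.role_id for m in resolve_group_roles(assignments, sp)}
    return sorted(r["value"] for r in sp.get("appRoles", [])
                  if r["id"] not in used and "User" in r.get("allowedMemberTypes", []))


# Constructed response for GET /groups/{id}/appRoleAssignments. First entry is
# the answer's sample; the second is an ASSUMED stale assignment.
SAMPLE_ASSIGNMENTS = {"value": [
    {"id": "vYC9THsQiUaIO0_OAVavTkhETv6Zy7pKlmGdjahzx6o",
     "appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
     "principalDisplayName": "TestAllenG",
     "principalId": "4cbd80bd-107b-4689-883b-4fce0156af4e",
     "principalType": "Group", "resourceDisplayName": "AllenTestBot001",
     "resourceId": "f958f02e-6d83-43f0-8a86-a08fe42f1aab"},
    {"id": "assumed-stale-assignment",
     "appRoleId": "11111111-2222-3333-4444-555555555555",
     "principalDisplayName": "TestAllenG",
     "principalId": "4cbd80bd-107b-4689-883b-4fce0156af4e",
     "principalType": "Group", "resourceDisplayName": "AllenTestBot001",
     "resourceId": "f958f02e-6d83-43f0-8a86-a08fe42f1aab"},
]}

# Constructed service principal; the appRoles entries are ASSUMED.
SAMPLE_SP = {
    "id": "f958f02e-6d83-43f0-8a86-a08fe42f1aab",
    "displayName": "AllenTestBot001",
    "appRoles": [
        {"id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f", "value": "Admin",
         "displayName": "Administrator", "allowedMemberTypes": ["User"], "isEnabled": True},
        {"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "value": "Reader",
         "displayName": "Reader", "allowedMemberTypes": ["User"], "isEnabled": True},
    ],
}

if __name__ == "__main__":
    for m in resolve_group_roles(SAMPLE_ASSIGNMENTS, SAMPLE_SP):
        print(f"{m.group_name} -> {m.role_value} [{m.status}] (assignment {m.assignment_id})")
    print("roles with no group assigned:", unassigned_roles(SAMPLE_ASSIGNMENTS, SAMPLE_SP))
```

To run it against a real tenant, fetch group_assignments_url(group_id) and service_principal_url(resourceId) with an access token that has the required Graph permissions and pass the two JSON bodies in; the "stale" and "disabled" statuses are the ones worth alerting on, since they are assignments that no longer map to a working role.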
