alexander7567

Reputation: 664

Get assigned roles in Azure Web App with PHP

I have created an Azure Web App using PHP. I enabled AAD Authentication and got it all worked out, where you have to log in as a company user to access the site.

Then I created new App Roles using the App Registration --> Manifest. I have assigned myself that role, logged off and back on, and within the $_SERVER variable I cannot find any reference to that role. I can find my username, tokens, principal_id, etc., but nothing referencing the AppRole I just created.

My question is, how do I get the App Roles that the logged in user is assigned? The only documentation I find on this is for .net or really old Azure classic stuff.

Any ideas?

Upvotes: 0

Views: 1168

Answers (2)

Jack Jia

Reputation: 5549

Based on the official documentation, the defined AppRole will be returned in the id_token.

[screenshot of the documentation]

To get the user's id_token, you can use the Azure AD OAuth 2.0 authorization code flow and add openid to the scope. Here I use Postman to acquire the access_token and id_token:

[screenshot]

And then I can get the id_token:

[screenshot]

By analyzing the id token, you can get the role of the user:

[screenshot]

Upvotes: 1
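The answer above shows the roles claim being read from a decoded id_token in Postman. The following is an added example, not code from the question or the answer, that does the same parsing in PHP so the roles can be used for an authorization check in the app. It assumes the app runs behind App Service Authentication (Easy Auth) with the token store enabled, in which case the already-validated id_token arrives in the X-MS-TOKEN-AAD-ID-TOKEN request header; the client ID, tenant, user name and role names below are constructed placeholders, and the sample token is built inline with a dummy signature so the script runs offline.

```php
<?php
// Added example: read App Role assignments from the Azure AD id_token.
// Not from the original question or answers.

function base64url_decode(string $data): string
{
    // JWT segments are base64url without padding; restore both for base64_decode.
    $data = strtr($data, '-_', '+/');
    $padded = str_pad($data, strlen($data) + (4 - strlen($data) % 4) % 4, '=');
    $decoded = base64_decode($padded, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('invalid base64url segment');
    }
    return $decoded;
}

/**
 * Decode the payload of a compact JWT. This only PARSES the token; it does not
 * verify the signature. Use it only on a token the platform (Easy Auth) has
 * already validated, or verify the signature with a JWT library first.
 */
function jwt_payload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWT');
    }
    $claims = json_decode(base64url_decode($parts[1]), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('payload is not a JSON object');
    }
    return $claims;
}

/**
 * Return the App Roles in the token after checking it was issued for this app
 * (aud = Application (client) ID) and has not expired.
 */
function app_roles(string $idToken, string $expectedAud, int $now): array
{
    $claims = jwt_payload($idToken);
    if (($claims['aud'] ?? null) !== $expectedAud) {
        throw new RuntimeException('id_token audience mismatch');
    }
    if (!isset($claims['exp']) || $claims['exp'] < $now) {
        throw new RuntimeException('id_token expired');
    }
    // Azure AD emits "roles" only when the user has at least one assignment.
    $roles = $claims['roles'] ?? [];
    return is_array($roles) ? $roles : [];
}

function user_has_role(array $roles, string $required): bool
{
    return in_array($required, $roles, true);
}

// --- Constructed sample token (placeholder values, dummy signature) ---
$clientId = '00000000-0000-0000-0000-000000000000'; // placeholder client ID
$payload = json_encode([
    'aud' => $clientId,
    'iss' => 'https://login.microsoftonline.com/{tenant-id}/v2.0', // placeholder
    'exp' => time() + 3600,
    'preferred_username' => 'user@example.com',
    'roles' => ['Admin', 'Reader'],
]);
$b64url = fn(string $s) => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$sampleToken = $b64url('{"alg":"RS256","typ":"JWT"}') . '.'
    . $b64url($payload) . '.' . $b64url('dummy-signature');

// In App Service, read the platform-validated token instead of the sample:
// $idToken = $_SERVER['HTTP_X_MS_TOKEN_AAD_ID_TOKEN'];
$idToken = $sampleToken;

$roles = app_roles($idToken, $clientId, time());
echo 'Roles: ' . implode(', ', $roles) . PHP_EOL;
echo 'Is Admin: ' . (user_has_role($roles, 'Admin') ? 'yes' : 'no') . PHP_EOL;
```

The aud and exp checks are a minimum; a token obtained any other way than from the Easy Auth header (for example with the Postman flow in the answer) has not been validated by the platform, and its roles claim must not be trusted until the signature has been verified against the tenant's signing keys.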

Mohit Verma

Reputation: 5294

The simplest way I can think of is utilizing the Microsoft Graph API for this kind of operation.

Here is a sample Github Repo for reference:

https://github.com/Azure-Samples/active-directory-php-graphapi-directoryextensions-web

For getting the user role, you can simply call the Graph API below:

GET /me/memberOf
or
GET /users/{id | userPrincipalName}/memberOf

You can check below doc for further reference:

https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http

Overall, this is how the flow would look:

  • Register an application with the required set of permissions
  • Get authorized from Azure AD using the application created above
  • Use the token from step 2 and call the Graph API to get user roles
  • Proceed with the validation

A sample response looks like below:

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "@odata.type": "#microsoft.graph.group",
      "id": "id-value",
      "createdDateTime": null,
      "description": "All users at the company",
      "displayName": "All Users",
      "groupTypes": [],
      "mailEnabled": false,
      "securityEnabled": true
    }
  ]
}

Hope it helps.

Upvotes: 0

The four-step flow above, carried through in PHP as an added example (not code from the answer or from the linked sample repository): it calls GET /me/memberOf with a bearer token, follows @odata.nextLink paging, and sorts the results by object type. It assumes you already hold a Graph access token from step 2; the token value, object IDs and the second page are constructed so the script runs offline through an in-memory stand-in for the HTTP call. Note that memberOf lists the groups and directory roles the user belongs to, which is different from the App Roles carried in the id_token roles claim described in the other answer.

```php
<?php
// Added example: list a user's group and directory-role memberships via Graph.
// Not from the original answer or the linked sample repository.

/** Sort one page of a memberOf response into names grouped by object type. */
function memberships_from_page(array $page): array
{
    $out = ['groups' => [], 'directoryRoles' => [], 'other' => []];
    foreach ($page['value'] ?? [] as $obj) {
        $name = $obj['displayName'] ?? $obj['id'] ?? '(unnamed)';
        switch ($obj['@odata.type'] ?? '') {
            case '#microsoft.graph.group':
                $out['groups'][] = $name;
                break;
            case '#microsoft.graph.directoryRole':
                $out['directoryRoles'][] = $name;
                break;
            default:
                $out['other'][] = $name;
        }
    }
    return $out;
}

/** GET one Graph URL with the bearer token and return the decoded JSON body. */
function graph_get(string $url, string $accessToken): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => [
            'Authorization: Bearer ' . $accessToken,
            'Accept: application/json',
        ],
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Graph request failed with HTTP $status");
    }
    $json = json_decode($body, true);
    if (!is_array($json)) {
        throw new RuntimeException('Graph returned a non-JSON body');
    }
    return $json;
}

/** Walk every page of /me/memberOf and merge the results. */
function list_memberships(string $accessToken, callable $fetch = 'graph_get'): array
{
    $url = 'https://graph.microsoft.com/v1.0/me/memberOf';
    $all = ['groups' => [], 'directoryRoles' => [], 'other' => []];
    while ($url !== null) {
        $page = $fetch($url, $accessToken);
        foreach (memberships_from_page($page) as $kind => $names) {
            $all[$kind] = array_merge($all[$kind], $names);
        }
        $url = $page['@odata.nextLink'] ?? null; // absent on the last page
    }
    return $all;
}

// --- Constructed sample: two response pages served by an offline stand-in ---
$samplePages = [
    'https://graph.microsoft.com/v1.0/me/memberOf' => [
        'value' => [
            ['@odata.type' => '#microsoft.graph.group', 'id' => 'id-value',
             'displayName' => 'All Users', 'securityEnabled' => true],
        ],
        '@odata.nextLink' => 'https://graph.microsoft.com/v1.0/me/memberOf?$skiptoken=constructed',
    ],
    'https://graph.microsoft.com/v1.0/me/memberOf?$skiptoken=constructed' => [
        'value' => [
            ['@odata.type' => '#microsoft.graph.directoryRole', 'id' => 'role-id-value',
             'displayName' => 'Directory Readers'],
        ],
    ],
];
$offlineFetch = function (string $url, string $token) use ($samplePages): array {
    if (!isset($samplePages[$url])) {
        throw new RuntimeException("no constructed sample for $url");
    }
    return $samplePages[$url];
};

// Live use: $memberships = list_memberships($accessToken);
$memberships = list_memberships('constructed-token', $offlineFetch);
echo 'Groups: ' . implode(', ', $memberships['groups']) . PHP_EOL;
echo 'Directory roles: ' . implode(', ', $memberships['directoryRoles']) . PHP_EOL;
```

Following @odata.nextLink matters for the authorization check in step 4: Graph pages the collection, so reading only the first response can miss the membership that should grant or deny access.
