Florian Eckert
Reputation: 311

Azure Active Directory ServicePrincipal SecurityGroup AppRoleAssignment fails to resolve appRole

Within Azure AD B2B I have created an application registration (the resource) with an appRole for "User" and "Application".

If I assign the servicePrincipal (the client) to this appRole -> the accessToken contains the appRole.

servicePrincipal(client) <-> appRoleAssignment <-> servicePrincipal(resource)

This works as expected.

If I assign the servicePrincipal (the client) to a top-level security group and assign the security group to the appRole -> the accessToken does NOT contain the appRole.

servicePrincipal(client) <-> security group <-> appRoleAssignment <-> servicePrincipal(resource)

This indirection works for users; am I missing something as to why this would not work for servicePrincipals?

Upvotes: 1

Views: 254
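An added diagnostic, not code from the question or either answer: a token issued to the client service principal carries its app roles in the `roles` claim as the role's value string, so the quickest way to tell the two setups apart is to decode the access token and look for that claim. The tokens below are constructed samples with placeholder values, and signature verification is deliberately left out because this only inspects claims.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT.

    Diagnostic only: this does NOT verify the signature, so it shows what
    claims the token carries, not whether the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload_b64 = parts[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def has_app_role(token: str, expected_role: str) -> bool:
    """True if the token's 'roles' claim lists expected_role.

    A direct appRoleAssignment on the service principal yields a 'roles'
    claim; the group-based assignment from the question yields no claim at
    all, so .get() with an empty default handles that failure mode.
    """
    claims = decode_jwt_payload(token)
    return expected_role in claims.get("roles", [])


def _fake_token(payload: dict) -> str:
    """Build an unsigned sample token for offline demonstration (constructed)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(payload) + "."


# Constructed samples; the appid GUID is a placeholder, not a real tenant value.
PLACEHOLDER_APPID = "11111111-1111-1111-1111-111111111111"
DIRECT_ASSIGNMENT_TOKEN = _fake_token(
    {"appid": PLACEHOLDER_APPID, "roles": ["Application"]}
)
GROUP_ASSIGNMENT_TOKEN = _fake_token({"appid": PLACEHOLDER_APPID})

if __name__ == "__main__":
    print("direct assignment:", has_app_role(DIRECT_ASSIGNMENT_TOKEN, "Application"))
    print("via group:", has_app_role(GROUP_ASSIGNMENT_TOKEN, "Application"))
```

Run it against a real token by replacing the constructed samples with the raw string from your client's token response.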

Answers (2)

Stanley Gong

Reputation: 12153

All of your steps are right. If you want to assign an app role to a service principal, you should assign them one by one; it does not work if you add a service principal to a group that is assigned an app role. As @juunas said, maybe this is something like a bug.

Upvotes: 1

juunas

Reputation: 58853

I don't think you have missed anything. It does indeed work for users.

It's either a bug or a feature :) It could be that application permissions (which is what appRoles of type Application are) are not meant to be assigned via groups.

Upvotes: 1