Reputation: 4846
The SPA app signs in to AzureAD and gets an access token for api:api app id/access_as_user. However, no roles are in the access token.
    created() {
      //this.$msal.signOut();
      if (!this.$msal.isAuthenticated()) {
        this.$msal.signIn();
      } else {
        console.log(this.$msal)
        // get access token to webapi
        this.$msal
          .acquireToken({scopes: ["api://58ca819e-/access_as_user"]})
          .then((res) => {
            console.log(res)
            auth.accessToken = res
          })
          .catch(err => console.error(err))
      }
    },
Any idea please?
My configuration:
AzureAD user has been assigned to role admin in api app:
SPA client (Vue): configured to azure ad client app
    Vue.use(msal, {
      auth: {
        clientId: 'be7e77ba-',
        tenantId: '3a0cf09b-',
        redirectUri: appInfo.redirectUri,
        autoRefreshToken: true,
      },
      cache: {
        cacheLocation: 'localStorage',
      },
    });
ASPNET Core WebAPI: configured to azure ad api app

    "AzureAd": {
      "Instance": "https://login.microsoftonline.com/",
      "ClientId": "58ca819e-",
      "TenantId": "3a0cf09b-"
    },
AzureAD client app: has a permission to api app api:api app id/access_as_user
AzureAD api app: has scope api:api app id/access_as_user, app role admin, token configuration to include groups as roles.
Token Configuration:
App roles:
Expose an API:
Upvotes: 3
Views: 2235
Reputation: 16438
This is because you selected Emit groups as role claims, which covers your app roles.
If you want to get Group claims together with the app roles, unselect Emit groups as role claims and configure "groupMembershipClaims": "SecurityGroup" in the manifest.
Upvotes: 1
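Added example, not part of the original answer or of MSAL: a JavaScript helper that decodes an access token's payload and reports whether the roles claim holds app role values or only group object IDs, which is how the setting discussed above shows up in a token. The role value admin, the constructed sample tokens and the GUID heuristic (by default, groups emitted as roles appear as object IDs) are assumptions.

```javascript
// Added example. Diagnostic only: the payload is decoded WITHOUT verifying the
// signature; validating the token remains the job of the API that receives it.
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWT with 3 segments');
  // base64url -> base64, restore padding, then decode as UTF-8 JSON
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Heuristic (assumption): GUID-shaped entries in roles are group object IDs,
// anything else is treated as an app role value such as "admin".
function inspectRoleClaims(jwt) {
  const claims = decodeJwtPayload(jwt);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const groupIdsInRoles = roles.filter((r) => GUID.test(r));
  const appRoles = roles.filter((r) => !GUID.test(r));
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  let finding = 'APP_ROLES_PRESENT';
  if (roles.length === 0) finding = 'ROLES_CLAIM_ABSENT';
  else if (appRoles.length === 0) finding = 'ONLY_GROUP_IDS_IN_ROLES';
  return { scp: claims.scp, appRoles, groupIdsInRoles, groups, finding };
}

// Constructed sample tokens (unsigned, placeholder values), not real tokens.
function makeSampleToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}
const GROUP_ID = '00000000-0000-0000-0000-000000000001'; // constructed
// Groups emitted as roles: the roles claim carries the group ID only.
const withEmitAsRoles = makeSampleToken({ scp: 'access_as_user', roles: [GROUP_ID] });
// Groups in their own claim: the app role value appears in roles.
const withSeparateClaims = makeSampleToken({
  scp: 'access_as_user', roles: ['admin'], groups: [GROUP_ID],
});

console.log(inspectRoleClaims(withEmitAsRoles).finding);
console.log(inspectRoleClaims(withSeparateClaims));
```

Pass the raw access token string returned by the sign-in library to `inspectRoleClaims` to run the same check on a real token.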