Murdock

Reputation: 4662

Azure AD v2 roles not included in Access Token

I'm using https://login.microsoftonline.com/.../oauth2/v2.0/token to authenticate (authorization_code grant) to Azure AD using the scopes: offline_access, openid, profile, User.Read

According to the documentation the Access Token I receive should contain the roles of the user: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens

However, only the identity token returns the roles:

--Access Token
{
  "typ": "JWT",
  "nonce": "IWTwK2P0vzHoNnv1vvvSsjZSbAYPpSIk8MozY0A4WR0",
  "alg": "RS256",
  "x5t": "nOo3ZDrODXEK1jKWhXslHR_KXEg",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
...
  "rh": "0.ASgASPp-HouAsUyXCdG05vvfeHAoPPG46TFOoWYsil-LDcsoADw.",
  "scp": "User.Read profile openid email",
...
}.[Signature]

--Identity Token
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "nOo3ZDrODXEK1jKWhXslHR_KXEg"
}.{
...
  "rh": "0.ASgASPp-HouAsUyXCdG05vvfeHAoPPG46TFOoWYsil-LDcsoADw.",
  "roles": [
    "MyApp.Read",
    "MyApp.Admin",
    "MyApp.Write"
  ],
...
}.[Signature]

Is there a way to make the access token also include the roles?

Upvotes: 20

Views: 21949

Answers (3)

Carl Zhao

Reputation: 9511

Thanks to @juunas for the tip; @juunas is right. If you are using a custom API, the user token can also contain a roles claim.

You need to create two applications in Azure, one representing the client application and the other representing the API application, and then use the client application to call the API application.

First, you need to expose the API of the back-end application protected by Azure and add the client application.

Next, you need to set the API application's AppRole, which is your customized role; it will be displayed in the manifest.

Then you can assign the role to the user. Go to Enterprise applications > your API application > Users and groups.

Next, go to the client application and give your client application access to your backend API:

  • Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
  • Find your backend application and select the appropriate scope.
  • Click 'Add permissions'.
  • Grant admin consent for your APIs.

Next, you need to use the auth code flow to obtain an access token, which requires you to log in as the user and obtain the authorization code, and then use the authorization code to redeem the access token.

Parse the token; it contains both scp and roles claims.

Additional step

As mentioned by @Ekkelenkamp in the comments, another step that may be required to show the roles claim in the access_token is to remove "emit_as_roles" from the "optionalClaims.accessToken" configuration in the server's app registration manifest.

Upvotes: 19

Thed

Reputation: 175

If you are registering an API app in Azure Active Directory's App Registration and exposing that through an SPA app also registered in Azure Active Directory, then:

  1. The id token contains roles exposed on the SPA app and
  2. The access token contains roles exposed on the API app.

(This was the essential information for me from Carl Zhao's answer)

Upvotes: 3

Diego Mendes

Reputation: 11341

Unfortunately there is a bug in AAD that only adds the roles to the access_token when an API scope is requested when requesting the token.

In order to get the roles to work, you need the following setup:

  • Create the application
  • Add a scope to the application using "Expose an API"
  • Use the scope created in the step above when requesting a token

The end result will be a token

Example:

https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?client_id={appid}&response_type=token&scope={appid}/{scopename}&nonce=678910

The scopes openid, email and profile should only be used with id_tokens.

Upvotes: 2
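An added example (not code from any answer on this page) of the API-side check that Carl Zhao's and Diego Mendes's answers imply: the API decodes the access token, confirms the audience is the API app itself, and only then reads roles, so a token requested with only Graph scopes (which carries no roles) is rejected rather than silently treated as unprivileged. The app id, the MyApp.Access scope name and the claim values are constructed; the Microsoft Graph audience id is the well-known one.

```python
import base64
import json

# Constructed sample values (not from the original thread): the API app's
# client id and the role the protected endpoint requires.
API_APP_ID = "11111111-2222-3333-4444-555555555555"
REQUIRED_ROLE = "MyApp.Admin"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed JWT with an empty signature so the example runs offline."""
    header = {"typ": "JWT", "alg": "RS256"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."


def decode_claims(token: str) -> dict:
    """Return the payload claims. The signature is NOT verified here; a real
    API must validate it against the tenant's signing keys before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize(token: str, required_role: str = REQUIRED_ROLE) -> tuple:
    """Accept the token only if it was issued for this API and carries the role."""
    claims = decode_claims(token)
    if claims.get("aud") != API_APP_ID:
        return False, "token not issued for this API (was the API scope requested?)"
    roles = claims.get("roles", [])
    if required_role not in roles:
        return False, f"missing role {required_role}; roles={roles}"
    return True, f"ok: scp={claims.get('scp')} roles={roles}"


# Token requested with the API's own scope ({appid}/{scopename}): roles present.
API_TOKEN = make_unsigned_token({"aud": API_APP_ID, "scp": "MyApp.Access",
                                 "roles": ["MyApp.Read", "MyApp.Admin", "MyApp.Write"]})
# Token requested with only Graph scopes (User.Read ...): Graph audience, no roles.
GRAPH_TOKEN = make_unsigned_token({"aud": "00000003-0000-0000-c000-000000000000",
                                   "scp": "User.Read profile openid email"})
```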