Azure AD Application - Require Role Assignment + Add a role assignment for an Application?

Question

I have an MVC Web Application (WebAPI + Angular) deployed to Azure as a Web App (not API App) that is setup to be secured using Settings -> Authentication / Authorization -> AAD -> Express. This created an AD Application with the same name as the Web App, and as a normal web user (in the directory, using OAuth) this works as expected.

But I also have external automation that needs to call the WebAPI controllers directly, so I need to programmatically get a Bearer token to pass along with those requests.

This all works OK when "USER ASSIGNMENT REQUIRED TO ACCESS APP" == NO. But this won't suffice because everyone in the Directory shouldn't have access to this app.

Flipping that switch results in the error:

Application 'AppId' is not assigned to a role for the application 'AppId'.

The code being used:

    var aadLoginUri = "http://login.microsoftonline.com/{0}";
    var tenantId = "[xxx].onmicrosoft.com";
    var authority = String.Format(CultureInfo.InvariantCulture, aadLoginUri, tenantId);
    var clientId = ConfigurationManager.AppSettings["ClientId"];
    var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];

    var authContext = new AuthenticationContext(authority);
    ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
    AuthenticationResult authResult = authContext.AcquireToken(clientId, clientCredential);

How can I add a role assignment for an Application?
(as opposed to for a user)

I tried utilizing the 'permissions to other applications' section, but an app cannot be added to itself. To see if this would solve the problem from another app, I went ahead and created one and was able to add the App & set Delegated Permissions to 'Access [App Name]'. But just as before, this only works if user assignment is not required to access the app. Afterwards AcquireToken() throws the same exception.

It seems this issue could be solved by decoupling our API from the Angular app, hosting the API as an API App (with a Gateway), but that's not an option at the moment. Also this article says this new Auth feature "replaces the App Service gateway for most applications" and this blog post announcing the feature in November says "We recommend web and mobile applications use this feature instead of the App Service gateway going forward" so I wonder if this just hasn't made it into the UI & perhaps it's possible to add app role assignments via the app manifest (tried, failed), graph/service-mgmt api, powershell, etc.

Answer 1

The key is to define the correct appRoles (with the correct allowedMemberType) in the manifest.

In the Azure Portal, configure the following:

In the resource that needs to be accessed, open the manifest ('App Registrations' blade). In the appRoles array, add two roles:

• One of allowedMemberType 'Application'
• One of allowedMemberType 'User'

Save the manifest.

Next, in the client app that needs to access the resource:

• Browse to 'Required Permissions' and click 'Add'
• Search for the resource you want to access
• In the 'Enable Access' section, under 'Application Permissions', select the role you just configured
• Save and click 'Grant permissions'

To configure the user permissions:

• Browse to the 'Enterprise Applications' blade
• Select 'All Application', then select the correct app
• Click 'Users and Groups'
• Assign users to roles

In the Properties section, keep the 'User assignment required?' checkbox enabled. This will restrict access to configured users only.

Now you can access the resource both as a user and as an application.