
Can't assign roles from azure AD app manifest

I was trying to implement role-based authorization in my Azure application as described in the http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/ article. Unfortunately, after I upload the manifest with the roles I can't assign the roles to the users - the assign button at the bottom of the Azure management portal is disabled (in the article, the action I want to perform is in the 4th screenshot). Has anyone encountered anything like that? Below is the appRoles part of my application manifest:

  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Can do some stuff",
      "displayName": "AU",
      "id": "c400a00b-f67c-42b7-ba9a-f73d8c67e433",
      "isEnabled": true,
      "origin": "Application",
      "value": "au"
    }
  ],

Update: Turns out, the reason the button was disabled was pretty simple - I had assigned the user previously and just assumed that if I implemented roles in the manifest, it would let me assign them via the "Assign" button even though the user has already been assigned.

Still, it doesn't solve the root issue - after removing the user from the app and assigning him once again, the prompt with role assignment does not show up; the user's "Assigned" status simply changes to "Yes", as if no roles were set within the manifest.

jspi asked Mar 01 '15 10:03



2 Answers

Ok, I should have figured it out sooner - the prompt for role assignment does not show up when there is only one role defined in the app manifest, in which case it automatically assigns the role to the user. I figured it out when I looked through all the claims sent to the application and found my single defined role in there.

Dushyant Gill - thank you for the help.

jspi answered Oct 13 '22 16:10
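The check described in the answer above (looking through the claims sent to the application for the single defined role), as an added example that is not part of the original post: it decodes a token payload and compares the `roles` claim, where Azure AD places app role values, with the manifest's `appRoles`. The function names and the sample token are constructed for illustration, and the payload is decoded without signature verification, for inspection only.

```python
import base64
import json

# appRoles entry from the question's manifest.
APP_ROLES = [{
    "allowedMemberTypes": ["User"],
    "displayName": "AU",
    "id": "c400a00b-f67c-42b7-ba9a-f73d8c67e433",
    "isEnabled": True,
    "value": "au",
}]


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Inspection only: the application must validate signature, issuer and
    audience before it authorizes anything based on these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def role_report(token: str, app_roles: list) -> dict:
    """Compare the token's `roles` claim with the manifest's enabled roles."""
    enabled = {r["value"] for r in app_roles if r.get("isEnabled")}
    claimed = decode_claims(token).get("roles", [])  # the claim may be absent
    if isinstance(claimed, str):  # tolerate a single string value
        claimed = [claimed]
    return {
        "granted": sorted(set(claimed) & enabled),
        "unknown": sorted(set(claimed) - enabled),
        "missing_claim": not claimed,
    }


def _enc(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    # Constructed sample token with a placeholder signature, so this runs offline.
    return f"{_enc({'alg': 'RS256', 'typ': 'JWT'})}.{_enc(claims)}.constructed-signature"
```

A `granted` list of `["au"]` for a user who was never prompted to pick a role matches the behaviour the answer describes; a non-empty `unknown` list means the token carries a role value the manifest does not define or has disabled.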


jspi, only global administrators and user account administrators of the directory can assign users and groups to applications - can you confirm that the signed-in user is in one of those two directory roles?

Dushyant Gill answered Oct 13 '22 17:10