I was trying to implement role-based authorization in my Azure application as described in the http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/ article. Unfortunately, after I upload the manifest with the roles I can't assign the roles to the users - the Assign button at the bottom of the Azure management portal is disabled (in the article, the action I want to perform is in the 4th screenshot). Has anyone encountered anything like that? Below is the appRoles part of my application manifest:
"appRoles": [
  {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Can do some stuff",
    "displayName": "AU",
    "id": "c400a00b-f67c-42b7-ba9a-f73d8c67e433",
    "isEnabled": true,
    "origin": "Application",
    "value": "au"
  }
],
Update: Turns out the reason the button was disabled was pretty simple - I had assigned the user previously and just assumed that if I implemented roles in the manifest, it would let me assign them via the "Assign" button even though the user had already been assigned.
Still, it doesn't solve the root issue - after removing the user from the app and assigning them once again, the prompt with role assignment does not show up; the user's "Assigned" status simply changes to "Yes", as if no roles were set within the manifest.
If you don't have permissions to assign roles, the Add role assignment option will be disabled.
1. Sign in to the Azure portal or Azure AD admin center.
2. Select Azure Active Directory > Roles and administrators.
3. Select the Grant permissions to manage user and group assignments role.
4. Select Add assignment, select the desired user, and then click Select to add the role assignment to the user.
Ok, I should have figured it out sooner - the prompt for role assignment does not show up when there is only one role defined in the app manifest, in which case it automatically assigns that role to the user. I figured it out when I looked through all the claims sent to the application and found my single defined role in there.
Dushyant Gill - thank you for the help.
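The self-answer above boils down to two checks a practitioner wants to script: is the appRoles fragment well-formed (unique GUID ids, unique values, valid allowedMemberTypes), and does the "roles" claim in the token the app receives actually contain the role before the app grants access. The following is an added example, not code from the question, the answers or Dushyant Gill's article. The second role ("reader", with a made-up id), the sample claims and the token-building helper are all constructed for this example; the token helper produces a placeholder signature so the block runs offline, and roles_from_token deliberately does not verify the signature - in a real app, signature, issuer and audience validation must be done by a proper token-validation library before any claim is trusted.

```python
import base64
import json
import uuid

# Constructed sample: the appRoles array from the question plus a hypothetical
# second role. With two roles the portal has something to ask about, which is
# why the single-role manifest in the question produced no prompt.
SAMPLE_APP_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "description": "Can do some stuff",
        "displayName": "AU",
        "id": "c400a00b-f67c-42b7-ba9a-f73d8c67e433",
        "isEnabled": True,
        "origin": "Application",
        "value": "au",
    },
    {
        "allowedMemberTypes": ["User"],
        "description": "Read-only access (hypothetical second role)",
        "displayName": "Reader",
        "id": "0f9a6c0e-2d0b-4a4c-9c2a-3b1c4d5e6f70",  # made-up GUID
        "isEnabled": True,
        "origin": "Application",
        "value": "reader",
    },
]


def validate_app_roles(app_roles):
    """Return a list of problems found in an appRoles array (empty list if it looks fine)."""
    problems = []
    seen_ids, seen_values = set(), set()
    for role in app_roles:
        name = role.get("displayName") or role.get("value")
        try:
            uuid.UUID(str(role["id"]))
        except (KeyError, ValueError):
            problems.append(f"role {name!r}: id is missing or not a GUID")
        if role.get("id") in seen_ids:
            problems.append(f"role {name!r}: duplicate id {role.get('id')}")
        seen_ids.add(role.get("id"))
        if not role.get("value"):
            problems.append(f"role {name!r}: value is empty")
        elif role["value"] in seen_values:
            problems.append(f"role {name!r}: duplicate value {role['value']!r}")
        seen_values.add(role.get("value"))
        bad_types = set(role.get("allowedMemberTypes", [])) - {"User", "Application"}
        if bad_types:
            problems.append(f"role {name!r}: unknown allowedMemberTypes {sorted(bad_types)}")
    return problems


def enabled_role_values(app_roles):
    """Set of role values the manifest currently allows to be assigned."""
    return {r["value"] for r in app_roles if r.get("isEnabled") and r.get("value")}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def roles_from_token(token):
    """Read the 'roles' claim from a JWT payload. Signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token")
    payload = json.loads(_b64url_decode(parts[1]))
    roles = payload.get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("roles claim must be a JSON array")
    return roles


def is_authorized(token, required_role, app_roles):
    """Grant only if required_role is an enabled manifest role AND present in the token."""
    if required_role not in enabled_role_values(app_roles):
        return False
    return required_role in roles_from_token(token)


def make_sample_token(claims):
    """Build a constructed token for offline testing; the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    print("manifest problems:", validate_app_roles(SAMPLE_APP_ROLES))
    tok = make_sample_token({"roles": ["au"], "aud": "example-client-id"})
    print("roles in token:", roles_from_token(tok))
    print("au allowed:", is_authorized(tok, "au", SAMPLE_APP_ROLES))
    print("reader allowed:", is_authorized(tok, "reader", SAMPLE_APP_ROLES))
```

The authorization decision is made against the token's roles claim, not against whether the user is listed as "Assigned" in the portal; a user whose token carries no roles claim is denied, and a role that is disabled or absent from the manifest is denied even if a token somehow names it.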
jspi, only global administrators and user account administrators of the directory can assign users and groups to applications - can you confirm that the signed in user is in one of those two directory roles?