
Is it possible to assign multiple roles to a user or group in Azure AD?

When I add an appRoles section to my application manifest in Azure AD, I can assign users and groups to roles in the management portal.

  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Can read data.",
      "displayName": "Data Reader",
      "id": "67fba7fa-e54e-4258-b95d-32b082eb771d",
      "isEnabled": true,
      "value": "reader"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Can create and edit data.",
      "displayName": "Data Writer",
      "id": "e36736c5-e923-435e-8e44-6cae90792931",
      "isEnabled": true,
      "value": "writer"
    }
  ],

However, the UI only allows me to assign a single role to a user or group.

I can't find how to assign multiple roles to a user or group. I can add the user to multiple groups and assign roles to members of that group, which will result in multiple role claims in the token for that user, but this seems awkward.

Am I missing something? Is there a way to assign multiple roles to a user or group?

MvdD asked Oct 20 '15 17:10


2 Answers

You can assign multiple roles to the same user in the same app, but it is very limited. Basically add the same user again and select a different role:


The mechanism is very cumbersome and will not scale. If you have AAD Premium Lvl 2, you can associate application roles with groups and when you assign a user to that group, they will gain the roles automatically. The automatic assignment only works for Premium Lvl 2 though.

BgRva answered Sep 18 '22 18:09


This turns out to be a limitation of the Azure management portal. In this blog comment, the AAD PM explains it is possible to assign multiple roles to a user or group through the GraphAPI.

For more info, see section 'Assigning application roles' in this MSDN blog article.

MvdD answered Sep 16 '22 18:09
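Added example (not from either answer or from Microsoft's documentation): building one app role assignment request per role for a single user, using the `appRoles` entries from the question. It assumes the Microsoft Graph v1.0 `appRoleAssignedTo` endpoint, since the answer says only "GraphAPI", and the user and service principal object IDs are constructed placeholders; requests are built and printed, not sent.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: Microsoft Graph v1.0

# appRoles from the question's manifest (ids and values as posted).
APP_ROLES = json.loads("""[
  {"allowedMemberTypes": ["User"], "displayName": "Data Reader",
   "id": "67fba7fa-e54e-4258-b95d-32b082eb771d", "isEnabled": true, "value": "reader"},
  {"allowedMemberTypes": ["User"], "displayName": "Data Writer",
   "id": "e36736c5-e923-435e-8e44-6cae90792931", "isEnabled": true, "value": "writer"}
]""")

# Constructed placeholder object ids, not real directory objects.
USER_ID = "11111111-1111-1111-1111-111111111111"
RESOURCE_SP_ID = "22222222-2222-2222-2222-222222222222"


def build_role_assignments(app_roles, role_values, principal_id, resource_sp_id):
    """Return one (method, url, body) request per requested role.

    Each app role assignment is its own directory object, so granting two
    roles means two POSTs. Unknown, disabled or non-user roles are rejected
    before anything would be sent.
    """
    by_value = {role["value"]: role for role in app_roles}
    url = f"{GRAPH}/servicePrincipals/{resource_sp_id}/appRoleAssignedTo"
    requests = []
    for value in dict.fromkeys(role_values):  # drop duplicates, keep order
        role = by_value.get(value)
        if role is None:
            raise ValueError(f"no app role with value {value!r} in manifest")
        if not role["isEnabled"]:
            raise ValueError(f"app role {value!r} is disabled")
        if "User" not in role["allowedMemberTypes"]:
            raise ValueError(f"app role {value!r} cannot be assigned to users")
        body = {"principalId": principal_id,
                "resourceId": resource_sp_id,
                "appRoleId": role["id"]}
        requests.append(("POST", url, body))
    return requests


if __name__ == "__main__":
    for method, url, body in build_role_assignments(
            APP_ROLES, ["reader", "writer"], USER_ID, RESOURCE_SP_ID):
        print(method, url, json.dumps(body))
```

Rejecting role values that are not in the manifest keeps a typo or a stale role name from turning into an unintended grant.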