PHP Azure OAuth JWT App Roles

Question

I've created an application in an Azure AD from a manifest with several appRoles inside of it, and I can assign users to these roles. After a user completes the single sign on, returns to my application and I then request a JSON Web Token from their login. The problem is, there are no assigned roles listed in the token I get back from Azure, as it would suggest there's supposed to be here.

Is there a configuration option I'm missing or is there an alternate way to find out their assigned role through the Azure Graph API?

---

Update:

After specifying the resource as the App ID URI when requesting the authorisation URL I've managed to get a little further.

I'm now getting back the following error (in the return URL):

"The signed in user '<user email>' is not assigned to a role for the application '<app client id>'."

The user has definitely been assigned a role in the Azure AD control panel for the app, and the app client id in the error message matches the app's client id exactly.

---

Application config:

User assigned a role:

Error message after logging in and returning to app:

Answer 1

@Phlip,Could you please try to set your application permission using PowerShell?

#1.down load Azure AD powershell and login in using your user in AD
$msolcred=get-credential
connect-msolservice -credential $msolcred

#2. get principal Id 
$ClientIdWebApp = '5b597c35-**-**-ad05-***'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp

# 3. use Add-MsolRoleMember to add it to “Company Administrator” role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId

For more information, please refer to this page: https://msdn.microsoft.com/en-us/library/azure/dn919663.aspx and Use this methods to add member into role:

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "[email protected]"

Any updates or results, please let me know.