
Azure AD and Azure AD B2C application roles using Application role manager with Microsoft Identity platform #46130

@Ogglas

Description


Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

Using the Microsoft Identity platform is very powerful, but I'm missing roles when using Azure AD B2C. Using normal Azure AD it works very smoothly with either Azure AD App Roles or Azure AD security groups. I tried searching for Role Based Access Control / RBAC for AD B2C, but I could not find any official sample. I also tried to add `"groupMembershipClaims": "SecurityGroup"` to the AD B2C manifest, but nothing is added to access_token, id_token, profile_info or refresh_token on login.

There are no samples for this in https://github.com/azure-ad-b2c/samples either.

The Azure AD docs have a section about application roles and give a theoretical example of Roles using an application role manager, but no code examples of how it could be implemented.

With this approach, application roles are not stored in Azure AD at all. Instead, the application stores the role assignments for each user in its own DB — for example, using the RoleManager class in ASP.NET Identity.

https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-an-application-role-manager

I know you can create extension attributes like this example:

https://stackoverflow.com/a/70427209/3850405

Use API connectors to augment tokens:

https://github.com/azure-ad-b2c/api-connector-samples

Get groups via Microsoft Graph and add them via OnTokenValidated

https://stackoverflow.com/a/71054154/3850405

Custom (IEF) policies:

https://devblogs.microsoft.com/premier-developer/using-groups-in-azure-ad-b2c/ -> URL then leads to a stopped web app


Since AD B2C does not expose any functionality related to Security Groups out of the box, I think this is a big drawback and obstacle for adopting AD B2C. Azure AD App Roles require Azure AD Premium and are out of the question in this case.

Describe the solution you'd like

Write a complete example with application roles using an Application role manager, where the application stores the role assignments for each user in its own DB.

https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-an-application-role-manager

Additional context

No response
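One way the requested "application role manager" pattern can be wired into an ASP.NET Core web app that signs in through Azure AD B2C with Microsoft.Identity.Web, as an added example that is not part of the issue and not code from the ASP.NET Core or Microsoft.Identity.Web projects. It assumes a hypothetical `IAppRoleStore` service (with an `EfAppRoleStore` implementation backed by the app's own DB) that maps the B2C object id to role names; the `AzureAdB2C` configuration section name is the one the templates use.

```csharp
// Program.cs (ASP.NET Core, Microsoft.Identity.Web). Roles are never read from Azure AD B2C:
// after B2C has validated the token, OnTokenValidated loads the user's roles from this
// app's own DB and adds them as role claims, so [Authorize(Roles = ...)] works as usual.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical: EfAppRoleStore is this app's own DB-backed implementation of IAppRoleStore.
builder.Services.AddScoped<IAppRoleStore, EfAppRoleStore>();

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var previous = options.Events.OnTokenValidated; // keep Microsoft.Identity.Web's own handler
    options.Events.OnTokenValidated = async ctx =>
    {
        if (previous is not null) await previous(ctx);
        var identity = (ClaimsIdentity)ctx.Principal!.Identity!;

        // Key the lookup on the immutable object id (oid; falls back to sub/NameIdentifier),
        // never on a mutable value such as e-mail or display name.
        var oid = identity.FindFirst("oid")?.Value
               ?? identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (oid is null) { ctx.Fail("token carries no object id"); return; }

        var store = ctx.HttpContext.RequestServices.GetRequiredService<IAppRoleStore>();
        var roles = await store.GetRolesAsync(oid, ctx.HttpContext.RequestAborted);

        // Only the app's DB is authoritative: drop any role claims the token happened to carry,
        // then add the DB roles using the identity's configured role claim type.
        foreach (var stale in identity.FindAll(identity.RoleClaimType).ToList())
            identity.RemoveClaim(stale);
        foreach (var role in roles)
            identity.AddClaim(new Claim(identity.RoleClaimType, role));
    };
});

builder.Services.AddAuthorization(o => o.AddPolicy("Admin", p => p.RequireRole("Admin")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/admin", () => "admin only").RequireAuthorization("Admin");
app.Run();

// Hypothetical abstraction over the app's own role-assignment table.
public interface IAppRoleStore
{
    Task<IReadOnlyList<string>> GetRolesAsync(string objectId, CancellationToken ct);
}
```

A user with no row in the role table simply gets no role claims and is denied by `RequireRole`, so the check fails closed.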
