3

Assume I am the manager of 10 different teams who create services defined as AAD Apps that use App Roles. Is there any tool that would help with managing the set of App Roles defined by each service, or would that have to be put together using the REST interface or PowerShell?

ppbitb

1 Answer

6

Application Roles are very specific to the application they are created/defined for. You define them as part of the app registration manifest and then assign these roles to users/groups specifically for this app. In case different apps are using the same API and your app roles are defined for the API app, you could think of some reuse/common management.

So application roles don't really go across different applications. AFAIK there isn't any tool that would help with managing the set of App Roles defined by each service, as you have asked.

Another concept that sometimes gets used for authorization decisions is Azure AD Group membership. Groups do go across multiple applications, and that's the only reason I even mention them here: you could check for group claims for incoming users. Using app-specific roles usually works out better, though, because of their closer relationship with the application. Groups tend to hang around much longer than individual applications, and many times the people managing or owning these groups and their membership are different from the application owners (so their decision-making criteria can be very different too).

Managing Application Roles

Please take a look at this related SO Post - How to manage Azure AD App Roles for Azure AD Users

Here are a few options.

  1. PowerShell -

    You can do this while creating a new app using New-AzureADApplication or for an existing application using Set-AzureADApplication.

    For assigning these roles to existing users, you can use New-AzureADUserAppRoleAssignment

    Please see the PowerShell script at the end.

  2. Azure AD Graph API -

    You can work with AppRole Type and Application entity for managing app roles themselves. Documentation here


    You can work with AppRoleAssignment Entity for assigning these roles to existing Azure AD users etc. Documentation here


  3. Microsoft Graph API -

    Documentation here - Please notice this is available only in beta version - so it's not yet good for production applications.

    Look here for working with App Role Assignments

For your production applications, you could read application roles from a JSON file (part of source control like git etc.) and feed that into one of the programmatic options like PowerShell or the Azure AD Graph API.

Here is the PowerShell script and other related SO Posts

SO Post 1

SO Post 2 (This question discusses parsing json file and updating Application manifest using PowerShell)

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User");
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name;
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

Once you are done with above script to add AppRole, then assigning roles to a user could be done like this -

# Assign the values to the variables
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"

# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }

# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Rohit Saigal
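The answer's script adds one role to one app. The "JSON file in source control" idea from the answer, carried through to the original question (many teams, many services), is a reconcile step: for each app listed in the file, add roles that are missing, update metadata on roles that exist (keeping the role Id stable, since assignments reference it), and disable roles that are no longer listed. Azure AD rejects removal of an enabled app role, so disabling first is the required step anyway, and it gives you a window to find lingering assignments before the role is deleted. The following is an added example, not code from the original answer; it uses the same AzureAD module cmdlets as the answer (that module has since been deprecated in favour of Microsoft Graph PowerShell, but the logic carries over). The JSON layout, the `-RolesFile` parameter, the `-WhatIf` switch and the sample object Id are assumptions; the embedded JSON is a constructed sample, and the script expects `Connect-AzureAD` to have been run already.

```powershell
# Added example: reconcile App Roles on several applications from a JSON definition.
# Not part of the original answer. Assumes Connect-AzureAD has already been run and
# that the AppRole "Value" (the claim value the API sees) is the stable key per role.
param(
    [string] $RolesFile,   # optional path to roles.json under source control
    [switch] $WhatIf       # report changes without calling Set-AzureADApplication
)

# Constructed sample used when no file is given; the appObjectId is a placeholder.
$sampleJson = @'
[
  {
    "appObjectId": "00000000-0000-0000-0000-000000000001",
    "roles": [
      { "value": "Records.Read",  "displayName": "Records Reader",
        "description": "Can read records",  "allowedMemberTypes": ["User", "Application"] },
      { "value": "Records.Write", "displayName": "Records Writer",
        "description": "Can write records", "allowedMemberTypes": ["User"] }
    ]
  }
]
'@

$rolesJson   = if ($RolesFile) { Get-Content -Raw -Path $RolesFile } else { $sampleJson }
$desiredApps = $rolesJson | ConvertFrom-Json

foreach ($desiredApp in $desiredApps) {
    $app     = Get-AzureADApplication -ObjectId $desiredApp.appObjectId
    $current = $app.AppRoles
    if ($null -eq $current) {
        $current = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]
    }
    $changed = $false

    foreach ($want in $desiredApp.roles) {
        $existing = $current | Where-Object { $_.Value -eq $want.value }
        if ($null -eq $existing) {
            # New role: build it the same way the answer's CreateAppRole does.
            $role = New-Object Microsoft.Open.AzureAD.Model.AppRole
            $role.Id                 = New-Guid
            $role.Value              = $want.value
            $role.DisplayName        = $want.displayName
            $role.Description        = $want.description
            $role.IsEnabled          = $true
            $role.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
            foreach ($t in $want.allowedMemberTypes) { $role.AllowedMemberTypes.Add($t) }
            $current.Add($role)
            $changed = $true
            Write-Host "[$($app.DisplayName)] add role $($want.value)"
        }
        elseif ($existing.DisplayName -ne $want.displayName -or
                $existing.Description -ne $want.description -or
                -not $existing.IsEnabled) {
            # Existing role: update metadata only; never change Id, assignments point at it.
            $existing.DisplayName = $want.displayName
            $existing.Description = $want.description
            $existing.IsEnabled   = $true
            $changed = $true
            Write-Host "[$($app.DisplayName)] update role $($want.value)"
        }
    }

    # Roles in the tenant but not in the file: disable, do not delete.
    # Azure AD refuses to remove an enabled role, and a disabled role still shows
    # up in assignment listings so stale grants can be found and cleaned up first.
    $wantedValues = @($desiredApp.roles | ForEach-Object { $_.value })
    foreach ($role in $current) {
        if ($role.IsEnabled -and ($wantedValues -notcontains $role.Value)) {
            $role.IsEnabled = $false
            $changed = $true
            Write-Host "[$($app.DisplayName)] disable role $($role.Value) (not in definition)"
        }
    }

    if (-not $changed) { continue }
    if ($WhatIf) {
        Write-Host "[$($app.DisplayName)] would call Set-AzureADApplication with $($current.Count) roles"
    } else {
        Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $current
    }
}
```

Run it with `-WhatIf` first from a pipeline step that checks out the JSON, then without it once the diff looks right. Keying on `Value` rather than `DisplayName` matters: `Value` is what ends up in the `roles` claim of the token, so it is the string your services authorize on, while display names are free to change.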
  • Thank you for this great response. If you don't mind let me push my question 1 step further. Imagine I have a service returning records. In its implementation I have access to a ClaimsPrincipal that I can use to either access the appRoles or the groups and based on that decide to return content or not. I think that would work for a human user as they can be associated with both appRoles and AAD groups, but that wouldn't work for applications which can only be associated with appRoles but not AAD groups. Is this correct? – ppbitb Jun 07 '19 at 17:57
  • 1
    @Pierre You're welcome! About applications, yes that's my understanding too, so you should make use of appRoles/permissions in case of Applications. Usually it's a smaller number of applications, so you could even maintain your own custom Access Control List (ACL) which checks for specific "appId" in incoming tokens. Using appRoles is a little more declarative though.. Here is an SO thread where I have discussed both approaches to some extent https://stackoverflow.com/questions/55407966/is-there-a-way-to-secure-an-azure-function-that-will-only-be-called-from-a-speci/55411680#55411680 – Rohit Saigal Jun 11 '19 at 23:42
  • 1
    @Pierre Also, in case you make use of Group claims, do know that there are some limitations on the number of group claims that can be returned as part of the token (so that token size doesn't exceed HTTP header size limits). So in case of a high number of groups you may need to fall back to the Microsoft Graph API instead.. I have described this and other related info in detail here https://stackoverflow.com/questions/55288567/how-to-check-if-a-user-is-in-an-ad-group-via-azure-ad/55289376#55289376 – Rohit Saigal Jun 11 '19 at 23:45
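The comment thread turns on the point that users, groups and applications can all hold an App Role, while only users hold group memberships. The answer's `New-AzureADUserAppRoleAssignment` shows the user case; the complementary view, which the original question's manager would actually want across ten teams, is an audit of who holds which role on each service. `Get-AzureADServiceAppRoleAssignment` lists the assignments where a service principal is the resource, and each assignment's `PrincipalType` is `User`, `Group` or `ServicePrincipal`, which is where an application assigned to a role shows up. The following is an added example, not code from the answer or the comments; it uses the AzureAD module like the answer's scripts. The `svc-` display-name prefix is an assumption about how the services are named, and the script expects `Connect-AzureAD` to have been run already.

```powershell
# Added example: audit App Role assignments across a set of services.
# Not part of the original answer. Assumes Connect-AzureAD has already been run.
param(
    [string] $Prefix = "svc-"   # assumed naming convention for the services' app registrations
)

# Service principals are what assignments hang off, not the app registration objects.
$sps = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -like "$Prefix*" }

$report = foreach ($sp in $sps) {
    # Map role Id -> AppRole so the report shows the Value that appears in the token's roles claim.
    $roleById = @{}
    foreach ($r in $sp.AppRoles) { $roleById[$r.Id.ToString()] = $r }

    foreach ($a in Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true) {
        $roleId = $a.Id.ToString()
        $role   = $roleById[$roleId]
        if ($roleId -eq "00000000-0000-0000-0000-000000000000") {
            # Assignment with no role at all (plain "user assignment required" access).
            $roleValue   = "<default access, no role>"
            $roleEnabled = $true
        } elseif ($null -eq $role) {
            # Assignment points at a role that no longer exists in the manifest.
            $roleValue   = "<unknown role $roleId>"
            $roleEnabled = $false
        } else {
            $roleValue   = $role.Value
            $roleEnabled = $role.IsEnabled
        }

        [pscustomobject]@{
            Service       = $sp.DisplayName
            RoleValue     = $roleValue
            RoleEnabled   = $roleEnabled
            PrincipalType = $a.PrincipalType        # User, Group or ServicePrincipal
            Principal     = $a.PrincipalDisplayName
            PrincipalId   = $a.PrincipalId
        }
    }
}

$report | Sort-Object Service, RoleValue, PrincipalType | Format-Table -AutoSize

# Assignments still referencing a disabled or missing role are the ones to remove
# (Remove-AzureADServiceAppRoleAssignment) before the role itself is deleted.
$stale = $report | Where-Object { -not $_.RoleEnabled }
if ($stale) {
    Write-Warning "$($stale.Count) assignment(s) reference a disabled or missing role:"
    $stale | Format-Table Service, RoleValue, PrincipalType, Principal -AutoSize
}
```

Rows with `PrincipalType` equal to `ServicePrincipal` are the application-to-application grants the comments discuss; a `Group` row means every member of that group receives the role's `Value` in their token, which is the group-ownership caveat from the answer showing up in the data.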