
Working to establish Azure AD system-managed identity between APIs, I have defined a custom role for my target API in the manifest of the application.

"appRoles": [
    {
        "allowedMemberTypes": [
            "Application"
        ],
        "description": "Allow the application to read all things as itself.",
        "displayName": "Read all things",
        "id": "86a914fa-a862-4962-9975-be5c9a05dca3",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "Things.Read.All"
    }
]

Now I want to assign this role to the API that is going to call it, so I can validate it in the access token received from AzureServiceTokenProvider. The problem is that I don't see the system-assigned identity in the app registration.

There is a button under Identity (where the system-assigned identity is declared), 'Azure Role Assignments', which leads to Add Role Assignment. There is a list of roles available here. I was looking for the custom role I have defined; it is not in the drop-down.

How do I assign the defined role to the system identity so it can access the API or APIs that it is allowed to, and no more? I expect to get this role in the access token. Is this the correct expectation?

Braiam
Tauqir

1 Answer


What you have defined is an app role. But "Azure Role Assignments" is for assigning roles on a subscription. They are two totally different things.

You can use Microsoft Graph API to Grant an appRoleAssignment to a service principal.

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110

{
  "principalId": "principalId-value",
  "resourceId": "resourceId-value",
  "appRoleId": "appRoleId-value"
}

In this example, {id} and {resourceId-value} would both be the object id of the resource service principal, which is the enterprise app associated with the Azure AD app you have created appRoles in. You can find it like this:

[screenshots]

And {principalId-value} would be the id of the Azure resource managed identity. Find it here:

[screenshot]

{appRoleId-value} is the id of the app role you created in the manifest.

[screenshot]

You could use an admin account to log into Microsoft Graph Explorer to call Microsoft Graph API.

If you want to verify if the result is successful, please navigate to Azure Portal -> Azure Active Directory -> Enterprise applications -> All Applications. Enter the name of the Azure resource.

[screenshot]

Then you will find the app role (application permission) has been granted.

[screenshot]

Allen Wu
  • Allen, really appreciate your detailed response and thank you very much for pointing out exactly where to take every id from. I am testing this in a corporate env with many layers of authorization. When I use an access token acquired by me, I got an error { "code": "InvalidAuthenticationToken", "message": "Access token validation failure. Invalid audience." I got an admin to try and he got the same error. Any ideas? – Tauqir Jul 30 '20 at 08:06
  • @Tauqir Looks like you are getting a token for an incorrect resource or scope. The correct one should be `https://graph.microsoft.com/.default`. – Allen Wu Aug 03 '20 at 07:37
  • Allen, To clarify, my question was about the call to graph api, in the step to grant the appRole. Is there a UI for that step. Finally I want to get the Token for the API where I have defined my appRole. I am using the ApplicationIDURI of that service as resource in azureServiceTokenProvider.GetAccessTokenAsync(resource). That is where I will expect this Role to appear. My solution is working end to end except that I am not able to add role validation in my Target api due to this missing role in the token. – Tauqir Aug 04 '20 at 12:41
  • @Tauqir There is no UI for this step. If you have followed my steps, the role should be included in the access token. Can you make it clearer what issue you are still facing now? – Allen Wu Aug 05 '20 at 04:09
  • I cannot get a Token for .default scope. I can get one for graph.microsoft.com. I will ask a different question. It is useful discussion but not hidden here. – Tauqir Aug 06 '20 at 00:08
  • @Tauqir Yes. A new post would be better; it will get more attention. – Allen Wu Aug 06 '20 at 01:41
  • This worked for me. I'd recommend using https://developer.microsoft.com/en-us/graph/graph-explorer; it automatically asks you to consent to the permissions for the Graph app to execute the role assignment. – Martijn Nov 04 '21 at 08:20
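The following is an added example (not code from the question or the answer above) that scripts the answer's Graph call and the check the asker wants to add to the target API. It takes the `appRoles` block from the question, resolves the role id by its `value`, builds the `POST .../servicePrincipals/{id}/appRoleAssignedTo` request exactly as the answer lays it out (the resource service principal's object id appears both in the URL and as `resourceId`, the managed identity's object id as `principalId`), and then shows the authorization check the target API can run on an already-validated token: `aud` must be the API itself and `roles` must contain the role's `value`. `RESOURCE_SP_ID`, `MANAGED_IDENTITY_ID`, `API_APP_ID_URI` and the `GRAPH_TOKEN` environment variable are constructed placeholders, not values from the page; the token used for the Graph call must be issued for Microsoft Graph (scope `https://graph.microsoft.com/.default`, as the comments note), otherwise Graph answers with the "Invalid audience" error quoted above.

```python
"""Grant an Azure AD app role to a managed identity via Microsoft Graph and
check the resulting `roles` claim. Added example; all ids below except the
app role id taken from the question's manifest are constructed placeholders."""
import json
import os
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

# appRoles block from the question's manifest (the role id is the page's own).
APP_ROLES = [
    {
        "allowedMemberTypes": ["Application"],
        "description": "Allow the application to read all things as itself.",
        "displayName": "Read all things",
        "id": "86a914fa-a862-4962-9975-be5c9a05dca3",
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": "Things.Read.All",
    }
]

# Constructed placeholder ids (not real tenant values).
RESOURCE_SP_ID = "11111111-2222-3333-4444-555555555555"      # object id of the target API's enterprise app
MANAGED_IDENTITY_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # object id of the system-assigned identity
API_APP_ID_URI = "api://example-target-api"                  # constructed Application ID URI of the target API


def find_app_role_id(app_roles, value):
    """Return the id of the enabled app role whose `value` matches and that a
    service principal may hold ("Application" in allowedMemberTypes)."""
    for role in app_roles:
        if (role.get("value") == value and role.get("isEnabled")
                and "Application" in role.get("allowedMemberTypes", [])):
            return role["id"]
    raise LookupError(f"no enabled application role with value {value!r}")


def build_app_role_assignment(resource_sp_id, principal_id, app_role_id):
    """Build the Graph request from the answer: POST to the *resource* service
    principal's appRoleAssignedTo, with resourceId equal to that same object id."""
    for val in (resource_sp_id, principal_id, app_role_id):
        uuid.UUID(val)  # every id must be a GUID; raises ValueError otherwise
    url = f"{GRAPH}/servicePrincipals/{resource_sp_id}/appRoleAssignedTo"
    body = {
        "principalId": principal_id,
        "resourceId": resource_sp_id,
        "appRoleId": app_role_id,
    }
    return url, body


def post_assignment(url, body, graph_token):
    """Send the request with a token whose audience is Microsoft Graph
    (scope https://graph.microsoft.com/.default). Network call; not run offline."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {graph_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def caller_has_role(claims, expected_audience, required_role):
    """Authorization check for the target API, run on claims the JWT middleware
    has already validated (signature, issuer, expiry). An app-only token for a
    principal holding the assignment carries the role's `value` in the `roles`
    claim; `aud` must be this API, never another resource such as Graph."""
    if claims.get("aud") != expected_audience:
        return False
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    role_id = find_app_role_id(APP_ROLES, "Things.Read.All")
    url, body = build_app_role_assignment(RESOURCE_SP_ID, MANAGED_IDENTITY_ID, role_id)
    print(url)
    print(json.dumps(body, indent=2))
    token = os.environ.get("GRAPH_TOKEN")  # assumed env var holding a Graph access token
    if token:
        print(post_assignment(url, body, token))
```

Run without `GRAPH_TOKEN` to see the URL and body you would paste into Graph Explorer; with it set, the script performs the POST itself. `caller_has_role` deliberately takes decoded claims rather than a raw token so that signature and issuer validation stay in the API's existing JWT middleware and this check only adds the audience and role test.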