How to include roles in issued token when using multi-tenant Azure AD with Azure AD B2C?

Question

I've set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C, so administrators of the Azure ADs can manage their own users. The sign-in works and I now want to support app roles.

I've defined app roles in the application manifest of the Azure AD B2C application and the roles are selectable in the Azure ADs. So far, so good, but the roles claim isn't included in the obtained token when signing in. I found that the roles claim isn't included by default in tokens issued by Azure AD B2C, but is it somehow possible to include the roles?

The roles are defined in the application manifest:

The roles are selectable in the Azure ADs:

Answer 1

Please check if below references can be worked around:

1. Please try to include assign the user to the same app roles from azure ad tenant by assigning users/groups to the created app roles as you did.Then refresh the portal and app and Then try to get token from b2c endpoint.

2. Please try to check the use of custom claims in azure ad B2C in which the consumer can select required role during the signup process which is returned in the token as well. reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom for more details.

3. Try to create an extension attribute with some name extension_role . read the attribute on sign in/up:

   <TechnicalProfile Id="AAD-UserReadUsingObjectId">
     <Metadata>
       <Item Key="Operation">Read</Item>
       <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
     </Metadata>
     <IncludeInSso>false</IncludeInSso>
     <InputClaims>
       <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
     </InputClaims>
     <OutputClaims>
       <OutputClaim ClaimTypeReferenceId="extension_role" />
     </OutputClaims>
     <IncludeTechnicalProfile ReferenceId="AAD-Common" />
   </TechnicalProfile>
   

reference: custom-roles-on-azure-ad-b2c|SO

4. Other wise you can try to manually configure app to call microsoft graph api and get the role in token:

reference

     public async Task<string> GetUserRoleByObjectId(string objectId)
        {
            return await SendGraphGetRequest("/users/" + objectId + 
            "/$links/memberOf", null);
        }

Other reference:

1. Can a B2C Access Token include app roles assigned to the user(github)

Answer 2

Solved by passing through the roles claim:

1. Open the TrustFrameworkExtensions.xml file and add the following ClaimType element with an identifier of roles to the ClaimsSchema element:

<ClaimType Id="roles">
  <DisplayName>Roles</DisplayName>
  <DataType>stringCollection</DataType>
  <UserInputType>Readonly</UserInputType>   
</ClaimType>       

2. Add the OutputClaim element to the TechnicalProfile element used for configuring Azure AD as an identity provider:

<ClaimsProvider>
  <DisplayName>Common AAD</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AADCommon-OpenIdConnect">
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="roles" PartnerClaimType="roles" />
      </OutputClaims>
      ...
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

3. Save the TrustFrameworkExtensions.xml file.

4. Open the relying party policy file, such as SignUpOrSignIn.xml, and add the OutputClaim element to the TechnicalProfile:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="roles" />
    </OutputClaims>
    ...
  </TechnicalProfile>
</RelyingParty>

5. Save the policy file.

The token now includes roles:

{
  ...
  "roles": [
    "invoice-approver",
    "invoice-creator"
  ],
  ...
}