
I'm working with Azure AD B2C and I have a requirement regarding the inclusion of "roles" claim in JWT tokens for authorization purposes. My goal is to assign different access levels and permissions based on user roles within my application.

Expected results:

I expect Azure AD B2C to provide native support for the "roles" claim in JWT tokens, allowing me to easily manage and validate user roles during authorization.

Actual results:

However, my research on this topic has not yielded clear information about whether Azure AD B2C supports the "roles" claim. The official Microsoft documentation does not provide recent information specifically addressing this aspect.

What I've tried:

I have thoroughly searched through various resources, including SO, Microsoft documentation, and developer forums, to find any updates or insights on this matter. However, I couldn't find concrete information that definitively states whether Azure AD B2C supports the "roles" claim in JWT tokens or offers any recommended approach to handle user roles.

Why it didn't meet my needs:

The lack of specific information has made it challenging for me to implement role-based authorization using Azure AD B2C. Without clarity on whether Azure AD B2C supports the "roles" claim, I am unsure about the best approach to achieve my desired functionality.

Does Azure AD B2C support the "roles" claim in JWT tokens, or are there alternative approaches or workarounds to achieve role-based authorization within Azure AD B2C?

James Z
Bryon Gloden

2 Answers


It's not that B2C doesn't support the roles claim, but it doesn't support managing roles within the B2C tenant (sort of).

You could always have an external store of roles, or roles assigned within B2C's AAD directory, and then use an API/Graph API to retrieve those roles and populate a roles claim as part of your B2C journey. However, you're going to need to implement and host that API outside of B2C.

If you're using custom policies and local accounts (i.e. email & password stored in the B2C directory) there's another approach you can take, but it's not documented and not officially supported.

The way local accounts work in custom policies is that B2C makes an ROPC call to the underlying AAD, requesting a token for the IdentityExperienceFramework application. That ROPC call can return roles, and those roles can be mapped to a roles claim in B2C and returned back to the relying party as part of the user's id_token and access_token.

To achieve that you need to update the IdentityExperienceFramework application's manifest to expose user roles (these will be the roles that get assigned to individual users). You then need to assign users to that application, giving them one of the roles. Finally, you need to add the roles claim as an output claim to the ROPC call, to the self-asserted page making the ROPC call, and to the relying party definition.

Dave D

Assuming I understood your question correctly, the short answer is: No, as of today Azure Active Directory B2C does not support roles within the 'role' claim for custom applications. At least the official documentation for Azure AD B2C does not describe this feature. For more information, see this post.

However, depending on your use case, you could use the regular Azure Active Directory. The regular version allows you to create custom roles within your application, which are sent in the 'roles' claim of the access token. Unfortunately, this will only allow your users to sign in via one of their Microsoft accounts (work, school or personal). See the documentation for this. Hence, it does not provide e.g. Social Logins via other providers like Azure AD B2C does.

See this article for adding roles to your Azure AD application, in case using Azure AD is an option for you.

Felix
  • Are you sure this also works for B2C (not regular AAD)? https://feedback.azure.com/d365community/idea/dbc5c7b4-b125-ec11-b6e6-000d3a4f0789 – Erik Oppedijk Jun 21 '23 at 18:11
  • @ErikOppedijk Yes, you're right, it seems that this feature is not supported yet. I changed the answer accordingly. – Felix Jun 22 '23 at 06:45