App roles in Azure AD

Jeevan B. Manoj
4 min read · Jan 28, 2021

Let’s look at app roles in Azure Active Directory. Before we get started, let me tell you what this post is NOT about.

It’s not detailed technical documentation on the nitty-gritty of app roles and their implementation in Azure Active Directory. For that I refer you to the content below from Microsoft.

· How to: Add app roles to your application and receive them in the token

· Asp dotnetcore RBAC code sample

With that out of the way, let’s begin with App roles!

What are app roles?

In very simple terms, an app role is just a tag that a user, a group or even an entire application carries with them! This in turn paves the way for role-based access control (RBAC), which is a popular mechanism to enforce authorization in applications. When using RBAC, an administrator grants permissions to roles, not to individual users or groups.

For example, let’s look at a survey application called Survey Donkey. Broadly speaking a survey application will need two types of users.

· Survey Maker: Someone who can create a survey which others can take by filling in the details. This person should be able to define the fields in the survey.

· Survey Taker: Someone who can fill in a survey which was created by the Survey Maker.

Now in practice this can be implemented in Azure Active Directory with the help of app roles. The two app roles for our two user types will be, * drumroll * Survey Maker and Survey Taker!

Let’s take a look at a couple of scenarios below.

· Alice is our Survey Maker, and when Alice logs into Survey Donkey, the Survey Donkey application should be able to know that Alice is a Survey Maker and show her the ‘Make Survey Page’, which is ONLY accessible to the ones with the Survey Maker app role! At the end of the day, it’s a tag whose presence in the ID TOKEN identifies the entity as belonging to a particular app role, which in this case is Survey Maker.

· Bob is a survey taker with the app role Survey Taker, and when Bob logs into Survey Donkey he WON’T have access to the ‘Make Survey Page’ at all. He will only see the ‘Take Survey Page’, which only needs the app role ‘Survey Taker’, which he has.

Why do we need it?

Suppose Azure AD didn’t provide this mechanism to tag users based on roles. The application developers would have had to implement and maintain the database of roles, create and maintain the portal to add users and groups to roles, and query it whenever a user signs in! Azure AD provides all of it out of the box.

How to?

The official Microsoft RBAC how-to documentation is better equipped to handle the how’s of app roles, but I am just going to put the bare minimum here.

To create an app role by using the Azure portal’s user interface:

  1. Sign in to the Azure portal.
  2. Select the Directory + subscription filter in top menu, and then choose the Azure Active Directory tenant that contains the app registration to which you want to add an app role.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations, and then select the application you want to define app roles in.
  5. Select App roles | Preview, and then select Create app role.
  6. In the Create app role pane, enter the settings for the role. The table following the image describes each setting and its parameters.

Before we wrap up, let’s look at the app role FAQ.

1. As an application developer, where can I see the roles a particular user, group or application has?

The list of app roles will show up in the roles claim of the ID TOKEN.

2. What are the differences between app roles and groups?

Groups are independent of your application. They live on even after the application registration is removed. More details here: Add app roles and get them from a token — Microsoft identity platform | Microsoft Docs

3. How do I add users and groups to an app role I just created?

Refer to the MS docs here: Add app roles and get them from a token — Microsoft identity platform | Microsoft Docs

NOTE: Azure AD only provides a mechanism to define an app role, add users, groups or applications to the app role, and eventually show the app roles in the roles claim of the ID TOKEN. What needs to be done based on the app role is left entirely up to the application developer.
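To make that last point concrete, here is an added example (my own, not from the post or from Microsoft’s sample) of the two Survey Donkey roles as they would appear in the app registration manifest, plus the page-level check an application has to write itself. The role ids and the claims for Alice and Bob are constructed placeholders, and the claims are assumed to come from an ID token whose signature has already been validated by your auth library.

```python
# App role definitions in the shape of the manifest's "appRoles" array.
# The "value" field is what Azure AD places in the "roles" claim of the
# ID token; the ids are constructed placeholders, not real role ids.
APP_ROLES = [
    {"allowedMemberTypes": ["User"], "displayName": "Survey Maker",
     "description": "Can create surveys and define their fields",
     "id": "11111111-1111-1111-1111-111111111111",
     "isEnabled": True, "value": "SurveyMaker"},
    {"allowedMemberTypes": ["User"], "displayName": "Survey Taker",
     "description": "Can fill in surveys created by a Survey Maker",
     "id": "22222222-2222-2222-2222-222222222222",
     "isEnabled": True, "value": "SurveyTaker"},
]

# Authorization policy owned by the application. Azure AD does not know
# about pages; mapping role values to pages is the developer's job.
PAGE_POLICY = {
    "MakeSurveyPage": {"SurveyMaker"},
    "TakeSurveyPage": {"SurveyTaker"},
}


def roles_from_claims(claims: dict) -> set:
    """Return the app-role values present in signature-validated claims.

    The "roles" claim is simply absent when the user has no assignment,
    so treat a missing claim as "no roles" rather than as an error.
    Only values that match an enabled role in APP_ROLES are kept.
    """
    roles = claims.get("roles", [])
    if isinstance(roles, str):  # be tolerant of a single-string claim
        roles = [roles]
    enabled = {r["value"] for r in APP_ROLES if r["isEnabled"]}
    return {r for r in roles if r in enabled}


def can_access(claims: dict, page: str) -> bool:
    """Deny by default: unknown pages and users without a matching role fail."""
    required = PAGE_POLICY.get(page)
    if not required:
        return False
    return bool(roles_from_claims(claims) & required)


# Constructed sample claims, as a validated ID token would present them.
ALICE_CLAIMS = {"preferred_username": "alice@example.com", "roles": ["SurveyMaker"]}
BOB_CLAIMS = {"preferred_username": "bob@example.com", "roles": ["SurveyTaker"]}
CAROL_CLAIMS = {"preferred_username": "carol@example.com"}  # no assignment

if __name__ == "__main__":
    for name, claims in [("Alice", ALICE_CLAIMS), ("Bob", BOB_CLAIMS), ("Carol", CAROL_CLAIMS)]:
        pages = [p for p in PAGE_POLICY if can_access(claims, p)]
        print(f"{name}: roles={sorted(roles_from_claims(claims))} pages={pages}")
```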

Jeevan B. Manoj

A technology enthusiast and a newly minted Product manager at Microsoft. I am also an amateur (very) guitarist and a motorsports fan who writes in his free time