Azure AD roles claim missing in Token
I have an app where the AzureAD login is working fine. However, I would like to identify if the user is in a custom role defined on the App Registration.
I have added my user account to the custom role in the Enterprise Application linked to the App Registration.
The App Registration is set up with ID Token checked.
I have my program.cs with the following code:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.TokenValidationParameters.RoleClaimType = "roles";
});
Yet when look at the User object, it has all my user information but no claim for roles.
Any idea why?
Thanks in advance, Jake.
EDIT: Claims token screenshot (url instead of friendly name for roles, tid, etc.)
To get the Azure AD role claims in ID token, check the below:
Create App roles in Azure AD Application:
In Enterprise Application, I added the role for a user:
Now, I generated tokens via Postman using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
scope:ClientID/.default openid
code:code
redirect_uri:https://jwt.ms
grant_type:authorization_code
client_secret:ClientSecret
When I decoded the ID token, roles are displayed successfully:
The role claims will also be displayed in access token:
Now, I tried to sign-in with the user who is not assigned any roles in the application and the role claims did not display in the ID token:
To get Azure AD role claims using ASP.NET Core web app, refer this GitHub blog by aremo-ms.
In your Startup.cs file modify the code like below:
public void ConfigureServices(IServiceCollection services)
{
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.TokenValidationParameters.RoleClaimType = "roles";
});
services.AddAuthorization(options =>
{
options.AddPolicy(AuthorizationPolicies.AssignmentToUserReaderRoleRequired, policy => policy.RequireRole(AppRole.UserReaders));
options.AddPolicy(AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired, policy => policy.RequireRole(AppRole.DirectoryViewers));
});
}
// In code..(Controllers & elsewhere)
[Authorize(Policy = AuthorizationPolicies.AssignmentToDirectoryViewerRoleRequired)]
// or
User.IsInRole("UserReaders"); // In methods
Reference:
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs