How to add App Role for API

Question

How to add App Role for API

Keith Viking 20

I'm creating an API using .Net 6 (Core project). I need to setup our Azure account with a client credential. I followed the steps from a tutorial and can't find the option to create a role.

I found a possible solution which is to add the following into the Manifest file

"appRoles": [
  {
    "allowedMemberTypes": ["Member"],
    "displayName": "Access 1",
    "id": "1",
    "isEnabled": true,
    "description": "Description"
  },

This didn't allow me to save. I saved the details EXACTLY as I've posted above so I don't know if it was expecting actual value for it to save in which case I didn't know where to look for those values.

How do I add an app role for my WebApi Application in Azure?

Do I need to host my application within Azure or can I have the application on our server but use App Registration to hold the client credentials and other details but host the application on my server

Konstantinos Passadis 19,586 MVP

Hello @Keith Viking !

To add an app role for your WebApi Application in Azure, you need to follow these steps:

Go to the Azure portal and select your Azure AD tenant.

Click on "App registrations" and select your WebApi application.

Click on "Manifest" and add the following JSON to the "appRoles" section:



**"appRoles": [**

  **{**

    **"allowedMemberTypes": [**

      **"Application"**

    **],**

    **"displayName": "My App Role",**

    **"id": "12345678-1234-1234-1234-123456789abc",**

    **"isEnabled": true,**

    **"description": "Description of my app role."**

  **}**

**]**

Save the changes to the manifest.

Assign the app role to a user or group by going to the "Enterprise applications" section, selecting your WebApi application, and clicking on "Users and groups". Then, click "Add user/group" and select the user or group to assign the app role to.

You do not need to host your application within Azure to use App Registration to hold the client credentials and other details. You can host your application on your own server and use the Azure AD App Registration to authenticate users and authorize access to your WebApi.

I hope this helps!

Assisting Source: ChatGPT Subscription

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards

Keith Viking 20 Reputation points

2023-05-06T09:29:07.12+00:00

Thank you! I assume I can remove the ** that you have around the values and fields? Where do I obtain the ID from? Or can I have any number in there?
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-06T09:42:38.9333333+00:00

Hello @Keith Viking !

Yes there are 2 ways :

For Azure Specific roles open Cloud Shell, switch to Powershell,provide the command as in the Example

Get-AzRoleDefinition -Name "Contributor"

The Output looks like :

Name : Contributor

Id : b24988ac-6180-42a0-ab88-20f7382dd24c

IsCustom : False

Description : Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

Actions : {*}

NotActions : {Microsoft.Authorization//Delete, Microsoft.Authorization//Write, Microsoft.Authorization/elevateAccess/Action, Microsoft.Blueprint/blueprintAssignments/write…}

DataActions : {}

NotDataActions : {}

AssignableScopes : {/}

And for Azure AD Roles

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference?WT.mc_id=Portal-Microsoft_AAD_IAM

All the Ids are there as well as in the Roles and Administartors Page of Azure AD

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Keith Viking 20 Reputation points

2023-05-06T11:38:08.32+00:00

Hi so that looking you provided it's for users but this is an application?
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-06T12:22:55.8033333+00:00

Hello @Keith Viking !

In Azure, you can assign roles to applications (also known as service principals) in order to grant them permissions to access resources or APIs. These roles can be assigned at various scopes, such as the subscription, resource group, or individual resource level, and can provide different levels of access, such as read, write, or owner permissions. This allows applications to access the resources they need to perform their intended functions, while also helping to ensure that they do not have more access than necessary.

Do you know the role you need to add ?

I provided the How-to which is done the way i showed and by getting the Role ID , with an example of the Role Contributor!

The way you describe i guess you need a Contributor role but i am nor sure ! What does the APP do ? Maybe you mixed Azure Web Apps , with App Registrations :

1.Azure Web Apps is a [cloud computing](https://en.wikipedia.org/wiki/Cloud_computing"Cloud computing") based platform for hosting websites, created and operated by Microsoft. It is a [platform as a service](https://en.wikipedia.org/wiki/Platform_as_a_service"Platform as a service") (PaaS) which allows publishing Web apps running on multiple frameworks and written in different programming languages ([.NET](https://en.wikipedia.org/wiki/.NET_Framework".NET Framework"), node.js, PHP, [Python](https://en.wikipedia.org/wiki/Python_(programming_language)"Python (programming language)") and [Java](https://en.wikipedia.org/wiki/Java_(programming_language)"Java (programming language)")), including Microsoft proprietary ones and 3rd party ones

2.Azure App registrations are an easy and powerful way to configure authentication and authorization workflows for a variety of different client types. Everything from Android to a SAML application can be configured to use an app registration. With the additional ability to restrict APIs and protected endpoints, you can quickly create a registration that just allows the permissions and abilities that your organization defines as needed!

Taken from https://petri.com/understanding-azure-app-registrations/#:~:text=Azure%20App%20registrations%20are%20an%20easy%20and%20powerful,can%20be%20configured%20to%20use%20an%20app%20registration.

Have a look , and come back to resolve the issue or maybe this helps !

it is always good to have as much info as possible!

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-06T13:42:04.5633333+00:00

Hello @Keith Viking !

I hope my info cleared out any misunderstanding ( if any) So the Powershell i provided earlier is to get the ID of the Role so you can assign it via the Code to your Application Registration. The Applicaton can use this Role to make Authentication calls and be authorized as the specific Role

ALSO :

An Application can access specific APIs. In addition to accessing your own web API on behalf of the signed-in user, your application might also need to access or modify the user's (or other) data stored in Microsoft Graph. Or you might have service or daemon app that needs to access Microsoft Graph as itself, performing operations without any user interaction.

This link provides info

https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Keith Viking 20 Reputation points

2023-05-06T15:05:42.91+00:00

Hi, thanks for your help! I'll read through the links soon. As for what the app does, all I would like to do is have a few Get requests and a few POST requests for my application which is a WebApi Core running under .Net 6. I would like to create credentials stored on Azure so I can give these out to those that need access to the functions I mentioned. The functions would retrieve data and send data to our database but I would like to protect the WebApi with user credentials so I can assess who has access to the service (as in the API) so only users that we create credentials for have access. Please note we already have Azure Active directory containing directory for users so I don't want them to access the data unless they have access to the credentials I provide. Hope this is a little more clearer? Let me know if I need to take a different approach or can continue with the ideas from above. Thank you
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-06T16:08:40.0733333+00:00
Hello @Keith Viking !

Here are the high-level steps to achieve this:

Register your Web API application in Azure AD using the Azure portal.

Configure your Web API application to accept JWT access tokens issued by Azure AD.

In your Web API application, add the [Authorize] attribute to the controller or action methods that require authentication.

Configure the authentication middleware in your Web API application to use Azure AD as the authentication provider.

Configure the authorization middleware in your Web API application to validate the user's claims and roles.

Create and assign Azure AD application roles to control access to your Web API endpoints. * this is already described from my earlier response *

Create and manage user and service principal accounts in Azure AD, and assign them to the appropriate Azure AD application roles.

Once you have implemented Azure AD authentication and authorization in your Web API, you can use the Azure AD authentication libraries to obtain an access token for your Web API using a client application or script. This access token can be used to call your Web API endpoints and retrieve or modify data.

For more information on implementing Azure AD authentication and authorization for a Web API, see the following resources:

Secure a Web API with Azure AD

Azure AD authentication for .NET Core Web API

Protect a web API using OAuth 2.0 with Azure Active Directory and API Management

Please read carefullu and take your time to understand !

ALSO

Here is a SAMPLE Manifest ( It is only a sample based on my uderstanding !!)

{ "appId": "<APP_ID>", "appRoles": [ { "allowedMemberTypes": [ "User" ], "description": "Can read data", "displayName": "Read", "id": "9e34523e-f6dd-4821-8788-39af5d6cf579", "isEnabled": true, "value": "Data.Read" }, { "allowedMemberTypes": [ "User" ], "description": "Can write data", "displayName": "Write", "id": "b0be2916-3a04-4f3e-8cf8-1de59459f1e2", "isEnabled": true, "value": "Data.Write" } ], "availableToOtherTenants": false, "displayName": "My App", "groupMembershipClaims": null, "identifierUris": [ "https://myapp.com" ], "oauth2AllowImplicitFlow": false, "optionalClaims": null, "orgRestrictions": [], "parentalControlSettings": { "countriesBlockedForMinors": [], "legalAgeGroupRule": "Allow" }, "passwordCredentials": [ { "customKeyIdentifier": null, "endDate": "2022-05-31T16:38:41.8606916Z", "keyId": "<KEY_ID>", "startDate": "2021-05-31T16:38:41.8606916Z", "value": "<KEY_VALUE>" } ], "publicClient": null, "replyUrls": [ "https://myapp.com/signin-oidc" ], "requiredResourceAccess": [ { "resourceAppId": "<RESOURCE_APP_ID>", "resourceAccess": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" } ] } ], "samlMetadataUrl": null, "signInAudience": "AzureADMultipleOrgs", "spa": { "redirectUris": [ "https://myapp.com/redirect" ] }, "tags": null, "tokenEncryptionKeyId": null }

The answer or portions of it may have been assisted by AI Source: ChatGPT Subscription

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-07T15:16:25.73+00:00

Hello @Keith Viking !

Do you have any feedback or your issue is resolved?

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Keith Viking 20 Reputation points

2023-05-08T06:49:48.47+00:00
@Konstantinos Passadis The problem is the amount of links provided is unreal. I started with a course but the steps in the course are different to what im seeing on the Azure site.

I then posted this question, https://learn.microsoft.com/en-us/answers/questions/1275119/how-do-i-protect-web-api I thought i was getting on track until i tried adding A ROLE.

So i then posted this question and when adding a role i was getting the error "Cannot convert primitive type value to expected type edm.XXXX" .

The link you provided for the quickstarts states to add a Scope - the link i posted above states do not create a scope? Who is right?

How can anyone understand anything when the information out there isnt correct and getting different advice/steps?

When i add

{ "allowedMemberTypes": [ "User" ], "description": "Can read data", "displayName": "Read", "id": "9e34523e-f6dd-4821-8788-39af5d6cf579", "isEnabled": true, "value": "Data.Read" },

This saves with any ID but then Application permission is not available see this thread for the issue im facing https://stackoverflow.com/questions/57379397/why-is-application-permissions-disabled-in-azure-ads-request-api-permissions

If i change

"allowedMemberTypes": [ "User" ],

To Application (from User to Application to grant the API access) then it wont save and i get the error "One or more properties contains invalid values."
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-09T09:34:58.12+00:00
Hello @Keith Viking !

I think i found something :

The reason for this error is that the allowedMemberTypes property is not applicable for application permissions. It is only applicable for delegated permissions, where you can specify whether the permission applies to users, groups, or both.

For application permissions, you can omit the allowedMemberTypes property altogether. Here is an example of what the JSON should look like for an application permission:

{ "adminConsentDescription": "Allow the app to read data from your organization", "adminConsentDisplayName": "Read data", "id": "9e34523e-f6dd-4821-8788-39af5d6cf579", "isEnabled": true, "type": "Application", "userConsentDescription": "Allow the app to read data from your organization", "userConsentDisplayName": "Read data", "value": "Data.Read" }

Notice that the allowedMemberTypes property is not present, and the type property is set to "Application". Once you make this change, you should be able to save the permission without any errors, and it should be available for your API to request.

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Accepted answer

0 additional answers

Your answer

Konstantinos Passadis 19,586 Reputation points MVP

2023-05-06T09:11:11.92+00:00

Hello @Keith Viking !

To add an app role for your WebApi Application in Azure, you need to follow these steps:

Go to the Azure portal and select your Azure AD tenant. Click on "App registrations" and select your WebApi application. Click on "Manifest" and add the following JSON to the "appRoles" section: **"appRoles": [** **{** **"allowedMemberTypes": [** **"Application"** **],** **"displayName": "My App Role",** **"id": "12345678-1234-1234-1234-123456789abc",** **"isEnabled": true,** **"description": "Description of my app role."** **}** **]** Save the changes to the manifest. Assign the app role to a user or group by going to the "Enterprise applications" section, selecting your WebApi application, and clicking on "Users and groups". Then, click "Add user/group" and select the user or group to assign the app role to.

You do not need to host your application within Azure to use App Registration to hold the client credentials and other details. You can host your application on your own server and use the Azure AD App Registration to authenticate users and authorize access to your WebApi.

I hope this helps!

Assisting Source: ChatGPT Subscription

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Keith Viking 20 Reputation points

2023-05-06T09:29:07.12+00:00

Thank you! I assume I can remove the ** that you have around the values and fields? Where do I obtain the ID from? Or can I have any number in there?
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-06T09:42:38.9333333+00:00

Hello @Keith Viking !

Yes there are 2 ways :

For Azure Specific roles open Cloud Shell, switch to Powershell,provide the command as in the Example

Get-AzRoleDefinition -Name "Contributor"

The Output looks like :

Name : Contributor

Id : b24988ac-6180-42a0-ab88-20f7382dd24c

IsCustom : False

Description : Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

Actions : {*}

NotActions : {Microsoft.Authorization//Delete, Microsoft.Authorization//Write, Microsoft.Authorization/elevateAccess/Action, Microsoft.Blueprint/blueprintAssignments/write…}

DataActions : {}

NotDataActions : {}

AssignableScopes : {/}

And for Azure AD Roles

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference?WT.mc_id=Portal-Microsoft_AAD_IAM

All the Ids are there as well as in the Roles and Administartors Page of Azure AD

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Keith Viking 20 Reputation points

2023-05-06T11:38:08.32+00:00

Hi so that looking you provided it's for users but this is an application?
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-06T13:42:04.5633333+00:00

Hello @Keith Viking !

I hope my info cleared out any misunderstanding ( if any) So the Powershell i provided earlier is to get the ID of the Role so you can assign it via the Code to your Application Registration. The Applicaton can use this Role to make Authentication calls and be authorized as the specific Role

ALSO :

An Application can access specific APIs. In addition to accessing your own web API on behalf of the signed-in user, your application might also need to access or modify the user's (or other) data stored in Microsoft Graph. Or you might have service or daemon app that needs to access Microsoft Graph as itself, performing operations without any user interaction.

This link provides info

https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Keith Viking 20 Reputation points

2023-05-06T15:05:42.91+00:00

Hi, thanks for your help! I'll read through the links soon. As for what the app does, all I would like to do is have a few Get requests and a few POST requests for my application which is a WebApi Core running under .Net 6. I would like to create credentials stored on Azure so I can give these out to those that need access to the functions I mentioned. The functions would retrieve data and send data to our database but I would like to protect the WebApi with user credentials so I can assess who has access to the service (as in the API) so only users that we create credentials for have access. Please note we already have Azure Active directory containing directory for users so I don't want them to access the data unless they have access to the credentials I provide. Hope this is a little more clearer? Let me know if I need to take a different approach or can continue with the ideas from above. Thank you
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-07T15:16:25.73+00:00

Hello @Keith Viking !

Do you have any feedback or your issue is resolved?

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Keith Viking 20 Reputation points

2023-05-08T06:49:48.47+00:00

@Konstantinos Passadis The problem is the amount of links provided is unreal. I started with a course but the steps in the course are different to what im seeing on the Azure site.

I then posted this question, https://learn.microsoft.com/en-us/answers/questions/1275119/how-do-i-protect-web-api I thought i was getting on track until i tried adding A ROLE.

So i then posted this question and when adding a role i was getting the error "Cannot convert primitive type value to expected type edm.XXXX" .

The link you provided for the quickstarts states to add a Scope - the link i posted above states do not create a scope? Who is right?

How can anyone understand anything when the information out there isnt correct and getting different advice/steps?

When i add

{ "allowedMemberTypes": [ "User" ], "description": "Can read data", "displayName": "Read", "id": "9e34523e-f6dd-4821-8788-39af5d6cf579", "isEnabled": true, "value": "Data.Read" },

This saves with any ID but then Application permission is not available see this thread for the issue im facing https://stackoverflow.com/questions/57379397/why-is-application-permissions-disabled-in-azure-ads-request-api-permissions

If i change

"allowedMemberTypes": [ "User" ],

To Application (from User to Application to grant the API access) then it wont save and i get the error "One or more properties contains invalid values."
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-09T09:34:58.12+00:00

Hello @Keith Viking !

I think i found something :

The reason for this error is that the allowedMemberTypes property is not applicable for application permissions. It is only applicable for delegated permissions, where you can specify whether the permission applies to users, groups, or both.

For application permissions, you can omit the allowedMemberTypes property altogether. Here is an example of what the JSON should look like for an application permission:

{ "adminConsentDescription": "Allow the app to read data from your organization", "adminConsentDisplayName": "Read data", "id": "9e34523e-f6dd-4821-8788-39af5d6cf579", "isEnabled": true, "type": "Application", "userConsentDescription": "Allow the app to read data from your organization", "userConsentDisplayName": "Read data", "value": "Data.Read" }

Notice that the allowedMemberTypes property is not present, and the type property is set to "Application". Once you make this change, you should be able to save the permission without any errors, and it should be available for your API to request.

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Answer 1

@Keith Viking

Answer to the below query is :

When i add

{ "allowedMemberTypes": [ "User" ], "description": "Can read data", "displayName": "Read", "id": "9e34523e-f6dd-4821-8788-39af5d6cf579", "isEnabled": true, "value": "Data.Read" },






> This saves with any ID but then Application permission is not available see this thread for the issue im facing https://stackoverflow.com/questions/57379397/why-is-application-permissions-disabled-in-azure-ads-request-api-permissions

> If i change
> ```
"allowedMemberTypes": [

"User"
  ],

To Application (from User to Application to grant the API access) then it wont save and i get the error "One or more properties contains invalid values."

Once added the roles in manifest could not be removed directly, kindly follow the given steps:

Add a new role with "allowedMemberTypes" to "Application" and disable the existing role:
Now remove the disabled role and save the Manifest, this is because and existing role could not be removed without being disabled, this would let you save the updated role:

User's image

Application permission will then be available to assigned:

User's image

Please do let me know if you have any queries in the comments section, we could connect offline to get this fixed for you.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Konstantinos Passadis 19,586 Reputation points MVP

2023-05-09T18:43:18.0066667+00:00

Hello

Thsi is what i answered above !

Never Mind !

I am glad you found the solution!

Regards

Share via

How to add App Role for API

0 additional answers

Your answer