msiam_access role

Pooja Nair (MINDTREE LIMITED) 26 Reputation points Microsoft Vendor
2023-09-11T17:27:06.39+00:00

I have a question about the msiam_access role for users in Azure Active Directory. Is this role assigned to all users by default, or does it depend on the application they are using? What is the purpose of this role and how does it affect the management of enterprise app roles?

I read in the documentation that “You can only add new roles after msiam_access for the patch operation”. What does this mean and how can I do it?
https://learn.microsoft.com/en-us/azure/active-directory/develop/enterprise-app-role-management#add-roles

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,530 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,488 questions
0 comments No comments
{count} votes

Accepted answer
  1. CarlZhao-MSFT 43,411 Reputation points
    2023-09-12T03:17:11.88+00:00

    Hi @Pooja Nair (MINDTREE LIMITED)

    Is this role assigned to all users by default, or does it depend on the application they are using? What is the purpose of this role and how does it affect the management of enterprise app roles?

    It looks like you are trying to configure appRole for your enterprise application, this role is not assigned to all users, it should be assigned to the users used to access the protected API, users assigned this role will be able to access the protected web API, if a user who has not been granted this role attempts to access the protected Web API, they will be blocked and a 403 error will be returned.

    I read in the documentation that “You can only add new roles after msiam_access for the patch operation”. What does this mean and how can I do it?

    This means that if you are adding a new appRole to an enterprise application, then you need to copy the previously created appRole into the request body, otherwise the new appRole will overwrite the previously created appRole. This operation is often called a patch operation.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.