Is it possible to assign Groups to App roles in Azure Entra ID B2C Tenant?

Florian Graff 20 Reputation points
2024-06-24T11:38:05.8766667+00:00

Hi community,

I am building a java based webapp for a customer on Azure. The customer wants to assign specific privileges to certain users via roles and groups.

Currently we have enabled a B2C Tenant in Azure, where all the external users of the app are registered. We can currently only assign users to app roles, but not groups. It looks like this: [Screenshot from 2024-06-24 13-15-59]

Why are groups not available for assignment, even though the B2C tenant is in the P2 tier? [Screenshot 2024-06-24]

I would appreciate any help very much!

Thanks in advance

Florian

Microsoft Entra ID

Accepted answer
  1. Deepanshukatara-6769 8,145 Reputation points
    2024-06-24T12:44:56.38+00:00

    Hi Florian, Welcome to MS Q&A

    • Group-based assignment to enterprise apps in Azure B2C Tenant's P2 tier is not supported. This means that you can only assign users to app roles and not groups. This limitation is specific to the tier you are using. For more information on group assignment limitations within enterprise applications, you can refer to the following link: [Configure, manage, remove, and troubleshoot user and group assignments to enterprise apps].
    • In the P2 tier, group-based assignment is not available for distribution or Microsoft 365 groups. Additionally, nested group memberships are currently not supported. When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups. For more details on these limitations, you can refer to the provided source.

    I hope this information helps clarify the limitations you are experiencing with group assignment in Azure B2C Tenant's P2 tier for your Java-based web app. If you have any further questions or need additional assistance, please feel free to ask.

    Kindly accept the answer, if it helps.

    Thanks

    Deepanshu


  1. Akhilesh 7,390 Reputation points Microsoft Vendor
    2024-06-25T11:35:35.36+00:00

    Hi @Florian Graff

    Thank you for reaching out!

    Azure AD B2C does not currently support appRole, such as user flows or custom policy. Azure AD B2C is designed for consumer-facing applications and does not support the same level of access control as Azure AD. Instead, Azure AD B2C uses policies to define the user experience and authentication requirements for your application.
    You can create app roles by updating the application manifest and assign users and service principals (but not groups) to them in Azure AD B2C. This feature, however, will only be useful for Azure AD administrative (not consumer/user) flows; this is when targeting the tenant-specific authority (https://login.microsoftonline.com/tenant-id) but not the User Flow specific authorities (https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/policy-name).

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Read-only access to device information",
            "displayName": "Read Only",
            "id": "601790de-b632-4f57-9523-ee7cb6ceba95",
            "isEnabled": true,
            "value": "ReadOnly"
        }
    ],

    For consumer/user flows you can create a roles claim or attribute to be returned by your Custom Policy or User Flow. You're free to choose the data source for the aforementioned: manually input or hard coded values, values stored in Azure AD itself through directory extensions or in an external data source/API which can be consumed by a REST technical profile.

    Appreciate if you could share the feedback on this feature in our feedback forum which is closely monitored by our product team.

    Reference: https://www.ipannila.net/azure-ad-b2c-app-registration/

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
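The two points in the answer above (app roles are defined in the manifest with `allowedMemberTypes` of `User` or `Application` only, and a token from a B2C user flow carries no app roles, so a consumer app must rely on a claim its policy emits) can be checked in code. The following is an added example, not code from either answer or from Microsoft: it validates the `appRoles` fragment shown above (embedded as a constructed copy), then enforces a required role against decoded token claims with default deny. The function names, the `extension_AppRoles` custom claim name used in the usage call and the sample claim dictionaries are assumptions made for illustration; real tokens must be signature-validated before their claims are trusted.

```python
"""Check an Entra app-role manifest fragment and enforce an app role from decoded token claims."""
import json
import uuid
from typing import Optional

# Constructed copy of the appRoles fragment from the answer above (a sample, not a live manifest).
MANIFEST_JSON = """
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "Read-only access to device information",
      "displayName": "Read Only",
      "id": "601790de-b632-4f57-9523-ee7cb6ceba95",
      "isEnabled": true,
      "value": "ReadOnly"
    }
  ]
}
"""

# Entra accepts only these member types; "Group" is not one of them, which matches the
# limitation discussed in this thread.
ALLOWED_MEMBER_TYPES = {"User", "Application"}


def load_manifest(text: str = MANIFEST_JSON) -> dict:
    """Parse manifest JSON text into a dict."""
    return json.loads(text)


MANIFEST = load_manifest()


def validate_app_roles(manifest: dict) -> list:
    """Return a list of problems in manifest['appRoles']; an empty list means it is well-formed."""
    problems = []
    seen_ids, seen_values = set(), set()
    for i, role in enumerate(manifest.get("appRoles", [])):
        where = "appRoles[%d]" % i
        member_types = role.get("allowedMemberTypes") or []
        if not member_types:
            problems.append(where + ": allowedMemberTypes must not be empty")
        unknown = set(member_types) - ALLOWED_MEMBER_TYPES
        if unknown:
            problems.append(where + ": unsupported allowedMemberTypes " + str(sorted(unknown)))
        try:
            role_id = str(uuid.UUID(str(role.get("id", ""))))
        except ValueError:
            role_id = None
            problems.append(where + ": id must be a GUID")
        if role_id is not None and role_id in seen_ids:
            problems.append(where + ": duplicate id " + role_id)
        seen_ids.add(role_id)
        value = role.get("value")
        if not isinstance(value, str) or not value or " " in value:
            problems.append(where + ": value must be a non-empty string with no spaces")
        elif value in seen_values:
            problems.append(where + ": duplicate value " + value)
        seen_values.add(value)
        for key in ("displayName", "description"):
            if not role.get(key):
                problems.append(where + ": " + key + " is required")
        if not isinstance(role.get("isEnabled"), bool):
            problems.append(where + ": isEnabled must be true or false")
    return problems


def roles_from_claims(claims: dict, custom_claim: Optional[str] = None) -> set:
    """Collect role values from already signature-validated, decoded token claims.

    A token from the tenant authority (login.microsoftonline.com/<tenant-id>) carries
    app-role assignments in the standard "roles" claim. A token from a B2C user flow or
    custom policy carries no app roles at all; the only roles available there are whatever
    the policy emits in a claim of its own, whose name the caller supplies (an assumption
    of this example, not a fixed B2C claim name). Accepts a list or a comma-separated string.
    """
    roles = set()
    standard = claims.get("roles")
    if isinstance(standard, list):
        roles.update(str(r) for r in standard)
    if custom_claim:
        custom = claims.get(custom_claim)
        if isinstance(custom, str):
            roles.update(part.strip() for part in custom.split(",") if part.strip())
        elif isinstance(custom, list):
            roles.update(str(r) for r in custom)
    return roles


def is_allowed(claims: dict, required_value: str, manifest: dict,
               custom_claim: Optional[str] = None) -> bool:
    """Default-deny: the role must be defined and enabled in the manifest and present in the token."""
    enabled = {r.get("value") for r in manifest.get("appRoles", []) if r.get("isEnabled") is True}
    if required_value not in enabled:
        return False
    return required_value in roles_from_claims(claims, custom_claim)


if __name__ == "__main__":
    print("manifest problems:", validate_app_roles(MANIFEST) or "none")
    # Constructed claim sets standing in for decoded tokens from the two authorities.
    tenant_token = {"iss": "https://login.microsoftonline.com/<tenant-id>/v2.0", "roles": ["ReadOnly"]}
    userflow_token = {"iss": "https://<tenant-name>.b2clogin.com/<tenant-id>/v2.0/",
                      "extension_AppRoles": "ReadOnly"}
    print("tenant-authority token, ReadOnly:", is_allowed(tenant_token, "ReadOnly", MANIFEST))
    print("user-flow token, no custom claim configured:", is_allowed(userflow_token, "ReadOnly", MANIFEST))
    print("user-flow token, custom claim configured:",
          is_allowed(userflow_token, "ReadOnly", MANIFEST, custom_claim="extension_AppRoles"))
```

The user-flow token is denied until the application explicitly names the policy-emitted claim it trusts, which keeps the two authorities from being confused: an `is_allowed` call written for tenant-authority tokens never silently passes on a B2C token just because a `roles`-like value appears somewhere in it.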