Roles claim missing from the access token

VN 20 Reputation points
2024-09-17T03:56:48.5266667+00:00

Have registered an app for SSO to web app. Created App roles for the app. Assigned users to groups and assigned groups to the app roles. The access tokens of the authenticated users do not show the roles claim. There are no groups or roles claim in the access token. Have been banging my head since several days now but this shit doesn't seem to budge. Went through all similar questions but nothing has helped so far. Seeking out the community for help.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,698 questions
{count} votes

Accepted answer
  1. Niels Rossen 80 Reputation points
    2024-09-20T06:38:37.7366667+00:00

    We have had a similar issue, be aware of a possible conflicting configuration that can cause this.

    https://stackoverflow.com/a/76322800/1020139

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. VN 20 Reputation points
    2024-09-21T08:44:43.82+00:00

    As @Niels Rossen suggested, emit_as_roles for the optional groups claim was the culprit. It prevented the app roles from appearing in the token. After removing the optional groups claim entirely, I could see the app roles coming up under the roles claim in the token. Thanks a ton to @Niels Rossen

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.