Editing App Role value in Azure App Registration not reflected in JWT

wetzelb 1 Reputation point
2021-02-19T19:52:05.507+00:00

I created an App Role in my App Registration and assigned users to the App Role through Enterprise Applications. All was working fine and the role is included in the claims in the JWT when I login with a user that is assigned to the App Role.

Then I needed to change the value of the App Role which is allowed through the Azure console. After doing that, when I get a new JWT, it still has the original value of the App Role. Unassigning and reassigning the user in Enterprise Applications didn't fix it.

The only way I could get it to work was to delete the original App Role and create a new one with the new value and then update the user/role assignments in Enterprise Applications.

Is this a known bug or limitation?


1 answer

  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2021-02-23T07:30:26.813+00:00

    Hi @wetzelb · Thank you for reaching out.

    I just tested it out in my test tenant and didn't encounter any such issue. The change in the role name took effect without requiring re-creating the role or re-assigning it to the user. Please try using a new browser session, preferably in-private/incognito, just to ensure the new token is not acquired in the existing session context.

    Steps that I performed:

    1. Created app role by using below parameters in app manifest:

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Tester Have the ability to create tasks.",
            "displayName": "Tester",
            "id": "d1c2ade8-0000-0000-0000-6d06b947c66f",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "Tester"
        }
    ]
    2. Acquired an Access token for the user assigned with Tester role in the enterprise app.

    3. Updated the app role in the manifest as shown below:

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Writer have the ability to create tasks.",
            "displayName": "Writer",
            "id": "d1c2ade8-0000-0000-0000-6d06b947c66f",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "Writer"
        }
    ]
    4. Acquired a new Access token without re-assigning or recreating the new role and got the new role in the token:

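The answer's steps come down to one check: does the `roles` claim of a freshly acquired token match the `value` currently set in the manifest, or is the token simply one that was issued before the role was renamed? The script below is an added example (not from the thread, not Microsoft's tooling) that performs that check offline. The manifest fragment and both tokens are constructed here: the tokens are built locally with a placeholder signature so the example runs without a tenant, and `ROLE_CHANGED_AT` is an assumed timestamp for the manifest edit. It decodes the payload without verifying the signature, which is fine for inspection but never for an authorization decision.

```python
"""Compare an Azure AD access token's `roles` claim with an app registration
manifest, and flag tokens issued before the app role was renamed.

Added example, not code from the Q&A thread. The manifest and the tokens are
constructed locally so the script runs offline; the placeholder signature is
never validated, so treat decode_claims() as inspection only.
"""
import base64
import json

# Constructed manifest fragment, mirroring the shape shown in the answer.
MANIFEST = {
    "appRoles": [
        {
            "allowedMemberTypes": ["User"],
            "description": "Writer have the ability to create tasks.",
            "displayName": "Writer",
            "id": "d1c2ade8-0000-0000-0000-6d06b947c66f",
            "isEnabled": True,
            "lang": None,
            "origin": "Application",
            "value": "Writer",
        }
    ]
}

# Assumed epoch time (seconds) at which the manifest was edited.
ROLE_CHANGED_AT = 1_613_800_000


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def enabled_role_values(manifest: dict) -> set:
    """The `value` strings of app roles that are currently enabled."""
    return {r["value"] for r in manifest.get("appRoles", []) if r.get("isEnabled")}


def check_roles(token: str, manifest: dict, role_changed_at: int) -> dict:
    """Report stale/missing role values and whether the token predates the change.

    A token with `iat` earlier than the manifest edit was served from a cache or
    an existing session, which explains an old value far better than a bug.
    """
    claims = decode_claims(token)
    present = set(claims.get("roles", []))
    expected = enabled_role_values(manifest)
    return {
        "roles_in_token": sorted(present),
        "stale_values": sorted(present - expected),
        "missing_values": sorted(expected - present),
        "issued_before_change": claims.get("iat", 0) < role_changed_at,
    }


def make_constructed_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature, for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


# Constructed tokens: one issued before the rename, one issued after it.
OLD_TOKEN = make_constructed_token({"roles": ["Tester"], "iat": ROLE_CHANGED_AT - 600})
NEW_TOKEN = make_constructed_token({"roles": ["Writer"], "iat": ROLE_CHANGED_AT + 600})

if __name__ == "__main__":
    for label, tok in (("old token", OLD_TOKEN), ("new token", NEW_TOKEN)):
        print(label, check_roles(tok, MANIFEST, ROLE_CHANGED_AT))
```

Run it against a real token by pasting the token string into `check_roles()` and setting `ROLE_CHANGED_AT` to the time of the manifest edit; `issued_before_change: True` together with a stale value is the cached-session case the answer describes, while a token issued after the edit that still carries the old value would be worth a support ticket.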
