
Changing role-value in a multi-tenant application is not reflected in access tokens

SHM 171 Reputation points
2021-04-12T22:08:23.793+00:00

When updating the value of an application role in a multi-tenant application, it does not seem that subsequently created access tokens in "client" AADs have the new updated value among the roles, but rather the old value. I have verified using Get-AzureADServicePrincipal that the enterprise app has been updated in the guest AAD with the new value for the role. I have also tried to remove a user from the particular role and then re-assign the user after the role has been updated, but it does not seem to solve the problem. The only workaround for now is deleting the enterprise app in the "client" AAD and then re-creating it.

Is this scenario not supported or am I doing something wrong?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. AmanpreetSingh-MSFT 56,971 Reputation points Moderator
    2021-04-26T09:08:36.16+00:00

    Hi @cvationshm · Thank you for reaching out.

    When a multi-tenant application is registered in a tenant (tenant1), a corresponding servicePrincipal also gets created in that tenant. A change in the app role name gets updated almost instantly in the servicePrincipal within the same tenant.

    When the application is accessed by users in the other tenant (tenant2), and consent is provided, a corresponding servicePrincipal gets created in that tenant as well. The app roles in this servicePrincipal are populated on the basis of the appRoles configured in the application registered in tenant1. A change in appRoles afterwards won't update this servicePrincipal and would require re-creation of the servicePrincipal.

    As per my testing, the issue you are facing is the expected behavior.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

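As an added example (not part of the thread and not Microsoft's own tooling), the following Python script demonstrates the drift the answer describes and how to detect it. Both the application object and a servicePrincipal expose an `appRoles` collection whose entries carry a stable `id`, a `value` (the string that ends up in the token's `roles` claim), `displayName` and `isEnabled`; because the `id` survives a rename while the `value` does not, matching the two collections by `id` shows exactly which roles in the consuming tenant are stale. The sample `appRoles` lists, the tenant labels and the JWT-shaped token are all constructed inline so the script runs offline; in practice the two lists would come from Get-AzureADApplication / Get-AzureADServicePrincipal or the equivalent Microsoft Graph calls.

```python
import base64
import json

# Constructed sample (not from the thread): appRoles of the application object
# in the publishing tenant after the role value was renamed "Reader" -> "Report.Read".
APP_ROLES_TENANT1 = [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Report.Read",
     "displayName": "Report reader", "isEnabled": True},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Admin",
     "displayName": "Administrator", "isEnabled": True},
]

# Constructed sample: appRoles of the servicePrincipal in the consuming tenant,
# created at consent time and never refreshed, so it still carries the old value.
SP_ROLES_TENANT2 = [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Reader",
     "displayName": "Report reader", "isEnabled": True},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Admin",
     "displayName": "Administrator", "isEnabled": True},
]


def role_drift(app_roles, sp_roles):
    """Return (role id, value on the application, value on the servicePrincipal)
    for every role whose value differs or that exists on only one side.
    Roles are matched on id, which does not change when the value is renamed."""
    app_by_id = {r["id"]: r.get("value") for r in app_roles}
    sp_by_id = {r["id"]: r.get("value") for r in sp_roles}
    drift = []
    for role_id in sorted(set(app_by_id) | set(sp_by_id)):
        app_value = app_by_id.get(role_id)
        sp_value = sp_by_id.get(role_id)
        if app_value != sp_value:
            drift.append((role_id, app_value, sp_value))
    return drift


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_roles(access_token):
    """Read the "roles" claim from a JWT payload for inspection only.
    The signature is not verified here, so this must never drive authorization."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return list(payload.get("roles", []))


def stale_token_roles(access_token, app_roles):
    """Return token role values that no longer exist as an enabled value on the
    application object, i.e. values a resource API would fail to recognise."""
    current = {r["value"] for r in app_roles if r.get("isEnabled", True)}
    return sorted(set(token_roles(access_token)) - current)


def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline testing only.
    The signature segment is a placeholder; real tokens are signed by Entra ID."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    for role_id, app_value, sp_value in role_drift(APP_ROLES_TENANT1, SP_ROLES_TENANT2):
        print(f"role {role_id}: application={app_value!r} servicePrincipal={sp_value!r}")
    # Constructed token as a consuming-tenant user would receive it after the rename.
    sample = make_sample_token({"aud": "api://sample-app", "tid": "tenant2", "roles": ["Reader"]})
    print("token roles:", token_roles(sample))
    print("stale values:", stale_token_roles(sample, APP_ROLES_TENANT1))
```

A non-empty result from `role_drift` confirms the answer's explanation rather than a propagation delay: the consuming tenant's servicePrincipal was cloned once at consent and will keep issuing the old `value` until it is re-created, so a resource API that checks the `roles` claim against the new value will reject users from that tenant. Checking by `id` also makes it clear that deleting and re-adding the user's role assignment cannot help, since the assignment points at the unchanged `id` while the stale `value` lives on the servicePrincipal itself.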
