Adding AAD roles to JWT token

NicholaiX-5929 21 Reputation points
2021-06-20T18:38:58.483+00:00

I am looking for guidance. I'm writing an app that requires knowledge of the user's AAD roles. How can I surface these roles in the user's JWT token? Or do I really need to make a second call to get these roles (which would be somewhat painful at scale). The goal is to use the user role in the Authorize policy in the API.

Roles I'm referring to are the built-in AAD roles, such as "Billing administrator" or "Application administrator", not application custom roles.

Or is there a way to link a custom role to a specific built-in role (link "Myapp Billing Administrator" role to "Billing administrator" AAD role)?

Open to recommendations.


Accepted answer
  1. AmanpreetSingh-MSFT 56,866 Reputation points Moderator
    2021-06-21T09:25:47.413+00:00

    Hi @NicholaiX-5929 · Thank you for reaching out.

    For this purpose, you can configure the setting below:


    Directory roles: If the user is assigned directory roles, they are emitted as a 'wids' claim (groups claim won't be emitted). These GUIDs are constant and you can use them to maintain a mapping table.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. NicholaiX-5929 21 Reputation points
    2021-07-09T16:51:44.857+00:00

    Thank you. I did manage to come to the same result as in your example.

    This however works only for built-in roles, since user-defined roles get random GUIDs. So we can't map the GUIDs back to an expected role name at the application.

    Consider for example you have an application My Cool App and you ask the solution administrator to define a role "My Cool App Administrators" and you want to get that information in the JWT token. You will get a GUID with no way to map back to the role name, unless you make a second call. And if you have to make a second call, it renders adding to the JWT useless. Or am I mistaken?

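The `wids` mapping table from the accepted answer, together with the custom-role corner case raised in the follow-up, as an added Python example that is not part of this thread: it assumes the hosting API framework has already validated the token signature, the two built-in role template IDs are quoted from memory and should be checked against Microsoft's built-in roles reference, and the custom-role GUID is a placeholder to be replaced with the value from your own tenant.

```python
import base64
import json

# Mapping table from the 'wids' GUIDs to role names. The two built-in IDs are
# the well-known Entra role template IDs as recalled here; verify them against
# the official built-in roles reference. A custom role gets a tenant-specific
# GUID, so its entry is a placeholder to be filled in from your own tenant.
ROLE_MAP = {
    "b0f54661-2d74-4c50-afa3-1ec803f12efe": "Billing Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
    "00000000-0000-0000-0000-000000000000": "My Cool App Administrators",  # placeholder
}
# Authorization policies expressed in role names, never in raw GUIDs.
POLICIES = {
    "CanManageBilling": {"Billing Administrator"},
    "CanManageApps": {"Application Administrator", "My Cool App Administrators"},
}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def claims_from_validated_token(token: str) -> dict:
    """Return the payload claims of a JWT whose signature the hosting
    framework has ALREADY validated; this helper performs no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))

def directory_roles(claims: dict) -> list:
    """Translate the 'wids' claim into role names; unknown GUIDs are ignored."""
    return sorted(ROLE_MAP[w] for w in claims.get("wids", []) if w in ROLE_MAP)

def satisfies_policy(claims: dict, policy: str) -> bool:
    """True when the user holds at least one role the named policy accepts."""
    return bool(POLICIES[policy] & set(directory_roles(claims)))

def _sample_token(payload: dict) -> str:
    # Constructed, unsigned sample for the demo only; real tokens are signed.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"

# Constructed sample: a Billing Administrator plus one GUID the table does not know.
SAMPLE_TOKEN = _sample_token({
    "preferred_username": "user@example.com",
    "wids": ["b0f54661-2d74-4c50-afa3-1ec803f12efe", "11111111-2222-3333-4444-555555555555"],
})
```

Custom roles still need their tenant-specific GUID looked up once (at deployment time, not per request) and added to `ROLE_MAP`; any GUID not in the table is simply dropped rather than granting access.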

  2. NicholaiX-5929 21 Reputation points
    2021-07-09T16:54:27.813+00:00

    BTW, I realize my original question was about built-in roles, and I will accept the answer for that. This is an extension of my previous question, since we got a new corner case.

