Adding AAD roles to JWT token

Question

Adding AAD roles to JWT token

NicholaiX-5929 21

I am looking for guidance. I'm writing an app that requires knowledge of the user's AAD roles. How can I surface these roles in the user's JWT token? Or do I really need to make a second call to get these roles (which would be somewhat painful at scale). The goal is to use the user role in the Authorize policy in the API.

Roles I'm referring to are the built-in AAD roles, such as "Billing administrator" or "Application administrator", not application custom roles.

Or is there a way to link a custom role to a specific built-in role (link "Myapp Billing Administrator" role to "Billing administrator" AAD role)?

Open to recommendations.

NicholaiX-5929 21

Actually to update, it looks like the roles are coming as individual wids fields, but I can't get the role name as well. I have tried various configurations such as follows:

    "idToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "dns_domain_and_sam_account_name"
            ]
        }
    ],
    "accessToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": [
                "dns_domain_and_sam_account_name"
            ]
        }
    ],

I only receive the GUIDs. I assume these guids are constant and I can use them to maintain a mapping table?

Accepted answer

2 additional answers

Your answer

NicholaiX-5929 21 Reputation points

2021-06-20T19:25:17.673+00:00

Actually to update, it looks like the roles are coming as individual wids fields, but I can't get the role name as well. I have tried various configurations such as follows:

"idToken": [ { "name": "groups", "source": null, "essential": false, "additionalProperties": [ "dns_domain_and_sam_account_name" ] } ], "accessToken": [ { "name": "groups", "source": null, "essential": false, "additionalProperties": [ "dns_domain_and_sam_account_name" ] } ],

I only receive the GUIDs. I assume these guids are constant and I can use them to maintain a mapping table?

Answer 1

AmanpreetSingh-MSFT 56,871 Moderator

Hi @NicholaiX-5929 · Thank you for reaching out.

For this purpose, you can configure below setting:

Directory roles: If the user is assigned directory roles, they are emitted as a 'wids' claim (groups claim won't be emitted). These GUIDs are constant and you can use them to maintain a mapping table.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2021-07-01T05:29:43.877+00:00

Hi @NicholaiX-5929 · Just checking if you have any further question.

Answer 2

Thank you. I did manage to come to the same result as in your example.

This however works only for built-in roles, since user-defined roles get random GUIDs. So we can't map the GUIDs back to an expected role name back at the application.

Consider for example you have an application My Cool App and you ask the solution administrator to define a role "My Cool App Administrators" and you want to get that information in the JWT token. You will get a GUID with no way to map back to the role name, unless you make a second call. And if you have to make a second call, it renders adding to the JWT useless. Or am I mistaken?

Answer 3

NicholaiX-5929 21

BTW, I realize my original question was about built in roles, and I will accept the answer for that. This is an extension of my previous question, since we got a new corner case.

Share via

Adding AAD roles to JWT token

2 additional answers

Your answer