Azure B2C approles and permissions

Question

Azure B2C approles and permissions

bdiddy 171

Hi,

Is there a way where I can define application roles AND also what each role can actually perform?

I see we can define approles in the manifest, but what about roles permissions. So that in my application I can like enable/disable UI element based on those granular permissions.

Thanks,

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-08-06T19:11:38.897+00:00

What kind of application is it. What programming language, platform or SDK are you using?
bdiddy 171 Reputation points

2020-08-06T21:58:10.46+00:00

SPA angular application with a Web API in .net Core.

The SPA UI will need give access to particular screens based on roles and to show and hide some UI element based on permissions.

Role could be operatonmanager, salesmanager, accounting, etc.
Permissions could be process order, cancel order, approve expenses, reject expenses, etc.

Answer accepted by question author

1 additional answer

Your answer

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-08-06T19:11:38.897+00:00

What kind of application is it. What programming language, platform or SDK are you using?
bdiddy 171 Reputation points

2020-08-06T21:58:10.46+00:00

SPA angular application with a Web API in .net Core.

The SPA UI will need give access to particular screens based on roles and to show and hide some UI element based on permissions.

Role could be operatonmanager, salesmanager, accounting, etc.
Permissions could be process order, cancel order, approve expenses, reject expenses, etc.

Answer 1

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Moderator

@bdiddy you can use directory extension as optional claims for each of the permissions required. You can create extension "process order" and "cancel order" both of type "boolean" and assign both to user or group C and the latter to user or group D so you can get them in the token issued to each user.

Follows how to create an application, an extension and assign it to the first directory user:

Answer 2

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Moderator

Define your application app roles and assign them to the desired users in the Azure Portal, trough powershell or MS Graph. Then add the MSAL Angular library to your Angular project and create a Guard that validates if the required role(s) is/are present in the user id token:

   @Injectable()  
   class CanActivateOnRoles implements CanActivate {  
     constructor(private msalService: MsalService) {}  
     
     canActivate(  
       route: ActivatedRouteSnapshot,  
       state: RouterStateSnapshot  
     ): boolean {  
       return msalService.getAccount().idToken['roles'].find( r => r === 'some role') !== undefined;  
     }  
   }

---
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

bdiddy 171 Reputation points

2020-08-10T13:38:19.61+00:00

Thank you alfredo-revilla-msft, I guess there isn't something on azure that will say like Role is Admin and when you are an Admin you can process an order and cancel an order. But when you are an AccountManager you don't have the permission to process an order but you you can cancel an order.
Adeel Nayyer Sheikh 1 Reputation point

2020-10-07T04:50:08.67+00:00
Hi Alfredo,

I have defined the following app roles in my manifest:

"appRoles": [ { "allowedMemberTypes": [ "User" ], "description": "Sandouk Owner", "displayName": "Sandouk Owner", "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f", "isEnabled": true, "lang": null, "origin": "Application", "value": "SandoukOwner" } ]

I have then assigned "Sandouk Owner" role to one of the users in Azure AD B2C. But I am unable to get that role claim in id token or access token.

Would you please assist me what am I missing here.

Best regards,
Adeel
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-10-07T17:28:45.39+00:00

@Adeel Nayyer Sheikh Alternatively you might create a custom attribute in both user flows and custom policies and manage them using MS Graph. EG: you can create a roles attribute/claim and use it for business decisions. Alternatively, only in custom policies, you can define a roles claimtype and set its value using REST technical profile that feeds from a custom API you develop.
Adeel Nayyer Sheikh 1 Reputation point

2020-10-16T07:18:53.423+00:00

Hi Alfredo,

I got it. Thanks for the clarification. I also want to know about security groups. If we have enabled groupMembershipClaims in our app manifest, whether user groups can be returned in the access token for Azure AD B2C?

Best regards,
Adeel
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-10-16T15:13:57.957+00:00

No, that' an Azure AD only claim. B2C claims available are listed here.

--
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
Yos Akimoto 6 Reputation points

2020-12-02T03:33:34.337+00:00

I set AppRoles in the manifest of the application registered in b2c, and there is a link of "Managed application in local directory" on the top page of the application, so I could get it by setting the object id in it as the argument of ServicePrincipals.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator

2020-12-03T20:52:50.66+00:00

Also, you can leverage Azure AD B2C User profile attributes and output them as claims.
Muqaddas Mehmood 1 Reputation point

2021-06-09T18:47:09.387+00:00

Hi!
Thats really helpful can I you share the same for python.I really appreciate it.
Muqaddas Mehmood 1 Reputation point

2021-06-09T18:48:09.91+00:00

Hi!
Thats really helpful can you share the same for python.I really appreciate it.

Share via

Azure B2C approles and permissions

1 additional answer

Your answer