Assign App Roles to AD Users in AD B2C

Elizabeth Davis 31 Reputation points

Is there a way to assign users that we've added to Active Directory to app roles in AD B2C? I noticed that you can create app roles through the app manifest, but where do you go to then assign the users to these roles?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,371 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,759 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,517 questions
0 comments No comments
{count} votes

Accepted answer
  1. CarlZhao-MSFT 39,906 Reputation points

    Hi @Elizabeth Davis

    Azure AD B2C does not currently support appRole, such as user flows or custom policy. Reference: similar answers.

    However, you can use Azure AD based authentication to grant appRole because Azure AD supports appRole. First, make sure you have added appRoles in your API application's manifest, then click Managed application in local directory to go to Enterprise Applications>Users and groups>Add user/group.



    Next use an Azure AD based authentication flow such as ROPC flow or auth code flow.


    Parse the token and you will see your custom role.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

1 additional answer

Sort by: Most helpful
  1. Hugo Forte 21 Reputation points

    I have the same problem - though this answer does not quite work as it only applies to users that are in the active directory - I'd also like to be able to use roles or groups with all users that are signed up though facebook/google and other social logins.

    4 people found this answer helpful.
    0 comments No comments