Is it possible to assign multiple roles to a user or group in Azure AD?

3

18

When I add an appRoles section to my application manifest in Azure AD, I can assign users and groups to roles in the management portal.

  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Can read data.",
      "displayName": "Data Reader",
      "id": "67fba7fa-e54e-4258-b95d-32b082eb771d",
      "isEnabled": true,
      "value": "reader"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Can create and edit data.",
      "displayName": "Data Writer",
      "id": "e36736c5-e923-435e-8e44-6cae90792931",
      "isEnabled": true,
      "value": "writer"
    }
  ],

However, the UI only allows me to assign a single role to a user or group.

I can't find how to assign multiple roles to a user or group. I can add the user to multiple groups and assign roles to members of that group, which will result in multiple role claims in the token for that user, but this seems awkward.

Am I missing something? Is there a way to assign multiple roles to a user or group?

Wheatley answered 20/10, 2015 at 17:8 Comment(0)
28

You can assign multiple roles to the same user in the same app, but it is very limited. Basically add the same user again and select a different role:


The mechanism is very cumbersome and will not scale. If you have AAD Premium Lvl 2, you can associate application roles with groups, and when you assign a user to that group, they will gain the roles automatically. The automatic assignment only works for Premium Lvl 2 though.

Catlee answered 16/5, 2018 at 12:12 Comment(6)
Yeah, this question was asked and answered when the new portal did not exist yet. Seems silly that they only made this workable for Premium 2 users. - Wheatley
I see someone plays World of Warcraft ;) - Panache
+50 DKP to you - Catlee
This doesn't seem to work in the current version of Azure AD. - Nacreous
@Nacreous I seem to be able to add the same user multiple times with different roles. - Centaury
Looks like a new UX. I've since switched to doing this with Terraform. Much easier than attempting to use the portal. You can assign any principal a role. I can also assign a group's principal the role, or another application principal the roles. Also found a PowerShell command that does the same thing. No need for a premium subscription. - Nacreous
7

This turns out to be a limitation of the Azure management portal. In this blog comment, the AAD PM explains it is possible to assign multiple roles to a user or group through the GraphAPI.

For more info, see section 'Assigning application roles' in this MSDN blog article.

Wheatley answered 20/10, 2015 at 21:52 Comment(1)
Unfortunately those last two blog links are dead. - Ripley
1

Had the same problem, and with the current version of the Azure portal the workaround was:

  1. Create two groups (group_for_perm1, group_for_perm2)
  2. Add the same user to both groups ([email protected])
  3. Go into Azure AD->Enterprise applications
  4. Change the "Application type" filter to "All applications"
  5. Search for your app
  6. Select "Users and Groups"
  7. Hit "+ Add user/group" at the top, and assign group_for_perm1 permission1
  8. Hit "+ Add user/group" at the top, and assign group_for_perm2 permission2

Note if the "+ Add user/group" button is greyed out, you either didn't add App Roles to the App registration, or aren't in the owner group for the "Enterprise application". It appears you can be the owner of the App Registration and not be the owner of the Enterprise Application.

The token should now have a roles section with your two permissions. Take the JWT to jwt.io and you should see something like

  "rh": "I",
  "roles": [
    "permission1",
    "permission2"
  ],
Nacreous answered 29/9, 2022 at 11:33 Comment(0)
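The answers above say the same thing from two directions: the portal is the limitation, and the directory itself happily holds several appRoleAssignment objects for one principal (one per role), which is what the Graph API, PowerShell and Terraform routes all create under the hood. Below is an added example (not from any post in this thread) that builds one Graph `appRoleAssignments` body per role for a single principal, using the two roles from the question's manifest, and then checks a token's `roles` claim the way the last answer does with jwt.io. Assumptions, all labelled in the code: the principal and service-principal object IDs are placeholders, the `GRAPH_TOKEN` environment variable (if set) holds a Graph token with `AppRoleAssignment.ReadWrite.All`, and the sample JWT is constructed locally with an unsigned header purely to exercise the claim check. Without a token the script only prints the payloads it would POST.

```python
"""Assign several app roles to one user or group through Microsoft Graph, then
verify the roles claim. Added example, not code from the original thread.

Assumptions:
  - APP_ROLES is the appRoles array from the question's manifest.
  - PRINCIPAL_ID / RESOURCE_SP_ID are placeholder GUIDs (replace them). The
    resourceId must be the object id of the app's *service principal*
    (Enterprise application), not the app registration.
  - GRAPH_TOKEN, if set, is a Graph token with AppRoleAssignment.ReadWrite.All.
"""
import base64
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# appRoles copied from the question's manifest (same role ids as shown there).
APP_ROLES = [
    {"allowedMemberTypes": ["User"], "displayName": "Data Reader",
     "id": "67fba7fa-e54e-4258-b95d-32b082eb771d", "isEnabled": True, "value": "reader"},
    {"allowedMemberTypes": ["User"], "displayName": "Data Writer",
     "id": "e36736c5-e923-435e-8e44-6cae90792931", "isEnabled": True, "value": "writer"},
]

# Placeholder object ids (assumption): the user or group being assigned, and
# the app's service principal.
PRINCIPAL_ID = "00000000-0000-0000-0000-0000000000aa"
RESOURCE_SP_ID = "00000000-0000-0000-0000-0000000000bb"


def build_assignments(app_roles, principal_id, resource_id, wanted_values):
    """One appRoleAssignment body per (principal, role); that is how a single
    principal ends up holding several roles. Unknown or disabled roles raise
    instead of being skipped silently, since a disabled role never reaches
    the token even if the assignment is created."""
    by_value = {r["value"]: r for r in app_roles}
    bodies = []
    for value in wanted_values:
        role = by_value.get(value)
        if role is None:
            raise ValueError(f"no appRole with value {value!r} in the manifest")
        if not role["isEnabled"]:
            raise ValueError(f"appRole {value!r} is disabled and would not appear in tokens")
        bodies.append({"principalId": principal_id,
                       "resourceId": resource_id,
                       "appRoleId": role["id"]})
    return bodies


def post_assignment(token, principal_id, body, principal_kind="users"):
    """POST /users/{id}/appRoleAssignments (use principal_kind="groups" for a
    group). Returns the created appRoleAssignment object."""
    req = urllib.request.Request(
        f"{GRAPH}/{principal_kind}/{principal_id}/appRoleAssignments",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def roles_in_token(jwt):
    """Decode the JWT payload without verifying the signature. This is only for
    inspecting a token you already trust (the jwt.io step), never for authz."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return sorted(claims.get("roles", []))


def missing_roles(jwt, expected_values):
    """Roles you assigned that are absent from the token. A non-empty result
    usually means the assignment targeted the wrong principal or resource, or
    the user has not signed in again since the assignment was created."""
    return sorted(set(expected_values) - set(roles_in_token(jwt)))


# Constructed sample token (unsigned, "alg":"none" header) for the claim check.
SAMPLE_JWT = (_b64url(b'{"alg":"none"}') + "." +
              _b64url(json.dumps({"rh": "I", "roles": ["writer", "reader"]}).encode()) + ".")


if __name__ == "__main__":
    bodies = build_assignments(APP_ROLES, PRINCIPAL_ID, RESOURCE_SP_ID, ["reader", "writer"])
    token = os.environ.get("GRAPH_TOKEN")
    for body in bodies:
        if token:
            print(post_assignment(token, PRINCIPAL_ID, body)["id"])
        else:
            print(json.dumps(body))  # dry run: the payload that would be POSTed
    print(missing_roles(SAMPLE_JWT, ["reader", "writer"]))  # [] for the sample token
```

Two practical checks fall out of this: the `resourceId` is the Enterprise application's service principal (the same object whose "Users and groups" blade the last answer walks through), which is why being owner of the App Registration alone is not enough; and a role that is present in the directory but `isEnabled: false` is never emitted in `roles`, so verify the claim after the user signs in again rather than trusting that the assignment call succeeded.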
