Application Role vs User Role in Azure Active Directory and B2C

Majed Samyal, published in azurehelp, Aug 29, 2020


To implement role-based access control (RBAC) for an application, or for an API hosted in API Management, in Azure AD or Azure AD B2C, we need to add custom roles to the Azure AD/B2C application manifest file.

A role's member type can take one of three valid values:

  • Application
  • User
  • Both

What is a User Role?

We add the role to the manifest and then do the assignment. A user role can be assigned to any number of users and groups; once the role is in the manifest, you still have to perform the user or group assignment yourself.

What is an Application Role?

This is a special type of role for which no user assignment is required. An application role is used to authorize the client credentials flow, that is, machine-to-machine communication.

But…

For the Application role type, we need to grant admin consent.

So what is consent?

This is very well explained on the Microsoft documentation portal. The text below is quoted from the MS documentation.

Consent is the process of a user granting authorization to an application to access protected resources on their behalf. An admin or user can be asked for consent to allow access to their organization/individual data.

User consent flow is when an application developer directs users to the authorization endpoint with the intent to record consent for only the current user.

Source: https://docs.microsoft.com/

You must have noticed this when doing Google or Facebook sign-in. For a User role, no consent is required.

Admin consent flow is when an application developer directs users to the admin consent endpoint with the intent to record consent for the entire tenant. To ensure the admin consent flow works properly, application developers must list all permissions in the RequiredResourceAccess property in the application manifest.

Let’s try to understand admin consent: with this consent type, an admin has to grant admin consent once, from the Azure portal (or via the REST API). This is required for the Application role type.

The yellow warning icon in the portal shows that admin consent has not been granted. Once you grant it, you will see the application role in the JWT token generated for the application.
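To make the two role types concrete, here is an added example (not code from the original post or from Microsoft) in Python. It builds the two manifest entries the post describes, one with an allowed member type of User and one of Application (the portal's "Both" option is expressed in the manifest by listing both strings in `allowedMemberTypes`), checks the entries for the mistakes that most often break the setup, flags which entries will need admin consent, and finally performs the RBAC check an API would make against the `roles` claim of a decoded token, which is where the role appears once consent has been granted. The GUIDs, role names and token payloads are constructed placeholders.

```python
import uuid

# Valid strings for allowedMemberTypes in an Azure AD appRoles entry.
VALID_MEMBER_TYPES = {"User", "Application"}


def app_roles_manifest():
    """Two appRoles entries as they would appear in the application manifest.

    Constructed example: the ids are placeholder GUIDs, not real values.
    """
    return [
        {
            "allowedMemberTypes": ["User"],           # user role: needs user/group assignment
            "description": "Can read reports (assigned to users or groups)",
            "displayName": "Report Reader",
            "id": "11111111-1111-4111-8111-111111111111",  # placeholder GUID
            "isEnabled": True,
            "value": "Report.Read",
        },
        {
            "allowedMemberTypes": ["Application"],    # application role: client credentials flow
            "description": "Daemon access via client credentials; needs admin consent",
            "displayName": "Report Reader (application)",
            "id": "22222222-2222-4222-8222-222222222222",  # placeholder GUID
            "isEnabled": True,
            "value": "Report.Read.All",
        },
    ]


def validate_app_roles(roles):
    """Return a list of problems found in a list of appRoles entries (empty list = OK)."""
    problems = []
    seen_values = set()
    for i, role in enumerate(roles):
        member_types = role.get("allowedMemberTypes", [])
        # The portal's "Both" is not a manifest value; it means both strings are listed.
        if not member_types or not set(member_types) <= VALID_MEMBER_TYPES:
            problems.append(
                f"role {i}: allowedMemberTypes must be a non-empty subset of "
                f"{sorted(VALID_MEMBER_TYPES)}"
            )
        try:
            uuid.UUID(str(role.get("id", "")))
        except ValueError:
            problems.append(f"role {i}: id is not a GUID")
        value = role.get("value")
        if not value:
            problems.append(f"role {i}: value is required (it becomes the roles claim entry)")
        elif value in seen_values:
            problems.append(f"role {i}: duplicate value {value!r}")
        seen_values.add(value)
    return problems


def requires_admin_consent(role):
    """Application roles are the ones an admin must consent to before they appear in tokens."""
    return "Application" in role.get("allowedMemberTypes", [])


def has_role(claims, required_role):
    """RBAC check on a decoded access-token payload.

    Assumes the token's signature, issuer, audience and expiry were already
    validated by the caller; this function only inspects the roles claim.
    """
    return required_role in claims.get("roles", [])


# Constructed decoded payloads (what you would hold after signature validation).
USER_TOKEN = {"sub": "user-oid-placeholder", "scp": "access_as_user", "roles": ["Report.Read"]}
APP_TOKEN_CONSENTED = {"sub": "app-oid-placeholder", "roles": ["Report.Read.All"]}
APP_TOKEN_NO_CONSENT = {"sub": "app-oid-placeholder"}  # no roles claim until admin consent is granted


if __name__ == "__main__":
    roles = app_roles_manifest()
    print("manifest problems:", validate_app_roles(roles) or "none")
    for role in roles:
        print(f"{role['value']}: admin consent required = {requires_admin_consent(role)}")
    print("user token may read:", has_role(USER_TOKEN, "Report.Read"))
    print("consented app token may read all:", has_role(APP_TOKEN_CONSENTED, "Report.Read.All"))
    print("unconsented app token may read all:", has_role(APP_TOKEN_NO_CONSENT, "Report.Read.All"))
```

The last check is the symptom the post describes: before an admin grants consent, a client-credentials token for the application simply carries no `roles` claim, so an API that authorizes on that claim correctly denies the call rather than failing in some less obvious way.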

In the next article, we will understand the difference between Scope and Role.

Link to next article: https://medium.com/azurehelp/roles-and-scopes-in-azure-identity-f201d11e253c
