Hi @mythz,
Is there a way to get roles populated when using MicrosoftGraphAuthProvider and Azure AD? I’ve been trying to add/remove Scopes from the MicrosoftGraphAuthProvider to get back the roles by no luck.
Thanks!
Hey @DeonHeyns, out of interest, what errors are you getting? Are you able to share details about what scoped access you have tried?
Are the roles not included in token from Azure AD at all? A comment from this related question suggests:
If i change the scopes to include the identity token then the identity token has the relevant roles
But can’t confirm, if you manage to configure it so the token includes the roles can you provide an example of the JSON payload of the token (with all sensitive info scrubbed out).
Hey @layoric, no errors just empty roles collection. I’ll post the access and id tokens. Gives us a couple to scrub.
I’ll have a hack at it, random googling points to the fact that roles aren’t included when doing authorization_code grant type. Here’s what I currently get back:
access_token
{
“aud”: “00000003-0000-0000-c000-000000000000”,
“iss”: “https://sts.windows.net/”,
“iat”: 1614215249,
“nbf”: 1614215249,
“exp”: 1614219149,
“acct”: 0,
“acr”: “1”,
“acrs”: [
“urn:user:registersecurityinfo”,
“urn:microsoft:req1”,
“urn:microsoft:req2”,
“urn:microsoft:req3”,
“c1”,
“c2”,
“c3”,
“c4”,
“c5”,
“c6”,
“c7”,
“c8”,
“c9”,
“c10”,
“c11”,
“c12”,
“c13”,
“c14”,
“c15”,
“c16”,
“c17”,
“c18”,
“c19”,
“c20”,
“c21”,
“c22”,
“c23”,
“c24”,
“c25”
],
“aio”: “”,
“amr”: [
“pwd”,
“mfa”
],
“app_displayname”: “Super Duper”,
“appid”: “”,
“appidacr”: “1”,
“family_name”: “Heyns”,
“given_name”: “Deon”,
“idtyp”: “user”,
“ipaddr”: “”,
“name”: “Deon Heyns”,
“oid”: “”,
“onprem_sid”: “”,
“platf”: “3”,
“puid”: “10030000A5E87CE8”,
“rh”: “0.ASgASPp-HouAsUyXCdG05vvfeBjoFkhOq6hNs9x3yIACZoUoAKc.”,
“scp”: “User.Read profile openid email”,
“signin_state”: [
“kmsi”
],
“sub”: “KPYN7QF8IfI5dD8-_rZwyItO31RudPvPjQvAv319nlU”,
“tenant_region_scope”: “NA”,
“tid”: “”,
“unique_name”: “somerando@rando.com”,
“upn”: “somerando@rando.com”,
“uti”: “x-8Ua1ygiUis6ddNw7gMAA”,
“ver”: “1.0”,
“wids”: [
“b79fbf4d-3ef9-4689-8143-76b194e85509”
],
“xms_st”: {
“sub”: “qGsCL3aOe2su8NaNvzil1tZUb3Jg-GLiCeTwQlNyjME”
},
“xms_tcdt”: 1496944370
}
id_token:
{
“aud”: “”,
“iss”: “https://login.microsoftonline.com//v2.0”,
“iat”: 1614215249,
“nbf”: 1614215249,
“exp”: 1614219149,
“aio”: “”,
“name”: “Deon Heyns”,
“oid”: “9a32b753-573a-42ab-ad7d-32e9b59c8e37”,
“preferred_username”: “somerando@rando.com”,
“rh”: “0.ASgASPp-HouAsUyXCdG05vvfeBjoFkhOq6hNs9x3yIACZoUoAKc.”,
“sub”: “qGsCL3aOe2su8NaNvzil1tZUb3Jg-GLiCeTwQlNyjME”,
“tid”: “”,
“uti”: “x-8Ua1ygiUis6ddNw7gMAA”,
“ver”: “2.0”
}
Didn’t reply to you @layoric regarding scopes. I’m chucking the kitchen sink at it: “offline_access”, “openid”, “profile”, “User.Read”
also what’s the chances of two people hitting this same issue in the same day 
Very unlikely, that I thought it was a colleague researching the same issue 
Found some info about adding AD Roles at Add app roles and get them from a token - Microsoft identity platform | Microsoft Learn
Not sure if helpful.
Alright got it returning roles in the id_token now. I had to assign the roles through the Azure Portal and doesn’t seem to be picked up if only linked to a classic AD. I followed these steps: Add app roles and get them from a token - Microsoft identity platform | Microsoft Docs
AuthUserSession isn’t populated by the roles in the id_token but I’m sure that is something I can figure out and send a PR for
2 Likes
ok awesome, yeah a PR would be very appreciated 
done! PR sent, will move the conversation there
1 Like