Group Based Assignment in Azure AD B2C


Hi,

 

according to this comparison you can't use the groups from the underlying Azure AD tenant to manage access of customers to applications. Apparently you can't define app roles and then assign groups to applications and put customers into groups.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/supported-azure-ad-features 

 

However, I was able to do this.

 

  1. While the familiar "Application Roles" menu isn't available, I can just define a role directly in the manifest.
  2. I was able to assign a group to an application with the role I defined in the manifest: POST https://graph.microsoft.com/v1.0/servicePrincipals(appId='/:client_id/')/appRoleAssignedTo
  3. I was able to take an account that was created via a custom policy execution and put it into that group.
  4. While you can't easily configure the token as you would with regular Azure AD P2 and include the groups and roles, it was trivial to write an Azure Function that, using the user object ID and client_ID, derived the assigned roles and groups by overlapping the /memberOf groups of the user and the /appRoleAssignments of the servicePrincipal. It simply gets called in the custom policy, and in case the customer is not assigned I send a custom OAuth 2.0 error (access_denied) instead of the claims with the groups and roles included.

 

While it is obviously a workaround and I need to consider rate limits when my policy does Graph API calls via an Azure Function on sign-in, I think it should work out just fine for our scenario.

 

Does anything speak against doing this, or am I risking that this functionality gets removed as it's not intended to be possible? Role-based access via groups is the best thing about Azure AD and it should be a feature in Azure AD B2C anyway if you ask me. Otherwise you're not able to handle lots of customer-facing applications with different customer segments by different business units.
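
The overlap described in step 4 of the post, as an added example that is not the poster's Azure Function: the decision logic only, run over constructed data shaped like the Graph /memberOf, appRoles and appRoleAssignedTo responses. The function name, the sample ids and the result shape are assumptions; it goes slightly beyond the post by also honouring direct user assignments and Graph's default role id, and it fails closed on disabled or unknown roles.

```python
# Added example. All ids and names below are constructed, not from a real tenant.
DEFAULT_ROLE_ID = "00000000-0000-0000-0000-000000000000"  # Graph "default access" role

def resolve_access(user_id, member_of, app_roles, assigned_to):
    """Overlap the user's /memberOf result with the service principal's
    /appRoleAssignedTo result; return claims or an access_denied result."""
    # /memberOf also returns directory roles and admin units; keep groups only.
    groups = {o["id"] for o in member_of
              if o.get("@odata.type") == "#microsoft.graph.group"}
    # Role id -> value from the manifest's appRoles, skipping disabled roles.
    enabled = {r["id"]: r["value"] for r in app_roles if r.get("isEnabled")}
    roles, matched_groups, assigned = set(), set(), False
    for a in assigned_to:
        by_group = a["principalType"] == "Group" and a["principalId"] in groups
        by_user = a["principalType"] == "User" and a["principalId"] == user_id
        if not (by_group or by_user):
            continue
        if a["appRoleId"] in enabled:
            roles.add(enabled[a["appRoleId"]])
        elif a["appRoleId"] != DEFAULT_ROLE_ID:
            continue  # disabled or unknown role: fail closed, grants nothing
        assigned = True
        if by_group:
            matched_groups.add(a["principalId"])
    if not assigned:
        # Hypothetical result shape; the policy maps it to the OAuth error.
        return {"error": "access_denied"}
    return {"roles": sorted(roles), "groups": sorted(matched_groups)}

# Constructed sample data shaped like Graph responses (pages already merged).
APP_ROLES = [
    {"id": "r-premium", "value": "Customer.Premium", "isEnabled": True},
    {"id": "r-legacy", "value": "Customer.Legacy", "isEnabled": False},
]
ASSIGNED_TO = [
    {"principalType": "Group", "principalId": "g-premium", "appRoleId": "r-premium"},
    {"principalType": "Group", "principalId": "g-legacy", "appRoleId": "r-legacy"},
    {"principalType": "User", "principalId": "u-direct", "appRoleId": DEFAULT_ROLE_ID},
]
def as_groups(*ids):
    return [{"@odata.type": "#microsoft.graph.group", "id": i} for i in ids]

if __name__ == "__main__":
    print(resolve_access("u-1", as_groups("g-premium", "g-other"), APP_ROLES, ASSIGNED_TO))
    print(resolve_access("u-2", as_groups("g-legacy"), APP_ROLES, ASSIGNED_TO))
    print(resolve_access("u-direct", [], APP_ROLES, ASSIGNED_TO))
```

/memberOf returns direct memberships only, so nested groups would need /transitiveMemberOf instead, and both Graph collections are paged and must be read to the last page before the overlap is computed.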

1 Reply
This seems like a good workaround for you. I would say the only risk would be that you will be leveraging an unsupported scenario. If that is an acceptable risk, then I'd say all should be good.