I have registered an application with name "API" and for this application I added two App Role in Manifest
"appRoles": [
"allowedMemberTypes": [
"description": "Demo Role for application.",
"displayName": "Demo Role",
"id": "42ee481e-b4bc-4afa-9499-586bc2a079be",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "demo.role"
"allowedMemberTypes": [
"description": "Test Role for application.",
"displayName": "Test Role",
"id": "42ee481e-b4bc-4afa-9499-586bc2a079bd",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "test.role"
Now I have registered another app called "Client Application" and I want to assign this application above two app roles which I defined in application "API"
From searching the docs I found that we assigning permissions is done to the application service principal, not the Application object.
Here is the sample code that I found in the documents...
AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.principalId = UUID.fromString("33ad69f9-da99-4bed-acd0-3f24235cb296");
appRoleAssignment.resourceId = UUID.fromString("9028d19c-26a9-4809-8e3f-20ff73e2d75e");
appRoleAssignment.appRoleId = UUID.fromString("ef7437e6-4f94-4a0a-a110-a439eb2aa8f7");
principalId: The id of the user, group or client servicePrincipal to which you are assigning the app role. -- Where can I find principalId? Is this the objectId of the "Client Application"?
resourceId: The id of the resource servicePrincipal which has defined the app role. Where can I find resourceId? -- Is this the object ID of "API" Application which has app roles defined?
appRoleId: The id of the appRole (defined on the resource service principal) to assign to a user, group, or service principal. -- I found the app role id - the guid mentioned in app role in manifest of "API" application.
Please assist.

Principal id is the ObjectId but not the actual one which you see in portal but it is the object Id of the service principal and similarly resource Id is objectId of serviceprincipal of resource app.
See the difference from below provided info:
App id:51100c0f-xxxx-xxxx-xxxx-xxxxxxxa59,
From powershell commands:
$ResourceId= (Get-AzureAdServicePrincipal -Filter "displayName eq 'testapp'").ObjectId
#output :ResourceId: 36929cef-xxxx-xxxx-xxxx-xxxx989dac7
Portal:client app:
App id:329cd48e-xxxx-xxxx-xxxx-xxxxxxxx2b88,
$principalId=(Get-AzureAdServicePrincipal -Filter "displayName eq 'client app'").ObjectId
#Output : Principal id: 85a53d22-xxxx-xxxx-xxxx-xxxxx300b2
In an app role assignment, resourceId is the id of the servicePrincipal for the resource app ( API app in your case). To find the id of a service principal for which you know the appId through graph api for resource app and client app:see the below request
GET$filter=appId eq '{app-id}'
GET<App id>
GET$filter=startswith(displayName, 'Application-Name')
The response will contain the id property of the servicePrincipal object, and you can use that when creating the app role assignment.

When you create/register an application from portal UI, a service principal is created for you automatically however it is not the case when you create application using API calls.
When you register an application using API, you will have to explicitly create service principal for that application...
to create a service principal you need a graph client and object Id of the application you created (please note object Id and app client id is diff) - you can see your object Id from portal UI.
Application application = graphClient.applications(objId)
ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.appId = application.appId;
Now you have created a service principal for you up is finding the ID which you can do like this...
ServicePrincipalCollectionPage servicePrincipals = graphClient.servicePrincipals()
List<ServicePrincipal> list = servicePrincipals.getCurrentPage();
Go through the list and choose your application based on display name, and you can find ID too.
ServicePrincipal.Id --> This is what you need...
and based on your need...
The principalId is the client app which you created - so you need servicePrincipal.Id of that application.
The resourceId is the app where you defined your approles - so you need servicePrincipal.Id of that application.


API Permissions - Microsoft Graph API

I'm using Microsoft Graph API to create an application making an HTTP request using the following documentation:
Content-type: application/json
"displayName": "MyAppName",
"signInAudience": "AzureADMultipleOrgs"
But I need to add some API permissions (Microsoft Graph Application permissions) when creating the applications so I can do other operations like getting the Azure AD groups, modify them, create users, etc. Is there a way to add and grant the permissions programmatically as well without doing it through the portal?
Thank you.
Microsoft Graph object ID
The first thing you'll need is the object ID of Microsoft Graph service principal in your tenant.
00000003-0000-0000-c000-000000000000 is the globally unique application ID for Microsoft Graph, which we can use to get the object ID by making a request like below.
GET$filter=appid eq '00000003-0000-0000-c000-000000000000'&$select=id,appid,appDisplayName
Example response
The object ID we need is the id in the response
"#odata.context": "$metadata#servicePrincipals(id,appId,appDisplayName)",
"value": [
"id": "bd0a624d-11f8-44ab-a015-d8f276d75ad3",
"appId": "00000003-0000-0000-c000-000000000000",
"appDisplayName": "Microsoft Graph"
Application IDs for commonly used Microsoft applications
Adding API Permissions
You can add the API permissions, which is separate from granting admin consent.
Bearer {access token}
The API resource to add permissions from, in this case 00000003-0000-0000-c000-000000000000 is for Microsoft Graph
Array of permissions containing the ID and type
Use the globally unique ID of the permission want to add, which you can reference from All permissions and IDs
For delegated permissions, use Scope. For application permissions, use Role
Example body
The below permissions are for User.Read (delegated), openid (delegated), and Directory.Read.All (application)
"requiredResourceAccess": [
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
"id": "37f7f235-527c-4136-accd-4a02d197296e",
"type": "Scope"
"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
"type": "Role"
Update application API endpoint
requiredResourceAccess resource type
resourceAccess resource type
Granting admin consent
Important to note that you can only grant admin consent with the API for delegated permissions. For application permissions, you'll need to use the Portal and click the button.
Bearer {access token}
The Enterprise Application object ID for which you want to grant consent to
Indicates if authorization is granted for the client application to impersonate all users or only a specific user. AllPrincipals indicates authorization to impersonate all users. Principal indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions. Required. Supports $filter (eq only).
Use the object ID we obtained earlier for the Microsoft Graph service principal
A space-separated list of the claim values for delegated permissions which you want to grant admin consent to
Example body
"clientId": "7f244605-717f-408f-96fb-d369678cea56",
"consentType": "AllPrincipals",
"resourceId": "bd0a624d-11f8-44ab-a015-d8f276d75ad3",
"scope": "openid User.Read"
Create oAuth2PermissionGrant API endpoint
oAuth2PermissionGrant resource type
Unless you’re creating more then 10 applications, I would just go through the portal.
Creating secrets through the api is not very easy.
The portal has wizards and explanations for most options
Granting permissions and creating applications can be done at the same time, you can also create the application and then have an admin do the admin consent.
Admin consent explained:

Azure AD: Grant an appRoleAssignment for a service principal is failing with "code": "Request_ResourceNotFound"

I am trying to create a "service principal" for application and to grant admin consent for the permissions using Microsoft graph API.
I followed the following steps:
Created application in a tenant using graph API. My request body is:
"displayName": "AppWithPermissions",
"requiredResourceAccess": [
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
Created a service principal for the above-created application. The creation was successful.
Now, I want to grant admin consent to each assigned permission programmatically using graph API.
To grant application permissions, I created an app role assignment in the appRoleAssignedTo collection of the API's service principal:
The request was as follows:
Post request:{id}/appRoleAssignedTo
Request body:
"principalId": "principal_id",
"resourceId": "resource_id",
"appRoleId": "approle_id"
"principal_id" is the "id" of service principal created in step 2 above.
"approle_id" is the id of the appRole you want to grant. (taken "id" value from "resourceAccess" array present in "requiredResourceAccess")
"id" in http request url and "resource_id" are the same. (taken "resourceAppId" value from "requiredResourceAccess" which is corresponds to "approle_id" given above)
After running the query, I am getting error 404.
"code": "Request_ResourceNotFound"
for the "resource_id"/"id" field.
Adding screenshots for better understandings:
App Creation:
service principal creation:
Grant an appRoleAssignment for a service principal:
I am confused about which IDs to use where and didn't get a clear idea from the documentations. Can any one please resolve my query? Thanks in advance.
It looks like you're using the appId instead of the id value.
In an app role assignment, resourceId is the id of the servicePrincipal for the resource app (in your case, the API). In an application object's requiredResourceAccess, you use appId, which is a different value.
To find the id of a service principal for which you know the appId:
GET$filter=appId eq '{app-id}'
The response will contain the id property of the servicePrincipal object, and you can use that when creating the app role assignment.
The document description is not very clear.
In simple terms:
principalId: Usually your service principal id.
resourceId: Usually your service principal id.
appRoleId: For appRoleId you can find it by requesting GET{id}.
Grant an appRoleAssignment for a service principal:

Adding users with roles into app registration

I can see you can create app registrations with graph API but is it possible to add users and roles to an app registration?
If you want to assign a user to that application, in one of the specified app roles, you'll need to set the appRoleAssignment on the user . If using Azure AD Graph api , you could use below rest api :{tenant-id}/users/{username}/appRoleAssignments?api-version={api-version}
Authorization: Bearer {token}
"id": "RoleID",
"principalId": "UserObjectID",
"principalType": "User",
"resourceId": "servicePrincipalID"
id: This is the Id for the Role you are assigning. These Ids can be found in the Application's Manifest. Or you could use below api to get the specific role defined for your application(appRoles claim):{tenant}/applications/{ObjectIDOfApplication}?api-version=1.6
principalId :This is the Obeject Id of the User you are assigning the role to.
principalType :If you are assigning this role to a User then this is set to the string User .
resourceId : Service Principal ID of the application . To get service principal id , you could use below api (objectId claim) :{tenant}/servicePrincipals?api-version=1.6&$filter=appId eq 'appid'
Application role assignments are available in the Microsoft Graph Beta endpoint: see Update approleassignment
To give you an idea of what could do to add app role assignments to a user, I suggest you look at the Configure.ps1 PowerShell script of the active-directory-dotnet-webapp-roleclaims sample on GitHub, which creates test users of a given role and updates the application registration. This is in PowerShell, but you should be able to adapt it to using MSGraph

Role/Group based Authorization using ADAL.js and ASP.NET Web API

What we are planning to achieve is a role-based security for a Front end Angular-2 and back-end ASP.NET Web API application. We are doing the authentication process with the help of ADAL.js and storing the token in the local storage. We have also implemented the approach shown here i.e. to call the Graphi API and get the user groups to stuff them into Claims.
My question is : Is there anyway, we can add role claims from server to the bearerToken which is residing in the local storage. Or is there any better way to approach this issue.
The code sample mentioned assign the role based on the group. If you have the Azure AD basic version, it support to assign the role to the users/groups directly.
My question is : Is there anyway, we can add role claims from server to the bearerToken which is residing in the local storage. Or is there any better way to approach this issue.
Yes, it is possible. To issue the role claims we need to assign the users to assign the roles to users or group first. Then when the user acquire the token, the Azure AD would issue the relative role claims in the token.
You can refer the code sample for using the role claim from here.
And you may also be interest in groups claim developing.
ok i was struggling with this for a while and i have figured it out i believe.
In Azure AD, set up your WebApi app as application type to be Web App / API.
go to Manifest file and add your roles like
"allowedMemberTypes": [
"displayName": "Reviewer",
"id": "0238c2bb-9857-4d07-b760-a47ec621d57a",
"isEnabled": true,
"description": "Reviewer only have the ability to view tasks and their statuses.",
"value": "reviewer"
"allowedMemberTypes": [
"displayName": "Approver",
"id": "000018cb-19e3-4f89-bf99-5d7acf30773b",
"isEnabled": true,
"description": "Approvers have the ability to change the status of tasks.",
"value": "approver"
Then create the the Client app as Application type to be Native app and add required permissions to the service you added above.
In the SPA Angular app add something like this
var endPoints = {
// "https://localhost:44386/" is the API URL
// "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx" is the Service Application ID
"https://localhost:44386/": "xxxxxxxxxxxxxxxxxxxxxxxxxx"
instance: "",
// tenant is your tenant name (something like below)
tenant: "{NAME}",
// this is the Native app application ID (ClientID) you registered
clientId: "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",
extraQueryParameter: "nux=1",
endpoints: endPoints
}, $httpProvider);
Then, in your startup.cs you need to set up the Service App like the following:
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
TokenValidationParameters = new TokenValidationParameters
/* "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx" is the Service Application ID. (Same as you registered in the client app above)*/
ValidAudience = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
RoleClaimType = "roles"
/*enant is your tenant name (same as you registered in client app above)*/
Tenant = "{NAME}"
Finally you need to go to Azure active directory => Enterprise application => all applications => select your webAPI service => Users and groups => then assign users to the roles.
When this is all done when you log through your client app to authenticate and call the webapi, adal.js and ada-angular.js will put the proper bearer token that contains roles
Good to learn this approach.
Ted, thanks for sharing your solution !
For those who are not familiar with operating Azure AD manifest file. The following is a good resource.
"appRoles": [
"allowedMemberTypes": [
"displayName": "Reviewer",
"id": "0238c2bb-9857-4d07-b760-a47ec621d57a",
"isEnabled": true,
"description": "Reviewer only have the ability to view tasks and their statuses.",
"value": "reviewer"
"allowedMemberTypes": [
"displayName": "Approver",
"id": "000018cb-19e3-4f89-bf99-5d7acf30773b",
"isEnabled": true,
"description": "Approvers have the ability to change the status of tasks.",
"value": "approver"

Azure Active Directory: Get user's UPN with OpenID Connect authentication

I want the login system for an ASP.Net MVC 5 website be backed by Azure Active Directory.
Specifically I want to find out, whether the user is a member of a specific group and give access based on that.
I have code to query users/groups in AD, and only users from the AD get authenticated by Microsoft and redirected to the website.
But it seems that I need the user's principal name (UPN, ClaimTypes.Upn) to query the Azure AD graph API, while the OpenID Connect Provider just gives me some version of the user's e-mail address:
From OpenID Connect:
User.Identity.Name =
From AD Graph API:
user.UserPrincipalName =
Is there any possibility to get the internal user GUID or get from one ID to the other in order to be able to query the AD graph API for the current user?
Indeed. Get the ObjectId of the user from the objectidentifier claim, using:
UPN property is set by default for regular Organizational accounts - whereas you are signing is as an MSA (Microsoft Account) external user. MSA external users do not have the UPN property set by default. That said, you do not need the user's UPN to query their Group membership using Graph API - ObjectId is recommended. Further, we recommend that for authorization purpose, you use the getMemberGroup API that returns transitive group membership of the user.
Hope this helps.
For reference on other claim types: the raw JWT access token issued by Azure AD for an MSA external user looks like this:
"family_name": "Guest",
"unique_name": "",
"altsecid": "",
"ver": "1.0",
"aud": "",
"acr": "1",
"iss": "",
"oid": "fa6fa59a-5f2b-4069-a8e4-c76e52179f64",
"scp": "Directory.Read UserProfile.Read",
"idp": "",
"email": "",
"appidacr": "1",
"given_name": "AAD",
"exp": 1403260411,
"appid": "29181964-d91b-4331-859d-d815863848d6",
"tid": "62e173e9-301e-423e-bcd4-29121ec1aa24",
"iat": 1403256511,
"amr": [
"nbf": 1403256511,
"sub": "Wi6CVQ6FVj_aj3na076wm-C6eJy6CK6YhB3PR9Jpty0"
