
I'm trying to use Azure AD for App-to-App authentication (grant_type: client_credentials) to call a REST API.

To avoid implementation issues I first tried with Postman, with the following configuration, and got the error "Application {clientID} is not assigned to a role for the application {clientID}":

(Postman configuration screenshot)

On Azure the App Registration seems to be properly configured, with a custom scope in "API permissions" and the same scope listed in "Expose an API".

What do I have to add in order to be able to call that API?
Please note that the same API works properly using IdentityServer4 with the client_credentials grant type.

Thanks in advance

3 Answers


  1. Chosen as BEST ANSWER

    Thanks Marco, your solution works as expected. I don't need to manually edit the manifest, so basically there are two main configuration steps:

    1. In App roles, add a new role of type "Application".

    2. In API permissions, add a permission of type "Application permission" related to the role you've just created.

    In this way you are able to get an access token for that App.

    TIP: In my .NET Core API I had to add this flag to the "Azure AD" configuration: "AllowWebApiToBeAuthorizedByACL": true

    See: How to authenticate/protect a backend web API for server-to-server communication using Azure AD client_credentials


  2. I created an Azure AD Application and exposed an API like below:

    (screenshot: Expose an API)

    And added the API permissions:

    (screenshot: API permissions)

    Now, when I generated the access token, I got the error like below:

    (screenshot: token request error)

    The error "AADSTS501051: Application 'ClientID' (ruktestapp) is not assigned to a role for the application 'api://ClientID' (ruktestapp)" usually occurs if user assignment is turned on for the Service Principal.

    To resolve the error, go to Enterprise Applications -> select your application -> go to Properties -> set "Assignment required" to No and Save.

    (screenshot: Enterprise application properties)

    Now I generated an access token successfully, a few seconds after applying the changes, like below:

    POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

    client_id: ClientID
    client_secret: ClientSecret
    scope: api://ClientID/.default
    grant_type: client_credentials

    (screenshot: successful token response)
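    The token request above, together with the check the receiving API should make on the token it gets back, as an added example that is not from the original answers. The tenant, client id and the app role value Api.Access are placeholders, and the JWTs are constructed, unsigned tokens for offline use, not tokens issued by Azure AD.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholders (assumed, not from the thread): tenant, app (client) id, app role value.
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
API_APP_ID_URI = f"api://{CLIENT_ID}"   # Application ID URI set under "Expose an API"
REQUIRED_ROLE = "Api.Access"            # value of the app role (allowed member type: Application)


def token_endpoint(tenant: str) -> str:
    """v2.0 token endpoint used by the client_credentials grant."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def client_credentials_body(client_id: str, client_secret: str, app_id_uri: str) -> str:
    """Form-encoded POST body for an app-to-app token request.

    The scope must be '<resource>/.default'. Naming a delegated scope such as
    'api://.../access_as_user' is invalid in this grant because no user is present.
    """
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{app_id_uri}/.default",
        "grant_type": "client_credentials",
    })


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Good enough to inspect what a token carries; a real API must validate the
    signature (tenant JWKS), issuer, audience and expiry before trusting any claim.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def is_authorized_app_call(claims: dict, app_id_uri: str, required_role: str) -> bool:
    """Authorize an app-only (client_credentials) call to the API.

    Such a token has no 'scp' claim because no user signed in; the application
    permission appears as an entry in the 'roles' array. Setting "Assignment
    required" to No makes Azure AD issue a token to any app in the tenant, so the
    API itself has to insist on this entry; AllowWebApiToBeAuthorizedByACL goes
    further and lets the API accept tokens carrying neither 'scp' nor 'roles'.
    """
    # 'aud' is the App ID URI or the bare client id, depending on how the API is configured.
    bare_client_id = app_id_uri[len("api://"):] if app_id_uri.startswith("api://") else app_id_uri
    if claims.get("aud") not in (app_id_uri, bare_client_id):
        return False
    if "scp" in claims:
        return False  # delegated token: a user is present, so this is not an app-only call
    return required_role in claims.get("roles", [])


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT for the offline demo only (not an Azure AD token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample tokens: what the API sees in the three interesting cases.
APP_TOKEN = make_unsigned_token({"aud": API_APP_ID_URI, "appid": CLIENT_ID, "roles": [REQUIRED_ROLE]})
DELEGATED_TOKEN = make_unsigned_token({"aud": API_APP_ID_URI, "scp": "access_as_user", "oid": "user-oid"})
NO_ROLE_TOKEN = make_unsigned_token({"aud": API_APP_ID_URI, "appid": CLIENT_ID})

if __name__ == "__main__":
    print("POST", token_endpoint(TENANT_ID))
    print(client_credentials_body(CLIENT_ID, "<client-secret>", API_APP_ID_URI))
    for name, tok in (("app role", APP_TOKEN), ("delegated", DELEGATED_TOKEN), ("no role", NO_ROLE_TOKEN)):
        print(f"{name:>10}: {is_authorized_app_call(jwt_claims(tok), API_APP_ID_URI, REQUIRED_ROLE)}")
```

    Only the token carrying the app role is accepted; the delegated token and the token with no roles claim (what a caller gets once "Assignment required" is simply switched off and no app role exists) are refused.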
  3. The answer from Rukmini is not entirely correct.
    In the answer provided, a Delegated permission is assigned as the API permission, and the token request uses the client_credentials flow.
    For client_credentials flow authentication, an Application permission is required, not a Delegated one.

    The issue can be fixed by keeping "Assignment required" on YES for security reasons (you may want to decide who, user/group or service principal, can access your application) and creating an Application permission on your App Registration.

    Specifically:

    • Create an App Role for the app registration with allowed member types Users/Groups and Applications (if you need both Delegated and Application permissions; otherwise Application is sufficient)
    • Create an API in "Expose an API" (if you need Delegated permissions for your users) with another Value
    • Edit the manifest so that the ID of the app role matches the ID of the scope, and the scope name matches the App Role value (only if you want both the Delegated and the Application permission with the same value)
    • In API permissions, add a permission for your application using Application permissions and grant admin consent

    That way, you can keep "Assignment required" on YES and use both the client_credentials flow and other flows.
    For other flows, you also need to add the Delegated permissions.
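    The manifest layout this answer describes (an app role whose allowed member types include Application, optionally alongside a delegated scope with the same value and, in that case, the same id), as an added example that is not part of the thread: a small Python check run over a constructed manifest fragment. The GUIDs, the identifier URI and the role value Api.Access are placeholders.

```python
import copy

# Constructed manifest fragment in the Microsoft Graph manifest format shown in the portal;
# GUIDs, identifierUris and the value "Api.Access" are placeholders, not values from the thread.
GOOD_MANIFEST = {
    "identifierUris": ["api://00000000-0000-0000-0000-000000000001"],
    "appRoles": [
        {
            "allowedMemberTypes": ["User", "Application"],
            "description": "Callers may use the API (as a signed-in user or as a daemon)",
            "displayName": "Api.Access",
            "id": "11111111-1111-1111-1111-111111111111",
            "isEnabled": True,
            "value": "Api.Access",
        }
    ],
    "api": {
        "oauth2PermissionScopes": [
            {
                "adminConsentDescription": "Call the API on behalf of the signed-in user",
                "adminConsentDisplayName": "Api.Access",
                # Same id as the app role: needed because role and scope share a value.
                "id": "11111111-1111-1111-1111-111111111111",
                "isEnabled": True,
                "type": "Admin",
                "value": "Api.Access",
            }
        ]
    },
}

# Constructed broken variant: role usable by users only, and a different id from the scope.
BAD_MANIFEST = copy.deepcopy(GOOD_MANIFEST)
BAD_MANIFEST["appRoles"][0]["allowedMemberTypes"] = ["User"]
BAD_MANIFEST["appRoles"][0]["id"] = "22222222-2222-2222-2222-222222222222"


def _scopes(manifest: dict) -> list:
    """Scopes live under api.oauth2PermissionScopes in the Graph-format manifest; the
    legacy (Azure AD Graph) format kept them in a top-level oauth2Permissions array."""
    return manifest.get("api", {}).get("oauth2PermissionScopes") or manifest.get("oauth2Permissions", [])


def lint_app_manifest(manifest: dict, value: str) -> list:
    """Return the problems that would stop a client_credentials caller from getting a
    token carrying `value` in its 'roles' claim (an empty list means the layout is fine)."""
    problems = []
    roles = [r for r in manifest.get("appRoles", []) if r.get("value") == value]
    scopes = [s for s in _scopes(manifest) if s.get("value") == value]

    if not roles:
        problems.append(f"no appRole with value {value!r}: app-only tokens will carry no matching 'roles' entry")
    for role in roles:
        if "Application" not in role.get("allowedMemberTypes", []):
            problems.append(f"appRole {value!r} does not allow member type 'Application' (delegated use only)")
        if not role.get("isEnabled", False):
            problems.append(f"appRole {value!r} is disabled")
    # A role and a scope may share a value only if they also share an id.
    for role in roles:
        for scope in scopes:
            if role.get("id") != scope.get("id"):
                problems.append(f"appRole and scope both use value {value!r} but have different ids")
    return problems


if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(name, lint_app_manifest(manifest, "Api.Access") or "OK")
```

    The good manifest passes; the broken one reports both the missing Application member type (the token would still be refused with AADSTS501051 while "Assignment required" is YES) and the id mismatch between role and scope.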