Page Comparison

If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, adding app roles to applications, editing applications, and deleting applications. In this article, we demonstrate how to add an app role to an Azure applicationAzure Application App Roles represent permissions that can be assigned to users, groups, or other applications in Azure Active Directory (Azure AD). They are defined in the manifest of an Azure AD application and allow different roles to have different levels of access within the application.

Creating and assigning App Roles is typically done for the following reasons:

1. Role-Based Access Control (RBAC): RBAC is a strategy for managing resource access based on a user's organizational role. App Roles allow you to implement RBAC by defining roles with certain permissions and assigning these roles to users, groups, or service principals.

2. Fine-Grained Permissions: You might want to create App Roles to enforce fine-grained permissions within your application. For example, you could create roles such as "Admin,” "User,” and "ReadOnly,” each with different permissions, to ensure users can only perform actions that their role allows.

3. Secure API Access: If your application exposes APIs, you might want to secure them by allowing only applications with certain roles to access them. For example, you could define an App Role in your API app's manifest, then assign that role to a client app, granting the client app the ability to call the API.

4. Organizational Structure: If your organization has a complex structure with various teams and departments needing different access levels, App Roles can help manage this complexity. By creating roles reflecting these organizational structures, you can ensure users have the correct access based on their responsibilities.

To create Azure App App Roles, the CreateAzureAppAppRole workflow is utilized. This workflow provides a range of configurable parameters, which allows you to modify the displayed fields when generating client secrets.

In the following sections of this article, we will walk you through tailoring the workflow parameters to suit your environment. Subsequently, we will guide you on creating an App Role for an application integrated with your Azure AD tenant.

Configure workflow parameters

The workflow for creating Azure application app roles is CreateAzureAppAppRole. The workflow has several parameters that affect field values. These parameters are listed in the below table. In this example, you set the DefaultAzureTenantID parameter to the Azure tenant with the applications for which you want to create secrets.

Parameter	Description
AppRoleFulfillmentGroup_IsVisible	Set to true/false to show or hide the "App Role Fulfillment Group Details" section in the App Role details page
DefaultAccessRequestPolicyID	Specifies the Default Access request policy to be selected in the drop down in the IAM Shop Settings step. The value must be a GUID.
DefaultAllowedMemberTypeID	Sets the default AppRole Allowed Member Type. Set to 2 for "User", 3 for "Applications", 4 for "Both (Users/Groups + Applications)" and 0 for no pre-selection.
DefaultAzureTenantID	This is the GUID of the Azure tenant. If the value is present, the “Select a Tenant” drop down will be auto-selected with the specified tenant. Easy html macro theme {"label":"solarized_dark","value":"solarized_dark"} contentByMode {"html":"<!doctype html>\r\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\r\n<link href=\"https://docs.empowerid.com/new_docs.css\" rel=\"stylesheet\">\r\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\r\n <p class = \"bd-callout bd-callout-success\">The tenant you specify here appears by default as the tenant \r\n with the application(s) for which you want to create secret(s). If you have more than one tenant \r\n managed by EmpowerID, those tenants can be selected on the form. Please note that\r\n once you set a value for this parameter, the value cannnot be null going forward unless you null it in the \r\n EmpowerID Identity Warehouse.</p>\r\n ","javascript":"","css":""} You can find the Tenant ID for your Azure tenant by navigating to Azure RBAC Manager > Resources and selecting the Tenants tab. Image Added
DefaultCreateAppRoleFulfillmentGroup	Set to true/false to create Azure app role fulfillment group. The radio button will be checked/unchecked respectively.
DefaultEmailMessageName	This is the name of the Email Template used to send email notification to each person belonging to the Management Roles specified in the ManagementRoleIDsToNotifiy parameter. Email notifications are sent each time a client app secret is created.
DefaultOrgZoneID	This is the ID of the EmpowerID location where the app role will be created . If value is present, the “Select a Location” drop down will be auto-selected with the location. The location can be changed as desired on the form.
DefaultOwnerPersonID	This is the Person ID of the secret owner. If the value is present, the specified person will be the owner for all client app secrets.
DefaultPreApproveOwner	Specifies whether the Pre-approve access for owner checkbox appears on the form.
DefaultSecretExpirationInDays	This is the default client secret expiration in X days from the current date. X days will be added to the current date.
DefaultShareCredential	Specifies whether to enable sharing for all credentials by default.
DefaultVaultCredential	Specifies whether to vault all secrets by default
ManagementRoleIDsToNotify	This is a comma separated list of the Management Role IDs of the Management Roles to be notified each time a client app secret is created.
SelectExpiration_IsVisible	Specifies whether to show or hide the expiration field on the form.
ShareCredential_IsVisible	Specifies whether to show or hide the Share credential checkbox on the form
VaultShareCredential	Specifies whether to vault all secrets by default
VaultCredential_IsVisible	Specifies whether to show or hide the Vault credential checkbox on the form
SelectAOwner_IsVisible	Specifies whether to show or hide the Owner selection drop-down on the form

To configure workflow parameters for your needs, do the following:

1. On the navbar, expand Object Administration and select Workflows.

2. Select the Workflow tab and search for Create Azure App Client Secret.

3. Click the Display Name for the workflow.
   

   Image Added

4. Expand the Request Workflow Parameters accordion on the Workflow Details page for the workflow and click the edit button for the DefaultAzureTenantID parameter.
   

   Image Added

5. Enter the Azure Tenant ID in the Value field and click Save.
   

   Image Added

6. Configure any other settings as needed.

Add an app role to an Azure application

1. Navigate to the Resource Admin application portal for your environment.

2. Select Applications from the dropdown menu and search for the application you want to assign an Azure AD role.

3. Click the Friendly Name link for the application.
   

   Image RemovedImage Added

    

4. Select Azure Application Roles on the application menu, expand Actions, and then click Create Azure Application Role.
   

   Image RemovedImage Added

    
   This initiates the Create Azure App App Role workflow with the selected application as the target and directs you to the App Role Details form.
   

   Image RemovedImage Added

5. Fill in the form fields with the appropriate information for your app role.
   

   Insert excerpt
   IL:Azure Snippets IL:Azure Snippets name AppRoleFields nopanel true

6. Click Next.

7. Review the summary information and then click Submit.

...

Image Modified