If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID. This includes onboarding applications, assigning users to application roles, adding app roles to applications, editing applications, and deleting applications. In this article, we demonstrate how to add an app role to an Azure application.

Azure Application App Roles represent permissions that can be assigned to users, groups, or other applications in Azure Active Directory (Azure AD). They are defined in the manifest of an Azure AD application and allow different roles to have different levels of access within the application.

Creating and assigning App Roles is typically done for the following reasons:

  1. Role-Based Access Control (RBAC): RBAC is a strategy for managing resource access based on a user's organizational role. App Roles allow you to implement RBAC by defining roles with certain permissions and assigning these roles to users, groups, or service principals.

  2. Fine-Grained Permissions: You might want to create App Roles to enforce fine-grained permissions within your application. For example, you could create roles such as "Admin", "User", and "ReadOnly", each with different permissions, to ensure users can only perform actions that their role allows.

  3. Secure API Access: If your application exposes APIs, you might want to secure them by allowing only applications with certain roles to access them. For example, you could define an App Role in your API app's manifest, then assign that role to a client app, granting the client app the ability to call the API.

  4. Organizational Structure: If your organization has a complex structure with various teams and departments needing different access levels, App Roles can help manage this complexity. By creating roles reflecting these organizational structures, you can ensure users have the correct access based on their responsibilities.
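The following Python block is an added example, not code from EmpowerID or from the Azure AD documentation. It shows the two halves of the RBAC pattern described above: building an appRoles manifest entry (using the 2 / 3 / 4 member-type codes the workflow's DefaultAllowedMemberTypeID parameter uses, mapped to the "User" / "Application" strings the manifest expects) and then enforcing the resulting `roles` claim on an API call. The Admin / User / ReadOnly roles, their GUIDs and the claim sets are constructed for the example; validating the token itself (signature, issuer, audience, expiry) is assumed to have happened before `authorize` runs.

```python
import uuid

# Member-type codes used by the workflow's DefaultAllowedMemberTypeID parameter
# (2 = User, 3 = Applications, 4 = Both), mapped to the string values the Azure AD
# application manifest uses in allowedMemberTypes.
ALLOWED_MEMBER_TYPES = {
    2: ["User"],
    3: ["Application"],
    4: ["User", "Application"],
}


def make_app_role(display_name, value, description, member_type_id, role_id=None):
    """Build one entry for the appRoles array of an Azure AD application manifest.

    `value` is the string that later appears in the caller's `roles` claim; `role_id`
    is the role's GUID (a fresh one is generated when none is supplied).
    """
    if member_type_id not in ALLOWED_MEMBER_TYPES:
        raise ValueError(f"unsupported allowed member type code {member_type_id!r}")
    return {
        "allowedMemberTypes": list(ALLOWED_MEMBER_TYPES[member_type_id]),
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "value": value,
    }


# Constructed manifest for the Admin / User / ReadOnly example. The GUIDs are made up
# for this example; Azure assigns real ones when the role is created.
APP_ROLES = [
    make_app_role("Admin", "Admin", "Full control of the application", 2,
                  role_id="11111111-1111-1111-1111-111111111111"),
    make_app_role("User", "User", "Read and write own data", 2,
                  role_id="22222222-2222-2222-2222-222222222222"),
    make_app_role("ReadOnly", "ReadOnly", "Read-only access", 4,
                  role_id="33333333-3333-3333-3333-333333333333"),
]


def authorize(token_claims, required_roles, app_roles=APP_ROLES):
    """Return the sorted list of required roles the caller actually holds.

    Azure AD places the values of the caller's assigned app roles in the `roles`
    claim of the access token (for a user, a group member, or a client application).
    A role is only honoured here if it is still enabled in the manifest, so disabling
    a role in the registration also cuts off tokens issued before the change.
    """
    enabled = {role["value"] for role in app_roles if role["isEnabled"]}
    granted = set(token_claims.get("roles", []))
    return sorted(granted & set(required_roles) & enabled)


def require_role(token_claims, required_roles, app_roles=APP_ROLES):
    """Gate an API handler: raise PermissionError unless authorize() finds a match."""
    matched = authorize(token_claims, required_roles, app_roles)
    if not matched:
        raise PermissionError(f"caller lacks any of the roles {sorted(required_roles)}")
    return matched


if __name__ == "__main__":
    # Constructed claim sets standing in for already-validated tokens.
    print(require_role({"roles": ["ReadOnly"]}, ["Admin", "ReadOnly"]))   # ['ReadOnly']
    try:
        require_role({"roles": ["User"]}, ["Admin"])
    except PermissionError as exc:
        print("denied:", exc)
```

The intersection with the enabled set is the practitioner's check: a role that has been disabled in the registration (the first step Azure requires before a role can be removed) stops granting access immediately, rather than at token expiry.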

To create Azure App App Roles, the CreateAzureAppAppRole workflow is utilized. This workflow provides a range of configurable parameters, which allows you to modify the displayed fields when generating client secrets.

In the following sections of this article, we will walk you through tailoring the workflow parameters to suit your environment. Subsequently, we will guide you on creating an App Role for an application integrated with your Azure AD tenant.

Prerequisites

To create an app role for an Azure app, you need:

  • An Azure AD tenant managed by EmpowerID
  • A target application registered in Azure

To run the workflow that creates Azure app roles, users must have the UI-Res-Admin-MS-Application Management Role.

Step 1 – Configure workflow parameters

The workflow for creating Azure application app roles is CreateAzureAppAppRole. The workflow has several parameters that affect field values. These parameters are listed in the below table. In this example, you set the DefaultAzureTenantID parameter to the Azure tenant with the applications for which you want to create secrets.

Parameters and their descriptions:

  • AppRoleFulfillmentGroup_IsVisible: Set to true/false to show or hide the "App Role Fulfillment Group Details" section on the App Role details page.

  • DefaultAccessRequestPolicyID: Specifies the default Access Request Policy selected in the drop-down in the IAM Shop Settings step. The value must be a GUID.

  • DefaultAllowedMemberTypeID: Sets the default App Role Allowed Member Type. Set to 2 for "User", 3 for "Applications", 4 for "Both (Users/Groups + Applications)" and 0 for no pre-selection.

  • DefaultAzureTenantID: The GUID of the Azure tenant. If a value is present, the "Select a Tenant" drop-down is auto-selected with the specified tenant. The tenant you specify here appears by default as the tenant with the application(s) for which you want to create secret(s). If you have more than one tenant managed by EmpowerID, those tenants can be selected on the form. Note that once you set a value for this parameter, the value cannot be null going forward unless you null it in the EmpowerID Identity Warehouse. You can find the Tenant ID for your Azure tenant by navigating to Azure RBAC Manager > Resources and selecting the Tenants tab.

  • DefaultCreateAppRoleFulfillmentGroup: Set to true/false to create an Azure app role fulfillment group. The radio button is checked/unchecked respectively.

  • DefaultEmailMessageName: The name of the Email Template used to send an email notification to each person belonging to the Management Roles specified in the ManagementRoleIDsToNotify parameter. Email notifications are sent each time a client app secret is created.

  • DefaultOrgZoneID: The ID of the EmpowerID location where the app role will be created. If a value is present, the "Select a Location" drop-down is auto-selected with the location. The location can be changed as desired on the form.

  • DefaultOwnerPersonID: The Person ID of the secret owner. If a value is present, the specified person is the owner for all client app secrets.

  • DefaultPreApproveOwner: Specifies whether the Pre-approve access for owner checkbox appears on the form.

  • DefaultSecretExpirationInDays: The default client secret expiration, expressed as X days from the current date (X days are added to the current date).

  • DefaultShareCredential: Specifies whether to enable sharing for all credentials by default.

  • DefaultVaultCredential: Specifies whether to vault all secrets by default.

  • ManagementRoleIDsToNotify: A comma-separated list of the Management Role IDs of the Management Roles to be notified each time a client app secret is created.

  • SelectExpiration_IsVisible: Specifies whether to show or hide the expiration field on the form.

  • ShareCredential_IsVisible: Specifies whether to show or hide the Share credential checkbox on the form.

  • VaultShareCredential: Specifies whether to vault all secrets by default.

  • VaultCredential_IsVisible: Specifies whether to show or hide the Vault credential checkbox on the form.

  • SelectAOwner_IsVisible: Specifies whether to show or hide the Owner selection drop-down on the form.

To configure workflow parameters for your needs, do the following:

  1. On the navbar, expand Low Code / No Code Workflow and select Low Code Workflows.

  2. Select the Workflow tab and search for Create Azure App Client Secret.

  3. Click the Display Name for the workflow.


  4. Expand the Request Workflow Parameters accordion on the Workflow Details page for the workflow and click the edit button for the DefaultAzureTenantID parameter.


  5. Enter the Azure Tenant ID in the Value field and click Save.

  6. Configure any other settings as needed.

Step 2 – Add an app role to an Azure application

  1. Navigate to the Resource Admin application portal for your environment.

  2. Select Applications from the drop-down menu and search for the application to which you want to assign an Azure AD app role.

  3. Click the Friendly Name link for the application.


  4. Select Azure Application Roles on the application menu, expand Actions, and then click Create Azure Application Role.

    This initiates the Create Azure App App Role workflow with the selected application as the target and directs you to the App Role Details form.


  5. Fill in the form fields with the appropriate information for your app role.


  6. Click Next.

  7. Review the summary information and then click Submit.

Step 3 – Verify the application role in Azure

  1. In Azure, navigate to Azure AD > App registrations.

  2. Select All applications and search for the target application.

  3. Click the Display Name link for the application.

  4. Under Manage, click App Roles.

    You should see the app role you created for the application.
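The portal check in Step 3 can also be done against the application object itself, which is useful when you have many registrations to confirm after a batch of workflow runs. The Python block below is an added example (not EmpowerID's or Microsoft's code): it audits the `appRoles` collection in the shape Microsoft Graph returns it for `GET /v1.0/applications/{object-id}`, confirming that the role exists, is enabled, has the expected allowed member types and is not duplicated. The sample application object, its display name and its GUIDs are constructed for the example; `fetch_application` is an optional helper that needs a Graph access token with permission to read applications and is not called when the block runs stand-alone.

```python
import json
import urllib.request

# Constructed application object in the shape Microsoft Graph returns for
# GET /v1.0/applications/{id}?$select=displayName,appRoles. GUIDs are placeholders.
SAMPLE_APPLICATION = {
    "id": "00000000-0000-0000-0000-00000000beef",
    "displayName": "Example Payroll App",
    "appRoles": [
        {"allowedMemberTypes": ["User"], "description": "Full control",
         "displayName": "Admin", "id": "11111111-1111-1111-1111-111111111111",
         "isEnabled": True, "value": "Admin"},
        {"allowedMemberTypes": ["Application"], "description": "Retired integration",
         "displayName": "Legacy", "id": "22222222-2222-2222-2222-222222222222",
         "isEnabled": False, "value": "Legacy"},
    ],
}

GRAPH_APPLICATIONS = "https://graph.microsoft.com/v1.0/applications"


def fetch_application(object_id, access_token):
    """Read displayName and appRoles for one application from Microsoft Graph.

    Optional network helper; the caller supplies an already-acquired bearer token.
    """
    url = f"{GRAPH_APPLICATIONS}/{object_id}?$select=displayName,appRoles"
    request = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(request) as response:
        return json.load(response)


def find_app_role(application, value):
    """Return the appRoles entry whose `value` matches, or None if absent."""
    return next((r for r in application.get("appRoles", []) if r.get("value") == value), None)


def verify_app_role(application, value, expected_member_types):
    """Return a list of findings; an empty list means the role is present and as expected."""
    findings = []
    matches = [r for r in application.get("appRoles", []) if r.get("value") == value]
    if not matches:
        return [f"no app role with value {value!r} on {application.get('displayName')!r}"]
    if len(matches) > 1:
        findings.append(f"{len(matches)} app roles share the value {value!r}")
    role = matches[0]
    if not role.get("isEnabled", False):
        findings.append(f"app role {value!r} exists but isEnabled is false")
    actual = sorted(role.get("allowedMemberTypes", []))
    if actual != sorted(expected_member_types):
        findings.append(f"app role {value!r} allows {actual}, expected {sorted(expected_member_types)}")
    return findings


def audit_app_roles(application):
    """Map every role value to (isEnabled, allowedMemberTypes) to spot stale or disabled roles."""
    return {r["value"]: (r["isEnabled"], tuple(r["allowedMemberTypes"]))
            for r in application.get("appRoles", [])}


if __name__ == "__main__":
    app = SAMPLE_APPLICATION   # replace with fetch_application(object_id, token) for a live check
    print(verify_app_role(app, "Admin", ["User"]))        # []
    print(verify_app_role(app, "Legacy", ["Application"]))
    print(audit_app_roles(app))
```

A non-empty result from `verify_app_role` is the signal to look at the workflow run in EmpowerID before assigning anyone to the role; the disabled-role finding in particular matters because a role left disabled will not appear in anyone's `roles` claim.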


Info

Inventoried App Roles are stored as records in the AzGlobalRight table of the EmpowerID Identity Warehouse. You can view these in the Web on the Find Universal PBAC page. To do so, expand Role Management and click Universal PBAC. Once on the page, select the Global Right tab and search for the App Role. You should see the role in the grid as shown in the below image.

Image: the App Role listed in the Global Right grid on the Find Universal PBAC page.