If your organization integrates applications with Microsoft Entra ID, you can manage those applications in EmpowerID, including assigning any Azure app roles for those applications to application users. These roles are crucial for defining what actions a user or service can perform within an application, effectively governing the security and functionality of the app. In this article, we demonstrate how you can assign App Roles to Azure users in EmpowerID, ensuring that users have the appropriate levels of access aligned with their responsibilities and your organization's security policies.
Procedure
Navigate to the Resource Admin application portal for your environment.
From the dropdown menu, choose Applications and then search for the specific application that contains the App Role(s) you wish to assign.
Locate and click the Details button associated with the application record to access more information about the application.
This directs you to the overview page for the application. This page serves as a central hub for managing key aspects of the application, including options to modify App Role assignments for the application.On the application menu on the page's left side, expand App Rights (Azure “App Roles”) and click Assignments.
Click Assign App Right to start the 'Assign Application Right' ('AssignAzLocalRightScope') workflow for your chosen application. This workflow comprises multiple steps that will assist you in selecting the app roles to assign and identifying the recipients for these roles.
Locate and select each Application Right (Azure App Role) you wish to assign.
After making all your selections, click Next to proceed to the next stage of the workflow.
Begin the process by searching for and selecting the appropriate assignees for the application role. You have various options at your disposal, including individual people, Management Roles, Business Roles and Locations, and groups. Keep in mind choosing a Management Role, a Business Role and Location, or a group means that all members within these roles or groups will automatically receive the app role for the application.
For example, in the screenshot provided below, two individuals and one group have been selected as assignees.
Reviewing and Adjusting Assignees:To review your selections, click on the 'Added' flag next to each type of assignee, as shown below. This allows you to confirm that the correct assignees are selected.
If you need to modify your selections, such as removing an assignee, simply click the 'Delete' button next to the assignee you wish to remove.
After making all your selections, click Next to commit your changes.
Review the assignment summary and then click Submit to exit the workflow.
Verify the application role assignment in Azure
In Azure, browse to Microsoft Entra ID > Enterprise applications.
Set the Application Type to All applications and search for your application.
Click the Display Name link for the application.
Under Manage, select Users and Groups, and then search for a user you just assigned to the app role.
You should see the user’s role reflect the changes you made in EmpowerID.