You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Add App Roles

Owned by Phillip Hanegan
Last updated: Nov 28, 2023
5 min read

Azure Application App Roles represent permissions that can be assigned to users, groups, or other applications in Azure Active Directory (Azure AD). They are defined in the manifest of an Azure AD application and allow different roles to have different levels of access within the application.

Creating and assigning App Roles is typically done for the following reasons:

  1. Role-Based Access Control (RBAC): RBAC is a strategy for managing resource access based on a user's organizational role. App Roles allow you to implement RBAC by defining roles with certain permissions and assigning these roles to users, groups, or service principals.

  2. Fine-Grained Permissions: You might want to create App Roles to enforce fine-grained permissions within your application. For example, you could create roles such as "Admin,” "User,” and "ReadOnly,” each with different permissions, to ensure users can only perform actions that their role allows.

  3. Secure API Access: If your application exposes APIs, you might want to secure them by allowing only applications with certain roles to access them. For example, you could define an App Role in your API app's manifest, then assign that role to a client app, granting the client app the ability to call the API.

  4. Organizational Structure: If your organization has a complex structure with various teams and departments needing different access levels, App Roles can help manage this complexity. By creating roles reflecting these organizational structures, you can ensure users have the correct access based on their responsibilities.

To create Azure App App Roles, the CreateAzureAppAppRole workflow is utilized. This workflow provides a range of configurable parameters, which allows you to modify the displayed fields when generating client secrets.

In the following sections of this article, we will walk you through tailoring the workflow parameters to suit your environment. Subsequently, we will guide you on creating an App Role for an application integrated with your Azure AD tenant.

 

Step 1 – Configure workflow parameters

The workflow for creating Azure application app roles is CreateAzureAppAppRole. The workflow has several parameters that affect field values. These parameters are listed in the below table. In this example, you set the DefaultAzureTenantID parameter to the Azure tenant with the applications for which you want to create secrets.

Parameter

Description

Parameter

Description

AppRoleFulfillmentGroup_IsVisible

Set to true/false to show or hide the "App Role Fulfillment Group Details" section in the App Role details page

DefaultAccessRequestPolicyID

Specifies the Default Access request policy to be selected in the drop down in the IAM Shop Settings step. The value must be a GUID.

DefaultAllowedMemberTypeID

Sets the default AppRole Allowed Member Type. Set to 2 for "User", 3 for "Applications", 4 for "Both (Users/Groups + Applications)" and 0 for no pre-selection.

DefaultAzureTenantID

This is the GUID of the Azure tenant. If the value is present, the “Select a Tenant” drop down will be auto-selected with the specified tenant.

You can find the Tenant ID for your Azure tenant by navigating to
Azure RBAC Manager > Resources and selecting the Tenants tab.

DefaultCreateAppRoleFulfillmentGroup

Set to true/false to create Azure app role fulfillment group. The radio button will be checked/unchecked respectively.

DefaultEmailMessageName

This is the name of the Email Template used to send email notification to each person belonging to the Management Roles specified in the ManagementRoleIDsToNotifiy parameter. Email notifications are sent each time a client app secret is created.

DefaultOrgZoneID

This is the ID of the EmpowerID location where the app role will be created . If value is present, the “Select a Location” drop down will be auto-selected with the location. The location can be changed as desired on the form.

DefaultOwnerPersonID

This is the Person ID of the secret owner. If the value is present, the specified person will be the owner for all client app secrets.

DefaultPreApproveOwner

Specifies whether the Pre-approve access for owner checkbox appears on the form.

DefaultSecretExpirationInDays

This is the default client secret expiration in X days from the current date. X days will be added to the current date.

DefaultShareCredential

Specifies whether to enable sharing for all credentials by default.

DefaultVaultCredential

Specifies whether to vault all secrets by default

ManagementRoleIDsToNotify

This is a comma separated list of the Management Role IDs of the Management Roles to be notified each time a client app secret is created.

SelectExpiration_IsVisible

Specifies whether to show or hide the expiration field on the form.

ShareCredential_IsVisible

Specifies whether to show or hide the Share credential checkbox on the form

VaultShareCredential

Specifies whether to vault all secrets by default

VaultCredential_IsVisible

Specifies whether to show or hide the Vault credential checkbox on the form

SelectAOwner_IsVisible

Specifies whether to show or hide the Owner selection drop-down on the form

 

To configure workflow parameters for your needs, do the following:

  1. On the navbar, expand Low Code / No Code Workflow and select Low Code Workflows.

  2. Select the Workflow tab and search for Create Azure App Client Secret.

  3. Click the Display Name for the workflow.

     

  4. Expand the Request Workflow Parameters accordion on the Workflow Details page for the workflow and click the edit button for the DefaultAzureTenantID parameter.

     

  5. Enter the Azure Tenant ID in the Value field and click Save.

  6. Configure any other settings as needed.

Step 2 – Add an app role to an Azure application

  1. Navigate to the Resource Admin application portal for your environment.

  2. Select Applications from the dropdown menu and search for the application you want to assign an Azure AD role.

  3. Click the Friendly Name link for the application.

     

  4. Select Azure Application Roles on the application menu, expand Actions, and then click Create Azure Application Role.

     
    This initiates the Create Azure App App Role workflow with the selected application as the target and directs you to the App Role Details form.

     

  5. Fill in the form fields with the appropriate information for your app role.

  6. Click Next.

  7. Review the summary information and then click Submit.

Step 3 – Verify the application role in Azure

  1. In Azure, navigate to Azure AD > App registrations.

  2. Select All applications and search for the target application.

  3. Click the Display Name link for the application.

     

  4. Under Manage, click App Roles.

    You should see the app role you created for the application.

 

Inventoried App Roles are stored as records in the AzGlobalRight table of the EmpowerID Identity Warehouse. You can view these in the Web on the Find Universal PBAC page. To do so, expand Role Management and click Universal PBAC. Once on the page, select the Global Right tab and search for the App Role. You should see the role in the grid as shown in the below image.