Question

LeandroTeles-7656 asked · JamesTran-MSFT edited · 3 votes

Azure AD B2C Application won't show up as an option to add role assignment. (Graph API)

I'm following this documentation:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga

And I found another question answered that I thought fit my case:
https://docs.microsoft.com/en-us/answers/questions/199433/can39t-add-role-assignments-to-azure-b2c-applicati.html

My problem is that the app that I registered will not appear as an option when I try to follow the "Enable user delete and password update" portion of the documentation.

I am also mindful of the notice "Please allow a few minutes for the permissions to fully propagate." But I've been at it for 2 hours now, so I don't think that is the problem.

Here is my App and its API permissions:

56358-image.png

And my B2C Tenant

56259-image.png


azure-ad-b2c

@LeandroTeles-7656
Thank you for pointing this out!

I followed the steps I posted, along with the ones in the documentation for adding the User Admin role to an application and wasn't able to. This leads me to believe something might've been changed on our end, so I've reached out to our engineering team regarding this issue and will update as soon as possible.

56952-approles.gif


If you have any other questions or would like to work with our support engineers on this issue, please let me know.
Thank you for your time and patience throughout this issue.


Also hitting this issue!


@FrankK-5855
Thank you for adding to this thread! I've reached out to our engineering team regarding this issue and will update as soon as possible.


Any update on this? This has become our blocker in our application.

JamesTran-MSFT answered · JamesTran-MSFT edited · 1 vote

@LeandroTeles-7656 and @arunmohan-8297,
Thank you both for the quick follow-up! I've created a short GIF that should help walk you through the steps.

@VarunCT-2281
I've reached out to our Product Group regarding your ask and provided them the details you mentioned:
- Is there any way to automate this process without Graph Explorer? (i.e. using an AzureAD app registration)


Alternate Solution:
Use the MS Graph API to assign the application's service principal the necessary role, if desired.

  1. Find the service principal id of the application. You can use GET /servicePrincipals to do this (Graph Explorer link).
    59205-getserviceprincipals.gif

  2. Find the role template id of the desired role. You can use GET /DirectoryRoles to list them. If you don't see the User Admin role, proceed to step 3.
    59247-getdirectoryrolesv2.gif



  3. Activate the desired role using POST /directoryRoles and the RoleTemplateID.

  4. Add the service principal as a "member" to the directory role using POST /directoryRoles/{ID}/members/$ref, where the body is

    {
      "@odata.id": "https://graph.microsoft.com/beta/servicePrincipals/<servicePrincipalId>"
    }
    59080-addrole.gif


  5. Check if your role was assigned correctly to your B2C app.
    59281-checkrole.gif



If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



@LeandroTeles-7656, @arunmohan-8297, and @VarunCT-2281
Hi all,
I just wanted to follow up and let you all know that I received an update from our engineering team letting me know that the issue should be resolved.

60371-addroleissueresolved.gif



If you have any other questions, please let me know.
Thank you all for your time and patience throughout this issue!


JamesTran-MSFT · It's working. Thank you.

RandallRivera-3360 answered · 2 votes

Any update on this? This has become our blocker in our application.


amanpreetsingh-msft answered · VarunCT-2281 edited · 0 votes

Hi All · Thank you for reaching out.

There seems to be an issue with the UI. I will report the issue to the product team and get it addressed.

However, as of now, you can follow the steps below and use PowerShell to add the application to the User Administrator role:

  1. Install the latest Azure AD PowerShell module.

  2. Run Connect-AzureAD -TenantId Your_B2CTenant.onmicrosoft.com and sign in with a Global Administrator account in that tenant.

  3. Run the Get-AzureADDirectoryRole cmdlet and copy the object id of the User Administrator role.

  4. Navigate to Azure AD > Enterprise Applications > Search the app and copy the object id of the app.

  5. Run Add-AzureADDirectoryRoleMember -ObjectId object_ID_copied_in_Step3 -RefObjectId object_ID_copied_in_Step4 cmdlet.

To verify, navigate to Azure AD B2C > Roles and Administrators > User Administrator. You should see the application present under this role.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


I'm using PowerShell 7.1.1 on Ubuntu. After installing the package, it is still showing "'Connect-AzureAD' is not recognized as the name of a cmdlet".

Please fix UI issue quickly

JamesTran-MSFT answered · JamesTran-MSFT edited · 0 votes

Hi All,
Thank you for adding to this thread and for your patience. I received a response from our product team and will post the alternate solution below while the portal experience is being investigated.


Alternate Solution:
Use the MS Graph API to assign the application's service principal the necessary role, if desired.

  1. Find the service principal id of the application. You can use GET /servicePrincipals to do this.

  2. Find the role template id of the desired role. You can use GET /DirectoryRoles to list them.

  3. Activate the desired role using POST /directoryRoles.

  4. Add the service principal as a "member" to the directory role using POST /directoryRoles/{ID}/members/$ref, where the body is

    {
      "@odata.id": "https://graph.microsoft.com/beta/servicePrincipals/<servicePrincipalId>"
    }


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

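The Graph workaround from the answer above, assembled into one runnable flow. This is an added example, not code from the thread or from Microsoft: the names graph_sender, member_ref_body, service_principal_id_for_app, assign_user_admin and fake_graph, and every sample id, are my own, constructed for illustration. The endpoints are the ones the answer lists (GET /servicePrincipals, GET and POST /directoryRoles, POST /directoryRoles/{id}/members/$ref) plus GET /directoryRoleTemplates for step 3, called on the v1.0 endpoint rather than beta (an assumption; the $ref body works on either). It accepts both "User Administrator" and "User Account Administrator" as the role's display name, since a comment further down notes that Graph's name differs from the portal's, it skips the $ref POST when the service principal is already a member, and it validates the @odata.id so it always carries the plural "servicePrincipals" segment rather than the singular one named in the BadRequest a commenter pasted. The in-memory fake tenant (two activated roles, User Administrator template not yet activated) lets the whole sequence run offline.

```python
import json
import re
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Graph may list the role as "User Account Administrator" while the portal shows
# "User Administrator", so accept either display name.
USER_ADMIN_NAMES = ("User Administrator", "User Account Administrator")


def graph_sender(access_token):
    """send(method, path, body) against Graph; the token's app must already hold
    the directory/role-management permissions named in the thread."""
    def send(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            GRAPH + urllib.parse.quote(path, safe="/?$=&'"), data=data, method=method,
            headers={"Authorization": "Bearer " + access_token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # the $ref POST answers 204 with no body
    return send


def member_ref_body(service_principal_id):
    """Body for POST /directoryRoles/{id}/members/$ref: plural 'servicePrincipals'
    segment, no stray characters, no unreplaced <servicePrincipalId> placeholder."""
    if not GUID_RE.fullmatch(service_principal_id):
        raise ValueError("service principal id must be a GUID: %r" % service_principal_id)
    return {"@odata.id": f"{GRAPH}/servicePrincipals/{service_principal_id}"}


def service_principal_id_for_app(send, app_id):
    """Step 1: resolve the application (client) id to its service principal object id."""
    hits = send("GET", f"/servicePrincipals?$filter=appId eq '{app_id}'").get("value", [])
    if len(hits) != 1:
        raise LookupError(f"expected one service principal for appId {app_id}, got {len(hits)}")
    return hits[0]["id"]


def find_by_name(items, names=USER_ADMIN_NAMES):
    """First role or role template whose displayName is an accepted name, else None."""
    return next((i for i in items if i.get("displayName") in names), None)


def assign_user_admin(send, service_principal_id):
    """Steps 2-5. Returns (directoryRoleId, added); added is False if already a member."""
    role = find_by_name(send("GET", "/directoryRoles")["value"])
    if role is None:  # step 3: the role has not been activated in this tenant yet
        template = find_by_name(send("GET", "/directoryRoleTemplates")["value"])
        if template is None:
            raise LookupError("no User Administrator role template in this tenant")
        role = send("POST", "/directoryRoles", {"roleTemplateId": template["id"]})
    members = send("GET", f"/directoryRoles/{role['id']}/members")["value"]
    if any(m.get("id") == service_principal_id for m in members):
        return role["id"], False
    send("POST", f"/directoryRoles/{role['id']}/members/$ref",
         member_ref_body(service_principal_id))
    return role["id"], True


# Constructed sample tenant (every id below is made up): only two roles activated, as
# one commenter observed, and the User Administrator template not yet activated.
SAMPLE_APP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_SP_ID = "22222222-2222-2222-2222-222222222222"


def fake_graph():
    """In-memory stand-in for Graph with the same send() contract, so the flow runs offline."""
    state = {"sps": [{"id": SAMPLE_SP_ID, "appId": SAMPLE_APP_ID}],
             "templates": [{"id": "33333333-3333-3333-3333-333333333333",
                            "displayName": "User Account Administrator"}],
             "roles": [{"id": "44444444-4444-4444-4444-444444444444", "displayName": "Directory Readers"},
                       {"id": "55555555-5555-5555-5555-555555555555", "displayName": "Global Administrator"}],
             "members": {}}

    def send(method, path, body=None):
        if method == "GET" and path.startswith("/servicePrincipals?$filter=appId eq '"):
            return {"value": [s for s in state["sps"] if s["appId"] == path.split("'")[1]]}
        if (method, path) == ("GET", "/directoryRoles"):
            return {"value": list(state["roles"])}
        if (method, path) == ("GET", "/directoryRoleTemplates"):
            return {"value": list(state["templates"])}
        if (method, path) == ("POST", "/directoryRoles"):  # activate a role from its template
            tmpl = next(t for t in state["templates"] if t["id"] == body["roleTemplateId"])
            role = {"id": "66666666-6666-6666-6666-666666666666",
                    "displayName": tmpl["displayName"], "roleTemplateId": tmpl["id"]}
            state["roles"].append(role)
            return role
        m = re.fullmatch(r"/directoryRoles/([^/]+)/members(/\$ref)?", path)
        if m and method == "GET":
            return {"value": list(state["members"].get(m.group(1), []))}
        if m and method == "POST":
            if "/servicePrincipals/" not in body["@odata.id"]:  # mirrors Graph's BadRequest
                raise ValueError("Resource not found for the segment")
            state["members"].setdefault(m.group(1), []).append(
                {"id": body["@odata.id"].rsplit("/", 1)[1]})
            return {}
        raise ValueError(f"unhandled request {method} {path}")
    return send


if __name__ == "__main__":
    send = fake_graph()  # swap for graph_sender("<access token>") against a real tenant
    print(assign_user_admin(send, service_principal_id_for_app(send, SAMPLE_APP_ID)))
```

Against a real tenant, replace fake_graph() with graph_sender(token), where the token comes from the app registration the documentation linked in the question describes; the send() contract is the only thing the two share, which is also what makes the flow testable without touching the directory.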

Did you test this answer?

For getting the directory role:

  1. Set the following delegated permissions on an application: RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All.

  2. Then created a bearer token based on the document https://docs.microsoft.com/en-us/graph/api/directoryrole-list?view=graph-rest-1.0&tabs=http.

  3. After that, called GET /DirectoryRoles.
    But I only get the two roles "Directory Readers" and "Global Administrator".
    The User Administrator role is not returned when calling this endpoint.


@VarunCT-2281
Thank you for the update!

When listing directory roles, please keep in mind that the MSGraph API display name for a user admin is "User Account Administrator", while the Azure Portal will display User Administrator. For more info.

58292-image.png


If you have any other questions, please let me know.
Thank you for pointing this out!


Could you please explain the process step by step?
How do you create the bearer token for GET /DirectoryRoles?
Are you trying this in the AD B2C portal or the normal portal?


I am also in the same boat here. I have tried these steps and am seeing the error below.

{
  "error": {
    "code": "BadRequest",
    "message": "Resource not found for the segment 'servicePrincipal'.",
    "innerError": {
      "date": "2021-01-20T05:30:45",
      "request-id": "5a28640d-a809-496c-9ba5-7fbcfe7abfa1",
      "client-request-id": "27a0f62b-3212-39e4-ff60-dd6669dd597d"
    }
  }
}


Is this issue fixed? How long will it take to complete the bug fix? Please answer. My production unit is pending due to this issue.


@arunmohan-8297
Thank you for adding to this thread!

The issue is still being investigated by our engineering team when it comes to assigning this role via the Azure Portal. However, as of right now, you can follow the steps I posted on this thread (https://docs.microsoft.com/answers/answers/236787/view.html) for the Graph API work around steps.


@LeandroTeles-7656
I just wanted to check in and see if you were able to resolve this issue using the Graph API workaround steps?


No. The issue is not resolved by the Graph API.


No. The workaround is not working for my case.
Reason:

My environment creation is automated with an application registered in Azure AD B2C. The only manual interaction is creating this application in Azure AD B2C and giving access to the application.
For deleting or editing the Azure AD B2C user profile, the app needs the User Administrator role. That part is pending due to this issue.

Please enable the option in the Azure portal. My product release is pending due to this bug.


Unfortunately my job has not afforded me the opportunity to revisit this issue yet. I expect to do so late next week. In the meantime, I'll have to take @arunmohan-8297 , @VarunCT-2281 and the rest of the community at their word.
