Service to Service authentication in Azure AD

Ever get confused trying to figure out how to do different kind of authentication flows correctly in Azure AD? I know I have.

It doesn’t help that Microsoft has added the so-called delegated permission rights for the AD apps. What this actually does I don’t know – because even if you tick it, all the apps in the AD will still have access to your service by default. If you want to limit access to a specific app, you have to do as follows.

Navigate to Enterprise applications in your AD settings. From there, head to your service application and select Yes on the "User assignment required" box. This will make the service require user assignment, so if you try to obtain a token now via your client, the service should return an error.

Next you need to edit your manifest json (service app) and add the following to your app roles array:

Finally, head to the client app, where you can find your newly created permission in the list to be added. After ticking it I also had to hit the Grant permissions button (note that you will need AD admin access to do this). I find this UX confusing and don’t really understand why this option has to be in a different menu than the regular app registrations settings.
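As an added example (not the post's own manifest snippet), here is what an appRoles entry of the kind described above looks like, together with the check the service itself should run on an incoming app-only token: the role id is a constructed placeholder GUID, the role value `Service.Call` and the audience `api://service` are assumptions, and signature validation of the token is assumed to have been done by a JWT library before these claims are inspected.

```python
import json

# Assumed appRoles entry for the service app's manifest. allowedMemberTypes
# "Application" makes it an application permission that a client app can be
# granted (and that an admin must consent to). The id is a constructed
# placeholder GUID; the value is what appears in the token's "roles" claim.
APP_ROLE = {
    "allowedMemberTypes": ["Application"],
    "description": "Allows the client app to call the service as itself",
    "displayName": "Service.Call",
    "id": "00000000-0000-0000-0000-000000000001",
    "isEnabled": True,
    "value": "Service.Call",
}


def manifest_app_roles_json(roles):
    """Render the appRoles array as it would appear in the manifest JSON."""
    return json.dumps({"appRoles": list(roles)}, indent=2)


def check_app_token(claims, expected_audience, required_role):
    """Authorize an app-only call from already signature-validated claims.

    Holding a valid token for the service is not enough on its own: unless
    user assignment is required, any app in the tenant can obtain one. The
    service must therefore also verify the audience and that the caller was
    actually granted the app role, which shows up in the "roles" claim.
    Returns (ok, reason).
    """
    if claims.get("aud") != expected_audience:
        return False, "token issued for a different audience"
    roles = claims.get("roles", [])
    if required_role not in roles:
        return False, "caller lacks app role %s" % required_role
    return True, "authorized"


if __name__ == "__main__":
    # Constructed claim sets standing in for decoded tokens.
    granted = {"aud": "api://service", "roles": ["Service.Call"]}
    not_granted = {"aud": "api://service"}
    print(manifest_app_roles_json([APP_ROLE]))
    print(check_app_token(granted, "api://service", "Service.Call"))
    print(check_app_token(not_granted, "api://service", "Service.Call"))
```

A token issued to an app that was never assigned the role carries no "roles" claim at all, which is exactly the case the second check rejects.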
