Getting Application roles in JWT token for external users and Microsoft internal users after the Authentication


We are trying to implement Role-based Authentication for our multitenant application, which allows home-tenant users and external-tenant users as well.

The application is hosted on one tenant of the Azure platform. We have 2 roles for home-tenant users. The two roles are "Admin.Only" and "User.Only". For the external users we are assigning the role "External.Only".

Our front-end application is in Angular and the backend API is in .NET Core.

We are using the MSAL library for application authentication.

Currently we have assigned one role to a home-tenant user email id and assigned another role to an external user. We have invited the external user (added as a Guest User) and the external user accepted the invitation as well.

Now, if we log in with a home-tenant email id, we are getting the role in the JWT token. But we are not getting the role in the JWT for external users.

We have assigned the role to the user directly from the Enterprise application page. Also I have created an Azure group and added the external user (Guest user). But the role is not coming up in the JWT. I even tried with security groups too, but the role is not showing up in the JWT.

Can anyone help here to get the role in the JWT when an external user is logged in? So that we can validate the JWT token at the .NET Core API controller level to authorize their role and serve the API responses accordingly.

1 answer

Naveen Sharma On

I created an Azure AD security group and added a guest user like below:

(screenshot)

Added the group under Users and groups in the Enterprise application:

(screenshot)

Generated access token for the external user via Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
scope:api://xxx/.default
grant_type:authorization_code
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

(screenshot)

When I decoded the token, the application role is present for the external user:

(screenshot)
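As an added example (not part of the question or the answer above), this is the .NET Core API side of the setup: Azure AD emits app roles in the `roles` claim, so the API points ASP.NET Core's role lookup at that claim and gates endpoints on the three roles named in the question. It assumes Microsoft.Identity.Web with an `AzureAd` configuration section; the controller, route and policy names are hypothetical.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validates issuer, audience, signature and lifetime of the bearer token
// against the tenant/app registration in the "AzureAd" section (assumed).
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Azure AD carries app roles in the "roles" claim. Point the role lookup at it
// so [Authorize(Roles=...)], RequireRole() and User.IsInRole() all see them.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme,
    options => options.TokenValidationParameters.RoleClaimType = "roles");

// Policies built from the three app roles named in the question (policy names hypothetical).
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("HomeTenantAdmin", p => p.RequireRole("Admin.Only"));
    options.AddPolicy("AnyAppRole",
        p => p.RequireRole("Admin.Only", "User.Only", "External.Only"));
});
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();   // must come before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical controller showing the checks. A valid token with no "roles"
// claim (the guest's symptom in the question) gets 403, not a served response.
[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "AnyAppRole")]
    public IActionResult List() =>
        Ok(new { roles = User.FindAll("roles").Select(c => c.Value) });

    [HttpDelete("{id}")]
    [Authorize(Policy = "HomeTenantAdmin")]   // home-tenant admins only
    public IActionResult Delete(string id) => NoContent();
}
```

Decoding the guest's token at jwt.ms, as the answer does, is the quickest way to confirm the `roles` claim is actually present before debugging the API side.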