Configure roles in Azure AD application
Written by Julian Colina
Updated over a week ago


When this guide is completed, app roles from your Azure AD application will be mapped to Haystack roles when new users sign in.


To follow this guide, you need to have SSO provided by Azure successfully configured.

Create new user

To follow the steps in this guide, your organization needs a member user that was created (not invited) in the organization. This user will be used to make changes to roles. If you don’t have one, this is how to create it (after finishing the guide you can delete this user):

  1. Go to the Azure portal (log in with Global Admin privileges for your organization): Microsoft Azure

  2. Select the Users icon

  3. Select the New user button (not New guest user)

  4. Enter the data for the user you are creating (remember the username and password; you will need them to log in in step two of the guide). The selected role has to be Global administrator. After entering the data, click the Create button.

Create admin role for application

Copy the application id

  1. Go to the Azure portal (we are still signed in with the same user, not the newly created one): Microsoft Azure

  2. In the left pane, select the Azure Active Directory icon

  3. Select Enterprise applications

  4. In the list of applications select the application where you configured SSO with Haystack

  5. On the left side, select the Properties button and copy the Object ID of the application:

  6. The copied Object ID will be used in the next chapter.

Create admin role

  1. Go to Microsoft Graph Explorer: Graph Explorer - Microsoft Graph

  2. Select the Sign in to Graph Explorer button on the left side of the page. It opens a new tab where you should sign in with the account created in the first part of the guide.

  3. When signed in, click the three dots next to your account name and click the Select permissions option:

  4. Click on the Directory option from the Permissions list and check Directory.AccessAsUser.All, Directory.Read.All and Directory.ReadWrite.All, then click Consent (this will sign you in again):

  5. Change the version to beta and fetch the list of service principals by using the following address (objectID is the Object ID of the application that we copied in the previous chapter):<objectID>

    If you are using multiple directories, use this pattern (add the domain of the user we created, placed before servicePrincipals):<objectID>

  6. Find “appRoles” in the API response; it contains two default roles, User and msiam_access:

  7. Take the “appRoles” data from the response and copy it to the Request body, modified so that it looks similar to the example below. The Admin role should be added after the msiam_access application role. The API address stays the same, but the method is changed from GET to PATCH. To generate the GUID value for the ID of the new role you can use this application (check Hyphens):

    The following JSON is an example of the appRoles object. Create a similar object to add the Admin role to your application:

    {
      "appRoles": [
        {
          "allowedMemberTypes": [ "User" ],
          "description": "User",
          "displayName": "User",
          "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f",
          "isEnabled": true,
          "origin": "Application",
          "value": null
        },
        {
          "allowedMemberTypes": [ "User" ],
          "description": "msiam_access",
          "displayName": "msiam_access",
          "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
          "isEnabled": true,
          "origin": "Application",
          "value": null
        },
        {
          "allowedMemberTypes": [ "User" ],
          "description": "Administrators Only",
          "displayName": "Admin",
          "id": "5c48908d-bdee-4bf4-b005-48a39b9bce75",
          "isEnabled": true,
          "origin": "ServicePrincipal",
          "value": "Administrator"
        }
      ]
    }

  8. In the end it should look similar to this. When everything is entered, click Run query. If the API call is successful, the response should be status code 204 No Content. After that, if you run a GET call with the same address, the “appRoles” data should contain the new Admin role.
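As an added worked example (not Haystack's or Microsoft's code), the following Python builds the PATCH body of steps 5 to 7 from the GET response: it appends the Admin role after the existing roles, generates a hyphenated GUID for it, and checks the result before you paste it into the Request body. SAMPLE_RESPONSE is constructed (the two default role ids are taken from the guide's example); the script goes beyond the guide in that it stays idempotent if the Admin role already exists and rejects duplicate ids or values.

```python
import uuid
# Constructed sample: the "appRoles" of a fresh service principal as returned by
# the GET in step 5 (role ids copied from the guide's example).
SAMPLE_RESPONSE = {"appRoles": [
    {"allowedMemberTypes": ["User"], "description": "User", "displayName": "User",
     "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f", "isEnabled": True,
     "origin": "Application", "value": None},
    {"allowedMemberTypes": ["User"], "description": "msiam_access",
     "displayName": "msiam_access", "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
     "isEnabled": True, "origin": "Application", "value": None}]}

def add_admin_role(app_roles, role_id=None):
    """Append the Admin role after the existing roles. If a role with value
    "Administrator" already exists, return the list unchanged (idempotent)."""
    if any(r.get("value") == "Administrator" for r in app_roles):
        return list(app_roles)
    admin = {"allowedMemberTypes": ["User"], "description": "Administrators Only",
             "displayName": "Admin",
             "id": role_id or str(uuid.uuid4()),  # hyphenated GUID, as required
             "isEnabled": True, "origin": "ServicePrincipal",
             "value": "Administrator"}
    return list(app_roles) + [admin]

def validate_app_roles(app_roles):
    """Return a list of problems (empty means sound): every id must be a
    hyphenated GUID, and ids and non-null values must be unique."""
    problems, ids, values = [], set(), set()
    for r in app_roles:
        rid = r.get("id") or ""
        try:
            if str(uuid.UUID(rid)) != rid.lower():
                problems.append(f"id not in hyphenated form: {rid}")
        except ValueError:
            problems.append(f"invalid GUID: {rid!r}")
        if rid in ids:
            problems.append(f"duplicate id: {rid}")
        ids.add(rid)
        if r.get("value") is not None:
            if r["value"] in values:
                problems.append(f"duplicate value: {r['value']}")
            values.add(r["value"])
    return problems

def build_patch_body(sp_response):
    """GET response (step 5) -> body for the PATCH in step 7; raises on bad roles."""
    body = {"appRoles": add_admin_role(sp_response.get("appRoles", []))}
    problems = validate_app_roles(body["appRoles"])
    if problems:
        raise ValueError("; ".join(problems))
    return body
```

Serialise the returned dict with `json.dumps(build_patch_body(response), indent=2)` and paste it into the Request body in Graph Explorer before running the PATCH.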

Add the user with the new role to the application

  1. Go to the Azure portal: Microsoft Azure

  2. In the left pane, select the Azure Active Directory icon

  3. Select Enterprise applications

  4. In the list of applications select the application where you configured SSO with Haystack

  5. Select the Users and Groups tab and then select the Add user/group button

  6. Click the None Selected button shown in the picture below

  7. Select the user from your organization that you want to add (select any invited user of your organization, not the user we created earlier in this guide) and click the Select button

  8. Click the None Selected button shown in the picture below

  9. On the right side there should be options for selecting the role. After selecting the role, click the Select button in the bottom right corner, then click Assign in the bottom left corner

  10. Select the Single sign-on option on the left side of the page, then click the Edit button in the Attributes & Claims section

  11. Click on the Add new claim button

  12. Enter the data as in the picture below (leave the Namespace field empty) and click Save:

  13. Congrats! After completing these steps, users who sign up on Haystack via SSO will get their roles from the Azure AD application.
