In this post we detail how to assign roles to enterprise applications in Azure B2C, issues with assigning via PowerShell and troubleshooting.
So this is just a super quick post to document an issue that stumped me recently. I had been asked to assign the Helpdesk Administrator role to a custom enterprise app in an Azure B2C environment. The steps I had been given to follow were from this blog post and got me most of the way there.
I had issues with using MSOL initially, but managed to get around that but every time I ran the Add-MsolRoleMember cmdlet I kept getting the same error:
Error adding Service Principal to Role: This role does not exist. Check the name and try again.
As always, the simplest solution is often the best and in this case that was true again! I was able to assign the role to the enterprise applications through the Azure B2C AAD GUI. The way I did it was to:
Open Azure Active Directory
Select Roles and administrators
Select the relevant admin role (e.g. Helpdesk Administrator)
Under Assignments > press + Add Assignments
Search for the name of the enterprise app you want to assign the role too > select it > press Add
That’s it, no need for PowerShell you can just assign the roles direct from Azure AD.
In this post we look at how to set up the admin consent workflow in Azure, which fixes an issue with the Samsung Email app requiring admin consent, giving users a way to request access to applications and allowing global admins the ability to grant tenant-wide consent.
I had an issue recently in my organisation where after a recent OS update, users began to report receiving a “need admin approval” message appear when attempting to access mail through the native Samsung email application.
So the first thing I checked out was the Enterprise application in Azure Active Directory just to do a once-over of the settings there. However, there was no Samsung Email app to be found!
Fail #1 – user consent settings
So after noticing there was no Samsung email app to check the configuration of, still in Enterprise applications I went to > Consent and permissions > User consent settings.
From here I changed the user consent for applications part to Allow user consent for apps from verified publishers, and also set the five permissions classed as low impact as recommended.
For me, this did not work.
I then spoke to Microsoft support who recommended configuring the admin consent workflow (preview), which gives end users a way to request access to applications that require admin consent.
Configure the admin consent workflow
There is full documentation from Microsoft here on how to configure the admin consent workflow, but I’ll include the steps I took to enable it below:
Navigate to Azure Active Directory. You need to be a global administrator to complete these steps
Open Enterprise applications > under Manage, select User settings
Under Admin consent requests (Preview), set Users can request admin consent to apps they are unable to consent to to Yes
Now you need to set the users who are to review the admin consent requests(these need to also have the global administrator, cloud application administrator, and application administrator roles)
Enable or disable email notifications to the reviewers when a request is made
Enable or disable reminder email notifications to the reviewers when a request is about to expire
Specify how long requests stay valid
Changes can take up to an hour to take effect – for me it took closer to 45 minutes. After this time, I tested the Samsung email app again and the message changed to requiring approval:
This then notifies the user that their request has been sent, and an email is sent to the request administrator(s). Then in Enterprise Applications, under Activity if you click on Admin consent requests (Preview) you will see Samsung Email listed, as well as being able to see who requested it on the Requested by tab.
From here, I just pressed Approve, which naturally approvedthe request,. Once approved, the request is cleared from the admin consent requests list.
Granting tenant-wide admin consent to an application
Microsoft documentation here talks about needing to grant admin consent for the applications to be available tenant-wide. It’s really easy to do as in my example, the Samsung Email app is now listed under Enterprise Applications, so all I needed to do was:
Go back to Enterprise applications
Select the Samsung Email application
Select Permissions and then click Grant admin consent
Agree with the permissions the application requires and grant consent