Hi moiz,
You're hitting Azure AD's application assignment requirements. The system is basically asking "is this user actually allowed to use this app?" before even letting them in.
What's happening is your app registration in the Azure portal has this setting enabled where users must be explicitly assigned. So even with valid credentials, Azure AD blocks them until an admin manually approves access. Go to your Azure portal and find your app registration. Navigate to the 'Enterprise application' blade for your app. Look for 'Properties' and then find the 'Assignment required?' setting. You want to set this to 'No'. This tells Azure AD that any user in your tenant can access the app without manual approval.
But wait... this might feel too open, right? You still want role-based control, just not that manual approval step.
The better approach is to keep assignment required set to 'Yes', but then pre-assign your users or groups. Go to 'Users and groups' in your enterprise application and add all the users or security groups that should have access. This way, Azure AD knows upfront who's allowed in, and your users won't see that pending request screen.
Now, for the role-based part within your Blazor app... In your Blazor components, you need to implement proper authorization checks. Since you're using Azure AD, the roles should be coming through as claims. Make sure your app is configured to map the roles claim properly.
In your Program.cs or Startup, ensure you have this configured:
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

// Sign the user in against Azure AD using the "AzureAd" section of configuration,
// and cache acquired tokens in memory.
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();

// Require a signed-in user for every page unless it opts out with [AllowAnonymous].
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});
```
Then in your blazor components, use the Authorize attribute to control access:
```razor
@attribute [Authorize(Roles = "Admin,Manager")]
```
For more granular control within pages, you can use the AuthorizeView component:
```razor
<AuthorizeView Roles="Admin">
    <Authorized>
        <p>You can only see this if you're an admin!</p>
    </Authorized>
    <NotAuthorized>
        <p>Sorry, you need admin rights for this section.</p>
    </NotAuthorized>
</AuthorizeView>
```
Check your app's authentication settings in the Azure app configuration. Make sure the redirect URIs are correct and the token configuration includes role claims. Sometimes the roles don't come through because the token isn't configured to include them.
You might need to update your app registration manifest to include "groupMembershipClaims": "SecurityGroup" or "ApplicationRole" depending on how you're managing roles.
This microsoft doc explains the user assignment requirements really well https://free.blessedness.top/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal.
The key is separating the Azure AD level access (who can enter the app) from your application level role checks (what they can do inside). Fix that assignment requirement first, then make sure your role claims are flowing through properly.
regards,
Alex
and "yes" if you would follow me at Q&A - personally, thx.
P.S. If my answer helped you, please accept my answer.
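As an added example (not part of Alex's answer or of any Microsoft sample), here is a complete Program.cs for a Blazor Server app that wires the two layers the answer separates: Azure AD sign-in with the "roles" claim mapped explicitly, and named authorization policies built on top of those roles. It also includes a small RoleClaimInspector helper for the "roles don't come through" case, so a diagnostics page can report what actually arrived in the token instead of guessing. The policy names, the "AzureAd" configuration section layout and the RoleClaimInspector/RoleClaimReport types are assumptions for this example.

```csharp
// Added example: Program.cs for a Blazor Server app signing in with Azure AD.
// Assumes the Microsoft.Identity.Web and Microsoft.Identity.Web.UI packages and an
// "AzureAd" section in appsettings.json (Instance, TenantId, ClientId, CallbackPath).
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Layer 1: who may enter the app. Azure AD decides this (assignment required +
// Users and groups); the app only validates the resulting token.
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();

// App roles assigned in the enterprise application arrive in the ID token as the
// "roles" claim. Microsoft.Identity.Web maps this already; stating it explicitly
// documents the dependency and survives a later change of defaults.
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.RoleClaimType = "roles";
});

// Layer 2: what a signed-in user may do inside the app.
builder.Services.AddAuthorization(options =>
{
    // Deny by default: every page needs an authenticated user unless [AllowAnonymous].
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // Named policies (assumed names) keep role strings out of individual components,
    // so a renamed app role is changed in one place.
    options.AddPolicy("RequireAdmin", p => p.RequireRole("Admin"));
    options.AddPolicy("RequireManagerOrAdmin", p => p.RequireRole("Admin", "Manager"));
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();
builder.Services.AddServerSideBlazor().AddMicrosoftIdentityConsentHandler();

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();

/// Diagnostic helper (assumed name): summarises which role-related claims are present
/// on the signed-in principal, so a troubleshooting page can show why an [Authorize]
/// check failed without exposing the raw token.
public static class RoleClaimInspector
{
    public static RoleClaimReport Inspect(ClaimsPrincipal user)
    {
        // App roles normally arrive under "roles"; ClaimTypes.Role covers older
        // claim-mapping setups that rename the claim to the long SOAP URI.
        var roles = user.FindAll("roles").Select(c => c.Value)
            .Concat(user.FindAll(ClaimTypes.Role).Select(c => c.Value))
            .Distinct()
            .ToList();

        return new RoleClaimReport(
            IsAuthenticated: user.Identity?.IsAuthenticated == true,
            Roles: roles,
            // "groups" is present only when groupMembershipClaims is set in the manifest.
            HasGroupClaims: user.HasClaim(c => c.Type == "groups"),
            // "_claim_names" signals group overage: too many groups to fit in the token,
            // so membership must be fetched from Microsoft Graph instead.
            HasGroupOverage: user.HasClaim(c => c.Type == "_claim_names"));
    }
}

public record RoleClaimReport(
    bool IsAuthenticated,
    IReadOnlyList<string> Roles,
    bool HasGroupClaims,
    bool HasGroupOverage);
```

In a component, inject AuthenticationStateProvider, await GetAuthenticationStateAsync(), and pass state.User to RoleClaimInspector.Inspect: an empty Roles list on an authenticated user points at the app registration (no app roles defined, or the user/group not assigned one), while HasGroupOverage being true explains why group-based checks pass for some users and fail for others.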