Azure App Service - Python web app (streamlit) - check if user has role

Deploying a Streamlit Python app as an Azure App Service (container). I have the user id, and want to be able to check if the user is assigned an app role, to enable an "admin only" feature on the front end.

Grateful for guidance on how to check app roles assigned to a user within Azure using a Python SDK. Thanks!



Solution 1:[1]

You can get the appRoleAssignments of a user via the navigation property when querying the Graph API:

https://graph.microsoft.com/v1.0/<tenantID>/users/<userObjectID>/appRoleAssignments

You can create assignments by making an HTTP POST to:

https://graph.windows.net/tenant-id/users/user-id/appRoleAssignments?api-version=1.6

The object that you need to send looks like below:

{
  "id": "id-of-role",
  "principalId": "objectId-of-user",
  "resourceId": "objectId-of-service-principal"
}

If your app does not have any roles, but you still want to assign a user, it seems you can just set the id to all zeros:

Where the resource does not declare any permissions, a default id (zero GUID) must be specified.

So something like:

{
  "id":"00000000-0000-0000-0000-000000000000",
  "resourceId": "a27d8321-3dc6-44a1-bf19-2546a9f2806e",
  "principalId": "c4f810b8-2ea1-4580-9595-30275a28c2a2"
}
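An added example, not part of the original answer: a Python check over the appRoleAssignments collection described above. It requires both the app's service-principal id and the role id to match, never treats the zero-GUID default assignment as a role, follows paging, and denies on error. It uses the documented v1.0 path `/users/{id}/appRoleAssignments` and the `appRoleId` field that Microsoft Graph returns; the `get_json` callable, the admin role GUID, the second service-principal id and the sample pages are constructed assumptions.

```python
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
ZERO_GUID = "00000000-0000-0000-0000-000000000000"  # default id: assigned, but no role

def iter_assignments(user_id: str, get_json: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every appRoleAssignment of the user, following @odata.nextLink paging."""
    url = f"{GRAPH}/users/{user_id}/appRoleAssignments"
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def user_has_role(user_id: str, resource_id: str, role_id: str,
                  get_json: Callable[[str], dict]) -> bool:
    """True only if the user holds role_id on this app's service principal."""
    if role_id.lower() == ZERO_GUID:
        raise ValueError("the zero GUID is the default assignment, not a role")
    try:
        for a in iter_assignments(user_id, get_json):
            # The list covers every app the user is assigned to, so match both ids.
            same_app = str(a.get("resourceId", "")).lower() == resource_id.lower()
            same_role = str(a.get("appRoleId", "")).lower() == role_id.lower()
            if same_app and same_role:
                return True
    except Exception:
        return False  # fail closed: a Graph error must not unlock the admin feature
    return False

# --- constructed sample data (user and app ids reuse the answer's sample values) ---
USER = "c4f810b8-2ea1-4580-9595-30275a28c2a2"
APP_SP = "a27d8321-3dc6-44a1-bf19-2546a9f2806e"      # this app's service principal
OTHER_SP = "99999999-aaaa-bbbb-cccc-000000000001"    # hypothetical unrelated app
ADMIN_ROLE = "1b2c3d4e-0000-4000-8000-aabbccddeeff"  # hypothetical admin role id
FIRST = f"{GRAPH}/users/{USER}/appRoleAssignments"
SAMPLE_PAGES = {
    FIRST: {"value": [
        {"appRoleId": ZERO_GUID, "resourceId": APP_SP, "principalId": USER},
        {"appRoleId": ADMIN_ROLE, "resourceId": OTHER_SP, "principalId": USER}],
        "@odata.nextLink": FIRST + "?$skiptoken=constructed"},
    FIRST + "?$skiptoken=constructed": {"value": [
        {"appRoleId": ADMIN_ROLE.upper(), "resourceId": APP_SP, "principalId": USER}]},
}

def fake_get_json(url: str) -> dict:
    """Offline stand-in for an authenticated GET against Graph."""
    return SAMPLE_PAGES[url]
```

In the deployed app, `get_json` would perform an authenticated GET against Graph with the app's token; token acquisition is not shown here.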

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 RajkumarMamidiChettu-MT