...

Open the Azure AD manifest file

Log into the Azure admin portal.

...

Click on the application in the list and open the Manifest blade to see the JSON manifest. You may edit this directly in the browser, or download the manifest file to your computer, edit the file locally, and then re-upload it with the modifications. It's up to you.

...

Create application roles in a manifest JSON file

The example below shows how to define two roles, jira-software-users and jira-administrators, in the JSON manifest.

...

The manifest appRoles section before modification:

Code Block
"appRoles": [],

And after adding the "jira-software-users" and "jira-administrators" application roles:

Code Block
"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "jira-software-users",
        "displayName": "jira-software-users",
        "id": "<NEW GENERATED UUID>",
        "isEnabled": true,
        "lang": null,
        "value": "jira-software-users"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "jira-administrators",
        "displayName": "jira-administrators",
        "id": "<NEW GENERATED UUID>",
        "isEnabled": true,
        "lang": null,
        "value": "jira-administrators"
    }
],

Note that the value field is the string Azure AD puts in the roles claim of the OIDC response, so it must not be null or empty: a role with no value can still be assigned, but it never shows up in the token, which makes it useless for group mapping. Each id must be a freshly generated GUID that is unique within the manifest. You may, of course, add as many appRoles as your permission model requires. If you later need to remove one, set its isEnabled to false and save the manifest first, since Azure AD will not delete a role that is still enabled.
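As an added example (not code from this page, from Kantega, or from Microsoft), the following Python script performs the manifest edit described above on a downloaded manifest file, generating a fresh GUID per role and applying the checks the portal would otherwise reject on upload: every id a valid GUID, ids and values unique, values non-empty. It also shows the two-step removal (disable, save, then delete) that Azure AD requires. The function names and the sample manifest are this example's own assumptions.

```python
import json
import uuid

# Added example, not the page's or Kantega's code. Assumes a manifest JSON
# exported from the Manifest blade whose "appRoles" array has the shape above.


def make_app_role(value, description=None, role_id=None):
    """Build one appRoles entry. `value` is what lands in the roles claim."""
    if not isinstance(value, str) or not value.strip():
        # A null/empty value never reaches the token, so the role would be useless.
        raise ValueError("appRole value must be a non-empty string")
    return {
        "allowedMemberTypes": ["User"],       # users and groups may hold the role
        "description": description or value,
        "displayName": value,
        "id": role_id or str(uuid.uuid4()),   # fresh GUID, unique in the manifest
        "isEnabled": True,
        "lang": None,
        "value": value,
    }


def validate_app_roles(roles):
    """Reject what the portal would reject: bad GUIDs, duplicate ids or values."""
    seen_ids, seen_values = set(), set()
    for role in roles:
        uuid.UUID(role["id"])                 # raises ValueError if not a GUID
        if role["id"] in seen_ids:
            raise ValueError(f"duplicate appRole id {role['id']}")
        if not role.get("value"):
            raise ValueError(f"appRole {role['id']} has no value")
        if role["value"] in seen_values:
            raise ValueError(f"duplicate appRole value {role['value']}")
        seen_ids.add(role["id"])
        seen_values.add(role["value"])
    return True


def add_app_roles(manifest, values):
    """Append a role for each value not already present, then validate."""
    roles = manifest.setdefault("appRoles", [])
    present = {r["value"] for r in roles}
    for value in values:
        if value not in present:
            roles.append(make_app_role(value))
            present.add(value)
    validate_app_roles(roles)
    return manifest


def remove_app_role(manifest, value):
    """Two-step removal: Azure AD refuses to delete a role while isEnabled is
    true, so the first call disables it (save that version), and the second
    call actually drops it (save again)."""
    roles = manifest.setdefault("appRoles", [])
    for role in roles:
        if role["value"] == value:
            if role["isEnabled"]:
                role["isEnabled"] = False
                return "disabled"
            roles.remove(role)
            return "removed"
    return "absent"


if __name__ == "__main__":
    # Constructed input: the empty appRoles array from the "before" state above.
    manifest = {"appRoles": []}
    add_app_roles(manifest, ["jira-software-users", "jira-administrators"])
    print(json.dumps(manifest, indent=4))
```

Run it against the real file by loading the downloaded manifest with json.load, passing the whole object to add_app_roles, and writing the result back before re-uploading it in the Manifest blade.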

Mapping application roles to group memberships

Once the manifest has been saved, the application roles exist but nobody holds them yet. You must then assign them to users and/or groups in Azure AD; note that assigning a role to a group (rather than to individual users) requires an Azure AD Premium licence.

...


Azure AD should now include a roles claim whenever an assigned user logs in, though it sometimes takes a few minutes for manifest and claims changes to propagate.

Setting up managed groups in Kantega SSO

Now enable managed groups in Kantega SSO if this isn't already done, then run a new OIDC login test. The OIDC response should now contain the application roles that map to the user's groups, and the test page should recognize the roles claim and display it in the attribute list. If the claim is missing, check that the test user (or one of their groups) actually holds a role: Azure AD omits the roles claim entirely for users with no assignment.
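To check the login test result from outside Kantega SSO, and to see what the "roles" group parameter configured in the next step actually consumes, here is an added Python example (not Kantega's code) that decodes an ID token's payload and turns the roles claim into a set of group names. It deliberately does not verify the token signature, so it is a diagnostic for inspecting what Azure AD sent, never something to base an authorization decision on. The sample token, its claims and the helper names are constructed for this example.

```python
import base64
import json

# Added example, not Kantega's code. Decodes claims for inspection only: no
# signature, issuer or audience verification is performed here.


def b64url_decode(segment):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(id_token):
    """Return the claims of a compact JWS without verification (diagnostic only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def roles_to_groups(claims, group_parameter="roles"):
    """Turn the claim named by the group parameter into a set of group names."""
    value = claims.get(group_parameter)
    if value is None:
        return set()          # no app role assigned: Azure AD omits the claim
    if isinstance(value, str):
        value = [value]       # tolerate a bare string; Azure AD sends an array
    return {v for v in value if isinstance(v, str) and v}


def groups_from_id_token(id_token, group_parameter="roles"):
    return roles_to_groups(decode_jwt_payload(id_token), group_parameter)


# Constructed sample standing in for the ID token returned after the roles
# above were assigned. The signature segment is a placeholder, not a real one.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "preferred_username": "alice@example.com",
    "roles": ["jira-software-users", "jira-administrators"],
}
SAMPLE_ID_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url_encode(b"not-a-real-signature"),
])


if __name__ == "__main__":
    print(sorted(groups_from_id_token(SAMPLE_ID_TOKEN)))
```

Paste the id_token from a real login test into groups_from_id_token to confirm the values you defined in the manifest come through unchanged; an empty set means the user has no role assigned or the propagation delay has not passed yet.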

...

Finally, to have the roles claim used as the group parameter, navigate to the “Group memberships” page and add “roles” as the group parameter, as shown below. On this page you can also configure how the groups are used during login. Read more about this here: Group claims from identity provider (legacy, pre-5.3).

...