
Group Assignment missing step in 5-WebApp-AuthZ/5-2-Groups ?

Open esdccs1 opened this issue 3 years ago • 2 comments

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

  1. Web app that signs in users
    1. [ ] with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg
    2. [ ] with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg
    3. [ ] with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal
    4. [ ] with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign
    5. [ ] with B2C users 1-WebApp-OIDC/1-5-B2C
  2. Web app that calls Microsoft Graph
    1. [ ] Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph
    2. [ ] With specific token caches: 2-WebApp-graph-user/2-2-TokenCache
    3. [ ] Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph
  3. [ ] Web app calling several APIs 3-WebApp-multi-APIs
  4. [ ] Web app calling your own Web API
    1. [ ] with a work and school account in your organization: 4-WebApp-your-API/4-1-MyOrg
    2. [ ] with B2C users: 4-WebApp-your-API/4-2-B2C
    3. [ ] with any work and school account: 4-WebApp-your-API/4-3-AnyOrg
  5. Web app restricting users
    1. [ ] by Roles: 5-WebApp-AuthZ/5-1-Roles
    2. [x] by Groups: 5-WebApp-AuthZ/5-2-Groups
  6. [ ] Deployment to Azure
  7. [ ] Other (please describe)

Repro-ing the issue

Repro steps

Note: I have re-used the Application I have configured in 5-1 for 5-2

When Running 5-2 Webapps, I am trying to get past this step https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-2-Groups#steps-to-enable-this-option-in-your-app specifically

Select the Users and groups blade in the left to open the page where you can assign users and groups to your application.

Click on the Add user button on the top row.
Select User and Groups from the resultant screen.
Choose the groups that you want to assign to this application.
Click Select in the bottom to finish selecting the groups.
Click Assign to finish the group assignment process.
Your application will now receive these selected groups in the groups claim when a user signing in to your app is a member of one or more of these assigned groups.

I can't seem to be able to click "Assign" as it's expecting me to also assign the group some roles. (screenshot: GreyedOutAssignButton)

I can successfully get past this step if I assign the group UserReaders defined in tutorial 5-1...

Should 5-2 be defining roles for this specific group in this step? Or is some configuration getting in the way of clicking that greyed-out button?

In 5-1, specifically in this section https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles#define-your-app-roles, it had linked to these instructions for both users/groups, where it does mention explicitly assigning a role: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#assign-users-and-groups-to-roles

Thanks

Expected behavior

Be able to click assign following the steps

Actual behavior

Button is greyed out

Possible Solution

I should have strictly created a new application and not re-used the one from 5-1 with the pre-defined UserRead and DirectoryRead role scopes?


esdccs1 avatar Mar 23 '22 19:03 esdccs1
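As an added example (not part of the original issue or of the sample repository), here is the README step quoted above done with Microsoft Graph PowerShell instead of the portal, together with the check that the assignment landed and the groups-claim setting the 5-2 sample relies on. It assumes a fresh app registration with no app roles defined (the situation the README step describes); the application ID, the group name and the scopes requested are assumptions of this example, not values from the page.

```powershell
# Added example: assign a security group to the enterprise app (service principal) of the
# 5-2-Groups sample with Microsoft Graph PowerShell, then verify the assignment and make the
# app emit only assigned groups in the groups claim.
# Assumptions: Microsoft.Graph module installed; a fresh app registration with NO app roles
# declared; $appId and $groupName replaced with your own values.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Groups

$appId     = '00000000-0000-0000-0000-000000000000'  # placeholder: Application (client) ID of the registration
$groupName = 'WebApp-5-2-Allowed-Users'               # placeholder: security group to assign

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All'

# Assignments live on the enterprise app (service principal), not on the app registration.
$sp    = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $sp -or -not $group) { throw 'Service principal or group not found' }

# With no app roles declared, Graph accepts the all-zero "default" app role ID, which is what
# the portal's Assign button does silently in the README step. Once the registration declares
# app roles (as the 5-1 sample does), the portal asks for a concrete role from $sp.AppRoles
# instead, which is the greyed-out Assign button reported in this issue.
$defaultRoleId = '00000000-0000-0000-0000-000000000000'

$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Where-Object { $_.PrincipalId -eq $group.Id }
if (-not $existing) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $defaultRoleId | Out-Null
}

# Emit only groups assigned to this app in the groups claim, so a user's full group list
# (and the groups-overage case for users in many groups) does not end up in the token.
$app = Get-MgApplication -Filter "appId eq '$appId'"
Update-MgApplication -ApplicationId $app.Id -GroupMembershipClaims 'ApplicationGroup'

# Verify: list what is assigned, and print the object ID the app should compare the
# groups claim against in its authorization policy.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
"Groups claim should contain the object ID: $($group.Id)"
```

Run it once as a user who can administer the enterprise app; if the registration you target already declares app roles, the assignment needs a real role ID from `$sp.AppRoles`, which is exactly why the thread below recommends a separate registration for 5-2.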

You have also defined roles in the same app registration and that's conflicting with your assignment. We recommend you use a new app registration for this.

kalyankrishna1 avatar May 31 '22 18:05 kalyankrishna1

Ah, OK. I was not aware that by defining an App Role, it disabled the functionality of assigning a Group to the App with no Role assigned to it. Is this mentioned somewhere in the documentation?

esdccs1 avatar Jun 01 '22 12:06 esdccs1