Blazor Server App with Entra ID - Role Claims Not Available in User Principal

Question

Blazor Server App with Entra ID - Role Claims Not Available in User Principal

Ben Wilson 25

My Blazor Server app uses the Microsoft.Identity.Web framework with Entra ID (Azure AD) as the authentication provider. Authentication works correctly, but user role claims are not present in the authenticated user principal. As a result, any authorization policy that requires a user role denies access to all users.

I have already:

Defined app roles in the App Registration
Assigned users and groups to those roles
Waited over 24 hours for Azure AD propagation

I have also added a page that displays all claims of the signed-in user, and the user's role claims are not present.

What else should I check to ensure that role claims are included in the tokens and available to my application?

Thank you.

Ben Wilson 25

Below is my code in Program.cs related to Authentication.

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
            .AddInMemoryTokenCaches();

Below is the AzureAd section in appsetting.json

"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "example.com",
"TenantId": "*****",
"ClientId": "*****",
"CallbackPath": "/signin-oidc",
"ClientSecret": "*****"
},

Please advise. Also, I used similar codes in an Razor pages web app. When using Microsoft Entra, is the code significantly different between an Razor pages app and a Blazor server app?

Thank you.