MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

AppRole value should not contain spaces #22360

Open thomasdc opened 5 years ago

thomasdc commented 5 years ago

It took me a while to realize that adding an AppRole with a value containing spaces is NOT allowed. It will give you the following error when you try to save the Manifest: "Failed to update application .... Error details: One or more properties contains invalid values.".

Please document this.



MarileeTurscak-MSFT commented 5 years ago

@thomasdc Thanks for your feedback! We will investigate and update as appropriate.

jgmicallef commented 5 years ago

Can confirm this is correct, I get Error details: Request_BadRequest whenever the value has a space in it. Will this limitation get fixed in a future Azure release?

kalyankrishna1 commented 5 years ago

Changes pushed to PR - https://github.com/MicrosoftDocs/azure-docs-pr/pull/75185

tfosmark commented 5 years ago

@thomasdc The change has been submitted for publication and will be live on May 6. Thank you!

vsdotnetguy commented 2 years ago

@tfosmark Can this issue be reopened as the exact same issue is happening with AD B2C Applications where AppRole.Value contains spaces? It occurs whether editing the manifest manually or using MS Graph. Once I removed the space from the value, the MS Graph Application UpdateAsync worked without error.

MicrosoftGuyJFlo commented 2 years ago

@kalyankrishna1 can you provide any feedback on this issue?

antoineozenne commented 2 years ago

Same issue for me. Some applications use spaces in their role names (MongoDB Atlas for example). Therefore, we cannot take full advantage of the mapping with Azure. It's even more frustrating when using Terraform.

wpinegar commented 2 years ago

We can confirm that this problem still exists. We need a way to send role claims for Azure SAML apps with spaces in the role value. Some apps that we are using need spaces in the values in the role claims. Is there a supported method to accomplish this?

pkrumwiedePX commented 1 year ago

@kalyankrishna1 Is there any update to this ticket? This is still an issue where the role claims can't contain spaces.

wpinegar commented 1 year ago

The only fix we have found for this is to create the AD groups as mail enabled groups (limitation at our company), sync the groups with Azure and then set up the SAML role claim to use SAMAccountName as the role names. That works perfectly for roles that need embedded spaces. Nested groups aren't supported in this configuration. Nothing else works. I have no idea why the Azure team designed it this way.

Seems to be a known issue.

cilwerner commented 1 year ago

@kalyankrishna1, @wpinegar has this issue been addressed in another PR which can be linked?

chris-zenfolio commented 6 months ago

I am running into this same issue trying to set up New Relic to use App Roles for permissions. The workaround (as suggested by New Relic) is to use a user property like "Job Title" and map it to their property that defines the user type. However, this is not a viable workaround because that is specifically a user-centric solution. New Relic's user types (that I control the licensing with) are Basic User, Core User, or Full User. Because of the spaces, I cannot leverage the app roles. Suggestions to work around?

chris-zenfolio commented 6 months ago

Because of the specific New Relic user types, I was able to make 3 app roles with Name:Values of Basic User:Basic, Core User:Core, and Full User:Full. Then I used the following expression SingleAppRoleAssignment([appRoleAssignments]) to get the result I want. This function returned the name (not value) of the role. It only works if there is a single app role assigned. It's a kludgey workaround when compared to a direct assignment.

wpinegar commented 6 months ago

When we researched this a few years back, it appears that the almost universal fix was to set up the AD groups as OnPrem groups in Active Directory. Those groups can contain spaces and then you sync those groups with Azure. You can use the synced AD groups, which contain spaces, as Roles within the SAML claim.

That's what we are doing for any SAML claims where the roles need to contain spaces. Unfortunately you have to name the OnPrem groups exactly what the app expects the role name to be, but so far it's worked out fine.
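
The restriction reported in this thread can be checked before a manifest is saved or pushed through MS Graph or Terraform, so the generic "One or more properties contains invalid values" / Request_BadRequest error is traced to a specific role. The following is an added example, not code from any commenter or from Microsoft; the function name `roles_with_spaces` is hypothetical, the sample manifest is constructed, and it assumes the manifest JSON carries an `appRoles` array with `displayName` and `value` fields.

```python
import json

# Constructed sample: a fragment of an application manifest, reduced to the
# fields this check reads. The role names follow the New Relic user types
# mentioned in the thread; the last entry has a trailing space, which is
# easy to miss when reading the manifest by eye.
SAMPLE_MANIFEST = """
{
  "appRoles": [
    {"displayName": "Basic User", "value": "Basic",     "isEnabled": true},
    {"displayName": "Core User",  "value": "Core User", "isEnabled": true},
    {"displayName": "Full User",  "value": "Full",      "isEnabled": true},
    {"displayName": "Auditor",    "value": "Auditor ",  "isEnabled": false}
  ]
}
"""


def roles_with_spaces(manifest_text):
    """Return (index, displayName, value) for every appRole whose value
    contains a space character, in manifest order.

    displayName is not checked: per the thread, only the value is rejected.
    """
    manifest = json.loads(manifest_text)
    findings = []
    # "appRoles" may be missing or null in a manifest with no roles defined.
    for index, role in enumerate(manifest.get("appRoles") or []):
        value = role.get("value")
        if isinstance(value, str) and " " in value:
            findings.append((index, role.get("displayName"), value))
    return findings


if __name__ == "__main__":
    problems = roles_with_spaces(SAMPLE_MANIFEST)
    for index, name, value in problems:
        # repr() makes leading and trailing spaces visible in the report.
        print(f"appRoles[{index}] ({name}): value {value!r} contains a space")
    raise SystemExit(1 if problems else 0)
```

The non-zero exit status lets the check run as a gate in a deployment pipeline before the manifest update is attempted.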