
Add App Roles

As a Microsoft Entra application owner, you can define custom app roles to control what users or applications can do within your app. EmpowerID writes the defined roles to Entra ID, making them available for assignment and use in token claims.

Steps to Add App Roles

  1. Log in to Resource Admin.
  2. In the Resource Type menu, select Applications.
  3. Search for and select the Microsoft Entra application you want to update.
  4. Click the Details button for the application.
    This opens the application Overview page.
  5. In the left application menu, click App Rights.
  6. Click the Create App Right button.
    The Create Microsoft Entra Application App Role form opens.
  7. Fill in the fields on the form to define your app role:
    • App Role Name – Enter the display name for the role (e.g., Report Creator)
    • Allowed Member Types – Choose one of the following:
      • Users/Groups – Assignable to user or group principals
      • Applications – Assignable to client apps (e.g., service-to-service)
      • Both – Available to both user/group and application principals
    • Value – Enter the unique identifier that will appear in the roles claim of access tokens (e.g., Report.Create)
      Note: This value must be unique across all app roles within the application and is used for access control logic in your application.
    • Description – Provide a description of the role for internal documentation or display
    • Display Name – Optional. Used in some UI listings. If left blank, App Role Name is used.
    • Is Enabled – Leave checked to make the role available for assignment immediately
  8. Select the EmpowerID location for RBAC delegation. If a default location is preselected and you wish to change it:

    • Click the × icon to clear the default
    • Click Select a Location
    • Browse or search for the location you want
    • Click the desired location to select it

    If no location is preselected, simply click Select a Location to begin.

  9. Specify how EmpowerID should fulfill access requests for this role:

    • Fulfill via Group – Select an EmpowerID group whose membership will drive app role assignment. When enabled, members of the selected group are automatically assigned the role.

    Tip: Use group fulfillment to simplify ongoing app role management via dynamic or delegated group membership.

  10. Click Next to review your input.
  11. On the Summary screen, confirm your configuration.
  12. Click Submit to create the app role in Microsoft Entra ID.

What Happens Next

  • EmpowerID creates the app role in Microsoft Entra ID.
  • If fulfill via group is configured, EmpowerID ensures role assignments stay in sync with group membership.
  • The role is now available for use in token-based access control or within applications.
Note: All changes are logged in the EmpowerID audit trail for auditing and compliance.
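
The Value field described above (for example, Report.Create) is what the application receives in the roles claim and must check before granting access. The following Python code is an added example, not EmpowerID or Microsoft code: it flags duplicate role values and enforces a role with deny-by-default handling of a missing or malformed claim. It assumes the token's signature, issuer, audience and expiry were already validated; the function names and sample data are hypothetical and constructed for illustration.

```python
# Added example: enforcing an Entra app role from the "roles" claim.
# Assumption: `claims` is the decoded payload of an access token whose
# signature, issuer, audience and expiry a JWT library already validated.

REPORT_CREATE = "Report.Create"  # the Value entered on the app role form


def duplicate_role_values(app_roles):
    """Return role values used by more than one app role definition."""
    seen, dupes = set(), set()
    for role in app_roles:
        value = role["value"]
        (dupes if value in seen else seen).add(value)
    return sorted(dupes)


def token_roles(claims):
    """Extract the roles claim as a set; anything malformed yields no roles."""
    roles = claims.get("roles")
    if not isinstance(roles, list):
        # Missing claim or a bare string: deny. A naive `x in "Report.CreateAll"`
        # on a string would substring-match and wrongly grant access.
        return set()
    return {r for r in roles if isinstance(r, str)}


def has_app_role(claims, required):
    """Exact, case-sensitive match of the required value against the token."""
    return required in token_roles(claims)


# Constructed sample data (not real tokens or real role definitions).
SAMPLE_APP_ROLES = [
    {"displayName": "Report Creator", "value": "Report.Create",
     "allowedMemberTypes": ["User"], "isEnabled": True},
    {"displayName": "Report Author", "value": "Report.Create",
     "allowedMemberTypes": ["Application"], "isEnabled": True},
]
SAMPLE_CLAIMS_ALLOWED = {"sub": "constructed-user", "roles": ["Report.Create"]}
SAMPLE_CLAIMS_NO_ROLES = {"sub": "constructed-user"}
SAMPLE_CLAIMS_STRING = {"sub": "constructed-user", "roles": "Report.CreateAll"}

if __name__ == "__main__":
    print("duplicate values:", duplicate_role_values(SAMPLE_APP_ROLES))
    for c in (SAMPLE_CLAIMS_ALLOWED, SAMPLE_CLAIMS_NO_ROLES, SAMPLE_CLAIMS_STRING):
        print(c.get("roles"), "->", has_app_role(c, REPORT_CREATE))
```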