microsoft / DurableFunctionsMonitor

A monitoring/debugging UI tool for Azure Durable Functions


Can I use groups instead of roles?

justinmchase opened this issue · comments

My company has disabled the ability for anyone to add App Roles to users. This is not something I'm going to be able to change. However, they have a process where you can get into groups. The GUIDs for these Groups show up in the auth tokens created when the user authenticates with code flow with the App Registration.

Is there any way for me to configure this tool to look for a user's Groups instead of Roles?

Hi @justinmchase, I'm afraid that at the moment the only way to achieve that would be to clone this repo and then modify the token validation code here accordingly.
Then you can deploy your version from sources, just like you would deploy any other Azure Functions project.

But I would still recommend configuring an AppRoles-to-Groups mapping instead of using groups themselves. A user (especially in large companies) can easily be a member of dozens of groups, so the token might get pretty large. Also, it might not be a good idea to even expose the whole list of your groups via a token (remember, tokens are not encrypted). Those were the two most important reasons for introducing app roles, but there are many other reasons...
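The check the maintainer is referring to, as an added illustration (this is not DurableFunctionsMonitor's own token validation code): a stand-alone Python sketch of an app-role check beside the group-based fallback the question asks for, including the group "overage" case that is one reason groups are awkward in tokens. The claim names (`roles`, `groups`, `_claim_names`, `hasgroups`) are the ones Microsoft Entra ID emits; the role name, group object IDs, usernames and the Graph endpoint string are constructed sample data, and `peek_claims` deliberately skips signature checking only to show that the payload is readable by anyone holding the token.

```python
import base64
import json

# Illustrative, stand-alone example; not DurableFunctionsMonitor's own code.
# Claim names follow Microsoft Entra ID access tokens. All values below are
# constructed sample data; the app role name "DfMon.Admin" is hypothetical.


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an EMPTY signature from sample claims.
    Only used to show what a token carries; it would never pass validation."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature.

    This is the maintainer's point about tokens not being encrypted: anyone
    holding the token can read every group ID in it. Never base an
    authorization decision on this; validate signature, issuer, audience and
    expiry first (with a JWT library) and only then look at the claims.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(claims: dict, allowed_roles: set, allowed_groups: set) -> tuple:
    """Decide access from already-validated claims. Returns (allowed, reason).

    App roles are checked first; group object IDs are only a fallback. The
    group "overage" case (directory emitted a Graph pointer instead of the
    list) is denied explicitly rather than allowed or denied by accident.
    """
    if set(claims.get("roles", [])) & allowed_roles:
        return True, "role"

    if "groups" in claims:
        if set(claims["groups"]) & allowed_groups:
            return True, "group"
        return False, "no matching group"

    # Entra ID omits "groups" when the user is in too many groups and instead
    # emits "_claim_names"/"_claim_sources" (or "hasgroups" for implicit flow)
    # pointing at Microsoft Graph. Resolving membership would need a Graph
    # call, which this example does not make, so it denies explicitly.
    overage = "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups")
    if overage:
        return False, "group overage: groups must be resolved via Microsoft Graph"

    return False, "no roles or groups claim"


# Constructed sample claims, trimmed to what the checks use.
ROLE_CLAIMS = {
    "preferred_username": "alice@example.com",
    "roles": ["DfMon.Admin"],  # hypothetical app role name
}
GROUP_CLAIMS = {
    "preferred_username": "bob@example.com",
    "groups": [  # constructed group object IDs
        "6f1d2c3b-0000-4000-8000-000000000001",
        "6f1d2c3b-0000-4000-8000-000000000002",
    ],
}
OVERAGE_CLAIMS = {
    "preferred_username": "carol@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {  # constructed; shape mirrors the overage claim
        "src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/{id}/getMemberObjects"}
    },
}

ALLOWED_ROLES = {"DfMon.Admin"}
ALLOWED_GROUPS = {"6f1d2c3b-0000-4000-8000-000000000002"}

if __name__ == "__main__":
    for name, claims in [("role", ROLE_CLAIMS), ("group", GROUP_CLAIMS), ("overage", OVERAGE_CLAIMS)]:
        print(name, authorize(claims, ALLOWED_ROLES, ALLOWED_GROUPS))
    # Everything in the token is readable without the signing key:
    print(peek_claims(make_unsigned_token(GROUP_CLAIMS))["groups"])
```

Two things worth noticing when running it: the group list comes straight out of the base64 payload with no key involved, which is the exposure the maintainer warns about, and a user with many groups gets a token with no `groups` claim at all, so a groups-based check has to handle the overage case on the server (a Graph call with its own permissions) where an app-role check never does.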

I would also like to do that but our AD admins forbid it...

[Screenshot attached, 2022-03-30]

Would you be open to a Pull Request to enable it in main?

@justinmchase, can you see yourself in the list of owners of this Enterprise App (on the Owners tab)?
If not, can you check with someone who is an owner whether they can access this Add user/group button?
Or maybe they could add you as an owner there?

It was fairly tricky, but I managed to figure it out. I thought it was my company intentionally blocking it, but actually it was because I created the App Registration from another app registration, and it didn't automatically assign owners as I would have expected. That other app registration is able to modify the one in question, except it's unable to assign owners to the Enterprise Application (aka Service Principal). But you can create a secret, then use that to log in as the SP, and then assign owners to yourself. From there, the standard UI for manually defining and adding roles to users and groups works as expected.

I'm sort of multiple layers separated from the admins in my company, and it can be hard to ask questions like this sometimes, but I managed to figure it out. Thanks!