I’m working on a project using Azure’s App Registrations for User impersonation. The App Registration has App Roles for access control. Thus, the application checks these roles for deciding if a given user can or can’t do something. Besides, App Roles are used for email routing; i.e., when the application must send emails, it will collect all the users assigned to a given role.
There are 2 environments running this application in Azure. Configurations are completely separated and they run exactly the same version. One environment is for testing, and the other one for development. It means that there are 2 App Registrations, and both of them have the required App Roles. I have also created shared mailboxes and assigned their corresponding users to the roles listed below.
I can say I have configured something like this:
1) App Registration Dev
   1.1) App Role 1 – Dev (user SharedMailbox1 has this App Role assigned)
   1.2) App Role 2 – Dev (user SharedMailbox2 has this App Role assigned)
2) App Registration Test
   2.1) App Role 1 – Test (user SharedMailbox1 has this App Role assigned)
   2.2) App Role 2 – Test (user SharedMailbox2 has this App Role assigned)
According to the description above, SharedMailbox1 is expected to receive emails from both environments, whenever mails must be sent to members of App Roles “App Role 1 – Dev” and “App Role 1 – Test”. Something similar happens to user SharedMailbox2. Shared mailboxes’ users are not the only members of such roles.
For some reason, when the application instance running in Test must get the full list of members of App Role “App Role 1 – Test”, the list doesn’t include the user SharedMailbox1. However, when the application instance running in Dev does the same, the user SharedMailbox1 is included in the list of members of App Role “App Role 1 – Dev”. When I use the Graph API to check both member lists, the users do belong to the App Roles.
Other users (regular Microsoft Entra ID users, not Shared mailboxes) assigned to roles “App Role 1 – Dev” or “App Role 1 – Test” are always returned.
Is there something at App Registration’s level or Shared mailbox’s level that I could check?
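A diagnostic for the situation described above, added here as an example and not part of the original post: take the role definitions and the assignment records that Graph returns from the environment's service principal (the appRoles array and GET /servicePrincipals/{id}/appRoleAssignedTo) and diff them against what the application's own routing code returned per role. No Graph call is made; the role definitions, assignment records and the application's observed output are constructed sample data with made-up ids.

```python
from typing import Dict, List, Tuple

# Constructed sample data (made-up ids), shaped like the Graph responses:
#  - app_roles: the appRoles array of the environment's service principal
#  - assignments: records from GET /servicePrincipals/{id}/appRoleAssignedTo
TEST_APP_ROLES = [
    {"id": "b0000000-0000-0000-0000-000000000001", "displayName": "App Role 1 – Test"},
    {"id": "b0000000-0000-0000-0000-000000000002", "displayName": "App Role 2 – Test"},
]
TEST_ASSIGNMENTS = [
    {"appRoleId": "b0000000-0000-0000-0000-000000000001", "principalId": "u-shared1",
     "principalType": "User", "principalDisplayName": "SharedMailbox1"},
    {"appRoleId": "b0000000-0000-0000-0000-000000000001", "principalId": "u-alice",
     "principalType": "User", "principalDisplayName": "Alice"},
    {"appRoleId": "b0000000-0000-0000-0000-000000000002", "principalId": "u-shared2",
     "principalType": "User", "principalDisplayName": "SharedMailbox2"},
]
# What the application instance's own routing code reported per role (constructed).
TEST_APP_OBSERVED = {"App Role 1 – Test": {"u-alice"}, "App Role 2 – Test": {"u-shared2"}}

Member = Tuple[str, str, str]  # (principalId, principalType, principalDisplayName)

def graph_members(app_roles: List[dict], assignments: List[dict]) -> Dict[str, List[Member]]:
    """Group appRoleAssignedTo records by role displayName, as Graph sees them."""
    name_of = {r["id"]: r["displayName"] for r in app_roles}
    members: Dict[str, List[Member]] = {n: [] for n in name_of.values()}
    for a in assignments:
        role = name_of.get(a["appRoleId"])
        if role is None:
            continue  # assignment to a role id no longer defined on the app
        members[role].append((a["principalId"], a["principalType"], a["principalDisplayName"]))
    return members

def find_missing(graph: Dict[str, List[Member]], observed: Dict[str, set]) -> Dict[str, List[Member]]:
    """Principals Graph lists in a role that the application did not return.
    Non-User principals (Group, ServicePrincipal) are reported too: an app that
    only collects User assignments silently skips their members."""
    missing: Dict[str, List[Member]] = {}
    for role, members in graph.items():
        seen = observed.get(role, set())
        gap = [m for m in members if m[0] not in seen]
        if gap:
            missing[role] = gap
    return missing

if __name__ == "__main__":
    for role, gap in find_missing(graph_members(TEST_APP_ROLES, TEST_ASSIGNMENTS), TEST_APP_OBSERVED).items():
        for pid, ptype, name in gap:
            print(f"{role}: {name} ({ptype}, {pid}) assigned in Graph but not returned by the app")
```

Running the same comparison against the Dev environment's data shows whether the gap is specific to one App Registration or to how the application enumerates principals.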