I am using the Roles claim, which provides friendly strings, and have them appearing in the JWT I request from Azure. This works when I manually register the application in Azure. When I use Graph API, I find no significant differences between manually registered Applications in their manifest or ServicePrincipal properties. Also, in Azure they appear the same, even showing the checked boxes representing the roles on the Application's Configure tab. However, in JWTs returned for such an application the roles claim does not appear in the roles attribute. The only difference I can detect so far is that in Azure, a manually registered application that works has an "application role assignments" section on the Dashboard tab, whereas one added from Graph API does not. What does this difference tell me about the registered applications and how should I vary my Graph API implementation to account for it?
Thank you
Tom Schulte / Plex Systems