(First thing that I'll do) Compared the (Role Definitions) Manifest file with roles defined in web.config? (Each role should have unique GUID), Have you compared those? and off course User that have access to that Application have also role 'CommerceAdmins'

/K

<p>I don't have access to the Client Azure Portal but as I've said this is working fine the&nbsp;Episerver sit&nbsp;and I've get the claims coming during the authentication for the user so I know the WebEditors and WebAdmins roles are correctly returning as claims for the user.&nbsp; As for&nbsp;<span>CommerceAdmins the configuration is as above, this is a MappedRole&nbsp;and should be mapped to&nbsp;WebAdmins, Administrators roles so as the user is coming back with WebAdmins this should be working</span></p>

this can be verified by writing a small piece of code that can verify that what epi returns for principal.IsInRole('CommerceAdmin'), Quite recently I have faced similar kind of issue when user must have to be in "SpecialRole" mapped to WebAdmins, for me correct mapping of roles fixed that.

/K

Turns out I need to get the client to add the Administrators role in which hadn't been done, I thought as the config said WebAdmins were CommerceAdmins it would work without but I guess not. Thanks for the help anyhow