API scopes and roles

bdiddy 171 Reputation points
2020-10-29T15:35:29.59+00:00

Hi,

When I register an application (Web API) and expose the API (adding scopes), I see that we can add appRoles in the manifest.

Is there a way to associate roles and scopes? Like to say an Admin role has Read and Write scopes and the Employee role only has the Read scope on this API.

Or is it more the web API's responsibility to keep those associations somewhere?

Thank you,

Microsoft Entra ID

Accepted answer
  1. 2020-10-29T17:21:57.577+00:00

    Hello @bdiddy. There's no way to associate or control both of them in Azure AD, but you can do it in your application. E.g., if the token of a user with the Employee role contains Admin-only scopes, then you could deny authorization.

    Let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
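
One way to keep that association in the web API, as an added example that is not part of the original answer. The `ROLE_SCOPES` mapping and the function names are hypothetical, and the `scp` and `roles` claims are assumed to come from an access token whose signature, issuer, audience and expiry were already validated.

```python
# Added example: role-to-scope policy enforced by the web API itself.
# Assumes `claims` is the payload of an access token that your JWT library
# has already validated (signature, issuer, audience, expiry).

# Hypothetical policy from the question: Admin -> Read + Write, Employee -> Read.
ROLE_SCOPES = {
    "Admin": {"Read", "Write"},
    "Employee": {"Read"},
}


def granted_scopes(claims: dict) -> set:
    """Scopes in the delegated token's `scp` claim (space-separated string)."""
    scp = claims.get("scp", "")
    return set(scp.split()) if isinstance(scp, str) else set()


def role_allowed_scopes(claims: dict) -> set:
    """Union of scopes permitted by every known role in the `roles` claim."""
    roles = claims.get("roles") or []
    if isinstance(roles, str):  # tolerate a single role serialized as a string
        roles = [roles]
    allowed = set()
    for role in roles:
        allowed |= ROLE_SCOPES.get(role, set())  # unknown roles grant nothing
    return allowed


def authorize(claims: dict, required_scope: str) -> bool:
    """Allow only if the scope is in the token AND the user's role permits it."""
    return (required_scope in granted_scopes(claims)
            and required_scope in role_allowed_scopes(claims))


def has_excess_scopes(claims: dict) -> bool:
    """The answer's case: token carries scopes the user's roles do not cover."""
    return bool(granted_scopes(claims) - role_allowed_scopes(claims))


# Constructed sample payloads (not real tokens).
ADMIN = {"scp": "Read Write", "roles": ["Admin"]}
EMPLOYEE = {"scp": "Read Write", "roles": ["Employee"]}
NO_ROLE = {"scp": "Read"}
```

`authorize` checks a single operation, while `has_excess_scopes` lets the API reject the whole request when an Employee token carries Admin-only scopes, as the answer suggests.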
