If you just want to create an appRole on the service app and grant the appRole to the client app, then I think it’s easier to use Azure portal: https://stackoverflow.com/questions/68181260/setup-azure-client-credential-flow-with-spring/68190369#68190369
Is it possible to create appRoles (custom roles) for an app service that is using managed identity without creating a separate app registration?
I have an API running in App Service that uses managed identity to access resources such as storage services etc. We need to apply custom roles for the API to ensure endpoints are secured and can only be used by client apps with the roles allocated.
However, the only way to do this seems to be to create an app registration, which gives me another identity, meaning another object ID, client ID and secret etc., which I would rather not have.
I've tried to assign the appRoles to the servicePrincipal of the app service via the Microsoft Graph API (https://graph.microsoft.com/beta/servicePrincipals/{ObjectID}) but I keep getting a bad request error.
So I don't know if it's simply not allowed or I'm doing something wrong. Can someone help?
The request body payload for my MS Graph PATCH request is as follows (with a new unique GUID, of course):

    {
      "appRoles": [
        {
          "allowedMemberTypes": [
            "Application"
          ],
          "description": "somestuff",
          "displayName": "somestuff",
          "id": "*{MyNewUniqueGUID}*",
          "origin": "ServicePrincipal",
          "isEnabled": true,
          "value": "somevalue"
        }
      ]
    }
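Added example (not code from the question, nor from Microsoft): a small Python helper that builds an appRoles PATCH body of the shape shown above and checks it before it is sent. The checks encode two things that commonly produce a 400 from Graph: a new role whose `id` or `value` collides with an existing role, and `allowedMemberTypes` or `value` contents outside what the appRole resource accepts. The assumptions are labelled in the code: `origin` is treated as a read-only appRole field to strip from the body, and the PATCH is treated as replacing the whole appRoles collection, so existing roles are resent alongside the new one; both are drawn from the public Graph appRole/application documentation and should be checked against the current docs. Field and function names are the example's own.

```python
"""Build and sanity-check a Microsoft Graph appRoles PATCH body.

Added example; not code from the question. Field names follow the appRole
payload in the question. READ_ONLY_FIELDS and the "PATCH replaces the whole
collection" behaviour are assumptions taken from the public Graph docs.
"""
import json
import uuid

# Member types Graph accepts in allowedMemberTypes.
ALLOWED_MEMBER_TYPES = {"User", "Application"}
# Read-only appRole fields that must not be sent in a PATCH (assumption).
READ_ONLY_FIELDS = {"origin"}
REQUIRED_FIELDS = ("id", "displayName", "value", "description",
                   "allowedMemberTypes", "isEnabled")


def build_app_role(display_name, value, description,
                   allowed_member_types=("Application",), role_id=None):
    """Return a new appRole dict; a fresh GUID is minted unless role_id is given."""
    member_types = list(allowed_member_types)
    bad = set(member_types) - ALLOWED_MEMBER_TYPES
    if bad:
        raise ValueError(f"unsupported allowedMemberTypes: {sorted(bad)}")
    # Graph rejects spaces in the roles-claim value and caps it at 120 chars.
    if not value or " " in value or len(value) > 120:
        raise ValueError("value must be 1-120 characters with no spaces")
    return {
        "id": str(uuid.UUID(role_id)) if role_id else str(uuid.uuid4()),
        "displayName": display_name,
        "description": description,
        "value": value,
        "allowedMemberTypes": member_types,
        "isEnabled": True,
    }


def check_no_collision(existing_roles, new_role):
    """Raise ValueError if new_role reuses an existing role id or value."""
    for role in existing_roles:
        if role.get("id") == new_role["id"]:
            raise ValueError(f"duplicate appRole id {new_role['id']}")
        if role.get("value") == new_role["value"]:
            raise ValueError(f"duplicate appRole value {new_role['value']}")


def build_patch_body(existing_roles, new_role):
    """Return the JSON-serialisable PATCH body for the appRoles property.

    Collection properties are replaced wholesale by PATCH (assumption), so
    the existing roles are resent with the new one, read-only fields stripped.
    """
    check_no_collision(existing_roles, new_role)
    roles = [
        {k: v for k, v in role.items() if k not in READ_ONLY_FIELDS}
        for role in list(existing_roles) + [new_role]
    ]
    for role in roles:
        missing = [f for f in REQUIRED_FIELDS if f not in role]
        if missing:
            raise ValueError(f"appRole {role.get('id')} missing {missing}")
    return {"appRoles": roles}


if __name__ == "__main__":
    # Constructed sample: one role already present on the target object.
    current = [{
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "Writer", "description": "Write access",
        "value": "Api.Write", "allowedMemberTypes": ["Application"],
        "isEnabled": True, "origin": "Application",
    }]
    new = build_app_role("Reader", "Api.Read", "Read-only access")
    print(json.dumps(build_patch_body(current, new), indent=2))
```

The body printed by the script is what you would send as the JSON payload of the PATCH; the script deliberately stops short of issuing the request so it can be run offline. Note that it only validates the payload shape; whether the target object accepts appRoles at all is decided by Graph, not by this helper.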