A cloud-based identity and access management service for securing user authentication and resource access
Hello @ritmo2k
It is possible to fully implement authorization using security groups and a custom policy handler, but there are certain trade-offs to take into account. * Security groups are ideal for fine-grained permissions that are in line with current access-management procedures and are subject to frequent changes.
- Nevertheless, a common mechanism to regulate which clients or service principals are initially permitted access to the API is provided via scopes (delegated) and app roles (application permissions).
- Scopes also facilitate consent and offer a more explicit authorization contract between the client and the API for future delegated user scenarios.
- Furthermore, your API may need to access Microsoft Graph to assess group membership for application identities because service principals do not consistently get group claims in tokens.
Hence, Use a hybrid approach
- To manage API access, define a few coarse-grained scopes/app roles (like Api.Access). For fine-grained authorization within the API, keep use security groups and custom authorization policies.
- This maintains future flexibility and standard Entra ID access controls while offering a scalable authorization solution.
Let me know if any further queries - feel free to reach out!
Hello @ritmo2k
If the resolution was helpful, kindly take a moment to click on
and click on Yes for was this answer helpful. And, if you have any further query do let us know.