Entra ID Web API Authorization Model

ritmo2k 931 Reputation points
2026-06-18T21:42:45.54+00:00

I have an ASP.NET Core Web API that we host for use by other teams and services. I would appreciate guidance on how to design the permission model.

The long-term goal is to set up a public client and build tooling for users. We also plan to provision app registrations for automation that requires API access. The short-term focus is limited to app registrations.

We want to use security groups for fine-grained authorization because the API has too many permissions, and those permissions change too frequently, to manage effectively with scopes or app roles. Security groups also align well with the existing processes used to manage the data behind the API.

Given the pending interactive delegated permission model for the public client, and the non-interactive application permission model for service principals, am I missing anything by avoiding scopes and app roles entirely and relying only on a custom authorization policy handler in the Web API?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments No comments

Answer accepted by question author

Rukmini 43,260 Reputation points Microsoft External Staff Moderator
2026-06-19T00:22:25.64+00:00

Hello @ritmo2k

It is possible to fully implement authorization using security groups and a custom policy handler, but there are certain trade-offs to take into account. * Security groups are ideal for fine-grained permissions that are in line with current access-management procedures and are subject to frequent changes.

  • Nevertheless, a common mechanism to regulate which clients or service principals are initially permitted access to the API is provided via scopes (delegated) and app roles (application permissions).
  • Scopes also facilitate consent and offer a more explicit authorization contract between the client and the API for future delegated user scenarios.
  • Furthermore, your API may need to access Microsoft Graph to assess group membership for application identities because service principals do not consistently get group claims in tokens.

Hence, Use a hybrid approach

  • To manage API access, define a few coarse-grained scopes/app roles (like Api.Access). For fine-grained authorization within the API, keep use security groups and custom authorization policies.
  • This maintains future flexibility and standard Entra ID access controls while offering a scalable authorization solution.

Let me know if any further queries - feel free to reach out!

Hello @ritmo2k

If the resolution was helpful, kindly take a moment to click on 210246-screenshot-2021-12-10-121802.pngand click on Yes for was this answer helpful. And, if you have any further query do let us know.

Was this answer helpful?

1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.