What are best practices for using Scopes v Azure AD Claims?

Siegfried Heintze 1,906 Reputation points
2023-07-10T17:59:15.3833333+00:00

Background:

I have this example working: https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c. I have enhanced the C# script in this example to enumerate all the claims and return them in a long concatenated string where I display them and I can see my custom extension attribute called "extension_Role", which, depending on the user, can have values like "crew-boss" and "worker", etc.

So now I am in the process of implementing additional functions for my CrewTaskManager Blazor Server front end, and some functions like GetAllWorkers and AssignTaskToWorker would only be allowed for a Crew Boss, but other functions like GetAllMyTasks would be allowed for Workers.

Question 1:

So what would constitute best practices here with regard to authorization v scopes?

Is there a problem with using the original Hello Scope for the above example (after renaming it I suppose) for all of these functions since I'm using multiple AD claims for authorization?

It seems to me like multiple scopes would be redundant with the extension attribute feature that I'm using to implement Authorization for a B2C application.

I'm thinking scopes would be more relevant for constraining which third-party applications can call my Azure Function.

Question 2:

to be continued!


Accepted answer
    Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2023-07-11T10:44:55.93+00:00

    Hi @Siegfried Heintze ,

    Thanks for reaching out.

    Best practices for authorization in Azure AD B2C would be to use claim-based authorization.

    This will allow you to control access to different parts of your application based on the user's claim, i.e. "crew-boss".

    Also, if a user is granted access to the scope, they will have access to all of the functions that are associated with that scope. This may not be desirable if you want to restrict access to certain functions based on the user's role.

    Using scopes for authorization can work, but it may not be the best approach. Scopes are typically used to control access to APIs, not to different parts of your application.

    Claim-based authorization would give you more granular control over which users have access to which functions.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.

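The split the answer describes, with a scope check deciding whether the calling application may reach the API at all and a claim check deciding which functions a given user may invoke, can be seen in the following added example. It is not code from the question, the answer, or the linked Microsoft sample. It uses only System.Security.Claims so it runs offline; the constructed principals stand in for a validated B2C token. The claim type "extension_Role" and the values "crew-boss" and "worker" come from the question; the scope claim type "scp" (the v2 access-token claim that carries space-separated scopes), the scope name "Tasks.ReadWrite", and the function-to-role table are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class TaskAuthorization
{
    const string RoleClaim = "extension_Role"; // custom B2C extension attribute named in the question
    const string ScopeClaim = "scp";           // assumed: v2 access-token claim with space-separated scopes

    // Scope gate: "is this client application allowed to call this API at all?"
    public static bool HasScope(ClaimsPrincipal user, string requiredScope)
    {
        var scp = user.FindFirst(ScopeClaim)?.Value ?? "";
        return scp.Split(' ', StringSplitOptions.RemoveEmptyEntries)
                  .Contains(requiredScope, StringComparer.Ordinal);
    }

    // Claims gate: "is this user allowed to perform this particular function?"
    public static bool HasRole(ClaimsPrincipal user, params string[] allowedRoles)
    {
        var role = user.FindFirst(RoleClaim)?.Value;
        return role != null && allowedRoles.Contains(role, StringComparer.Ordinal);
    }

    // Assumed per-function policy: one API scope for every function, plus the
    // roles that may invoke each function. Functions not listed here are denied.
    static readonly Dictionary<string, string[]> FunctionRoles = new()
    {
        ["GetAllWorkers"]      = new[] { "crew-boss" },
        ["AssignTaskToWorker"] = new[] { "crew-boss" },
        ["GetAllMyTasks"]      = new[] { "crew-boss", "worker" },
    };

    public static bool CanInvoke(ClaimsPrincipal user, string functionName)
    {
        // App-level check first: a token issued for some other scope never reaches the role check.
        if (!HasScope(user, "Tasks.ReadWrite")) return false;
        // User-level check: deny by default when the function has no policy entry.
        return FunctionRoles.TryGetValue(functionName, out var roles) && HasRole(user, roles);
    }

    // Constructed principal standing in for a validated B2C token; in a real
    // Azure Function the principal is produced by the token validation layer.
    public static ClaimsPrincipal MakeUser(string role, string scopes)
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(RoleClaim, role),
            new Claim(ScopeClaim, scopes),
        }, "constructed");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var boss    = MakeUser("crew-boss", "Tasks.ReadWrite");
        var worker  = MakeUser("worker",    "Tasks.ReadWrite");
        var noScope = MakeUser("crew-boss", "Hello"); // token issued for a different scope

        foreach (var (who, principal) in new[] { ("boss", boss), ("worker", worker), ("boss-wrong-scope", noScope) })
            foreach (var fn in FunctionRoles.Keys)
                Console.WriteLine($"{who,-18} {fn,-20} {(CanInvoke(principal, fn) ? "allow" : "deny")}");
    }
}
```

Run it with `dotnet run` in a console project and the table shows the two checks working together: the boss is allowed all three functions, the worker only GetAllMyTasks, and a boss whose token carries a different scope is denied everything. That is the layering the answer recommends: scopes bound which applications can call the API, while the extension attribute claim decides what each user may do once a call is accepted.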
