![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 96%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
882 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Hi @Chaya ,
Thanks for reaching out.
I understand you are trying to secure your API with Node.js and Angular login but not able to get the roles in the token to authorize your API.
When you create a web API, you can define custom scopes to restrict access to data and functionality protected by the API. These scopes are used to protect your API endpoints and to ensure that only authorized clients can access them**.**
You can achieve this either using scopes or app roles.
Scope can be created for delegated permissions to access the parts of this API which can request that a user or admin consent to one or more of these scopes.
If you are looking to create application-only scopes, you should use 'App roles' and define app roles assignable to application type**.**
In this scenario where you are trying to call node.js API from single page application (SPA), you would require adding the scope and Expose and API.
You need to expose the API to the client app in Microsoft Entra ID.
1.Expose the API to client apps by adding a scope (in case of delegated permissions).
2.Assign owner to the API which will allow users to own the application and expose themselves to other apps.
Assign permission to your single page application to your API and grant admin consent to the permissions.
You will get the access token with Test.Role scope which can be used as bearer token to authorize the API.
If the goal is to obtain a token for server-to-server authorization, you would need to include roles in the App roles for that scenario.
MSAL sample references - https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code?tabs=apptype
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.