
API scopes and roles

bdiddy 171 Reputation points
2020-10-29T15:35:29.59+00:00

Hi,

When I register an application (web API) and expose the API (adding scopes), I see that we can add appRoles in the manifest.

Is there a way to associate roles and scopes? Like to say an Admin role has Read and Write scopes and the Employee role only has the Read scope on this API.

Or is this more the web API's responsibility, to keep those associations somewhere itself?

Thank you,

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator
2020-10-29T17:21:57.577+00:00

Hello @bdiddy. There's no way to associate or control both of them in Azure AD, but you can do it in your application. E.g.: if a user with the Employee role presents a token that contains Admin-only scopes, then you could deny authorization.

Let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

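The check the answer describes, as an added example that is not part of the original thread or of any Microsoft sample: a Python function that applies a role-to-allowed-scopes policy inside the API to the decoded claims of an Azure AD access token. `scp` and `roles` are the standard claim names; the role names, scope names and operation table are constructed for the example, and signature/issuer/audience/expiry validation is assumed to have been done already by the JWT middleware.

```python
# Added example (not from the original Q&A). Azure AD does not tie appRoles
# to scopes, so the API holds the policy and enforces it on each request.
# Assumes the token was already validated; only the decoded claims are used.
from dataclasses import dataclass

# Constructed policy matching the question: Admin may Read and Write,
# Employee may only Read.
ROLE_ALLOWED_SCOPES = {
    "Admin": {"Read", "Write"},
    "Employee": {"Read"},
}

# Constructed table of which scope each API operation requires.
OPERATION_SCOPE = {
    "GET /items": "Read",
    "POST /items": "Write",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def token_scopes(claims: dict) -> set[str]:
    # Delegated Azure AD tokens carry scopes in "scp" as a space-delimited string.
    return set(claims.get("scp", "").split())


def token_roles(claims: dict) -> set[str]:
    # Assigned appRoles arrive in the "roles" array claim (absent if none).
    roles = claims.get("roles", [])
    return set(roles) if isinstance(roles, list) else {roles}


def authorize(claims: dict, operation: str) -> Decision:
    required = OPERATION_SCOPE.get(operation)
    if required is None:
        return Decision(False, "unknown operation")
    scopes, roles = token_scopes(claims), token_roles(claims)
    if required not in scopes:
        return Decision(False, f"scope {required} not in token")
    # Scopes the caller's roles permit; no roles means nothing is permitted.
    permitted = set().union(*(ROLE_ALLOWED_SCOPES.get(r, set()) for r in roles))
    excess = scopes - permitted
    if excess:
        # Deny outright, as the answer suggests, instead of silently trimming.
        return Decision(False, f"roles {sorted(roles)} do not permit {sorted(excess)}")
    return Decision(True, "ok")
```

A token with no `roles` claim is denied for every operation, so a user who was never assigned an app role cannot exercise scopes that were consented for the client.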
