How to Use App Roles in External Entra ID to Restrict Data Access per Customer Without Code?

Testa 571 Reputation points
2025-04-03T08:30:47.4766667+00:00

I’m trying to control data access in my application using External Entra ID and want to minimize the amount of custom code for authorization. I would like to know if App Roles can be used to restrict access to specific data based on the customer.

https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps

I understand that App Roles are used for role-based access control (RBAC) within an application.

Instead of implementing logic in the application code, I want to leverage built-in Entra ID features as much as possible.

My goal is to ensure that each customer can only see their own data.

Can App Roles help with this, or do I need to use other features like Groups, Custom Claims, or Conditional Access?

What is the best Entra ID-based approach to achieve this without manually filtering data in the backend?

Any guidance or best practices would be greatly appreciated!

Microsoft Entra ID
Accepted answer
Harshitha Eligeti 2,585 Reputation points Microsoft External Staff
2025-04-07T15:59:41.4933333+00:00

Hello @Testa
I understand that you're aiming to control data access in your application using External Entra ID, minimizing the need for custom authorization code. You're considering using App Roles to restrict access to specific data based on the customer and would like to know if this can help, or if other features like Groups, Custom Claims, or Conditional Access are necessary. Essentially, you're looking for the best Entra ID-based approach to ensure that each customer can only view their own data, without having to manually filter the data in the backend.

In this scenario, App Roles are typically used to assign roles at the application level for a user. However, for user-specific permissions, like filtering data based on a "customer_id," application permissions should be used. To implement such user-specific permissions, you may need to leverage additional features such as Groups or Custom Claims. For example, Groups can be used to manage user memberships tied to specific customer data, while Custom Claims can include unique identifiers in the token, allowing your application to filter data based on those identifiers.

For additional information, please refer to these documents:
https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview
https://learn.microsoft.com/en-us/entra/identity-platform/custom-rbac-for-developers#choose-an-approach

Do let us know if you have any further queries. We are happy to assist you further.
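The answer above separates two decisions: the App Role in the token's `roles` claim says whether the caller may use a feature at all, and a customer binding (a custom claim, or a group membership mapped to a customer) says which rows the caller may see. The backend still has to apply that binding as a filter; Entra ID issues the claims but does not know what a row is. The following is an added example, not code from the question, the answer or Microsoft, showing how a minimal API layer would combine both checks and fail closed when the binding is missing. The claim name `extension_customerId`, the app role value `Orders.Read`, the group object ids and the order rows are all constructed assumptions, and the claims dicts stand in for a token whose signature, issuer, audience and expiry have already been validated by the authentication middleware.

```python
"""Per-customer data scoping driven by Entra ID token claims (constructed example).

The claims dicts passed to these functions represent the payload of an access
token that the API's authentication middleware has ALREADY validated
(signature, issuer, audience, expiry). Claim names below are assumptions:
  "roles"               - the App Roles claim Entra ID emits for assigned app roles
  "extension_customerId" - a hypothetical custom claim carrying the customer id
  "groups"              - group object ids, mapped to customers by an app-side table
"""

# Constructed backend data: every row is tagged with the customer that owns it.
ORDERS = [
    {"id": 1, "customer_id": "cust-a", "total": 120.0},
    {"id": 2, "customer_id": "cust-b", "total": 80.0},
    {"id": 3, "customer_id": "cust-a", "total": 42.5},
]

# Hypothetical app-side mapping from Entra group object id to customer id
# (the "Groups" alternative the answer mentions). Ids are constructed.
GROUP_TO_CUSTOMER = {
    "11111111-1111-1111-1111-111111111111": "cust-a",
    "22222222-2222-2222-2222-222222222222": "cust-b",
}

CUSTOMER_CLAIM = "extension_customerId"  # assumed custom claim name
READ_ROLE = "Orders.Read"                # assumed App Role value


class AccessDenied(Exception):
    """Raised when the token does not authorize the requested read."""


def resolve_customer(claims: dict) -> str:
    """Return the single customer id the caller is bound to, or raise.

    Preference order: explicit custom claim first, then group membership.
    Fail closed when neither resolves to exactly one customer, so a token
    that carries an App Role but no customer binding cannot read any rows.
    """
    customer = claims.get(CUSTOMER_CLAIM)
    if customer:
        return customer
    mapped = {
        GROUP_TO_CUSTOMER[g]
        for g in claims.get("groups", [])
        if g in GROUP_TO_CUSTOMER
    }
    if len(mapped) == 1:
        return mapped.pop()
    raise AccessDenied("token is not bound to exactly one customer")


def list_orders(claims: dict) -> list:
    """Two independent checks: the App Role answers 'may this caller read
    orders at all?', the customer binding answers 'which rows?'.
    Both are required; neither substitutes for the other."""
    roles = set(claims.get("roles", []))
    if READ_ROLE not in roles:
        raise AccessDenied(f"missing app role {READ_ROLE}")
    customer = resolve_customer(claims)
    return [o for o in ORDERS if o["customer_id"] == customer]


if __name__ == "__main__":
    # Constructed token payloads for a quick demonstration.
    via_claim = {"roles": [READ_ROLE], CUSTOMER_CLAIM: "cust-a"}
    via_group = {"roles": [READ_ROLE],
                 "groups": ["22222222-2222-2222-2222-222222222222"]}
    role_only = {"roles": [READ_ROLE]}
    print("custom claim  ->", [o["id"] for o in list_orders(via_claim)])
    print("group mapping ->", [o["id"] for o in list_orders(via_group)])
    try:
        list_orders(role_only)
    except AccessDenied as exc:
        print("role only     -> denied:", exc)
```

The design point is that the App Role is deliberately not enough on its own: a caller assigned `Orders.Read` but lacking any customer binding is rejected rather than shown everything, which is the failure mode to guard against when authorization is moved into token claims.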

