Azure Active Directory same app roles in two sites

Pako Porras 81 Reputation points


I have the following scenario. A web site and an API. I need to have communication between both sites.
I login in the web site against azure active directory using OpenIDConnect and I can communite with the API using a JWT token.
Now I want to protect my sites using appRoles. I can do that definig the appRoles in the manifest of both apps and then adding users to these roles in both app registrations. When I login in the web site I can see the roles in User.Identity.Claims. And If I retrieve the JWT token of the API I can see also the appRoles defined in the API app registration.
My problem is that I need to add the users and define the appRoles in both sites. I want to use the same users and roles in both sites, so It's a problem if I have a lot of users and roles. If I want to remove a user from the web siite I need to do the same change in the api site.

So my question is how can I use the same appRoles in both applications and only define appRoles and add users in one place. I can't use Groups, only appRoles.

I don't know if it's possible to define appRoles and users for each role only in the API app registrartion and themn retrieve this appRoles in the web site after a user login (so the User.Identity.Claims will be populate with the same appRoles that I can see in the JWT token)

The goal is to use in my web site [Autorize (Roles="Admin")] in the controllers and also use [Autorize (Roles="Admin")] in the API methods, but the appRole Admin and role's users are only defined in the API app registration.

Which approach is the best to get this goal?

Thanks in advance

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,913 questions
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 24,486 Reputation points Microsoft Employee

    Application Roles are specific to the application they are designed for. You define them as part of app registration manifest and then assign the roles to users/groups specifically for this app.

    So you can't really use application roles across different applications. Your options are to use users or groups.

    This post highlights the options pretty well:

    If you would like to request this as a feature you can do this in User Voice, but right now this is by design.

    0 comments No comments

0 additional answers

Sort by: Most helpful