Azure active directory same appRoles and users in two apps

Pako Porras 81 Reputation points


I have the following scenario. I have two apps registered in Azure, one is a web site and another an API. I can log in to the web site and I can make calls to the API using a JWT token.

Now I need to secure both apps. Both apps use the same roles and the same users. My first approach was to create appRoles in both manifests, and then add the users to each role in each app registration.

Everything is working fine and I can use [Authorize(Roles="Admin")] in the controllers of the web site and in the methods of the API.

But it's hard to maintain both appRoles and users in both applications. Each change in one app needs to be replicated in the other one. So my goal is to use only the appRoles and users of one of the app registrations.

Is that possible? Can I define, for example, appRoles and users in the API app registration and use them in the web site? How can I do that?

After the first login in the web site how can I update the user claims?
Now, if I define roles and users only on the API side, when I check User.Identity.Claims the roles aren't there, so I can't access a page decorated with [Authorize(Roles="Admin")]. If I retrieve a JWT token using the scope of the API I can see the roles inside the claims. How can I add the JWT token claims into User.Identity.Claims after login and then add them to each request inside the web site?

I can't use Azure groups, only appRoles.

My goal is to use the same roles and users in the web site and in the API but only define them in one place.

Is that possible? What is the best approach to do that?
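One way to do what the question asks, as an added example that is not part of the question or the answer and not Microsoft's own code: an ASP.NET Core IClaimsTransformation in the web site that acquires an access token for the API's scope through Microsoft.Identity.Web's ITokenAcquisition, reads the "roles" claim from that token, and adds it as a role identity on the current principal so that [Authorize(Roles="Admin")] in the web site honours the app roles assigned in the API's app registration. It assumes Microsoft.Identity.Web is configured with EnableTokenAcquisitionToCallDownstreamApi and a token cache; ApiScope and the "ApiAppRoles" label are placeholders.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Identity.Web;

// Copies the "roles" claim of an access token issued for the API into the web
// site's ClaimsPrincipal, so the web site can authorize against app roles that
// are defined and assigned only in the API's app registration.
public sealed class ApiRolesClaimsTransformation : IClaimsTransformation
{
    // Placeholder: the scope the API exposes, e.g. "api://<api-client-id>/access_as_user".
    private const string ApiScope = "api://<api-client-id>/access_as_user";

    // The Microsoft identity platform emits app roles in a "roles" claim.
    private const string RoleClaimType = "roles";

    // Label used to detect that this transformation already ran for the principal.
    private const string ApiRolesIdentityLabel = "ApiAppRoles";

    private readonly ITokenAcquisition _tokenAcquisition;

    public ApiRolesClaimsTransformation(ITokenAcquisition tokenAcquisition)
    {
        _tokenAcquisition = tokenAcquisition;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Invoked on every authenticated request: act only for signed-in users,
        // and only once per principal even if the pipeline calls us twice.
        if (principal.Identity?.IsAuthenticated != true) return principal;
        if (principal.Identities.Any(i => i.Label == ApiRolesIdentityLabel)) return principal;

        // The token is obtained by the app itself from the identity platform token
        // endpoint (served from Microsoft.Identity.Web's token cache after the first
        // call), not from user-controlled input, so its "roles" claim can be trusted
        // as the user's assignments in the API registration.
        string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { ApiScope });

        IReadOnlyList<string> roles = ExtractRoles(accessToken);
        if (roles.Count == 0) return principal;

        // A separate identity whose RoleClaimType is "roles": ClaimsPrincipal.IsInRole,
        // which [Authorize(Roles = ...)] relies on, checks every identity on the principal.
        var identity = new ClaimsIdentity(
            roles.Select(r => new Claim(RoleClaimType, r)),
            authenticationType: ApiRolesIdentityLabel,
            nameType: ClaimTypes.Name,
            roleType: RoleClaimType)
        {
            Label = ApiRolesIdentityLabel
        };

        principal.AddIdentity(identity);
        return principal;
    }

    // Reads the "roles" claim values out of a JWT. ReadJwtToken only parses; the
    // token is not re-validated here because it was issued to this app for the API
    // by the token endpoint, and the web site is not the token's audience.
    public static IReadOnlyList<string> ExtractRoles(string jwt)
    {
        JwtSecurityToken token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        return token.Claims
            .Where(c => c.Type == RoleClaimType)
            .Select(c => c.Value)
            .Distinct()
            .ToList();
    }
}

// Registration in Startup.ConfigureServices / Program.cs (assumed configuration):
//
//   services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
//       .EnableTokenAcquisitionToCallDownstreamApi(new[] { "api://<api-client-id>/access_as_user" })
//       .AddInMemoryTokenCaches();
//   services.AddTransient<IClaimsTransformation, ApiRolesClaimsTransformation>();
```

Two points to keep in mind with this approach: GetAccessTokenForUserAsync throws MicrosoftIdentityWebChallengeUserException when the user has not yet consented to the API scope or the cached token cannot be refreshed silently, so the web site should let that exception surface to the Microsoft.Identity.Web challenge handling rather than swallow it; and because the roles are copied on each request from the token cache, a change to the user's app-role assignment in the API registration only becomes visible in the web site once the cached access token expires and a new one is issued.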



1 answer

  1. Marilee Turscak-MSFT 22,281 Reputation points Microsoft Employee

    App roles are very specific to each app and aren't really intended to be shared across apps. They're defined in the app registration manifest for the specific application.

    You are better off assigning by group or by user.

    This Stack Overflow thread goes over these options in pretty good detail.
