Hi @kumar • Thank you for reaching out.
Yes, when a given scope is added under the Expose an API blade, you cannot add an App Role with the same name.
In this case, when you create the App Role, select the Both (Users/Groups + Applications) option and assign the required set of users/groups to the service principal created for the application under the Enterprise applications blade.
Azure AD > Enterprise Applications > Search with App Name or ID > Users and groups > +Add users/groups > Add required users/groups.
Once done, you need to request a token using the <your_exposed_API>/.default scope, and the user will get a token with a Roles claim with the value Read, as shown below:
Make sure the application is configured to perform authorization based on the Roles claim rather than the SCP claim for users in this case.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
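Added illustration of the last point in the answer above (it is not code from the answer or from Microsoft): an API-side authorization step that decides on the `roles` claim and ignores `scp`. The App ID URI `api://example-api` and the three sample tokens are constructed assumptions; signature, issuer and expiry validation are assumed to happen earlier in the API's auth middleware.

```python
import base64
import json

# Assumed App ID URI of the API (the identifier configured under "Expose an API").
API_APP_ID_URI = "api://example-api"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_jwt(claims: dict) -> str:
    """Constructed test token: header.payload.placeholder-signature.
    Real Azure AD tokens are RS256-signed; the signature here is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def claims_from_jwt(token: str) -> dict:
    """Read the payload segment only. Signature, iss and exp checks are
    assumed to be done before this point by the API's auth middleware."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_by_role(token: str, required_role: str) -> bool:
    """Roles-based check as recommended in the answer: only the 'roles'
    claim counts; a consented 'scp' value alone does not grant access."""
    claims = claims_from_jwt(token)
    if claims.get("aud") != API_APP_ID_URI:   # token issued for another API
        return False
    return required_role in claims.get("roles", [])


# Constructed sample tokens (claims only, values are illustrative)
TOKEN_ROLE = build_sample_jwt(           # user assigned the "Read" app role
    {"aud": API_APP_ID_URI, "scp": "Read", "roles": ["Read"]})
TOKEN_SCP_ONLY = build_sample_jwt(       # scope consented, but no role assigned
    {"aud": API_APP_ID_URI, "scp": "Read"})
TOKEN_WRONG_AUD = build_sample_jwt(      # right role, wrong audience
    {"aud": "api://other-api", "roles": ["Read"]})

if __name__ == "__main__":
    for name, tok in [("role", TOKEN_ROLE), ("scp only", TOKEN_SCP_ONLY),
                      ("wrong aud", TOKEN_WRONG_AUD)]:
        print(name, authorize_by_role(tok, "Read"))
```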