Azure AD: Expose an API for both client credentials and Authorization grant flow

kumar 41 Reputation points
2021-09-08T10:12:43.247+00:00

Hi,

Can we expose an API in an Azure AD App Registration that can be used by both the Client Credentials flow and the Authorization Code flow?

Basically, when I expose a scope (e.g. API.Read) in the Azure AD API application, it shows up only under Delegated Permissions, not under Application Permissions, in the client Azure AD application.

To make it show up under Application Permissions we need to add an App Role, but when we try to create one with the same name (API.Read) we get this error:
Error detail: It contains duplicate value. Please Provide unique value.

How can we achieve this, i.e. have the same API permission name for both Delegated Permissions (Auth Code flow) and Application Permissions (Client Credentials flow)?

Thanks

Microsoft Entra ID

1 answer

  1. AmanpreetSingh-MSFT 56,556 Reputation points
    2021-09-08T11:08:40.41+00:00

    Hi @kumar, thank you for reaching out.

    Yes, when a given scope is added under the Expose an API blade, you cannot add an App Role with the same name.

    In this case, when you create the App Role, select the Both (Users/Groups + Applications) option and assign the required set of users/groups to the service principal created for the application under the Enterprise applications blade.

    Azure AD > Enterprise Applications > Search by App Name or ID > Users and groups > + Add users/groups > Add the required users/groups.

    Once done, you need to request a token using the <your_exposed_API>/.default scope, and the user will get a token with a roles claim with the value Read, as shown below:

    [Screenshot 130220-image.png: decoded access token showing the roles claim]

    Make sure the application is configured to perform authorization based on the roles claim rather than the scp claim for users in this case.


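The answer's last point, that the API must authorize on the roles claim rather than the scp claim, is where a practitioner usually wants to see the actual check. The following is an added example, not code from the thread or from Microsoft. It assumes the API exposes a delegated scope named API.Read, defines an app role with value Read allowed for both users/groups and applications (the setup the answer describes), uses api://contoso-api as its Application ID URI, and that a JWT middleware has already validated the token's signature, issuer and expiry before handing over the decoded claims. The claim names it reads (aud, scp, roles, idtyp) are the ones Azure AD puts in access tokens; the sample claim sets at the bottom are constructed for illustration.

```python
"""Authorize calls to an Azure AD-protected API from both OAuth flows.

Added example (not from the original thread). Assumptions:
  - delegated scope API.Read exposed under "Expose an API"
  - app role with value Read, allowed member types Users/Groups + Applications
  - Application ID URI api://contoso-api (assumed)
  - signature, issuer and expiry already verified by the JWT middleware
"""

EXPECTED_AUDIENCE = "api://contoso-api"   # assumed Application ID URI of this API
REQUIRED_SCOPE = "API.Read"               # delegated permission (auth code flow)
REQUIRED_ROLE = "Read"                    # application permission (client credentials)


def caller_kind(claims: dict) -> str:
    """Return 'app' for a client-credentials token, 'user' for a delegated token.

    The optional 'idtyp' claim is authoritative when it is present. Without it,
    fall back on the fact that an app-only token never carries an 'scp' claim.
    A token that has 'scp' was issued on behalf of a user even when it also
    carries 'roles' (a user assigned to the app role gets both).
    """
    idtyp = claims.get("idtyp")
    if idtyp in ("app", "user"):
        return idtyp
    return "user" if "scp" in claims else "app"


def granted_permissions(claims: dict) -> tuple[set, set]:
    """Split the token into its delegated scopes and application roles."""
    scopes = set(claims.get("scp", "").split())   # scp: space-delimited string
    roles = set(claims.get("roles", []))           # roles: JSON array of strings
    return scopes, roles


def authorize(claims: dict) -> tuple:
    """Decide whether the caller may read; returns (caller_kind, allowed)."""
    if claims.get("aud") != EXPECTED_AUDIENCE:     # token minted for some other API
        return ("unknown", False)
    kind = caller_kind(claims)
    scopes, roles = granted_permissions(claims)
    if kind == "app":
        # Application permission: only the app role counts, scp is never consulted.
        return (kind, REQUIRED_ROLE in roles)
    # Delegated call: the scope, or the app role if this user was assigned to it
    # (the "Both" option from the answer). The user is still a user, not an app.
    return (kind, REQUIRED_SCOPE in scopes or REQUIRED_ROLE in roles)


# Constructed claim sets; in a real service they come from the validated JWT.
APP_ONLY = {"aud": EXPECTED_AUDIENCE, "idtyp": "app", "roles": ["Read"]}
DELEGATED_SCOPE = {"aud": EXPECTED_AUDIENCE, "scp": "API.Read", "name": "Alice"}
DELEGATED_ROLE = {"aud": EXPECTED_AUDIENCE, "scp": "API.Write",
                  "roles": ["Read"], "name": "Bob"}
APP_WRONG_ROLE = {"aud": EXPECTED_AUDIENCE, "roles": ["Write"]}
USER_WRONG_SCOPE = {"aud": EXPECTED_AUDIENCE, "scp": "API.Write", "name": "Carol"}
WRONG_AUDIENCE = {"aud": "api://other-api", "idtyp": "app", "roles": ["Read"]}

if __name__ == "__main__":
    samples = [("app-only, role Read", APP_ONLY),
               ("user, scope API.Read", DELEGATED_SCOPE),
               ("user assigned role Read", DELEGATED_ROLE),
               ("app-only, wrong role", APP_WRONG_ROLE),
               ("user, wrong scope", USER_WRONG_SCOPE),
               ("token for another API", WRONG_AUDIENCE)]
    for label, token in samples:
        print(f"{label:28s} -> {authorize(token)}")
```

The audience check comes first because a token issued for a different API can carry a perfectly valid-looking roles or scp claim. The delegated branch accepts the role as well as the scope, so the answer's setup (user assigned to the app role, token requested with /.default) works, but it never classifies that caller as an application: if your API grants app-only callers broader rights, keying that decision on the presence of a roles claim alone would let an assigned user escalate.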