Azure AD: Expose an API for both client credentials and Authorization grant flow

kumar


Can we expose an API in an Azure AD App Registration that can be used by both the Client Credentials flow and the Authorization Code flow?

Basically, when I expose a scope (e.g. API.Read) in the Azure AD API application, it shows up only under Delegated Permissions, not under Application Permissions, in the client Azure AD application.

To make it show up under Application Permissions we need to add an App Role, but when we try to create one with the same name (API.Read) we get an error:
Error detail: It contains duplicate value. Please Provide unique value.

How can we achieve this, i.e. have the same name for both Delegated Permissions (Authorization Code flow) and Application Permissions (Client Credentials flow)?



1 answer

AmanpreetSingh-MSFT

Hi @kumar, thank you for reaching out.

Yes, when a given scope is added under the Expose an API blade, you cannot add an App Role with the same name.

In this case, when you create the App Role, select the Both (Users/Groups + Applications) option and assign the required set of users/groups to the service principal created for the application under the Enterprise applications blade.

Azure AD > Enterprise Applications > Search with App Name or ID > Users and groups > +Add users/groups > Add required users/groups.

Once done, you need to request a token using the <your_exposed_API>/.default scope, and the user will get a token with a Roles claim with value Read, as shown below:

Make sure the application is configured to perform authorization based on the Roles claim rather than the SCP claim for users in this case.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
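The following is an added example, not code from the question or the answer above. It shows the manifest shape of an app role created with the Both (Users/Groups + Applications) option, and an API-side authorization check on the roles claim that accepts both an app-only token (client credentials) and a delegated token for a user assigned to the role, next to a scope-based check that cannot cover the client credentials case. The Application ID URI api://contoso-api, the role value Read, and the token payloads are constructed for illustration; the JWTs are unsigned test data and the decoder skips signature validation, which a real API must perform first.

```python
import base64
import json

# Added example, not from the question or answer. The Application ID URI
# and the app role value "Read" are assumptions for illustration.
APP_ID_URI = "api://contoso-api"   # hypothetical Application ID URI of the exposed API
REQUIRED_ROLE = "Read"             # app role value (API.Read is already used by the scope)

# How the app role appears in the API registration manifest when "Both
# (Users/Groups + Applications)" is selected: allowedMemberTypes lists both.
APP_ROLE_MANIFEST_ENTRY = {
    "allowedMemberTypes": ["User", "Application"],
    "description": "Read access to the API",
    "displayName": "Read",
    "isEnabled": True,
    "value": REQUIRED_ROLE,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature. Constructed test data only:
    real tokens are signed by Azure AD and must be verified."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(jwt: str) -> dict:
    """Decode the claims segment. This does NOT verify the signature; in a real
    API validate signature, issuer, audience and expiry with a JWT library
    against the tenant's signing keys before trusting any claim."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize_by_roles(claims: dict, required_role: str = REQUIRED_ROLE) -> bool:
    """The check the answer recommends: look at the roles claim. It is present
    in app-only tokens and in delegated tokens of users assigned to the role,
    so one check serves both flows."""
    return claims.get("aud") == APP_ID_URI and required_role in claims.get("roles", [])


def authorize_by_scope(claims: dict, required_scope: str = "API.Read") -> bool:
    """Scope-based check for contrast: scp is a space-separated string that
    only delegated tokens carry, so app-only tokens are always rejected."""
    return claims.get("aud") == APP_ID_URI and required_scope in claims.get("scp", "").split()


# Constructed token payloads, trimmed to the claims that matter here.
DELEGATED_ASSIGNED_USER = make_unsigned_jwt(
    {"aud": APP_ID_URI, "scp": "API.Read", "roles": ["Read"], "oid": "user-1"})
APP_ONLY_CLIENT = make_unsigned_jwt(
    {"aud": APP_ID_URI, "roles": ["Read"], "oid": "sp-1"})           # no scp claim
DELEGATED_UNASSIGNED_USER = make_unsigned_jwt(
    {"aud": APP_ID_URI, "scp": "API.Read", "oid": "user-2"})         # no roles claim


def demo() -> dict:
    """Return {token name: (roles check result, scope check result)}."""
    tokens = [
        ("delegated_assigned", DELEGATED_ASSIGNED_USER),
        ("app_only", APP_ONLY_CLIENT),
        ("delegated_unassigned", DELEGATED_UNASSIGNED_USER),
    ]
    results = {}
    for name, token in tokens:
        claims = decode_payload(token)
        results[name] = (authorize_by_roles(claims), authorize_by_scope(claims))
    return results


if __name__ == "__main__":
    for name, (by_roles, by_scope) in demo().items():
        print(f"{name:22} roles-check={by_roles} scope-check={by_scope}")
```

The roles check admits the client credentials token and the assigned user's delegated token while refusing an unassigned user who merely consented to the API.Read scope, which is why the answer says to authorize on roles rather than scp once users are assigned to the app role. If the API should also honour plain delegated consent, the two checks can be combined, but then an assigned user and a consented user are deliberately treated alike.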