Role-based access control (RBAC) is a popular mechanism to enforce authorization in applications. The administrator assigns roles to different users and groups to control who can access to what content and functionality. Using RBAC with Application Roles and Role Claims, developers can securely enforce authorization in their apps with little effort on their part. Another approach is to use Microsoft Entra groups and Group Claims.

In this module, you'll learn how to use both Microsoft Entra groups and Application Roles to provide fine grained access control to an application.


  • Basic knowledge of OAuth authentication flows and terminologies
  • Ability to develop with ASP.NET Core at the intermediate level
  • Experience using Visual Studio Code at the beginner level
  • Access to a Microsoft 365 tenant

Learning objectives

  1. Create a custom ASP.NET web app that is secured with Microsoft identity
  2. Demonstrate how to obtain security groups as a claim in the token and use them in the app
  3. Demonstrate how to use app roles to grant users access to an app

Additional resources

Refer to the following repository for additional resources associated with this module. This repository includes completed code samples from the exercise units found in this module: 05 - Work with users, groups, and roles in custom apps.

This module is also available as the screencast Work with users, groups, and roles in custom apps.