PakoPorras-1857 asked JamesTran-MSFT commented

Azure Active Directory same app roles in two sites

Hello:

I have the following scenario: a web site and an API. I need to have communication between both sites.
I log in to the web site against Azure Active Directory using OpenID Connect and I can communicate with the API using a JWT token.
Now I want to protect my sites using appRoles. I can do that by defining the appRoles in the manifest of both apps and then adding users to these roles in both app registrations. When I log in to the web site I can see the roles in User.Identity.Claims, and if I retrieve the JWT token of the API I can also see the appRoles defined in the API app registration.
My problem is that I need to add the users and define the appRoles in both sites. I want to use the same users and roles in both sites, so it's a problem if I have a lot of users and roles. If I want to remove a user from the web site I need to do the same change in the API site.

So my question is how can I use the same appRoles in both applications and only define appRoles and add users in one place. I can't use Groups, only appRoles.

I don't know if it's possible to define appRoles and users for each role only in the API app registration and then retrieve these appRoles in the web site after a user logs in (so User.Identity.Claims will be populated with the same appRoles that I can see in the JWT token).

The goal is to use [Authorize(Roles="Admin")] in the controllers of my web site and also use [Authorize(Roles="Admin")] in the API methods, but the appRole Admin and the role's users are only defined in the API app registration.

Which approach is the best to get this goal?

Thanks in advance

azure-active-directory

@PakoPorras-1857

Please let us know if the reply below helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.


1 Answer

MarileeTurscak-MSFT answered

Application Roles are specific to the application they are designed for. You define them as part of the app registration manifest and then assign the roles to users/groups specifically for this app.

So you can't really use application roles across different applications. Your options are to use users or groups.

This post highlights the options pretty well:

https://stackoverflow.com/questions/56487790/how-to-manage-azure-ad-app-roles-across-many-applications

If you would like to request this as a feature you can do this in User Voice, but right now this is by design.
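To illustrate why roles assigned in the API's registration only arrive in tokens issued for the API, here is an added example (not code from the thread or from Microsoft) of the API side in ASP.NET Core with the JwtBearer handler. It assumes a .NET 6+ minimal API; <TENANT_ID> and <API_CLIENT_ID> are placeholders for your tenant and the API's app registration.

```csharp
// Added example (not from the thread): minimal ASP.NET Core API that enforces
// app roles carried by a token issued for THIS app registration only.
// <TENANT_ID> and <API_CLIENT_ID> are placeholders to replace.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Tenant-specific authority: issuer and signing keys come from
        // this tenant's OpenID Connect metadata, so tokens from other
        // tenants are rejected.
        options.Authority = "https://login.microsoftonline.com/<TENANT_ID>/v2.0";

        // Audience must be the API's own registration. An ID token minted
        // for the web site (carrying the web site's appRoles) has a different
        // "aud" and fails here, which is the mechanism behind "roles are
        // specific to the application".
        options.Audience = "<API_CLIENT_ID>";

        // Azure AD emits app roles in the "roles" claim. Point the role
        // claim type at it so [Authorize(Roles = ...)] reads that claim.
        options.TokenValidationParameters.RoleClaimType = "roles";
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Only callers whose API access token carries the "Admin" app role
// (assigned in the API's registration) reach this endpoint.
app.MapGet("/admin", [Authorize(Roles = "Admin")] () => "admin only");

app.Run();
```

The web site needs the same role-claim mapping on its OpenID Connect options, but the roles it sees come from its own ID token and therefore from its own registration's assignments.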
