Roles for a SPA and API setup in Microsoft Intra ID
I have setup a FastAPI with FastAPI-Azure-Auth. It is a API and a Swagger page (SPA) to test the API. I have an app registration for the API and one for the Swagger page. On the API app registration I added a role named "Role7" on my user.
On the swagger page app reg I added a "Role1" to my user.
Swagger page APP reg:
I added permission to the API app reg.
By problem is in the claims i get in the Swagger page I get "Role7" which is from the API app reg. And I would expect to get the roles I have setup in Swagger page app reg. How do I setup the appregs so it will be the web page and not the API that controls access and roles?
The API must be the one that decides what roles the token can contain. It is after all the one authorizing the tokens.
So you have two options (at least):
- Make one app registration instead of two, Swagger UI is just part of the API. Now role management is on this one app registration.
- Stay with two app registrations. Roles must be assigned on the API to apply there. Client could check what roles the user has from the API.
If you have P1/P2 licenses, you can make option 2 easier by assigning a group to the same role on both the app registrations. Then you have one place where you can edit the members of that role.
- You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Issue with Azure Automation Account and Key Vault Certificate Retrieval
- OpenAI remove key access while using AAD authentication
- Add tenant specific roles in Azure AD multitenant app
- Allow App Service to be called by just a test user and another App Service using a system assigned managed identity
- How to automatically refresh access token
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- How to get user's attributes from Identity in Blazor Server with organization authentication
- Correlation failed in net.core / asp.net identity / openid connect
- I'm unable to Login to VM with Azure AD user credentials
- I need to add co-organizer in teams meeting through graph api
- MSAL for non-SPA? Server side authentication?
- Entra ID - Adding actor claim to the token via client credential flow
- Roles for a SPA and API setup in Microsoft Intra ID
- Getting a token from Microsoft Intra ID with PostMan using MFA
- Unable to patch businessPhones of Entra External ID user, Insufficient privileges to complete the operation
- Add Azure Active Directory User to Azure SQL Database
- How to create dynamic groups in AzureAD/EntraID from a csv import?
- Creating a user in Azure AD B2C through Microsoft SSO
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- How do I connect locally to Azure SQL database with Microsoft Entra ID registered app in C#?
- How to fix 'Unable to Obtain Authentication Token' in Active Directory Authentication to Azure Analysis Server
- Error OrganizationFromTenantGuidNotFound and 401 Unauthorized when Sending Email via Microsoft Graph API in React App
- Fetch employee id from from job description properties .NET 8
- How to check if a device is AD joined or Azure AD joined/registered?
- Granting Azure Application User access to PowerApps API
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Create Azure Key Vault backed secret scope in Databricks with AAD Token