I have an Azure Function App (API) linked to an App Registration in Azure Active Directory (AAD), that exposes some custom Roles via the Manifest.
A client App Registration in AAD can add the API and select from its custom Roles as permissions. This allows the client app to call AAD to obtain a JWT that includes these custom Roles, which can then be checked by the downstream Function App during JWT validation.
I would like the client App Registration to also include other APIs' custom Roles as part of a company 'Product Group' (e.g. a Product Group may be Sales, Service, Finance, etc.).
I want to create AAD Users representing each B2B consumer system, and link them to a Group that aligns to a company 'Product Group'.
Therefore, a User (B2B consumer system) should be able to request a JWT that includes the custom Roles for all APIs in the Product Group. I need the JWT to include information about the consumer system, as it needs to be available to the downstream Function App.
What's the best way to achieve this?