I currently have an API setup in Azure APIM with multiple operations. I have implemented a JWT Bearer authentication policy on the All Operations section.
What I need to do now is implement the authorization part per operation based on the scopes returned in my token. I've looked at this example and understand what to do API Authorization Restriction
However, is it good/bad practice to try implement the policy on the root All operations and then in that policy check the operation being requested and write the code to match the correct scopes to operation.
Or should the JWT policy be copy/pasted for each operation and only that operations authorization logic then lives in there.
Thanks in advance.