0
votes

I'm relatively new to Azure Active Directory & trying to understand some best practices or guidelines for administering custom roles & permissions for application use.

For instance, I might want to create a Role of "Technician" & they have permissions such as "firmware.upgrade" or "product.view" to be enforced within application & endpoints.

Would "Technician" actually be an Azure AD Group then & I could assign custom roles "firmware.upgrade" & "product.view" to that group? Can it even work that way?

Also, I could consider Application Roles, but "Technician" (and others) would be a role used across several applications. So I wasn't sure if an Application Role makes sense to use.

1 Answer

1
votes

You're on the right track.

You will start by creating app roles like "firmware.upgrade" and "product.view" in your Azure AD application. Please note that these roles are specific to your Azure AD application only and the logic for what a user with these roles can do will be defined in your application code.

Next you would create Azure AD groups (e.g. "Technicians", "Users", etc.) and start assigning users in your Azure AD to these groups.

Then you would assign app roles to these groups. For example, you can choose to assign the "firmware.upgrade" and "product.view" roles to the "Technicians" group, while assigning only the "product.view" role to the "Users" group.

When a user authenticates/authorizes against Azure AD for your application, the claims will include all the app roles assigned to them either directly or through group membership. Based on the app roles in the claim, you would then grant access to certain parts of your application to these users.

Please do note that while groups are for entire Azure AD, your application roles are specific to an application only. For each application in your Azure AD, you will need to create new application roles.
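As an added illustration of the flow the answer describes (not code from the original post), here is how the app-role side looks in practice: the `appRoles` entries as they would be declared in the application manifest, and the check an API performs on the `roles` claim of an already-validated token. The audience value, role names and endpoint are assumptions; signature and issuer validation are assumed to have been done by your JWT middleware before the claims reach this code.

```python
from functools import wraps

# App-role definitions as they would be entered in the Azure AD app manifest
# ("appRoles"). The "value" field is what appears in the token's "roles" claim.
APP_ROLES = [
    {"allowedMemberTypes": ["User"], "displayName": "Firmware upgrade",
     "description": "Can push firmware upgrades", "isEnabled": True,
     "value": "firmware.upgrade"},
    {"allowedMemberTypes": ["User"], "displayName": "Product viewer",
     "description": "Can view product details", "isEnabled": True,
     "value": "product.view"},
]
KNOWN_ROLES = {r["value"] for r in APP_ROLES if r["isEnabled"]}

# Placeholder App ID URI of this API; a real token's "aud" must match your app's.
EXPECTED_AUDIENCE = "api://placeholder-device-api"


class Forbidden(Exception):
    pass


def roles_from_claims(claims: dict) -> set:
    # Azure AD omits the "roles" claim entirely when the user holds no app role,
    # so a missing claim means "no roles", not an error.
    roles = claims.get("roles", [])
    return set([roles] if isinstance(roles, str) else roles)


def has_role(claims: dict, required: str) -> bool:
    # Roles from a token minted for another application mean nothing here.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False
    if required not in KNOWN_ROLES:
        raise ValueError(f"unknown app role: {required}")
    return required in roles_from_claims(claims)


def require_role(required: str):
    """Guard an endpoint; the first argument is the validated claims dict."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(claims: dict, *args, **kwargs):
            if not has_role(claims, required):
                raise Forbidden(f"{required} is required")
            return fn(claims, *args, **kwargs)
        return wrapper
    return decorator


@require_role("firmware.upgrade")
def upgrade_firmware(claims: dict, device_id: str) -> str:
    return f"upgrade scheduled for {device_id}"
```

Group membership never reaches this code: Azure AD resolves the group-to-role assignment and the token carries only the resulting app roles.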