0
votes

I am trying to understand the difference between Role, Group and Scope in Azure AD.

I am trying to create a Protected Web API in Azure AD; please correct me if my understanding below is wrong.

Group --> Active Directory group created, where users who need access will be added to the group; please correct me if the groups below are not planned correctly.

**Groups:**

API_Read_AppName --> Group 1
API_ReadWrite_AppName --> Group 2

I am assuming these two groups (one read, the other read-write) are created, and then users who want access to my protected Web API will be added to them.

Role --> This is the role which determines the access level to my protected Web API.

**Roles:**

ReadEMCS
ReadWriteEMCS

I will be creating the above roles and assigning these roles to the groups created above:

Role --> Group

ReadEMCS --> API_Read_AppName
ReadWriteEMCS --> API_ReadWrite_AppName

I am confused with the above setup: I already have a Read group and a ReadWrite group, users will be added to those groups, and a user's access is based on the group they are in. What are my Roles doing in my case? Do I need Roles at all, as access is already maintained by groups in this case?

  1. What are Roles used for when, using groups, we are able to manage access?
  2. What are the use cases where we need both Roles & Groups to manage access?
  3. What is a Scope in Azure AD and what is it used for?

1 Answer

0
votes

I assume that you are talking about app roles for "Role".

App roles and Group claims have the same effect. To some extent, their roles overlap. So you don't need to create app roles and assign them to the groups.

Usually, if there are too many user groups (more than two hundred), then the group IDs will not be directly included in the JWT token, and you may need to use Microsoft Graph to get the user's groups. This is a bit more complicated; in this case we can choose to use app roles.

In addition, if your enterprise app has "User assignment required" enabled, then we can choose to use app roles together with it.

In short, you can flexibly choose to use app roles and Group claim. You can even combine them, such as verifying both Group claims and App roles.

  1. What are Roles used for when, using groups, we are able to manage access?

The Roles claim is not necessary.

  2. What are the use cases where we need both Roles & Groups to manage access?

It depends on your need.

  3. What is a Scope in Azure AD and what is it used for?

Scope is a setting specific to web APIs. It defines the permissions necessary for the client side to access your web API (service side). You can think of it as the most basic permission. Only when this condition is met first do we consider verifying the groups claim or app roles.
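The check order the answer describes (scope first, then the groups claim or the app-role claim, with the group-overage case handled rather than silently passed), as an added example that is not part of the question or answer. It works on an already-validated, decoded token payload; the group object IDs, the scope name `EMCS.Access` and the assumption that ReadWriteEMCS implies ReadEMCS are constructed for the example.

```python
from dataclasses import dataclass

# Constructed mapping from the question's setup: group object id -> app role.
# The GUIDs are placeholders, not real Azure AD group ids.
GROUP_ROLES = {
    "11111111-1111-1111-1111-111111111111": "ReadEMCS",       # API_Read_AppName
    "22222222-2222-2222-2222-222222222222": "ReadWriteEMCS",  # API_ReadWrite_AppName
}
# Assumption for this example: ReadWriteEMCS includes everything ReadEMCS allows.
ROLE_RANK = {"ReadEMCS": 1, "ReadWriteEMCS": 2}


@dataclass
class Decision:
    allowed: bool
    reason: str


def effective_roles(claims):
    """Union of the app-role claim ('roles') and roles mapped from the 'groups' claim."""
    roles = set(claims.get("roles", []))
    for gid in claims.get("groups", []):
        if gid in GROUP_ROLES:
            roles.add(GROUP_ROLES[gid])
    return roles


def authorize(claims, required_scope, required_role):
    """Authorize a request against a decoded access-token payload.

    Signature, issuer, audience and expiry validation is assumed to have
    happened before this function is called.
    """
    # 1. Scope: the most basic permission. 'scp' is a space-separated string.
    scopes = claims.get("scp", "").split()
    if required_scope not in scopes:
        return Decision(False, "missing scope " + required_scope)
    # 2. Group overage: when the user is in too many groups Azure AD omits 'groups'
    #    and emits '_claim_names' pointing at Microsoft Graph instead. Treat that as
    #    "unknown", never as "no groups": resolve via Graph or rely on app roles.
    if "groups" not in claims and "groups" in claims.get("_claim_names", {}):
        return Decision(False, "group overage: resolve groups via Microsoft Graph or use app roles")
    # 3. Groups claim and/or app roles: either source may grant the role.
    roles = effective_roles(claims)
    need = ROLE_RANK[required_role]
    if any(ROLE_RANK.get(r, 0) >= need for r in roles):
        return Decision(True, "granted via " + ",".join(sorted(roles)))
    return Decision(False, "no matching group or app role")
```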