Pat Long - Munkii Yebee

Reputation: 3639

Accessing Roles claim in Azure AD secured Web Api

We have an AspNet Core web site and related web api that are secured against Azure Active Directory. A manager logs into the website to manage staff that work in branches.

We currently define what branches a manager manages using "App Roles" that are defined in the application's registration manifest.

In the AspNet WebSite those roles are returned in the ClaimsPrincipal.Claims collection under ClaimTypes.Role, "http://schemas.microsoft.com/ws/2008/06/identity/claims/role".

However, if we implement an AspNet web api that is called from that same AspNet WebSite, the claim is not available in the api. For example:

GET https://ourdomain.com/api/v1/managers/-/staff

In the AspNet web api I can inspect the claims via the HttpContext but the Roles claim type is not present.

How do I get the Roles claim in the api? I want to get at the individual values of the Role claims as that has the ID of the various branches.

The WebApi has its Auth defined using Microsoft.Identity.Web:

    public void ConfigureServices(IServiceCollection services)
    {
        // JWT bearer authentication against Azure AD, configured from the
        // "AzureAd" section of appsettings.json
        services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
        services.AddControllers();
    }

Upvotes: 0

Views: 2719

Answers (1)

Allen Wu

Reputation: 16438

You can leverage Roles along with Groups to control access to your application. You can define some application roles and assign the roles to the groups. Then the users in the group will have a claim like below:

{
  "roles": ["{custom_role}"]
}

To see details, refer to:

How to: Add app roles in your application and receive them in the token

Using groups vs using application roles for authorization in Azure AD apps

As @juunas said, you should define the app roles in the app registration used by the API (not client app).

For how to configure the client app and API app, you can find a sample and detailed steps in this other answer.

Upvotes: 0
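Once the app roles are defined on the API's own app registration, the API can read them from the validated token. The controller below is an added example and is not part of the question or the answer; the route, the "Branch.0042" role naming convention and the StaffController name are assumptions.

```csharp
// Added example (not from the question or the answer): a controller in the API
// project that reads the roles claim after app roles were defined on the API's
// own app registration. Role values such as "Branch.0042" and the controller
// name are constructed for illustration.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Authorize]
[Route("api/v1/managers/-/staff")]
public class StaffController : ControllerBase
{
    // The JwtBearer handler may surface the token's "roles" array either as the
    // long WS-Federation role URI (ClaimTypes.Role) or under the short "roles"
    // name, depending on inbound claim-type mapping; check both so the
    // authorization logic is not brittle across handler configurations.
    private static readonly string[] RoleClaimTypes =
        { ClaimTypes.Role, "roles", "role" };

    // Assumed convention: one app role per branch, e.g. "Branch.0042".
    private const string BranchRolePrefix = "Branch.";

    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        var branchIds = GetManagedBranchIds(User).ToList();
        if (branchIds.Count == 0)
        {
            // Authenticated but no branch role assigned: deny explicitly
            // instead of returning an empty or unscoped staff list.
            return Forbid();
        }
        return Ok(branchIds);
    }

    // Extract the branch IDs from role claim values like "Branch.0042".
    internal static IEnumerable<string> GetManagedBranchIds(ClaimsPrincipal user) =>
        user.Claims
            .Where(c => RoleClaimTypes.Contains(c.Type)
                        && c.Value.StartsWith(BranchRolePrefix))
            .Select(c => c.Value.Substring(BranchRolePrefix.Length))
            .Distinct();
}
```

If the token was issued for the client app's registration rather than the API's, this returns 403 for every caller, which is the symptom described in the question.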
