Reputation: 351
I'm a bit confused. I have the following implementation:
An ASP.NET API protected using Azure AD; only users with the Admin role can call this API. These roles are configured in Azure AD and assigned to users. The API has one defined scope, AccessApi.
| Scopes | Who can consent | Admin consent display name | User consent display name | State |
|---|---|---|---|---|
| api://xx | User | AccessApi | AccessApi | Enable |
The client application, developed in Blazor WebAssembly, is registered and protected in Azure AD without roles; it's configured to use the AccessApi scope from my API.
| API / Permissions name | Type | Description | Admin consent required | Status |
|---|---|---|---|---|
| myApi (1) | | | | |
| AccessApi | Delegated | AccessApi | No | |
My confusion is: do I need to assign an Admin role to the client application to obtain a token which will be used to access the API, or is the API scope AccessApi enough without any roles? Note that the users of the client app are the same users as the API's, just with different roles.
Since the same users use both the API and the client app, is it possible for the client app to use MS Graph to get a JWT token and use that token to call the API?
Upvotes: 0
Views: 214
Reputation: 9529
If you want to control the user's access to the API based on role, then you can use an appRole. Set the appRole on the application and then assign the appRole to the user; then only a user who is assigned the appRole can access the API.
Next, go to the enterprise application and assign the appRole to the user.
In addition, never try to use the token of the MS Graph API to call your custom API. These are two completely different API resources, and you need to request different tokens for different API resources!
Upvotes: 1
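The two points in the answer above (authorize on the `roles` claim that the app role assignment puts in the token, and reject a token issued for a different resource such as MS Graph) can be seen in a small check over the token's claims. This is an added example, not the answerer's code and not part of any Microsoft library; the tokens are constructed in-line with an empty signature purely to show the claim shapes, and `api://xx` / `Admin` are taken from the question. A real API must verify the signature and issuer first (in ASP.NET the JwtBearer / Microsoft.Identity.Web middleware does that), and the `aud` value may be the Application ID URI or the client ID depending on the token version.

```python
import base64
import json

# Values from the question (the URI is the question's placeholder, not a real tenant).
API_APP_ID_URI = "api://xx"   # the API's Application ID URI, expected in the "aud" claim
REQUIRED_ROLE = "Admin"       # the app role the question says only admins hold


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an EMPTY signature. Demonstration only:
    it lets us show what the claims look like without a signing key."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def authorize(token: str,
              expected_audience: str = API_APP_ID_URI,
              required_role: str = REQUIRED_ROLE) -> tuple[bool, str]:
    """Decide whether a token may call the API. Returns (allowed, reason).

    Signature and issuer verification are intentionally not shown here; the
    middleware performs them before any claim-based decision is meaningful."""
    try:
        _header, payload_seg, _sig = token.split(".")
        claims = json.loads(_b64url_decode(payload_seg))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"

    # 1. Audience: a token minted for MS Graph carries Graph's audience, so it
    #    must be rejected by the custom API even if the same user obtained it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, f"audience mismatch: token is for {aud!r}, not {expected_audience!r}"

    # 2. App role: the delegated scope (scp) only says the client may call the
    #    API on the user's behalf; the assigned appRole appears in "roles".
    roles = claims.get("roles", [])
    if required_role not in roles:
        return False, f"missing app role {required_role!r}; token roles={roles}"

    return True, "ok"


# Constructed sample tokens (claim sets only; no real user or tenant data).
ADMIN_TOKEN = make_unsigned_token(
    {"aud": API_APP_ID_URI, "scp": "AccessApi", "roles": ["Admin"], "sub": "user-a"})
USER_TOKEN = make_unsigned_token(
    {"aud": API_APP_ID_URI, "scp": "AccessApi", "sub": "user-b"})   # consented scope, no role
GRAPH_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read", "roles": ["Admin"], "sub": "user-a"})


if __name__ == "__main__":
    for name, tok in [("admin", ADMIN_TOKEN), ("user", USER_TOKEN), ("graph", GRAPH_TOKEN)]:
        print(name, authorize(tok))
```

The Graph token is refused on the audience check before its roles are even inspected, which is the answer's point: the client must request a separate access token with the API's own scope (`api://xx/AccessApi`), and the Admin app role must be assigned to the user in the enterprise application for `roles` to contain `Admin`.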