darkownage

Reputation: 938

Azure AD app registration differentiate between roles

I have an App Registration in Azure AD which has App Roles (e.g. role1, role2). Multiple environments connect to this app and get a role back. Is it in some way possible to specify a role based on who connects to it?

So if User X connects from Env 1, I want to send back Role1. If User X connects from Env 2, I want to send back Role2. I already tried having multiple groups, but they just get added to the roles array and you can't really see which role belongs to which group.

The output is this: roles=["Role1","Role2"]. Ideally I would have something like roles=["env1:Role1","env2:Role2"], or even better just one role depending on the environment.

So is it possible to have a distinction in your roles that you send back somehow?

Upvotes: 0

Views: 124

Answers (1)

Rukmini

Reputation: 16064

I agree with @junnas, you can try creating different applications to achieve your scenario.

I tried to reproduce the same in my environment and got the same issue as below:

(screenshot)

As a workaround, I created an Azure AD Application and created an App role as below:

(screenshot)

Based on your requirement, assign the user the App role as below:

(screenshot)

I added the App role to the API permissions and granted Admin consent:

(screenshot)

I generated the access token via the Client Credentials flow using the parameters below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id: ClientID
client_secret: ClientSecret
scope: api://****/.default
grant_type: client_credentials

(screenshot)

When I decoded the token, I got the App role successfully as below:

(screenshot)

You can create another Application for the second App role and perform the same.

Upvotes: 1
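The one-app-registration-per-environment pattern from the answer, worked through in Python as an added example (this is not code from the question or the answer). It builds the v2.0 client credentials request the answer shows, decodes the roles claim the way the answer inspects the token, and then shows the part the answer leaves implicit: with separate registrations, each environment's token carries a different aud (the Application ID URI), and that is what the API must check before it trusts the role, otherwise an env1 token could be replayed against the env2 API. The tenant ID, client IDs, secret, api://env1-app and api://env2-app URIs and all JWT contents are constructed assumptions; real tokens come signed from login.microsoftonline.com and their signature must be verified against the tenant's JWKS before any claim is used.

```python
"""Added example: per-environment app registrations and aud-aware role checks.
All identifiers and tokens below are constructed for illustration."""
import base64
import json

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# One app registration per environment (the answer's workaround). Each has its
# own Application ID URI, so tokens minted for it carry a distinct "aud" claim.
# Client IDs and URIs are made up.
ENVIRONMENTS = {
    "env1": {"client_id": "11111111-1111-1111-1111-111111111111",
             "app_id_uri": "api://env1-app", "role": "Role1"},
    "env2": {"client_id": "22222222-2222-2222-2222-222222222222",
             "app_id_uri": "api://env2-app", "role": "Role2"},
}


def build_token_request(tenant_id, client_id, client_secret, app_id_uri):
    """Return (url, form body) for the v2.0 client credentials grant.
    For an app-only token the scope is <Application ID URI>/.default."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{app_id_uri}/.default",
        "grant_type": "client_credentials",
    }
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Decode the claims segment of a JWT WITHOUT verifying the signature.
    Good enough for inspecting a token as the answer does; it is not an
    authorization check on its own."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_constructed_token(claims):
    """Build an unsigned, Azure-AD-shaped JWT so the example runs offline.
    Constructed test data only; a real token is RS256-signed by the tenant."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def environment_from_token(token):
    """Work out which environment a token belongs to from its aud claim and
    return (env_name, granted_role), or None if the audience is not one of
    our registrations or the expected app role is missing. Matching on aud
    first is what keeps an env1 token from being accepted by env2's API."""
    claims = decode_jwt_payload(token)
    audience = claims.get("aud")
    for env_name, env in ENVIRONMENTS.items():
        if audience == env["app_id_uri"]:
            if env["role"] in claims.get("roles", []):
                return env_name, env["role"]
            return None
    return None


if __name__ == "__main__":
    env1 = ENVIRONMENTS["env1"]
    url, body = build_token_request("tenant-id", env1["client_id"],
                                    "client-secret", env1["app_id_uri"])
    print(url, body)

    # Constructed tokens standing in for what each registration would issue.
    env1_token = make_constructed_token({"aud": "api://env1-app", "roles": ["Role1"]})
    env2_token = make_constructed_token({"aud": "api://env2-app", "roles": ["Role2"]})
    print(environment_from_token(env1_token))   # ('env1', 'Role1')
    print(environment_from_token(env2_token))   # ('env2', 'Role2')

    # A token for some other audience, even with a matching role name, is refused.
    stray = make_constructed_token({"aud": "api://other-app", "roles": ["Role1"]})
    print(environment_from_token(stray))        # None
```

Because each environment has its own registration, the roles claim no longer needs an "env1:" prefix: the aud claim already says which environment the token is for, and the role it carries is the one assigned to that environment's service principal. Swap decode_jwt_payload for a proper signature-validating decoder (for example PyJWT with the tenant's JWKS) before using this shape in an API.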
