
I have a React front-end app and an AWS Lambda backend. I have already integrated Azure AD authentication into my React app using MSAL. I wanted to clarify a couple of things:

  • After the user logs in to the front end, I want to call one of my backend APIs and call the Azure Graph API via my backend service. For the backend Azure interaction, I had to create another app in Azure AD. My question is: can I use my front-end access token to call the Azure Graph API, since my front-end access token belongs to a different app in Azure AD? If not, what would be the suggested way to do this kind of flow?

  • Is there any way to add user roles like admin, manager and user to the Active Directory and retrieve that role when the user logs in? My requirement is that once a user logs in I need to display certain features in my front-end app based on roles. I have seen that there are things called scopes but couldn't figure out whether they satisfy my requirement.

2 Answers

  1. Let me start with the second question, as I think the answer is less complicated:

    To configure roles, you can use the "app roles" feature as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

    They also provide some samples (for Node.js, the closest I could find to React: https://github.com/azureadquickstarts/appmodelv2-webapp-openidconnect-nodejs) about how to access the information from the sign-in token, including the claims. These claims include the previously defined role that may be assigned to the user.

    For the first question:
    Microsoft provides an article here: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-your-web-api

    This explains how to register both of your applications and how the API can securely contact the Graph API.

  2. I tried to reproduce the same in my environment and got the results like below:

    You have to create two Azure AD applications for authentication.

    I created Azure AD ServerApp and exposed an API like below:

    [screenshot]

    > Is there any way to add the user role like admin, manager, user to the active directory and retrieve that role when the user logs in.

    And in the ServerApp, I created App roles:

    [screenshot]

    Now, in the ClientApp, I added API permissions like below:

    [screenshot]

    [screenshot]

    Now, I generated an access token via the Client Credentials Flow using the parameters below:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

    client_id: ClientID
    client_secret: ClientSecret
    scope: api://ServerAppID/.default
    grant_type: client_credentials
    

    [screenshot]

    When I decoded the token, the app roles were displayed successfully, as below:

    [screenshot]
