►
Description
This month's community call covered App Roles to manage authorization in your application including what is Authentication and Authorization, why Authorization is important, Groups vs Roles, AppRole - Users/Groups and
AppRoles for single tenant and multi-tenant apps.
Speakers: Jeevan Desarda, Saurabh Madan
Get started with App Roles https://aka.ms/AAa11te
Stay connected
Twitter https://twitter.com/microsoft365dev
Blogs https://aka.ms/M365DevBlog
A
My
name
is
stephen:
salazar,
I'm
a
program
manager
in
the
microsoft
identity,
platform
team
and
today
we
have
with
us
two
great
program:
managers
from
the
microsoft
identity
platform
team
as
well,
given
tesara
and
saurabh
madan
and
they're
gonna
talk
to
us
about
how
to
use
app
roles
in
your
applications
to
manage
authorization
for
them
and
some
of
the
latest
and
greatest
work
that
we're
doing
in
that
regard
before
they
get
started.
I
just
want
to
go
over
some
really
quick
logistics.
A
A
A
A
survey
that
you
can
use
to
just
give
us
feedback,
how
the
call
went
in
terms
of
the
topic
and
also
you
have
ideas
for
future
topics
that
we
should
cover,
but
without
further
ado,
because
I
know
jivan
and
surab
have
quite
a
bit
of
content
to
go,
I'm
going
to
give
it
to
them
so
that
they
can
do
the
introductions
and
and
then
get
started.
And
so
thank
you.
Everyone.
B
Thank
you.
Let
me
introduce
myself,
I'm
jeevan
lisida,
I'm
a
senior
program
manager
in
azure,
active
directory
and
my
particular
team
actually
works
on
the
integrations
for
different
sas
applications
with
the
juradi,
particularly
on
single
sign-on
and
user
provisioning,
and
we
list
these
applications
into
the
app
gallery.
B
Along
with
that,
we
also
closely
work
with
enterprise
customers
to
configure
and
deploy
the
applications.
As
we
are
part
of
the
customer
experience
team,
we
understand
our
customer
scenarios
and
help
them
deploy
these
particular
applications.
So
that's
my
particular
core
role
and
I
have
served
up
with
me
over
here.
Sarah,
can
you
please
introduce
yourself.
B
Before
I
go
to
the
agenda,
I
just
want
to
set
the
right
expectation
over
here.
So
our
goal
over
here
is
to
tell
you
about
everything,
about
the
authorization
and
application
roles
and
and
groups,
and
how
you
actually
should
do
the
application
roles.
Or
how
do
you
actually
do
authorization
using
application
roles
or
groups?
The
idea
is
to
present
that
at
a
higher
level,
like
think
more
about
ten
thousand
feet
overview
strategic
more
way.
I
know
when
it
comes
to
implementation.
B
What's
the
difference
and
what's
happening
over
there,
why
authorization
is
getting
so
important
nowadays
and
then
how
do
you
actually
achieve
that
authorization
when
it
comes
to
azure
id
for
applications,
so
it
might
be,
it
can
be
done
using
groups
or
it
can
be
done
using
roles
when
we
are
talking
particularly
about
roles.
There
is
a
particular
app
roles
are
possible
for
different
objects.
B
Like
users
in
groups
or
applications,
and
we
will
see
that
there
is
also
a
new
user
interface
we
are
coming
up
with,
so
we
will
showcase
that
particular
interface
to
you
and
then
from
there.
We
will
go
about
single
tenant
and
multi-tenant
apps.
So
it's
a
scenario
where
you
are
a
line
of
business
developer
for
your
organization
or
you
are
an
isv
developer.
Who
is
developing
application
for
our
multiple
customers?
B
Then?
How
do
you
consider
authorization
in
that
case
and
before
you
start
actually
coding?
Let's
look
at
some
watches
with
what
what
is
there
and
then
we
can
actually
summarize
our
learnings
over
there,
so
you
can
actually
go
and
start
off
the
actual
implementation
of
it.
So
that's
how
we
are
looking
at
our
agenda
today.
B
So
first,
when
we
talk
about
authentication,
I
know
for
years
our
customers
are
using
single
sign-on
and
they
are
doing
idp
based
authentication,
but
that's
a
real
need
nowadays
because
of
the
covet
situation.
Everyone
is
working
remote
and
people
still
or
the
users
employees,
whether
it's
a
partner
vendor
or
customers,
everybody
actually
working
remotely
and
need
access
to
different
set
of
application,
because
this
application
hold
critical
information
for
our
users.
B
So
we
would
like
to
simplify
that
sign
in
and
that's
where
the
single
sign
on
and
idp
based
authentication
is
important.
We
know
this
is
happening
along
with
idfs
15
20
years
back,
but
now
it's
like
everyone
is
moving
to
the
cloud
idp.
So
there
is
a
still
need,
whether
it's
a
line
of
business
app
or
whether
it's
a
sas
app.
You
still
need
the
single
sign-on
capabilities,
the
authorization
part
right
now
we
are
doing.
B
We
are
seeing
a
good
shift
from
our
customers,
where
our
customers
are
now
actually
looking
more
into
the
authorization
and
the
authorization
basically
is
to
control.
Who
is
doing
what
into
that
app
more
granular
control
on
those
critical
accounts
is
important
and
that's
where
the
business
and
the
it
want
more
visibility.
Who
is
doing
what
into
that
particular
application?
B
But
they
can
only
do
that
when
they
have
a
visibility
like
who
is
an
admin
on
that
app
versus
who
is
the
user
on
that
app?
And
that's:
where
actually
comes
more
authorization
part
which
need
to
be
managed
from
the
identity
provider?
So
authentication
is
just
implementing
single
sign-on
using
open
edit
connect
to
earth,
but
to
apply
these
particular
roles.
That's
where
the
interest
on
the
business
side
is
more
on.
B
How
do
I
achieve
this
particular
granular
control
on
different
users
or
groups
so
that
I
should
know
what
they
are
doing
into
that
app
and
and
that's
what
the
authorization
is
giving
more
importance
nowadays,
I'll
just
stop
over
here.
If
you
have
any
questions,
feel
free
to
ask
me
and
saurabh
over
here
and
now
we
can
take
some
time
to
talk
about
it
and
then
we'll
go
further.
B
Okay,
let's
talk
about,
have
you
used
idp
base
authorization
in
your
application?
So
please
let
us
know
by
typing
your
answer,
like
I
don't
know,
I'm
not
a
developer
over
here,
but
you're
more
like
an
architect
or
or
just
the
admin
so
you'd
like
to
achieve
it
or
if
you
say
yes,
sometimes
I
use
it
or
I
use
it
always
or
I
never
use
this
particular
authorization.
I
just
implement
the
single
sign
on
using
ncl
or
open
id
connect
to
earth
and
I'm
good
over
here.
B
I
do
see
that
a
lot
of
b
over
here
so
sometimes
I
use
it,
and
I
do
see
there
are
a
few
c's
also
which
is
really
nice,
and
I
do
cd
and
I'm
literally
getting
worried
about.
But
okay
no
worries,
I
think
after
this
session,
I
think
you
will
all
all
feel
good
about.
At
least
you
have
understood
the
concepts
and
now
you
can
be
able
to
easily
decide
which
way
I
wanted
to
go
good.
Thank
you.
C
Okay,
yeah,
even
there
was
a
question
up
in
the
chat
about
who's.
Doing
what
is
authentication,
so
I
just
just
wanted
to
clarify
one
thing
here:
identifying
who
you
are
is
authentication
and
what
you
can
do
and
what
what
you're
authorized
to
do
is
the
authorization
part
of
this
is
how
you
can
differentiate
and
look
at
these
things.
B
Yes
and
that's
what
I
gave
you
the
example
of
the
admin
versus
the
normal
user,
so
what
you
can
do
into
that
app
is
also
important
and
based
on
that
customers
want
to
apply
the
security
controls
and
that's
where
the
authorization
part
is
important.
So
basically,
is
the
role.
What
you
carry
into
that
particular
app
is
the
authorization
and
that's
where
it's
important
to
understand,
but
yeah
thanks.
B
I
have
got
enough
amount
of
responses,
so,
let's
move
forward
so
now,
when
you
think
about
azure
active
directory,
there
are
two
options
over
here.
You
can
use
groups
for
authorization
or
you
can
use
rules
for
authorization,
but
the
question
is:
where
should
I
begin
from
so
we
are
going
to
talk
about
both
these
particular
scenarios
and
then
we
will
see
it's
like
okay,
what
is
actually
suitable
in
your
app
and
what
are
the
significant
difference
between
two?
So,
let's
start
with
particular
group
part:
are
you
using
group
information
into
the
application?
B
B
Yes,
I'll
answer
that
question
also.
I
know
there
are
people
typing.
So,
yes,
the
concept
still
works
in
azure
id
and
azure
ddb2c.
So
either
it's
a
group
or
roles.
It
works
on
both
the
ends.
So
yes,
so
whatever
we
are
talking
is
going
to
be
also
applicable
into
the
v2c
10,
and
so,
if
you
have,
if
you're
a
b2c
developer,
it's
still
valid
for
that
all
azure.
The
roles
do
not
work
with
ad
groups.
Yes
I'll
I'll
talk
about
it
in
little
detail,
just
wait
for
a
few
more
minutes.
B
Okay!
So
let's
talk
about
the
group
part
of
it
first.
So
when
you
are
using
groups
for
authorization,
there
are
different
types
of
groups
in
the
organization,
so
basically
consider
on-premise
groups
like
security
groups
and
distribution
groups
which
lot
of
our
enterprise
customers
are
actually
syncing.
These
groups
from
on
premise,
active
directory
to
azure,
active
directory
and
then
also
cloud
customers
create
all
like
users
can
create
office
groups.
B
You
can
create
azure
id
groups,
there
are
dynamic
groups,
you
can
create
based
on
that
role
or
you
can
actually
write
a
rule
and
say
if
the
user
is
the
department.
Is
sales
then
create
this
particular
group
and
all
the
users
into
that
particular
group.
So
this
is,
these
are
the
different
types
of
groups,
but
when
you
are
writing
an
application,
you
have
to
plan
for
all
types
of
groups.
You
can't
just
say
it's
like
okay,
it's
my
on
premise,
group
or
I'll
rely
on
the
cloud
groups.
B
The
one
of
the
major
thing
with
azure
active
directory
is
the
group.
Names
are
not
immutable.
Values,
non-invitable
values
the
names,
particularly
so
what
it
means
is
you
can
create
suppose
the
office
group
or
the
cloud
group
with
the
same
name
again
and
again,
it's
pretty
much
possible
because
we
don't
check
for
the
uniqueness
of
the
group
name
in
the
on-premise
world.
There
is
on-premise
sam
account
names
which
you
can
always
consider
as
unique,
but
that
is
not
the
same
case
with
the
cloud
troops
or
which
are
agility
groups.
B
So
that's
one
of
the
thing
and
that's
why
we
feel
that
passing
the
group
names.
In
the
token,
like
all
the
group
names,
including
cloud
troops,
is
not
very
secure
solution,
because
in
this
case
a
user
can
just
create
a
group
and
part
of
that
particular
group
or
owner
of
that
group
and
then
just
pass
that
information
in
the
token
and
the
application
will
do
authorization
based
on
the
value
what
it
receives
in
the
token.
So
that's
why
it
is
more
riskier
and
that's
why
we
suggest
to
use
group
ids.
B
B
So
there
is
a
partial
you
can
say
is
available
through
the
applications
assigned
to
the
group,
but
that
might
not
always
like
be
helpful
as
you
need
it,
and
if
there
are
more
particular
group
in
the
token
there
is
always
a
token
bloat
possibility.
So
I've
seen
this
with
few
customers
where
the
token
bloat
happens,
and
then
then
you
cannot
actually
be
able
to
pass
or
to
get
the
response
event.
So
that's
like
one
of
the
biggest
thing
I'll
just
little
bit
over
here.
I
think
there
are
a
lot
of
questions
over
here.
B
We
use
it
when
coming
from
sharepoint
online.
Yes,
I
have
seen
the
sharepoint
scenario
where
you
need
this
particular
group
information,
but
that's
a
group
ids
80
groups,
don't
always
work
for
certain
types
of
authorization,
for
example,
when
attribute
based
authorization
is
needed.
Yes,
for
a
back
purposes.
Yes,
the
ad
groups
is
not
always
suitable
solution.
I
agree
with
that.
What
is
the
demand
difference
between
pass-through
authentication
and
password
asking?
Oh,
I
think
that's
not
a
question
over
here.
It's
particularly
you
are
asking
about
authentication,
so
there
is
a
good
amount
of
documentation.
B
We
wrote
for
pass
through
earth
and
password
hashing,
so
I
suggest
you
to
look
at
that
authorization
with
authorizing
with
idp
when
utilizing
multi-tenant
art
is
my
primary
issue
that
drivers
that
drives
as
needed
to
move
the
application
based
off
okay,
so
multi-tenant.
So
we
are
going
to
talk
about
singleton
multi-tenant
into
that.
I
will
try
to
answer
your
question.
There
is
also
the
constraint
that
dynamic
groups
do
not
support
multi-values.
Yes,
that's
true,
and
we
will
see
what
is
the
multi-valued.
Actually,
you
can
able
to
do
it.
B
One
of
the
biggest
challenge
with
the
group
is
the
limitation
of
number
of
groups
which
can
be
passed
in
the
token
yes.
Today
we
have
a
limit
for
150
particular
group
ids.
In
the
token,
if
there
are
more
than
that,
then
there
is
a
query
which
is
getting
passed
and
you
need
to
invoke
that
graph
particular
query
to
retrieve
the
information.
B
B
Sometimes
in
b2c,
using
groups
is
not
a
very
good
control,
but
you
can
actually
in
b2c,
allows
lot
of
customization
of
the
claims
you
can
also
able
to
do
that.
It's
depends
on
the
approach.
But
again,
if
you
are
using
groups,
you
should
be
using
or
you
will
be
using
group
ids,
particularly
if
you
are
okay
to
use
the
group
is,
then
you
should
do
that.
B
Yes,
it
will
use
more
bandwidth
for
a
token,
because
this
goes
into
the
body,
as
you
already
actually
post,
always
post
the
response
using
post
binding.
So
that's
where
the
response
goes
into
the
body
and
the
body
always
has
a
limit
based
on
the
browser,
so
some
browser
like
2
kb,
is
a
limit.
So
if
your
response
was
beyond
that,
the
body
will
not
able
to
accommodate
so
many
things
so
that
open
bloat
happens
how
to
change
office
groups
to
dynamic
groups.
B
That's
not
the
topic
too.
I
think
I
suggest
you
to
submit
a
stack,
workflow
question
for
it
where
I'll
be
happy
to
answer
that.
Yes,
we
are
going
to
talk
about
app,
assign
teams
or
groups.
Okay,
let's
move
forward.
There
are
a
lot
of
questions.
Okay,
so
now,
when
we
look
at
for
approvals,
so
the
difference
between
app
roles
is,
you
can
actually
apply
app
role
for
every
app
in
azure
id.
B
That
means
any
app
in
azure
id,
whether
it's
a
saml
app
added
from
the
gallery
or
non
gallery
app
or
whether
it's
app
registered
using
app
registration.
You
can
still
able
to
configure
app
roles
for
it.
Saurabh
is
going
to
talk
about
the
user
interface
and
graph
apn
manifest
option
for
that.
How
do
you
configure
that?
So
you
will
be
able
to
see
that
over
there,
one
of
the
good
thing
on
app
roles,
it's
more!
It's
about
the
it's!
The
claim
is
in
the
human
readable
format.
B
That
means
if
there
is
a
specific
role
which
you
are
actually
putting,
it
can
be
configured
on
the
app
and
it
can
be
sent
in
the
token
which
can
be
readable,
one
of
the
biggest
difference.
What
you
see
when
we
are
comparing
with
groups
is
based
on
the
groups.
You
have
to
do
group
to
role
mapping
into
the
app
versus
when
you
are
using
app
role
as
a
feature.
In
that
case,
customer
configure
the
role
based
on
the
what
you
actually
have
as
roles
configured
into
the
app
so
think
more
about.
B
There
is
an
app
you
are
developing
where
an
signing
is
e-signature
app,
and
I
have
a
three
particular
roles,
so
admin
approver
and
a
user
as
a
role.
So
these
are
my
rules
which
are
being
created
into
my
app.
I
can
replicate
the
same
in
using
app
roles
in
azure
id
and
then
just
do
the
mapping
of
that
particular
user
and
the
app
roles.
So
that's
the
biggest
difference.
B
That
means
your
roles
stays
the
same
and
you
get
that
information
into
the
idp
for
the
admin
to
map
with
the
groups,
whereas,
if
you're
using
groups,
then
the
group's
ids
are
sent-
and
you
have
to
do
that-
mapping
into
the
app
like
which
groups
map
to
which
particular
role.
So
that's
the
significant
difference
between
two
in
saml.
We
do
provide
a
customization
of
the
claim
where
you
can
say
my
role
particular
claim
looks
at
whether
role
member
of
or
whatever
it
is.
B
If
the
user
is
part
of
multiple
groups,
then
he
can
able
to
receive
multiple
roles
associated
with
the
groups
and
that's
where
the
actual.
You
can
able
to
see
those
particular
roles,
and
I
have
a
quick
example
for
you
to
show
on
this.
I
have
my
sample
app
and
called
azure
ready,
saml
toolkit
app
and
in
this
particular
app
I
configured
different
roles,
so
here
you
can
able
to
see.
I
have
a
finance
group
which
is
in
approver
versus
my
hr
is
an
admin
and
all
everything
users
are
part
of
the
reader.
B
Okay,
let
me
show
you
the
claim
configuration
I
have
done,
which
is
app
role,
member
and
then
user
dot
assign
roles
is
the
key.
I
used
it
so
here
when
I
go
into
the
token
you
can
see
app
roll
member
as
a
claim
name,
and
these
are
multi-valued
attributes
that
I'm
in
admin
and
I'm
also
an
approver
so
based
on
my
particular
user.
B
It
actually
gets
that
particular
all
the
rules
and
they
are
shown
over
here,
but
that's
how
it
works.
So
this
is
possible
into
the
saml.
If
you're
using
jwt,
then
you
will
see
role
as
a
claim
and
then
you
will
able
to
see
the
area
of
the
particular
values
which
you
can
able
to
process
it.
Coming
back
to
our
particular
thing,
I
would
like
now
to
hand
it
over
to
sarah,
so
that
saurop
can
talk
about
particular
app
roles
for
different
objects,
and
how
do
we
do
that?
Using
a
new
interface
yeah.
C
So
app
roles
can
be
configured
and
defined
for
two
or
three
different
possibilities.
One
you
can
do
app
create
define
app
roles
that
are
assignable
to
users
or
groups
which
you
can
do
through
the
enterprise
apps
in
case
you're.
It's
going
through
a
user
assignment
for
for
application.
The
other
one
is
the
other
scenarios.
You
can
configure
app
roles
to
be
assigned
only
to
applications.
So
in
in
a
scenario
where
a
client
app
calls
an
api,
you
can.
C
You
can
assign
app
roles
for
that
scenario
and
that
that
shows
up
in
the
access
token,
in
the
roles
claim
of
the
access
token.
So
this
is.
This
is
particularly
useful
if
you
have
automation
scenarios
where
you
are
trying
to
automate
things
and-
and
you
just
have
like
application
specific
roles
and
you
you're
trying
to
build
automation
based
off
of
that.
So
that's
that's
one
of
the
particular
things.
C
The
next
thing
that
I
want
to
show
here
is
before
I
jump
into
the
interface
one
of
the
major
problems
with
the
app
role
definition
today
that
you
know
we
got
a
lot
of
feedback
on.
Is
it's
hard
to
edit
the
manifest?
And
it's
hard
to
define
app
roles
in
the
manifest
for
for
a
lot
of
reasons,
one
it
requires
it
requires
json
editing,
so
you
have
to
get
into
the
manifest
edit
that
json
either
export
the
manifest
out
and
edit.
C
What
we
have
done,
what
what
we've
done
is
created
this
app
roles,
blade
in
the
app
registrations
and
what
that
provides
is
basically
just
a
representation
of
whatever
is
in
the
manifest.
So
an
apple
definition
is
is
represented
in
this
ux
here.
So
you
can
see
a
display
name
description,
the
allowed
member
types
value
id
and
the
state
whether
it's
enabled
or
disabled,
and
then,
if
actually
before,
I
move
forward
quick
question.
Is
the
navigation
name
descriptive
of
the
feature,
the
the
blade
name?
That
is.
B
A
C
Yeah
feedback
feedback
taken,
and
I
I
see
that
the
answer
to
this
is
yes
and
which
is
I'm
so
glad
to
hear,
because
we
went
back
and
forth
on
this
on
what
to
and
how
to
name
this
blade.
So
I'm
glad
to
hear
that
okay,
custom
app
rules,
that's
one
option
right.
I
think
so.
The
majority
here
is
a
and
thank
you
so
the
create
and
edit
apple
experience
once
you
click
on
the
button
to
add
app
roles
again,
the
same
properties
that
you
would
add
in
the
manifest.
C
C
The
value
is,
has
all
the
validations
for
you
know,
disallowing
any
spaces,
or
you
know
special
characters
that
you
would
otherwise
not
be
would
not
put
in
the
manifest.
So
you
get
a
direct
feedback
even
before
you
hit
save
it,
validates
the
the
field
here
and
then,
like
you
know,
the
description
enable
is
pretty
self-explanatory.
C
Deletion
goes
to
the
same
rigor
as
what
it
would
do
in
the
app
manifest.
So
if
you
were
trying
to
delete
an
app
role,
it
would
require
you
to
first
disable
it,
and
then
you
would
go
and
be
able
to
delete
that.
The
one
thing
here
is
once
you
do,
disable
the
app
role
deletion
has
all
these
red,
so-called
red
flags
that
stop
you
and
warn
you
from
from
proceeding.
If
make
sure
that
you're
doing
the
right
thing.
C
C
It
will
not
work
since
the
user
or
the
application
will
not
have
the
role
in
their
claim
in
the
role
claim,
so
the
assignment
doesn't
doesn't
go
away,
but
the
reason
we
want
to
call
this
out
is
like,
if
you
go
back
in
the
ui,
create
the
apple
with
the
same
value
which
is
over
here.
It
really
wouldn't
work,
because
the
good
in
the
back
end
would
have
changed
so
you
you
could
be
under
the
assumption
that
you
could
delete
an
apple
and
then
go
back
and
recreate
it.
B
And,
and
just
to
mention
over
here
on
this
particular
slide
about
deletion-
part
that
we
we
don't
check
the
whether
you
have
done
the
assignment
or
not.
So
if
you
delete
the
role
it's
and
you
have
assigned
that
particular
role
to
different
groups,
they
will
not
receive
that.
In
the
token,
so
there
will
be
an
effect
on
that.
You
need
to
consider
that
before
you
are
deleting
and
that's
why
the
disable
option
is
provided
and
then
actually
delete.
B
C
C
I
am
seeing
questions
fly
by
and
I
think
the
last
one
is
what
apple
will
applaud
creation
work
for
users
who
have
owner
rights
on
the
app?
Yes,
it
will
so
any
anybody
who
has
a
global
administrator,
app
admin,
cloud
cloud,
app
admin
or
an
application,
app
owner
role.
They
will
be
able
to
support
b2b
support
obo
flow
as
an
api
developer.
This
is
much
required.
C
B
C
B
Just
to
answer
one
more
question:
I
think
there
are
a
lot
of
b2c,
but
b2c
does
support
approvals,
so
even
in
b2c
you
can
actually
in
the
manifest
also
you
can
able
to
create
the
roles
or
using
the
apis,
and
you
can
able
to
use
it
in
the
same
way.
When
you
are
assigning
that
particular
group
or
a
user
to
the
application
you
can
able
to
assign
different
roles.
I
personally
tested
this.
Yes,
it
works.
B
C
C
The
one
thing
to
to
call
out
here
is
like,
if
you're
looking
at
the
origin
value,
this
is
the
application
is,
is
where
the
app
role
was
initially
defined.
You
can
define
app
roles
as
a
tenant
admin
on
the
service
principle
as
well,
and
that's
where
this
this
value
would
be
different
so,
but
for
most
of
the
app
rules
which
get
defined
at
the
application
object
level.
You
would
see
the
origin
value
as
application.
C
We
have
microsoft
graph
apis
for
getting
the
information
on
app
roles
and
you
can
do
a
call
to
wac
application.
My
graph
microsoft.com
applications
and
get
a
list
of
all
the
app
roles
or
you
can
go
to
the
service
principle
and
and
get
the
application
rules
on
the
service
principle
as
well,
and
then
there's
a
documentation
link
that
will
be
shared
as
part
of
this
deck.
B
Thank
you.
So
when
we
are
talking
about
the
app
roles
for
single
tenant
applications,
so
there
might
there
are
multi-tenant.
There
are
two
basically
scenarios
we
are
talking
about.
That
means
again,
you
are,
you
might
be
a
line
of
business
application
developer,
where
you
are
developing
application
for
your
own
organization
and
in
that
particular
case,
your
scope
of
the
application
is
very
limited
to
your
particular
tenant
and
the
users
into
that
tenant.
That
does
include
b2b
users.
B
It's
the
same
way
behaves
as
it
behaves
for
your
employees,
so
you
can
actually
configure
the
app
roles
on
the
application
object
and
then
you
can
say
it
can
be
configured
for
users
or
groups
or
applications,
as
actually
serup
just
actually
shown
that
to
us
for
multi-talent
apps.
Now
I
would
like
to
call
out
it's
a
little.
You
need
to
think
little
bit
deeper
on
this.
So
when
you
are
developing
a
multi-tenant
application,
it's
for
all
azure
active
directory,
tenants.
That
means
scope
of
your
application
is
very
wide.
B
That
means
anybody
as
a
azure
active
directory
customer
can
consent
to
your
application,
and
then
they
will
get
a
service
principle
into
the
customers
tenant
and
you
as
an
we
hold.
The
service
principle
object
and
the
application
object
in
in
your
master
tenant.
So
you
can
configure
the
app
roles
for
your
application
object
over
there
and
when
your
customer
actually
cons
consent
for
an
app,
they
will
receive
the
service
principle,
but
they
will
also
receive
the
all
the
particular
rules
associated
with
your
app
and
they
are
coming
from
application
object.
B
So
it's
important
to
understand
that
and
whenever
you
are
making
a
changes
over
there,
it's
directly
going
to
affect
it.
So
let
me
show
you
this
is
my
microsoft.com
tenant
and
I
have
a
multi-tenant
application
over
here
called
azurity
app
gallery
information
and
I
created
three
different
particular
roles
over
here.
You
can
see
it's
a
member
role,
gta
and
admin.
There
are
three
different
roles.
I
have
it,
so
these
are
the
specific
roles
created
for
my
particular
app,
and
this
is
a
multi
turret
application.
That
means
the
scope
of
this
application.
B
Is
customers
can
consent
for
this
particular
app?
And
you
can
see
this
is
a
multi-talent
app
so
now,
when
my
actually
customer,
so
I
have
another
test
tenant
from
where
I
can
able
to
test
this
and
I'll
show
you.
So
this
is
my
test
net,
which
is
given
at
simplytest.net
and
let's
search
for
that
particular
app.
B
This
is
already
app
gallery
information,
so
this
is
a
consented
app,
so
I
have
consented
this
particular
app
from
my
simply
testing
and
to
that
microsoft
the
main
application
is
hosted
in
the
content.
So
now,
when
I'm
actually
looking
into
users
and
groups,
you
can
able
to
see,
I
select
a
user,
and
I
click
edit-
and
I
do
see
all
three
roles
over
here,
so
that
these
three
particular
roles
are
coming
directly
from
that
particular
app,
which
is,
I
have
consented
for.
B
So
in
this
particular
case,
I
think
when
you
are
modifying
the
roles
you
have
to
be
very
cautious,
because
all
the
customers
will
immediately
receive
the
change
on
their
side.
As
you
update
the
role
on
your
master
app
and
then
they
can
able
to
select
and
use
it.
So
I
think
this
is
what
you
need
to
define
first,
when
you're
actually
creating
a
multi-tenant
app
at
that
time.
You
have
to
think
about
it
like
how
my
customers
are
going
to
get
these
roles
and
what
roles
they
can
use
it.
B
If
you
remove
the
rules,
it's
going
to
get
immediately
affected
to
all
the
customers,
so
you're
not
able
to
see
that
token,
and
the
assignment
is
not
like
immediately.
That
will
assignment
will
show
saying
that
the
the
role
is
gone
now,
which
you
have
previously
used
and
that's
how
the
difference
is
so.
I
can
now
able
to
see
that
I
have
assigned
this
particular
role
to
a
user,
so
that's
the
difference
between
single
tenant
and
multi-tenant,
app
so
think,
twice
about
modifying
it
or
deleting
it.
B
Adding
should
not
be
the
issue
because
you're
just
adding
more
roles
over
there
and
you
can
easily
able
to
pass
these
particular
new
roles
to
your
customers
and
that's
where
your
customers
will
receive
it
and
then
you
can
use
it
in
the
token
for
authorization.
Part
of
it
so
also
shown
you.
We
do
have
an
api
for
that
which
says
on
the
service
principles.
What
are
the
different
app
roles
and
you
can
able
to
see
the
roles
I
created
for
the
app
and
they
are
originating
from
the
application
object.
B
Similarly,
I
can
go
into
the
application
object
also,
and
I
can
able
to
see
it
from
there
saying
that,
which
particular
roles
have
been
created
which
are
app
roles
are
associated,
so
I
can
able
to
see
that
from
the
application
object.
Also.
So
all
these
particular
graph
api
queries
are
available
and
we
have
a
documentation
which
talks
about.
How
do
you
do
the
app
roles
and
the
app
role
assignment
when
you
are
using
this
particular
assignment
to
user
or
groups
or
applications?
There
is
also
an
safe
rate
api
for
that.
B
Okay,
so
now,
when
we
look
at
the
gotchas
before
you
start,
so
I
think
app
roles
is
beta
suited
for
core
screen
authorization.
That
means,
ideally,
although
we
have
a
limit
of
1200
app
roles,
is
the
limit
on
the
object.
So,
ideally
it's
near
to
1200,
it's
not
like
exact
1200,
but
it
is
the
storage
limit
on
the
object
we
have.
B
So,
as
you
are
putting
more
particular
application
roles,
your
particular
object
limit
is
getting
reached
and
that's
where
you
will
start
facing
the
issue,
but
I
have
seen
lot
of
customers
struggle
at
the
limit
of
1200.
So
that's
why
we
call
this
out,
as
1200
is
11.
note,
that
april
value
is
limited
to
255
characters.
That
means
you
cannot
actually
have
a
bigger
than
250
character.
55.
Previously
this
limit
was
130
six
months
back.
We
modified
this
to
255
characters,
msm
access.
In
some
cases
you
will
see
this
role,
but
that's
a
default
role.
B
If
you
add
the
application
from
the
gallery,
then
you
will
see
this
role,
so
please
don't
delete
that
that
will
be
used
in
the
app
gallery
in
that
particular
way.
There
are
some
limitations
on.
You
cannot
use
special
characters
like
space
and
there's
all
that
validation
is
there
into
the
ui
now
so
I
hope
like.
If
you
need
like
particularly
space,
then
you
will
not
able
to
achieve
that,
and
there
are
a
few
some
special
characters.
Even
we
don't
allow
that.
But
all
that
actually
check
is
there
on
the
ui.
B
You
can
consume
the
claim
that
value
in
the
jwt
or
saml
claim
directly.
So
you
can
able
to
do
authorization
and
values
in
the
claims
are
multi-valued.
So
when
I'm
thinking
saying
multivalued,
so
I've
shown
you
that
in
the
sample
how
it
appears
for
particular
jwt,
it
becomes
an
array
and
then
you
can
able
to
see
it
to
get
multiple
value
of
users.
This
is
a
very
important
aspect,
because
the
group
assigned
to
the
application
is
a
premium
feature.
That
means
it
requires
at
least
security
premium
one.
B
You
need
to
think
about
the
rules,
because
the
how
multiple
you,
how
the
same
user
can
get
multiple
roles.
Basically
user
is
part
of
multiple
groups,
say
mg1
and
part
of
group
a
and
group
b,
and
you
are
assigning
role
a
and
role
b
to
the
respective
groups.
Then
I'll
get
both
these
particular
roles,
but
if
I
don't
have
azurity
premium,
I
cannot
actually
assign
these
particular
groups
to
the
application,
and
that
way
I
cannot
actually
able
to
get
multiple
roles.
B
That
means
you
can
only
assign
user
objects
to
the
app
and
then
you
can
only
able
to
assign
one
particular
role.
So
you
have
to
think
very
thoroughly
about
your
licensing
model
for
your
customers.
If
they
have
azurity
premium,
then
they
can
able
to
get
assigned
multiple
roles
to
the
users
and
then
you
can
receive
them
in
the
token.
Otherwise
they
will
only
always
have
like
one
particular
role
if
they
assign
directly
user
to
the
app.
B
B
Remember
about
licensing,
because
if
you
develop
that
way-
and
you
are
expecting
multiple
roles
and
if
your
customer
does
not
have
azure
data
premium,
then
it
will
be
an
situation
over
there,
because
customer
might
not
actually
separately
buy
agility
premium
for
your
app
or,
if
your
app
is,
that
important
that
they
might
be.
But
that
should
be
a
consideration.
B
So
there
is
also
now
a
ui
and
epa
for
configuration.
As
I
said
in
the
chat
window,
ui
is
going
to
come
in
few
more
weeks.
I
think,
and
it
will
allow
you
to
create
the
roles
and
manage
the
roles
very
easily.
If
you
change
the
app
roles
for
multi-tenant
apps,
all
your
customers
are
going
to
immediately
receive
it
so
making
changes.
It
is
important
that
you
consider
that,
and
you
can
also
con
use
this
particular
after
all,
in
the
automation,
particularly
on
the
service
principles.
B
We
suggest
don't
add
too
many
rules.
Otherwise,
it's
like
again
1200
is
the
limit.
As
I
said,
and
I've
seen
in
some
cases
the
token
load
happens.
So
don't
do
that
for
cool
screen
authorization
so
think
more
about
like
20
30
might
be
good
enough,
but
you
can
go
larger
if
you
need
to,
but
should
not
be
like
1200.
B
C
B
Okay,
so
the
app
role
information
goes
into
the
token
and
then
you
can
actually
see
a
lot
of
times.
I
have
seen
the
apps
actually
inside
the
app.
You
have
a
permission
model
saying
that
this
is
my
permission,
and
this
is
the
role
for
it
and
you
just
map
that,
from
the
token
value,
like
the
the
value
which
you
received
in
the
token
to
that
particular
role,
so
role
to
permission
mapping
is
still
happens
into
your
app.
B
B
Can
approach
be
used
to
granulize
graph
api
permission,
especially
high
privilege
api
permission?
You
can
do
that,
but
we
don't
recommend
to
do
it
like,
especially
for
high
privilege
api.
You
use
the
app
rules
rather
than
you
should
use
the
r
back
role
based
access
control.
We
do
have
a
custom
roles,
even
in
app
registration,
even
in
enterprise
app,
so
we
suggest
customers
to
create
that
as
a
developer.
I
think
you
should
think
more
about
giving
an
ability
for
customers
to
create
a
role-based
access
control
on
that,
rather
than
use
in
the
automation.
B
If
you
would
like
to
do
it
that
that
technically
is
possible,
I'm
not
saying
it's
not
possible.
Okay,
any
other
use
cases
where
you'd
not
recommend
to
use
approvals.
As
I
said
like.
If
you
would
like
to
go
fine
grain
where
it
says
like
I
have
thousands
of
rules
and
customization,
then
we
say
just
don't
use
it
in
that
way,
because
it's
too
much
amount
of
operational
for
our
administrators.
B
It
should
be
ideally
very,
of
course,
like
you
can
say,
10
rolls
20
rolls.
Then
that
is
much
more
suitable,
but
in
that
case
I'll
say
just
do
it
in
that
way,
for
asp.net
do
app
role
gets
mapped
to
roles
as
they
just
claims
on
the
user
objects
for
asp.net.
You
can
use
the
square
brackets
and
define
the
role
and
enable
to
process
that
particular
role
from
the
user
object,
so
you
you
can
able
to
use
it
in
that
way.
B
Okay,
russell
has
a
feedback
on
the
link,
is
not
working
so
I'll.
Give
that
feedback
to
stephen
stephen
will
look
into
that
and
we'll
fix
it.
Have
I
missed
any
other?
What
okay?
What
have
you
seen
happen
at
around
1200
rolls?
Okay,
so
what
happens
around
200
rolls?
Is
you
will
not
able
to
edit
the
existing
roles
or
if
you
will
not
able
to
delete
the
roles
or
modify
the
rules?
B
So
that's
the
issue
happens
the
work
around
on
that
you
can
use
graph
api
and
remove
certain
roles
through
the
apis
and
then
that
works
and
I
am
hoping
with
the
new
ui.
That
is
also
going
to
be
possible
because
you
can
easily
able
to
disable
and
delete
the
roles
as
needed,
but
you
will
not
able
to
update
or
add
more
roles
over
there
and
that's
the
major
situation
which
will
happen
so
around
1200
roles.
You
will
feel
you
will.
You
will
see
that
situation.
B
B
B
What
you
set
so
consider,
if
you
just
add
one
particular
role
for
your
app
by
default,
they'll,
get
that
if
you
have
more
than
one
particular
role,
then
the
the
first
role
they
will
get
that
generally,
it
is
msim
access
which
is
default
access
role,
and
then
the
customer
can
choose
saying
that
I,
when
I'm
assigning
this
application
to
other
users
and
groups,
I
have
to
choose
a
specific
role.
So
that's
how
it
works:
okay,
so,
but
who
assign
roles
to
customers?
B
Okay,
so
the
role
assignment
is
always
up
to
the
customer
and
the
admin,
because
in
the
enterprise
application
in
my
tenant,
as
a
customer,
I
decide
which
particular
groups
will
be
assigned
to
the
app
and
what
role
they
get,
whether
I'm
assigning
users
or
whether
I'm
assigning
groups
at
that
time.
The
administrator
actually
selects
the
right
role
for
it.
A
Even
we're
approaching
the
end
of
the
hour,
I'm
not
going
to
stop
you,
but
I
just
want
to
thank
everyone
for
joining
us
today.
We
really
appreciate
your
taking
the
time
to
come
here
and
ask
questions
and
and
and
give
us
that
that's
great.
If
there's
any
last
questions
that
you
want
to
address
you
and
that's
great,
otherwise,
we
can
just
say
bye
to
our
friends.