Can client and service web applications share the same Azure Active Directory Application?

Question

I have a ASP.NET Web Forms site where users will login using Azure Active Directory. As a client it calls Asp.Net Core Web Api site, that will return some information depending on customer roles. The approach is similar to https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore sample.

Each application in the sample has it's own Azure Active Directory application. My application has quite a few application roles and maintain them in both applications can be annoying and error-prone. I want client and service to use the same AAD application to avoid maintain the same roles in 2 AAD applications.

I haven't seen such architecture in examples, is any problem with such approach ?

I tried to implement it and received a "promising" error, that "scenario is supported".

AADSTS90009: Application is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.

Unfortunately I don't understand how to specify resource "using the GUID based App Identifier". In the request I already using GUID resource=https%3A%2F%2FMyDomain.onmicrosoft.com%2Fe0a25761-XXXX-XXXX-XXXX-2aefc7e3134d

Advice to change some GUID on MS Forums thread https://social.msdn.microsoft.com/Forums/azure/en-US/3de0c14d-808f-47c3-bdd6-c29758045de9/azure-ad-authentication-issue-aadsts90009?forum=WindowsAzureAD#cf3986f5-3422-44d1-bcb7-3a4201f68fa2(I asked for clarifications there) also is not clear.

So my question is: Can I share the same AAD application between client and Service, and, if yes, how to do it ?

Answer 1

Based on my test, the normal Azure AD tenant doesn't support to mix the client and server apps well.

Here is my trying for your reference:

1 .Grant the permission to the app itself by modifying the manifest like below:

"requiredResourceAccess": [
{
  "resourceAppId": "{AppID}",
  "resourceAccess": [
    {
      "id": "{customOauth2PermissionsId}",
      "type": "Scope"
    }
  ]
},
{
  "resourceAppId": "00000002-0000-0000-c000-000000000000",
  "resourceAccess": [
    {
      "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
      "type": "Scope"
    }
  ]
}
],

2 .Then we can acquire the token using OAuth2 code grant flow
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={appId}&redirect_uri={redirectURL}&resource={appId}

POST:https://login.microsoftonline.com/common/oauth2/token

However, I was not able to find the custom specific permission when pasred the access_token. If you want the Azure AD normal tenant to support this scenario, you can submit the feedback from here .

Answer 2

I tried to add a new App ID URI for AAD application ( identifierURIs []) that is supported according to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-manifest . Manifest allowed to specify multiple identifierURIs , but portals(both new and classic) show only the first of URIs. New portal highlights App ID URI entry box as changed and prompts to save it(effectively removing the second URI).

However I realized that I don't need both AAD applications to have roles. I can have 2 separate AAD applications and keep roles only in one of them. Web Site client will authenticate user, but do not check for roles itself. Instead it will call Web API site that should have AAD application with all application roles declared and assigned to users/user groups. Web API can provide roles/permissions to the client according to client's requests.