Can I add permissions to Azure Active Directory (Azure AD) Application Role?

Question

I am implementing Role based authorization to my ASP.NET MVC application. We use Azure AD and I know that in Azure AD I can define Application Roles (In Application Manifest file). However, my requirement is to attach permission with each role.

For example:

Role: Admin, Permissions: Insert, Update, Delete, View

Role: Contributor, Permission: Insert, View etc.

I don't see any example in App Manifest file that I can associate Permissions to Application Role in Azure.

Can someone tell me if I am missing something or it's not possible in Azure AD ?

Here is my App Manifest file

"appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Admin",
      "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
      "isEnabled": true,
      "description": "Admin Have the ability to do all.",
      "value": "Admin"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Contributor",
      "id": "fcac0bdb-e45d-4cfc-9733-fbea156da358",
      "isEnabled": true,
      "description": "Contributor only have the ability to view tasks and their statuses.",
      "value": "Contributor"
    },

Answer 1

This is not available in Azure AD. You can only specify roles, it is up to your app to decide then what permissions the user has based on the roles.

Answer 2

You are on the right path with defining the roles in App manifest as you have shown, but AFAIK Azure AD will only help you in defining the roles and then to some extent in assigning the roles to users/groups.

Your application will need to be implement some logic to decipher what granular permissions should a role represent. Azure AD application roles schema may not be able to help with this part.

Sample Application Authorization in a web app using Azure AD application roles & role claims