Some actions of my Blazor WASM app and of the ASP.NET Core Web API that the Blazor app calls are protected by application roles. For Blazor it means some controls are only visible to users in a certain role. For the API it means only users in those roles are authorized to call protected actions (protected against direct HTTP calls). The ASP.NET Core Web API is a downstream API for the Blazor app and is set up as such with MSAL authentication.
I created identical roles in each of these two Azure Entra application registration pages (Entra -> App Registrations -> App Roles) and assigned all users in both. It works fine. However, the problem is that when a new user is created (manually provisioned) I need to duplicate the assignment in both apps, for example:
jdoe -> account.write in Blazor
jdoe -> account.write in API

I wonder if there is a simpler way of doing that. Maybe it's possible to create roles at the Entra tenant level instead of the app level and somehow pass them in claims? That is something that did not work out for me.
Another interesting thing I noticed is that they receive claims in different schemas: Blazor receives claims in the JWT claim names, while the downstream API receives them in the SAML schema, and I do not know how to make them arrive under one schema so that I do not need to read claims under different namespaces.
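The claim-name mismatch described above comes from the inbound JWT handler on the API side renaming short claim types such as `roles` to their SAML/WS-Fed URIs. As an added example that is not part of the question, the following `Program.cs` for the Web API turns that mapping off and points role authorization at the `roles` claim; it assumes Microsoft.Identity.Web is the package behind the MSAL-style bearer setup and that `account.write` is the app role defined on the API's app registration.

```csharp
// Program.cs of the ASP.NET Core Web API (added example, not from the question).
// Assumptions: Microsoft.Identity.Web wires up bearer auth from the "AzureAd"
// config section, and "account.write" is an app role on the API registration.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;
using System.IdentityModel.Tokens.Jwt;

var builder = WebApplication.CreateBuilder(args);

// By default the inbound handler renames "roles" to
// http://schemas.microsoft.com/ws/2008/06/identity/claims/role (the SAML schema
// the API currently sees). Disabling the mapping keeps claim names as Entra
// issues them, so both apps read the same "roles" claim.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Tell the authorization layer which claim carries roles, so that
// [Authorize(Roles = "...")] and User.IsInRole() evaluate "roles".
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.RoleClaimType = "roles";
    options.TokenValidationParameters.NameClaimType = "name";
});

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Only callers whose access token carries roles: ["account.write"] get through;
// everyone else receives 401 (no token) or 403 (token without the role).
app.MapPost("/accounts", [Authorize(Roles = "account.write")] () => Results.Ok("written"));

app.Run();
```

On the Blazor WASM side the matching setting is `options.UserOptions.RoleClaim = "roles";` inside `AddMsalAuthentication`, so both apps evaluate the same claim name. Role assignments themselves remain per app registration, so this removes the schema difference but not the need to assign the role on each registration.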