Tags: azure, azure-active-directory, azure-managed-identity

Azure - Debugging an app that uses managed identity to call an API


I have an app for which I'm planning to use managed identity for token retrieval to authenticate against an API. The managed identity would be given the appropriate appRoleAssignment to the underlying API service principal's role, which I've configured as an 'Application' role type. In order to debug this app on my machine, what would I need to do? Would I have to give my Azure account (the one I'm logged into in Visual Studio) the same appRoleAssignment to this role? And if so, would that mean I'd have to make the role's allowedMemberTypes both 'User' and 'Application'? Is this a bad idea? It doesn't seem appropriate to modify my role just so I can debug locally. What's the recommended approach here?


Solution

  • The same app role is needed; there is no doubt about that. If you are using the user account logged into VS to auth, of course you need to set allowedMemberTypes to both User and Application.

    It is not a bad idea, feel free to use it, but if you want to avoid this, you can also register an application with Azure AD, create a service principal, create a secret and use it to auth. I prefer this way. One point is that you don't need to change the allowedMemberTypes; another is that MSI (managed identity) is also a service principal, so this is more similar to the production environment.
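One way to wire up the approach from the answer in C# with the Azure.Identity library, as an added example that is not part of the original answer: a client-secret credential for the dev app registration when debugging locally, the managed identity everywhere else. The environment variable names, the `api://...` scope placeholder and the `roles` check are assumptions for this example.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class ApiTokenProvider
{
    // Local debugging: a dedicated app registration + client secret, read from
    // environment variables (or Visual Studio user secrets) so the secret is
    // never committed. Deployed: the app's managed identity, which needs no secret.
    public static TokenCredential BuildCredential()
    {
        var tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        var clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");

        if (!string.IsNullOrEmpty(tenantId) &&
            !string.IsNullOrEmpty(clientId) &&
            !string.IsNullOrEmpty(clientSecret))
        {
            return new ClientSecretCredential(tenantId, clientId, clientSecret);
        }
        return new ManagedIdentityCredential();
    }

    // Request a token for the downstream API. The "/.default" scope on the
    // API's application ID URI (placeholder below) is what carries the
    // Application app roles granted through appRoleAssignment.
    public static async Task<string> GetApiTokenAsync(TokenCredential credential)
    {
        var ctx = new TokenRequestContext(new[] { "api://<your-api-app-id-uri>/.default" });
        AccessToken token = await credential.GetTokenAsync(ctx, CancellationToken.None);
        return token.Token;
    }

    // Sanity check before calling the API: the expected app role must be present
    // in the "roles" claim, otherwise the assignment is missing for this identity.
    public static bool HasAppRole(string jwt, string roleValue)
    {
        var parsed = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        return parsed.Claims.Any(c => c.Type == "roles" && c.Value == roleValue);
    }
}
```

Because both the dev service principal and the managed identity are service principals, the same Application-only app role is assigned to each and the role definition itself is left untouched.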