
Azure app registration limit access for client secret/certificate


I'm developing an API that will be used by other applications and I'm using the Microsoft Identity platform. The API exposes several end-points, and one application will use all end-points while the other will use a subset of them. To accomplish this, in the app registration, I'm creating two app roles (say read and read/write).

Now, the client applications will use either a user secret or a certificate to authenticate, but I cannot find any way to set that a specific user secret/certificate is assigned to one or both of the roles created. It seems like if a client application uses a user secret/certificate, it gets access to all end-points.

Am I missing something or looking at it from the wrong perspective?


Solution

  • The app roles are not associated with authentication methods. You would need three app registrations in this scenario: one for your API, which defines the app roles, and one for each client app. Each client app would be granted API permissions to your API app with the appropriate role.

    E.g.:

    • App Registration MyAPIApp, has Role1, and Role2

    • App Registration ClientApp1 has API Permission to MyAPIApp with role Role1

    • App Registration ClientApp2 has API Permission to MyAPIApp with role Role2
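With that layout, the secret or certificate only proves which client app is calling; the role a client was granted shows up in the `roles` claim of its access token, and the API has to enforce it per end-point. The following is an added example (not from the question, the answer or Microsoft's libraries) of that check; it assumes the token's signature, issuer and expiry were already validated by the web framework's JWT middleware, and the endpoint names, role table and claim values are constructed.

```python
# Added example: authorization check the API (MyAPIApp) runs on each request.
# Assumes signature/issuer/expiry validation already happened upstream; this
# only inspects the authorization claims of the decoded token.

API_APP_ID = "api://my-api-app-id"  # constructed: Application ID URI of MyAPIApp

# Hypothetical mapping from end-point to the app roles that may call it.
ENDPOINT_ROLES = {
    "GET /items": {"Role1", "Role2"},  # read: either role is enough
    "POST /items": {"Role2"},          # write: Role2 only
}


def is_authorized(claims: dict, endpoint: str) -> bool:
    """Return True only if the token was issued for this API and carries a
    role that the end-point accepts."""
    # A token minted for some other resource must not be honoured, no matter
    # which roles it lists.
    if claims.get("aud") != API_APP_ID:
        return False
    required = ENDPOINT_ROLES.get(endpoint)
    if required is None:
        return False  # unknown end-point: fail closed
    # 'roles' is only present when the client app was granted an application
    # permission on the API; a client that merely authenticated has none.
    granted = set(claims.get("roles", []))
    return bool(granted & required)


# Constructed claim sets, shaped like decoded client-credentials access tokens.
CLIENT_APP1_CLAIMS = {"aud": API_APP_ID, "azp": "client-app-1-id", "roles": ["Role1"]}
CLIENT_APP2_CLAIMS = {"aud": API_APP_ID, "azp": "client-app-2-id", "roles": ["Role2"]}
UNASSIGNED_CLAIMS = {"aud": API_APP_ID, "azp": "client-app-3-id"}  # no role granted
WRONG_AUDIENCE_CLAIMS = {"aud": "api://other-app", "azp": "client-app-2-id", "roles": ["Role2"]}

if __name__ == "__main__":
    for name, claims in [("ClientApp1", CLIENT_APP1_CLAIMS), ("ClientApp2", CLIENT_APP2_CLAIMS),
                         ("Unassigned", UNASSIGNED_CLAIMS)]:
        for endpoint in ENDPOINT_ROLES:
            print(f"{name:11} {endpoint:11} -> {is_authorized(claims, endpoint)}")
```

The unassigned and wrong-audience cases are the ones that matter in practice: a valid secret or certificate alone yields a token with no `roles` claim, and the API must treat that as no access rather than full access.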