I have a .NET application with a front-end that uses Azure App Roles to handle permissions to various pages/features. Using Microsoft Graph API, we are able to have configuration pages to add users to groups that are assigned those app roles. This is causing conflicts though in our lower environments (Dev and UAT) as granting a role to a user in Dev will suddenly give them access in Prod.
The first thing I did was split our Azure Groups up so that there is a "Test" copy that our dev/UAT environment only ever interacts with when adding users to a group. However, the underlying app roles assigned to the groups are still the same.
I have looked at separating the app roles out as well, so there may be a "Provider.Create" and a "Provider.Test.Create", and having our app key off of the "Test" prefix in lower environments. However, we are already at over 100 app roles, so the claims being sent in the header are very large. How can I scope app roles, and thus the claims being sent down, to only a "test" or "dev" version?
Just for example: Among many modules in our app, there may be a workflow page that allows tracking and working Orders. There are 3 Azure Groups for this module:
Those 3 groups may have a mix of Azure App Roles that correspond to their permissions, such as Order.Create, Order.Edit, Order.Delete, Order.ViewAll, etc.
If I have an admin page to manage the users belonging to the 3 groups and I add a user to the Admin group in Dev, to test and make sure permissions work, that user will now have Order.ViewAll and other admin app roles in their claims in the prod environment!
Use different application registrations in each environment with the same app role names. Also consider assigning roles to groups to reduce the number of direct app role assignments, if your AAD license supports it.
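The following is an added example illustrating the answer above; it is not code from the question or the answer. It assumes an ASP.NET Core app using the Microsoft.Identity.Web package, and that `appsettings.Development.json`, `appsettings.UAT.json` and `appsettings.Production.json` each carry an `AzureAd` section whose `ClientId` (placeholder values in the comments) points at that environment's own app registration. Because the `roles` claim in a token is issued only by the registration the app authenticated against, a user added to an admin group tied to the Dev registration never receives `Order.ViewAll` in a Prod token, while the authorization code itself stays identical in every environment.

```csharp
// Program.cs (added example, not from the original post)
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// The "AzureAd" section is bound from appsettings.{Environment}.json, so each environment
// authenticates against its own app registration. Placeholder (assumed) values:
//   appsettings.Development.json -> "AzureAd": { "ClientId": "<dev-app-registration-id>",  ... }
//   appsettings.UAT.json         -> "AzureAd": { "ClientId": "<uat-app-registration-id>",  ... }
//   appsettings.Production.json  -> "AzureAd": { "ClientId": "<prod-app-registration-id>", ... }
// Each registration declares the same app role names (Order.Create, Order.Edit, Order.ViewAll, ...).
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // Microsoft.Identity.Web maps the token's "roles" claim to the role claim type,
    // so RequireRole checks app roles directly. Role names are identical across environments;
    // only the registration that issues them differs, so no "Test" prefix is needed.
    options.AddPolicy("CanViewAllOrders", policy => policy.RequireRole("Order.ViewAll"));
    options.AddPolicy("CanEditOrders", policy => policy.RequireRole("Order.Edit"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Same endpoint code in Dev, UAT and Prod; the environment's own registration decides
// which roles the signed-in user actually carries.
app.MapGet("/orders/all", () => "all orders")
   .RequireAuthorization("CanViewAllOrders");

app.MapPut("/orders/{id}", (int id) => $"edited order {id}")
   .RequireAuthorization("CanEditOrders");

app.Run();
```

With this layout the Graph-driven admin page that adds users to groups only needs to target the groups assigned to the current environment's registration, and an assignment made in Dev cannot surface as a claim in a Prod token.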