Identity Identity operations premium

App role

An app role is an application-defined permission or responsibility, such as Reader, Approver, or Orders.Write. The resource application defines the role, and users, groups, or client applications can be assigned to it. When the user or application gets a token, the role can appear as a claim for the application to enforce. In plain terms, app roles let the app describe its own authorization model instead of relying only on generic directory groups. Teams should document the owner, environment, and expected behavior.

Back to glossary browser Open Microsoft Learn source
Aliases
application role, Microsoft Entra app role
Difficulty
fundamentals
CLI mappings
4
Last verified
2026-05-10

Microsoft Learn

An app role is a role defined by an application resource that can authorize users, groups, or client applications and appear as role claims in tokens.

Microsoft Learn: Add app roles and get them from a token2026-05-10

Technical context

Technically, app roles are stored in the application manifest on the resource app registration, usually in the appRoles collection. A role can be user-assignable, application-assignable, or both, and contains values such as id, displayName, value, description, allowed member types, and enabled state. User roles support app-specific RBAC inside applications. Application roles represent app permissions for daemon or backend clients. Tokens can include role claims after assignment and consent, allowing APIs to authorize requests based on resource-defined values.

Why it matters

App roles matter because many applications need authorization that is more specific than sign-in. Being authenticated does not mean a user can approve payments, view payroll, or call a backend API as a daemon. App roles let the resource app publish stable permission values and let administrators assign those values deliberately. They also travel well across tenants compared with hardcoded group names. Without app roles, applications often embed authorization rules in code, overuse broad directory groups, or cannot distinguish users and service clients cleanly. Clear ownership, evidence, and rollback notes turn the concept into something teams can operate safely. That discipline matters when several application, platform, and security teams share responsibility.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

You see it in an app registration manifest or App roles page where the resource application defines assignable role values and allowed member types. during formal reviews

Signal 02

You see it in access tokens as role claims that an API or application reads to authorize users, groups, or app-only clients. before production rollout

Signal 03

You see it in enterprise application assignments when administrators grant a user, group, or service principal a resource-defined application role. with approved ownership with approved ownership

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Determine who or what is allowed to access a resource.
  • Troubleshoot authentication, authorization, consent, or token problems.
  • Separate user access from workload identity and automation access.
  • Prepare least-privilege role assignments before production changes.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Claims approval roles

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Harbor Mutual Insurance needed clear application roles for claims processors, supervisors, and automated fraud services.

Business/Technical Objectives
  • separate user approval rights from app-only fraud access
  • remove hardcoded group names from authorization code
  • show role claims in issued tokens
  • reduce access exceptions before audit
Solution Using App role

The identity and application teams defined app roles in the claims API app registration. User-assignable roles included Claims.Reader and Claims.Approver, while an application-assignable FraudSignals.Read role allowed a backend service to submit fraud checks without a user. Administrators assigned roles through enterprise application access, and developers updated the API to authorize based on role claims. The team exported the manifest, documented allowed member types, and tested tokens for users, groups, and service principals. Access reviews checked whether supervisors still needed approval rights and whether the fraud service retained only the app role it required. The runbook named App role ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout. Reviewers compared production and nonproduction evidence so the team could separate configuration problems from application defects quickly.

Results & Business Impact
  • authorization code stopped depending on environment-specific group names
  • audit reviewers saw role definitions and assignments in one identity model
  • fraud service access was limited to one app-only role
  • claims approval access exceptions fell 37 percent
Key Takeaway for Glossary Readers

App roles are valuable because they turn application authorization into stable, reviewable identity configuration.

Case study 02

Supplier portal separation

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Contoso Manufacturing needed suppliers to view orders while internal buyers could approve purchase changes.

Business/Technical Objectives
  • define portal-specific roles instead of broad directory groups
  • assign suppliers only to read-only capabilities
  • include role claims for API authorization
  • simplify onboarding across multiple supplier tenants
Solution Using App role

The portal team added app roles to the supplier web API app registration. Supplier.Reader allowed order visibility, Buyer.Editor supported internal updates, and Buyer.Approver controlled purchase-change approvals. The application validated role claims rather than mapping external tenant group names. Administrators assigned supplier users and groups through enterprise application assignments, while internal buyer groups received elevated roles. Developers tested tokens for each role and added clear denial messages when claims were missing. Operations documented which roles could be assigned externally and which required internal approval. Quarterly reviews removed dormant supplier assignments. The runbook named App role ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout. Reviewers compared production and nonproduction evidence so the team could separate configuration problems from application defects quickly.

Results & Business Impact
  • supplier onboarding avoided custom group mappings for each tenant
  • read-only supplier users could not approve purchase changes
  • token-based authorization tests caught two missing assignments before launch
  • quarterly review removed 18 stale role grants
Key Takeaway for Glossary Readers

App roles help multi-tenant applications express authorization in terms the application owns and understands.

Case study 03

Daemon access to finance API

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Proseware Finance needed a scheduled reconciliation service to call an internal API without pretending to be a user.

Business/Technical Objectives
  • support app-only access for reconciliation jobs
  • avoid granting broad Graph or admin permissions
  • separate read and write capabilities
  • make token claims auditable during job failures
Solution Using App role

The finance API team defined two application-assignable app roles: Reconciliation.Read and Reconciliation.Write. The scheduled service’s app registration requested only Reconciliation.Read for its first phase, and administrators granted consent after reviewing the role description. The API validated role claims from the client-credentials token before allowing access. Operators used CLI and Microsoft Graph queries to document the resource app role IDs, the client service principal, and the granted assignment. When write-back was added later, the team created a separate approval record and tested tokens before enabling the job in production. The runbook named App role ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout. Reviewers compared production and nonproduction evidence so the team could separate configuration problems from application defects quickly.

Results & Business Impact
  • the job ran without storing user credentials
  • initial access was limited to read-only reconciliation
  • audit evidence showed the exact app role assignment
  • write-back permission required a separate reviewed change
Key Takeaway for Glossary Readers

Application-assignable app roles let backend services call APIs as themselves without oversized permissions or user impersonation.

Why use Azure CLI for this?

Azure CLI is useful for App role because it gives operators repeatable evidence instead of one-off portal screenshots. Teams can inspect configuration, compare environments, export review data, and automate safe changes before application authorization changes.

CLI use cases

  • Inventory Microsoft Entra app roles and application manifests across resource groups and subscriptions before a release, migration, audit, or incident review.
  • Show the current Microsoft Entra app roles and application manifests configuration and capture IDs, scopes, names, status fields, or route settings for change evidence.
  • Update nonproduction Microsoft Entra app roles and application manifests settings through a scripted path, then compare the result with the approved production baseline.
  • Export command output as JSON so platform, security, and application teams can review the same facts during troubleshooting.

Before you run CLI

  • Confirm tenant, subscription, resource group, service name, and environment because similarly named resources often exist in several stages.
  • Use an identity with the least privileges required to read or change the resource, and record whether the command is read-only.
  • Check whether the operation affects production traffic, security boundaries, authentication, routing, throttling, or customer-visible behavior.
  • Choose JSON output for evidence, and save the previous configuration before running commands that create, update, or delete settings.

What output tells you

  • Resource IDs and names prove which Azure boundary was inspected, preventing mistakes caused by the wrong subscription or instance.
  • Status, version, route, identity, or policy fields show whether the live configuration matches the intended design or release record.
  • Missing values, empty arrays, or unexpected defaults often reveal incomplete deployment, portal-only drift, or permissions hiding part of the result.
  • Timestamps, provisioning states, and nested properties help separate a failed change from a working configuration that simply needs propagation time.

Mapped Azure CLI commands

Identity operations CLI commands

adjacent
az ad user list --output table
az ad userdiscoverIdentity
read-only Microsoft docs
az ad group list --output table
az ad groupdiscoverIdentity
read-only Microsoft docs
az ad app list --output table
az ad appdiscoverIdentity
read-only Microsoft docs
az role assignment list --assignee <principal-id> --all --output table
az role assignmentdiscoverIdentity
read-only Microsoft docs

Architecture context

Security: Security depends on designing app roles narrowly and assigning them carefully. Roles should represent meaningful application permissions, not vague administrator labels. Application-assignable roles can grant powerful app-only access, so they require consent and review. User-assignable roles should be limited to people or groups that genuinely need the function. Role claims must be validated by the application; defining a role is not enough. Operators should review disabled roles, stale assignments, overbroad groups, and whether token claims are logged safely without exposing sensitive user or tenant details. Security reviewers should confirm the approved scope, identity path, and logging behavior before production release. Reliability: Reliability improves when authorization decisions use stable app role values instead of changing display names or environment-specific groups. However, apps can fail if role values are renamed, disabled, removed, or assigned inconsistently across tenants. Token caching can also delay visible changes after role assignments. Teams should version role changes carefully, keep old values until clients are updated, and test tokens for expected role claims. Reliable app role design includes clear names, documented allowed member types, ownership, and a decommission plan for roles no longer used. Reliable teams test the setting in nonproduction, document rollback values, and monitor the first production signals after change. Operations: Operations teams manage app roles by reviewing the app registration manifest, checking assignments, validating token claims, and confirming how the application enforces each role. During incidents, they should distinguish between missing authentication, missing consent, missing role assignment, and application-side authorization logic. Change records should state why a role exists, who can assign it, whether it is user or application assignable, and which code path uses it. Periodic access reviews help ensure roles still match real responsibilities instead of accumulating permanent exceptions. Runbooks should include owners, commands, expected outputs, review cadence, and the first checks to perform during incidents. That makes support work repeatable instead of dependent on memory. Cost: App roles have no direct Azure meter, but poor role design creates operational and security cost. Overbroad roles increase review effort and incident blast radius. Too many tiny roles make administration confusing and slow onboarding. Group-based assignment can reduce repetitive work, but oversized groups may grant unintended access. Clear app roles reduce custom authorization code and support tickets because access decisions are visible in identity configuration and tokens. Cost-conscious teams balance granularity with manageability and retire roles that no production feature still uses. Cost owners should review usage, diagnostics, and duplicated environments whenever the setting changes or traffic grows. That prevents small configuration choices from becoming recurring spend nobody owns. Performance: App roles usually have minimal direct performance impact, but they affect token size, token acquisition, and authorization checks. Excessive roles or group overage scenarios can complicate tokens and application logic. Applications should check role claims efficiently and avoid extra directory lookups on every request when the token already contains the needed value. Role changes may not appear immediately because tokens are cached until renewal. Performance reviews should focus on authorization code paths and token handling, not the role definition alone. Performance reviews should compare before-and-after telemetry and separate gateway, identity, network, and backend effects. That prevents teams from blaming the wrong layer when latency changes.

Security

Security depends on designing app roles narrowly and assigning them carefully. Roles should represent meaningful application permissions, not vague administrator labels. Application-assignable roles can grant powerful app-only access, so they require consent and review. User-assignable roles should be limited to people or groups that genuinely need the function. Role claims must be validated by the application; defining a role is not enough. Operators should review disabled roles, stale assignments, overbroad groups, and whether token claims are logged safely without exposing sensitive user or tenant details. Security reviewers should confirm the approved scope, identity path, and logging behavior before production release.

Cost

App roles have no direct Azure meter, but poor role design creates operational and security cost. Overbroad roles increase review effort and incident blast radius. Too many tiny roles make administration confusing and slow onboarding. Group-based assignment can reduce repetitive work, but oversized groups may grant unintended access. Clear app roles reduce custom authorization code and support tickets because access decisions are visible in identity configuration and tokens. Cost-conscious teams balance granularity with manageability and retire roles that no production feature still uses. Cost owners should review usage, diagnostics, and duplicated environments whenever the setting changes or traffic grows. That prevents small configuration choices from becoming recurring spend nobody owns.

Reliability

Reliability improves when authorization decisions use stable app role values instead of changing display names or environment-specific groups. However, apps can fail if role values are renamed, disabled, removed, or assigned inconsistently across tenants. Token caching can also delay visible changes after role assignments. Teams should version role changes carefully, keep old values until clients are updated, and test tokens for expected role claims. Reliable app role design includes clear names, documented allowed member types, ownership, and a decommission plan for roles no longer used. Reliable teams test the setting in nonproduction, document rollback values, and monitor the first production signals after change.

Performance

App roles usually have minimal direct performance impact, but they affect token size, token acquisition, and authorization checks. Excessive roles or group overage scenarios can complicate tokens and application logic. Applications should check role claims efficiently and avoid extra directory lookups on every request when the token already contains the needed value. Role changes may not appear immediately because tokens are cached until renewal. Performance reviews should focus on authorization code paths and token handling, not the role definition alone. Performance reviews should compare before-and-after telemetry and separate gateway, identity, network, and backend effects. That prevents teams from blaming the wrong layer when latency changes.

Operations

Operations teams manage app roles by reviewing the app registration manifest, checking assignments, validating token claims, and confirming how the application enforces each role. During incidents, they should distinguish between missing authentication, missing consent, missing role assignment, and application-side authorization logic. Change records should state why a role exists, who can assign it, whether it is user or application assignable, and which code path uses it. Periodic access reviews help ensure roles still match real responsibilities instead of accumulating permanent exceptions. Runbooks should include owners, commands, expected outputs, review cadence, and the first checks to perform during incidents. That makes support work repeatable instead of dependent on memory.

Common mistakes

  • Changing App role in production before proving the exact scope, owner, and dependency chain that will be affected.
  • Trusting a portal label without exporting the underlying JSON, especially when workspaces, revisions, identities, or environments are involved.
  • Assuming a successful command means the application path works; many Azure settings still require client, network, or policy validation.
  • Ignoring rollback evidence, which turns a small configuration error into a long outage or audit dispute.