rbac – How do you implement roles on your APIs using Azure AD security groups?

I’m trying to figure out the best way to use Azure Active Directory security groups to manage role assignments for an API. I’m trying to evaluate a few different options, as well as poll to see what others are doing as solutions.

Option 1 – Include roles in the token claims

  • As far as I can see this would be best performance.
  • Azure App registrations can accomplish this, but it doesn’t apply to nested groups, so you’d have to flatten groups or assign all nested groups (running jobs to keep it up to date).
  • Access expires when the token expires. (unless you blacklist, but that would cost performance)

Option 2 – Call Microsoft Graph API with getMemberGroups

  • Returns transitive groups, so you’d only need to look for the parent groups.
  • You’d need to store a list of all the parent groups and the roles they map to.
  • Returns up to 2046 groups.
  • Would probably require caching the groups for performance.
  • Access expires when the cache expires.

Option 3 – Call Microsoft Graph API with checkMemberGroups

  • Checks transitive groups, so you’d only have to search for parent groups.
  • You’d need to store a list of all the parent groups and the roles they map to.
  • Checks a max of 20 groups at a time.
  • Would probably require caching the checked groups for performance.
  • Access expires when the cache expires.

These are some of the options I found; I’m wondering how some of you are doing this. I also noticed that many of the Microsoft apps, such as Azure Portal or Teams, do not have role claims on the token. Is there a best practice / industry standard around this?
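The three options above share the same core: a fixed map from a handful of parent security groups to API roles, a source of the caller's transitive group IDs (the token's `groups` claim, or Graph's `getMemberGroups` / `checkMemberGroups`), and a cache whose TTL bounds how long revoked access lingers. The following is an added example (not code from the question or from Microsoft) that wires those pieces together in Python. The GUIDs and the in-memory directory are constructed placeholders; `fetch_member_groups` is an assumed caller-supplied callable standing in for the Graph `getMemberGroups` call, which returns `{"value": [group-id, ...]}`; the `_claim_names` check covers the case where Azure AD omits the `groups` claim because the user is in too many groups (the groups overage case) and the API must fall back to Graph.

```python
"""Group-to-role resolution for an Azure AD protected API, with a TTL cache.

Added example, not from the original question. GUIDs are constructed
placeholders; `fetch_member_groups` is an assumed caller-supplied callable
wrapping Microsoft Graph getMemberGroups (POST /users/{id}/getMemberGroups,
which returns {"value": [group-id, ...]}).
"""
import time
from typing import Callable, Dict, Iterable, List, Optional

# Constructed mapping of *parent* security groups to API roles. getMemberGroups
# and checkMemberGroups are transitive, so nested groups need not be listed.
GROUP_ROLE_MAP: Dict[str, str] = {
    "00000000-0000-0000-0000-000000000001": "Reader",
    "00000000-0000-0000-0000-000000000002": "Writer",
    "00000000-0000-0000-0000-000000000003": "Admin",
}

# Graph checkMemberGroups accepts at most 20 group IDs per call (Option 3).
CHECK_MEMBER_GROUPS_LIMIT = 20


def roles_from_groups(group_ids: Iterable[str]) -> List[str]:
    """Map group object IDs to the API roles they grant (sorted, deduplicated)."""
    return sorted({GROUP_ROLE_MAP[g] for g in group_ids if g in GROUP_ROLE_MAP})


def roles_from_token_claims(claims: dict) -> Optional[List[str]]:
    """Option 1: read the groups claim emitted in the token itself.

    Returns None when the token carries a groups-overage marker (_claim_names)
    instead of the group list; the caller must then fall back to Graph.
    """
    if "groups" in claims.get("_claim_names", {}):
        return None  # overage: Azure AD did not emit the group list in the token
    return roles_from_groups(claims.get("groups", []))


def chunk_group_ids(group_ids: Iterable[str],
                    size: int = CHECK_MEMBER_GROUPS_LIMIT) -> List[List[str]]:
    """Split parent group IDs into batches small enough for checkMemberGroups."""
    ids = list(group_ids)
    return [ids[i:i + size] for i in range(0, len(ids), size)]


class CachedGroupRoleResolver:
    """Option 2: resolve transitive groups via Graph and cache the resulting roles.

    `fetch_member_groups(user_object_id) -> list[str]` is assumed, not a library
    API. Entries expire after `ttl_seconds`, so revoked access lingers at most
    that long; `invalidate` forces an earlier refresh for one user.
    """

    def __init__(self, fetch_member_groups: Callable[[str], List[str]],
                 ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch_member_groups
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, tuple] = {}  # user_object_id -> (expires_at, roles)
        self.graph_calls = 0  # counts backend calls so the cache effect is visible

    def roles_for(self, user_object_id: str) -> List[str]:
        now = self._clock()
        entry = self._cache.get(user_object_id)
        if entry is not None and entry[0] > now:
            return entry[1]  # cache hit, no Graph round trip
        self.graph_calls += 1
        roles = roles_from_groups(self._fetch(user_object_id))
        self._cache[user_object_id] = (now + self._ttl, roles)
        return roles

    def invalidate(self, user_object_id: str) -> None:
        """Drop one user's entry so the next request re-queries Graph."""
        self._cache.pop(user_object_id, None)


# Constructed stand-in for the directory: user -> transitive group IDs.
FAKE_DIRECTORY: Dict[str, List[str]] = {
    "user-a": ["00000000-0000-0000-0000-000000000001", "nested-group-not-in-map"],
    "user-b": ["00000000-0000-0000-0000-000000000002",
               "00000000-0000-0000-0000-000000000003"],
    "user-c": [],
}


def fake_fetch_member_groups(user_object_id: str) -> List[str]:
    """Constructed replacement for the Graph getMemberGroups call."""
    return list(FAKE_DIRECTORY.get(user_object_id, []))


def demo():
    """Two lookups for the same user should cost a single Graph call."""
    resolver = CachedGroupRoleResolver(fake_fetch_member_groups, ttl_seconds=60)
    first = resolver.roles_for("user-b")
    second = resolver.roles_for("user-b")  # served from cache
    return first, second, resolver.graph_calls


if __name__ == "__main__":
    print(demo())
```

The `clock` parameter exists so the TTL can be exercised deterministically; in production leave it at `time.monotonic`. Whichever option is chosen, keep `GROUP_ROLE_MAP` to parent groups only and treat the TTL as the upper bound on how long a removed user keeps a role.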