Azure AD: How-to
Create a custom scope
Normally, access tokens issued by Azure AD are issued for Microsoft Graph. However, ModelOp Center requires that the access tokens requested with the following apps be issued for the apps themselves and not Microsoft Graph: gateway-service
, internal-client
, external-integration-client
, and go-cli
.
To have Azure AD issue tokens for the aforementioned apps, each app needs a custom scope. For example, custom_scope
as the name of the scope.
To create the custom scope, follow these steps for each app:
Open the app registration
Open “Expose an API” tab
Click “Add a scope”
Scope name:
custom_scope
Who can consent? Admins and users
Admin consent display name:
custom_scope
Admin consent description: A custom ModelOp Center scope
User consent display name:
User consent description:
State: Enabled
Once the custom scope is created, it has to be added as a permission on each ModelOp Center app, except for internal-client
, and admin consent must be granted for the app to be able to use it:
Open the app registration
Open “API permissions” tab
Click “Add a permission”
Click “APIs my organization uses”
Search for the app by name. For example, “gateway-service”. Select the app
Click “Delegated permissions”
Select
custom_scope
Click “Grant admin consent for _”
Create an app role
To create an app role for a given app, follow these steps:
Open the app registration
Click “Create app role”
Display name:
modelop_client
Allowed member types: Applications
Value:
modelop_client
Description:
This role is used to distinguish between OAuth2 clients and end users in ModelOpCenter