Azure AD: How-to

Create a custom scope

Normally, access tokens issued by Azure AD are issued for Microsoft Graph. However, ModelOp Center requires that the access tokens requested with the following apps be issued for the apps themselves and not Microsoft Graph: gateway-service, internal-client, external-integration-client, and go-cli.

To have Azure AD issue tokens for the aforementioned apps, each app needs a custom scope. For example, custom_scope as the name of the scope.

To create the custom scope, follow these steps for each app:

1. Open the app registration

2. Open “Expose an API” tab

3. Click “Add a scope”

   1. Scope name: custom_scope

   2. Who can consent? Admins and users

   3. Admin consent display name: custom_scope

   4. Admin consent description: A custom ModelOp Center scope

   5. User consent display name:

   6. User consent description:

   7. State: Enabled

Once the custom scope is created, it has to be added as a permission on each ModelOp Center app, except for internal-client, and admin consent must be granted for the app to be able to use it:

1. Open the app registration

2. Open “API permissions” tab

3. Click “Add a permission”

   1. Click “APIs my organization uses”

   2. Search for the app by name. For example, “gateway-service”. Select the app

   3. Click “Delegated permissions”

   4. Select custom_scope

4. Click “Grant admin consent for _”

Create an app role

To create an app role for a given app, follow these steps:

1. Open the app registration

2. Click “Create app role”

   1. Display name: modelop_client

   2. Allowed member types: Applications

   3. Value: modelop_client

   4. Description: This role is used to distinguish between OAuth2 clients and end users in ModelOpCenter