Web Api - Permission Check instead of checking for role

[kamalsivalingam]

Hello All,
We have been using Azure AD for authentication so far for a new project. We are at a point to add authorization for individual endpoints for example Account GET ALL to check if the USER has this permission. I have gone through the documentation and there are examples of checking for the user role and also scopes.
Below are my questions:

1. Isn't Scope a validation for the client app that calls the API?
2. How do we create user permission and tie it with the role through Azure Portal

Checking on granular permission for each endpoint helps in our use case, so that when we add a new role later, we dont have to go back and add the new role on all the related endpoints

Thanks for your help!

[jmprieur]

@kamalsivalingam
The scope needs to be requested by the client, but validated by the Web API. See https://docs.microsoft.com/azure/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles