To solve this, you must configure both the resource application (App1) and the client application (App2).

App1, the resource API, must first define the permissions it exposes to other applications. This is accomplished by creating an "App role" (like the 'Writer' role). Therefore, the App roles blade is used to configure App1.

App2, the client application, must then request one of the permissions exposed by App1. This is done on the API permissions blade of App2, where you add a permission and grant it consent. Once granted, Azure AD will include the corresponding 'Writer' role claim in the access token it issues for App2 to call App1.

Microsoft Learn | Microsoft Entra ID Documentation: In the article "Add app roles to your application and receive them in the token," the procedure for a resource API to define its roles is detailed.

Section: "Create app roles by using the Azure portal"

Content: This section explicitly states, "To create an app role by using the Azure portal's user interface: 1. Sign in to the Microsoft Entra admin center... 3. Browse to Identity > Applications > App registrations and then select the app you want to define app roles in... 4. Under Manage, select App roles, and then select Create app role." This confirms that App roles is the correct blade for App1.

Microsoft Learn | Microsoft Entra ID Documentation: The guide "Quickstart: Configure a client application to access a web API" explains how a client app requests permissions.

Section: "Add permissions to access the web API"

Content: This section provides the steps for the client application (App2 in this scenario): "1. Under Manage, select API permissions > Add a permission. 2. Select the My APIs tab. 3. In the list of APIs, select your web API registration... 4. Select Application permissions... 5. In the list of permissions, select the check box next to [the role you defined]... 7. Select Grant admin consent..." This confirms that API permissions is the correct blade for App2.