diff --git a/modules/azure/api_management_api/main.tf b/modules/azure/api_management_api/main.tf
index ab88f365..79ae21c6 100644
--- a/modules/azure/api_management_api/main.tf
+++ b/modules/azure/api_management_api/main.tf
@@ -130,9 +130,15 @@ resource "azurerm_api_management_api_policy" "api_policy" {
 ${var.aad_settings.issuer}
- %{if var.role_assignment != null}
+ %{if length(var.role_assignments) > 0}
- ${var.role_assignment}
+ %{
+ for role in var.role_assignments
+ }
+ ${role}
+ %{
+ endfor
+}
 %{endif}
diff --git a/modules/azure/api_management_api/variables.tf b/modules/azure/api_management_api/variables.tf
index 3db56c5c..f8aaa5bc 100644
--- a/modules/azure/api_management_api/variables.tf
+++ b/modules/azure/api_management_api/variables.tf
@@ -223,8 +223,8 @@ variable "custom_backend_policy" {
 default = null
 }
 
-variable "role_assignment" {
- type = string
- description = "Role to validate in the JWT token's 'roles' claim for access control."
- default = null
+variable "role_assignments" {
+ type = list(string)
+ description = "Roles to validate in the JWT token's 'roles' claim for access control."
+ default = []
 }
\ No newline at end of file
diff --git a/modules/azure/application_service_principal_role_assignment/main.tf b/modules/azure/application_service_principal_role_assignment/main.tf
new file mode 100644
index 00000000..47bbd5a0
--- /dev/null
+++ b/modules/azure/application_service_principal_role_assignment/main.tf
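Review bot: The new `%{ for … }` and `%{ endfor }` directives are split over their own lines, so every line break around `${role}` is emitted into the rendered policy; if each role sits inside a `<value>` element (the surrounding XML is not visible in this hunk), that whitespace becomes part of the claim value APIM compares against the token. Use strip markers so only the role text is emitted: `%{~ for role in var.role_assignments ~}`, `${role}`, `%{~ endfor ~}`. Whether a caller must present every listed role or any one of them is decided by the enclosing `<claim>` element's `match` attribute, which lies outside the hunk; now that several roles can be listed, confirm it is set deliberately, since the provider's default as I recall it (`all`) would require a token to carry every role, which is probably not the intent of a list. The `azurerm_api_management_api_policy` resource starts and ends outside the hunk.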
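Review bot: With `default = []` the roles-claim check is silently skipped for any caller that does not set `role_assignments`, because the policy template in main.tf only emits the claim block when the list is non-empty; the variable description should say so, e.g. `description = "Roles to validate in the JWT token's 'roles' claim for access control. An empty list disables the roles check and any token from the configured issuer is accepted."`. The rename from `role_assignment` fails loudly for callers still passing the old name, which is the right outcome for an access-control input, but it deserves a line in the module's documentation so the failure is understood as a migration step rather than a bug.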
@@ -0,0 +1,30 @@
+terraform {
+ required_version = "~> 1.3"
+
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "~> 2.36"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azuread" {}
+
+resource "azuread_service_principal" "internal" {
+ for_each = toset([for assignment in var.assignments : assignment.client_id])
+ client_id = each.key
+ use_existing = var.use_existing_service_principal
+}
+
+resource "azuread_app_role_assignment" "role_assignment" {
+ for_each = {
+ for assignment in var.assignments :
+ "${assignment.role_id}_${assignment.object_id}_${assignment.client_id}" => assignment
+ }
+ app_role_id = each.value.role_id
+ principal_object_id = each.value.object_id
+ resource_object_id = azuread_service_principal.internal[each.value.client_id].object_id
+}
\ No newline at end of file
diff --git a/modules/azure/application_service_principal_role_assignment/outputs.tf b/modules/azure/application_service_principal_role_assignment/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/azure/application_service_principal_role_assignment/variables.tf b/modules/azure/application_service_principal_role_assignment/variables.tf
new file mode 100644
index 00000000..88a4f777
--- /dev/null
+++ b/modules/azure/application_service_principal_role_assignment/variables.tf
@@ -0,0 +1,13 @@
+variable "assignments" {
+ type = list(object({
+ object_id = string,
+ role_id = string,
+ client_id = string
+ }))
+ description = "The assignments you want to add to an application."
+}
+variable "use_existing_service_principal" {
+ type = bool
+ default = false
+ description = "When true, any existing service principal linked to the same application will be automatically imported. When false, an import error will be raised for any pre-existing service principal."
+}
\ No newline at end of file
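Review bot: `azuread_service_principal.internal` makes this module the owner of the application's service principal, so dropping the last assignment for a `client_id` from `var.assignments` (or destroying the module) deletes the enterprise application's principal, not just the role assignment, and as I read the provider an existing principal adopted through `use_existing_service_principal = true` is deleted the same way. For a module whose purpose is only to grant roles, resolving the principal through the `azuread_service_principal` data source keeps ownership with whoever created it and makes `use_existing_service_principal` unnecessary; if the module must be able to create principals, `lifecycle { prevent_destroy = true }` on the resource at least blocks the accidental deletion. The `backend "azurerm" {}` and `provider "azuread" {}` blocks mark this directory as a root configuration; should it ever be consumed from a `module` block, Terraform rejects the backend block outright and the embedded provider block prevents the module from being removed cleanly. Also worth confirming that the `client_id` argument of `azuread_service_principal` exists at the floor of the `~> 2.36` constraint; if it arrived in a later 2.x release, the constraint should be raised to match.
```hcl
data "azuread_service_principal" "internal" {
  for_each  = toset([for assignment in var.assignments : assignment.client_id])
  client_id = each.key
}

resource "azuread_app_role_assignment" "role_assignment" {
  # … unchanged: for_each map, app_role_id, principal_object_id …
  resource_object_id  = data.azuread_service_principal.internal[each.value.client_id].object_id
}
```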
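Review bot: The `assignments` description does not say what the three ids are, although main.tf fixes their meaning: `object_id` is the principal that receives the role (`principal_object_id`), `role_id` is the app role's id (`app_role_id`), and `client_id` identifies the application whose service principal exposes that role; the description should spell that out, since a swapped `object_id`/`client_id` grants the role to the wrong identity. A `validation` block that rejects non-GUID values fails at plan time with a clear message instead of surfacing as a Graph API error mid-apply, which matters for a change that hands out permissions. The `use_existing_service_principal` description is fine as it stands.
```hcl
variable "assignments" {
  # … unchanged: type, description …
  validation {
    condition = alltrue([
      for a in var.assignments :
      alltrue([for id in [a.object_id, a.role_id, a.client_id] :
        can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", id))])
    ])
    error_message = "Every object_id, role_id and client_id in assignments must be a GUID."
  }
}
```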