I've been reading about the features related to Role-based Access Control using Windows Azure AD. This is functionality that will be really helpful to my organization. What I'm wondering is if there is a way to get that level of control with the service management API. For example, I'd like to have one of my applications be able to create and manage jobs in the Azure Scheduler, but I don't want it to be able modify deployments or do basically any other Azure service management.
It seems clear that if I authenticate with a management certificate there is no possibility of doing RBAC. However, I keep reading about authenticating an external application using Azure AD, and it's not clear whether I can treat those applications as users that can be assigned roles for this purpose.
Is it possible to do RBAC with an application in the Service Management API as well as through the portal?