AzureAD Token Authentication not checking Allowed Audiences

Stephen Mallin 26 Reputation points
2023-02-07T15:33:13.76+00:00

I have an App Service deployed in Azure which is an API using AzureAD as the authentication source. When I request an access token, I get the aud claim as the client ID of the app registration of the API. When I attach the token as bearer to an authorization header, I get the message:

IDX10214: Audience validation failed. Audiences: 'a9cxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. Did not match: validationParameters.ValidAudience: 'api://a9cxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' or validationParameters.ValidAudiences: 'null'.

I saw this and thought if I just populate the allowed token audiences field in the portal with just the guid, it would pass audience validation, but I've done that and validationParameters.ValidAudiences is still showing 'null' in this error message:


How can I get this authentication to pass the audience check? Thanks.

Tags: Azure App Service, Microsoft Entra ID

2 answers

  1. Shweta Mathur 30,301 Reputation points Microsoft Employee
    2023-02-09T09:47:33.6466667+00:00

    Hi @Stephen Mallin ,

    Thanks for reaching out.

    This error message is indicating that the audience claim in the token you are providing is not matching the expected audience. The audience claim in the token should match the client ID of the app registration of the API.

    You can refer https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#identifieruris-attribute to check supported application ID URI formats.

    If your Application ID URI does not start with api:// you'll have to make a manual change to the manifest of your application and switch to access tokens version 2.

    Go into the manifest of your registered application and change the value of accessTokenAcceptedVersion from null to 2.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

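The IDX10214 message in the question is the output of a plain set-membership check: the token's `aud` claim (one string or a list) must contain at least one value from the validator's `ValidAudience`/`ValidAudiences`. The block below is an added example, not code from the page, from Microsoft, or from the App Service authentication middleware; it reproduces that check on two constructed tokens (one with the GUID as `aud`, one with the `api://` URI) so you can see why the GUID-only token fails against the default `api://<client-id>` audience and passes once both forms are allowed. The GUID, tenant ID, token claims and the helper names are hypothetical, the signatures are placeholders, and the code deliberately does not verify signatures: in production, audience validation is only meaningful after the signature and issuer have been verified.

```python
import base64
import json
from typing import Iterable, Tuple

# Placeholder identifiers (assumptions for this example, not values from the page).
CLIENT_ID = "a9c00000-0000-0000-0000-000000000000"
TENANT_ID = "11111111-2222-3333-4444-555555555555"


def _b64url(data: dict) -> str:
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with a dummy signature. Constructed test data only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url(header)}.{_b64url(claims)}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload segment. Does NOT verify the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_audiences(client_id: str, identifier_uris: Iterable[str] = ()) -> set:
    """Audience values an API registered with client_id can legitimately see.

    v2.0 access tokens carry the bare client ID as aud; v1.0 tokens carry the
    Application ID URI that was requested (api://<client-id> by default, or a
    custom identifier URI). Accepting all of them avoids the mismatch in the question.
    """
    auds = {client_id, f"api://{client_id}"}
    auds.update(identifier_uris)
    return auds


def validate_audience(token: str, valid_audiences: Iterable[str]) -> Tuple[bool, str]:
    """Mirror the IDX10214 check: at least one aud value must be in valid_audiences."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    if aud is None:
        return False, "token has no aud claim"
    auds = aud if isinstance(aud, list) else [aud]
    valid = set(valid_audiences)
    for candidate in auds:
        if candidate in valid:
            return True, f"aud {candidate!r} matched"
    return False, (f"IDX10214-style failure: audiences {auds!r} did not match "
                   f"valid audiences {sorted(valid)!r}")


# Constructed tokens modelled on the two shapes discussed on the page.
# v2.0-style token: aud is the bare client ID GUID (what the question observed).
TOKEN_GUID_AUD = make_unsigned_jwt({
    "aud": CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "ver": "2.0",
    "scp": "access_as_user",
})
# v1.0-style token: aud is the api:// Application ID URI (what the validator expected).
TOKEN_URI_AUD = make_unsigned_jwt({
    "aud": f"api://{CLIENT_ID}",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "ver": "1.0",
    "scp": "access_as_user",
})


if __name__ == "__main__":
    default_only = [f"api://{CLIENT_ID}"]          # the default ValidAudience
    print(validate_audience(TOKEN_GUID_AUD, default_only))          # fails, as in the question
    print(validate_audience(TOKEN_URI_AUD, default_only))           # passes
    print(validate_audience(TOKEN_GUID_AUD, expected_audiences(CLIENT_ID)))  # passes
```

Run it and the first line reproduces the question's failure (GUID `aud` against an `api://` audience), the second shows the v1.0-style URI token passing unchanged, and the third shows the GUID token passing once the allowed audiences include the bare client ID. Whatever you configure in the Allowed token audiences field, confirm it by decoding a real token's `aud` and `ver` claims rather than guessing from the registration's Application ID URI, and keep the audience set as small as the clients you actually serve.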

  2. risolis 8,741 Reputation points
    2023-02-08T02:24:28.07+00:00

    Hello @Stephen Mallin

    Thank you for posting this concern on this community space.

    I was reading your case scenario issue and I was wondering if you have tried to use the following feature as it is described on the next document below:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest


    Let me know if that was useful but if not, I can keep assisting you further.

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

