Unable to get UI to call API when using separate registered apps

Lange Gregory 20 Reputation points

I have been trying for weeks to get my UI to be able to call my API. I have followed the standard of one app registration per application and exposed a scope on my API registration. When using the IDownstreamAPI helper to call the API I only ever get Unauthorized. If I try to not use the helper class and build it myself per the examples, then it says it cannot pull back my token. My UI app has been given admin consent for the tenant I need it on, and the API app doesn't have any API permissions needed, so I wouldn't think it would need consent also. As a point of reference, I have been following https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis to try and get my solution working, with no success.


Accepted answer
  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee

    @Lange Gregory

    Kindly share the screenshot or full error message (after removing PII) you are getting while trying to call the API from the UI app.

    Looks to be a scope-related issue while calling the API. Kindly ensure your app has the appropriate scope to get an access token. For reference, you may follow: Angular single-page application using MSAL Angular to authenticate users with Azure AD for Customers and call a protected ASP.NET Core web API

    Update 2:

    Below are the things OP changed based off looking at the sample project.

    Program.cs (API)

        // Map attribute-routed controllers so requests reach the API's controller actions.
        app.UseEndpoints(endpoints => {
            _ = endpoints.MapControllers();
        });

    On the controller in question that is calling the IDownstream helper I had to add: [AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]


    Akshay Kaushik
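
How the attribute from the accepted answer fits into the calling (UI) app, as an added sketch using Microsoft.Identity.Web; it is not the poster's code. The controller name, route, relative path and the "AzureAd" section name are hypothetical, and the "DownstreamApi" section is assumed to hold the API's base URL and the scope exposed on the API registration.

```csharp
// Added example for the UI (client) web app. Assumes the Web SDK's implicit usings and
// two configuration sections: "AzureAd" (the UI app registration) and "DownstreamApi"
// (the API's BaseUrl plus Scopes naming the scope exposed on the API registration).
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    // Lets the app acquire access tokens for the signed-in user.
    .EnableTokenAcquisitionToCallDownstreamApi()
    // Registers IDownstreamApi under the name used in GetForUserAsync below.
    .AddDownstreamApi("DownstreamApi", builder.Configuration.GetSection("DownstreamApi"))
    .AddInMemoryTokenCaches();
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[Authorize]
// Reads the scope list from configuration. When no cached token covers it, the
// MicrosoftIdentityWebChallengeUserException thrown during token acquisition is
// turned into a sign-in/consent challenge instead of surfacing as a failed call.
[AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]
[Route("reports")]                              // hypothetical route
public class ReportsController : Controller     // hypothetical controller
{
    private readonly IDownstreamApi _api;
    public ReportsController(IDownstreamApi api) => _api = api;

    [HttpGet]
    public async Task<IActionResult> Index()
    {
        // Sends GET {BaseUrl}/api/reports with a bearer token for the configured scope.
        var items = await _api.GetForUserAsync<List<string>>(
            "DownstreamApi", o => o.RelativePath = "api/reports");  // hypothetical path
        return Json(items);
    }
}
```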
