AzureAD Authentication: Audience validation failed[Audiences Did not match]

Mansi Vaishnav 40 Reputation points Microsoft Employee
Apr 2, 2024, 9:27 PM

I have App Services deployed in Azure: a React application that uses an API. Both apps have AzureAD as the authentication source. The scope I am using while requesting the token from the React app is

"api://bxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/.default"

When I attach the token as a bearer token in the Authorization header to call the APIs, I get the message:

IDX10214: Audience validation failed. Audiences: 'api://bxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. Did not match: validationParameters.ValidAudience: 'bxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' or validationParameters.ValidAudiences: 'null'.

For the backend, the code configuration under services.AddAuthentication is

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            // Single expected audience; authority is the Entra ID tenant endpoint
            options.Audience = clientId;
            options.Authority = authority;
        });

For clientId I have used both

"bxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

"api://bxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

I tried following other question threads like https://learn.microsoft.com/en-us/answers/questions/1168505/azuread-token-authentication-not-checking-allowed, but it didn't work for my case.
But neither worked. What can I do to resolve this error?


1 answer

  1. Babafemi Bulugbe 4,025 Reputation points MVP
    Apr 3, 2024, 8:16 AM

    Hello Mansi Vaishnav,

    Thank you for posting this on the Microsoft Q&A Community.

    From my understanding, you are experiencing an authentication issue due to audiences not matching.

    The focus should be on the SigninAudience. The endpoint used, v1.0 or v2.0, is chosen by the client and only impacts the version of id_tokens.

    You need to update your Application Manifest to effect this.

    Follow this link https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest to get more information about the accessTokenAcceptedVersion attribute.

    Let me know if further assistance is needed.

    Babafemi
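An added example, not code from either post above, showing how the backend from the question can be configured so that audience validation accepts both forms of the audience claim. The point it illustrates: `options.Audience` sets a single `ValidAudience`, so a v1.0 access token (whose `aud` is the App ID URI `api://<client-id>`) and a v2.0 access token (whose `aud` is the bare client ID GUID, which is what you get after setting `accessTokenAcceptedVersion` to 2 in the manifest as the answer suggests) cannot both validate against one value. Listing both in `TokenValidationParameters.ValidAudiences` keeps validation on (never disable it) while tolerating either token version. The configuration keys `AzureAd:TenantId` and `AzureAd:ClientId` and the minimal-hosting layout are assumptions for this example.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys (placeholders, not real identifiers):
//   AzureAd:TenantId = "<tenant-guid>"
//   AzureAd:ClientId = "<api-app-registration-client-id>"
string tenantId = builder.Configuration["AzureAd:TenantId"]!;
string clientId = builder.Configuration["AzureAd:ClientId"]!;

// Authority is the tenant's v2.0 endpoint; the handler downloads the OpenID
// discovery document from here to obtain signing keys and the expected issuer.
string authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = authority;

        // Do NOT set options.Audience here: it would populate a single
        // ValidAudience and leave ValidAudiences null, which is exactly the
        // IDX10214 failure from the question. Instead, accept both the v1.0
        // (App ID URI) and v2.0 (client ID GUID) audience forms explicitly.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            ValidAudiences = new[]
            {
                clientId,              // aud in v2.0 access tokens
                $"api://{clientId}",   // aud in v1.0 access tokens
            },

            // Keep issuer validation on. The handler appends the issuer from
            // the discovery document, so listing both known tenant issuers
            // here only widens it to the two versions of the same tenant.
            ValidateIssuer = true,
            ValidIssuers = new[]
            {
                $"https://login.microsoftonline.com/{tenantId}/v2.0",  // v2.0 tokens
                $"https://sts.windows.net/{tenantId}/",               // v1.0 tokens
            },

            // Reject expired or not-yet-valid tokens and require a signature.
            ValidateLifetime = true,
            RequireSignedTokens = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// A protected endpoint: returns the audience claim the token actually carried,
// which is a quick way to confirm which token version the client is sending.
app.MapGet("/whoami", (System.Security.Claims.ClaimsPrincipal user) =>
        new { audience = user.FindFirst("aud")?.Value, name = user.Identity?.Name })
   .RequireAuthorization();

app.Run();
```

To find out which form a failing token carries before changing anything, decode its payload (the middle base64url segment) and read the `aud` claim; if it starts with `api://` the client received a v1.0 access token, and the manifest change in the answer (`accessTokenAcceptedVersion` = 2) will switch it to the bare client ID on the next token request. Either way, the validation above keeps a single, explicit allow-list of audiences rather than turning `ValidateAudience` off.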
