What are the steps that will happen in the background while validating an Azure AD issued Bearer Token - Microsoft Identity Platform?

tekbyts 1 Reputation point

The examples I find online on this topic only instructs the configuration code used in the Startup.cs class. I could not find details as to how this configuration helps to validate the bearer token received by the API. Does the API contact Azure AD in order to validate the token?

I am curious to understand what happens behind the scenes when token validation happens at the web api. What does this one line code do services.AddMicrosoftIdentityWebApiAuthentication(Configuration); to validate the token? does it make contact to Azure AD to validate the token ? what are the steps that will take place in while the api validate the bearer token?

I have no issues with running the code. it perfectly works fine for me but I could not find the underlying mechanism / steps of token validation. Any help will be highly appreciated.

public void ConfigureServices(IServiceCollection services)

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

    app.UseEndpoints(endpoints =>
Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,710 questions
A set of technologies in the .NET Framework for building web applications and XML web services.
3,140 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Michael Wang-MSFT 1,046 Reputation points

    Hi, @tekbyts

    Here is an article of How to secure a Web API built with ASP.NET Core using the Azure AD B2C.

    It demonstrates an ASP.NET Core Web App application calling an ASP.NET Core Web API that is secured using Azure AD B2C.

    1. The client ASP.NET Core Web App application uses the Microsoft Authentication Library Microsoft Authentication Library (MSAL) for .NET to sign-in a user and obtain a JWT access token from Azure AD B2C:
    2. The Access Token is used as a bearer token to authenticate the user when calling the ASP.NET Core Web API.

    The client web application essentially takes the following steps to sign-in the user and obtain a bearer token for the Web API:

    1. Signs-in the user with local or social identities.
    2. Acquires an access token for the Web API.
    3. Calls the Web API using the access token as a bearer token in the authentication header of the Http request. The Web API authorizes the caller (user) using the ASP.NET JWT Bearer Authorization middleware.


    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best Regards,
    Michael Wang

    0 comments No comments