Hi anonymous user • Thank you for reaching out.
Unfortunately, Azure AD doesn't support a multiple-audience claim as of now, which means you can specify either Graph API scopes or your custom API scopes in a given authentication request.
At this time, we view unbound multi-audience tokens as a security threat that we do not support. Multi-audience bearer tokens can be replayed from one audience to the other insecurely, allowing an attacker who compromises one service to expand their footprint unnecessarily.
Our product team is investigating a proof-of-possession scheme to securely support multi-audience tokens that are sender-constrained. Hopefully, this will be supported in the near future.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
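The audience check behind the answer above, as an added example that is not part of the original answer and is not Microsoft's code: each API accepts a bearer token only if its own identifier appears in `aud`, so a single-audience token is confined to one API while a multi-audience token is honoured by every API it names. Assumptions: a toy HS256 issuer with a constructed key stands in for Azure AD's RS256 signing, and `api://constructed-custom-api` is a hypothetical custom API identifier.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict) -> str:
    """Toy issuer: HS256-signed JWT (an assumption; real Azure AD tokens are RS256)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def accepts(token: str, my_audience: str) -> bool:
    """Resource-server check: valid signature AND this API is named in aud."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False
        aud = json.loads(_unb64(body)).get("aud")
    except (ValueError, TypeError, AttributeError):
        return False  # malformed token: reject rather than guess
    audiences = [aud] if isinstance(aud, str) else aud  # RFC 7519: string or array
    return isinstance(audiences, list) and my_audience in audiences

GRAPH = "https://graph.microsoft.com"
CUSTOM = "api://constructed-custom-api"  # hypothetical custom API identifier

single = issue({"sub": "user1", "aud": CUSTOM})          # constructed sample token
multi = issue({"sub": "user1", "aud": [CUSTOM, GRAPH]})  # constructed sample token

def replay_surface(token: str) -> list:
    """APIs that would honour this bearer token, whoever presents it."""
    return [api for api in (CUSTOM, GRAPH) if accepts(token, api)]

if __name__ == "__main__":
    print("single-audience token accepted by:", replay_surface(single))
    print("multi-audience token accepted by: ", replay_surface(multi))
```

Because a bearer token carries no binding to its sender, any service that receives the multi-audience token holds something the other named API will also accept; the sender-constrained scheme mentioned in the answer is what would close that gap.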