Scenario: Protected web API

In this scenario, you'll learn how to expose a web API and how to protect it so that only authenticated users can access it.

To use your web API, you enable either authenticated users with both work and school accounts, or Microsoft personal accounts.

Specifics

The specific information you need to know to protect web APIs is:

  • Your app registration must expose at least one scope or one application role.
    • Scopes are exposed by web APIs that are called on behalf of a user.
    • Application roles are exposed by web APIs called by daemon applications (apps that call your web API on their own behalf).
  • If you create a new web API app registration, set the access token version accepted by your web API to 2. For legacy web APIs, the accepted token version can be null, but that value restricts the sign-in audience to organizations only, and personal Microsoft accounts (MSA) won't be supported.
  • The code configuration for the web API must validate the token used when the web API is called.
  • The code in the controller actions must validate the roles or scopes in the token.
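As an added illustration (not the article's own code), here is how the last two points look in a single-file ASP.NET Core web API using Microsoft.Identity.Web: the framework validates the bearer token, and each controller action then checks the claim that matches its caller type. The scope name `access_as_user`, the app role `Todo.Read.All` and the `AzureAd` configuration section are assumed placeholders.

```csharp
// Program.cs (added illustration; scope/role names and config section are assumptions)
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

var builder = WebApplication.CreateBuilder(args);

// 1. Token validation: Microsoft.Identity.Web configures JWT bearer validation
//    (signature against the platform's signing keys, issuer, audience, expiry)
//    from the "AzureAd" section of appsettings.json, for example:
//    { "AzureAd": { "Instance": "https://login.microsoftonline.com/",
//                   "TenantId": "<your-tenant-id>", "ClientId": "<your-api-client-id>" } }
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();   // requests without a valid token get 401
app.UseAuthorization();    // the attributes below turn missing claims into 403
app.MapControllers();
app.Run();

// 2. Per-action checks on the claims carried by the validated token.
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class TodoListController : ControllerBase
{
    // Called on behalf of a signed-in user: the "scp" claim must contain the
    // scope exposed by the app registration. An app-only token has no "scp",
    // so a daemon calling this action is rejected.
    [HttpGet]
    [RequiredScope("access_as_user")]
    public IActionResult GetMine() => Ok(new[] { "item for the signed-in user" });

    // Called by a daemon on its own behalf: the "roles" claim must contain the
    // app role exposed by the app registration. Microsoft.Identity.Web reads
    // app roles from the "roles" claim, so [Authorize(Roles = ...)] applies.
    [HttpGet("all")]
    [Authorize(Roles = "Todo.Read.All")]
    public IActionResult GetAll() => Ok(new[] { "all items" });
}
```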

If you're new to identity and access management (IAM) with OAuth 2.0 and OpenID Connect, or even just new to IAM on the Microsoft identity platform, the following set of articles should be high on your reading list.

Although not required reading before completing your first quickstart or tutorial, they cover topics integral to the platform, and familiarity with them will help you on your path as you build more complex scenarios.

  • Authentication and authorization

Next steps

Move on to the next article in this scenario, App registration.