Scenario: Protected web API
In this scenario, we'll show you how to expose a web API and how to protect it so that only authenticated users can access it. You'll want to let authenticated users with either work and school accounts or personal Microsoft accounts use your web API.
Before reading this article, you should be familiar with the following concepts or read the following articles:
- Microsoft identity platform overview
- Authentication basics
- Application and service principals
- Permissions and consent
- ID tokens and access tokens
Here are some specifics you need to know to protect web APIs:
- Your app registration must expose at least one scope. The token version accepted by your web API depends on the sign-in audience.
- The web API's code must be configured to validate the token that's presented on every call to the web API.
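As an added example, not code from this article or from the Microsoft identity platform libraries, here are the claim checks the second point calls for, written in Python. It assumes a JWT library has already verified the token signature against the tenant's published signing keys, and the tenant ID, client ID and scope name are placeholders; a single-tenant API is assumed.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed placeholder identifiers; replace with your own registration's values.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REQUIRED_SCOPE = "access_as_user"  # the scope the API's app registration exposes

# Issuer and audience differ by token version; the sign-in audience decides which one the API sees.
ACCEPTED = {
    "1.0": {"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": f"api://{API_CLIENT_ID}"},
    "2.0": {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "aud": API_CLIENT_ID},
}

def decode_payload(token: str) -> dict:
    """Return the JWT payload. The signature is NOT checked here: call this only after
    a JWT library has verified it against the tenant's published signing keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def validate_claims(payload: dict, now: Optional[float] = None) -> List[str]:
    """Return the problems found; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    expected = ACCEPTED.get(payload.get("ver"))
    if expected is None:
        return [f"unsupported token version: {payload.get('ver')!r}"]
    problems = []
    if payload.get("iss") != expected["iss"]:
        problems.append("issuer mismatch")
    aud = payload.get("aud")  # a string in practice, but the JWT spec also allows a list
    if expected["aud"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if now >= payload.get("exp", 0):
        problems.append("expired")
    # Delegated permissions arrive space-separated in 'scp'; app-only permissions arrive
    # in 'roles'. This API requires the delegated scope it exposes.
    if REQUIRED_SCOPE not in payload.get("scp", "").split():
        problems.append(f"missing scope {REQUIRED_SCOPE}")
    return problems

def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned token so decode_payload can be exercised offline."""
    def enc(obj): return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(payload)}.signature-placeholder"
```

Rejecting the token when `validate_claims` returns a non-empty list is the point; a token with a valid signature but the wrong audience is still a token issued for some other API.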