Scenario: Protected web API
In this scenario, you learn how to expose a web API. You also learn how to protect the web API so that only authenticated users can access it.
To use your web API, you need to either enable authenticated users with both work and school accounts or enable Microsoft personal accounts.
Before reading this article, you should be familiar with the following concepts:
- Microsoft identity platform overview
- Authentication basics
- Application and service principals
- Permissions and consent
- ID tokens and access tokens
Here is specific information you need to know to protect web APIs:
- Your app registration must expose at least one scope. The token version accepted by your web API depends on the sign-in audience.
- The code configuration for the web API must validate the token used when the web API is called.
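
An added example, not part of the original article: the claim checks a single-tenant web API applies after a JWT library has already verified the token's signature against the identity platform's published signing keys. The tenant and client IDs are placeholders, `access_as_user` is an assumed scope name, and `check_claims` is a hypothetical helper.

```python
import time

# Placeholders for this example; real values come from your app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "00000000-0000-0000-0000-000000000002"
APP_ID_URI = f"api://{CLIENT_ID}"
REQUIRED_SCOPE = "access_as_user"  # assumed name of the scope the API exposes

# Issuer and audience differ between v1.0 and v2.0 access tokens.
EXPECTED = {
    "1.0": {"iss": f"https://sts.windows.net/{TENANT_ID}/",
            "aud": {APP_ID_URI, CLIENT_ID}},
    "2.0": {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
            "aud": {CLIENT_ID}},
}

def check_claims(claims, accepted_version, now=None):
    """Return a list of problems; an empty list means the claims are acceptable.
    `claims` must come from a token whose signature was already verified."""
    now = time.time() if now is None else now
    if accepted_version not in EXPECTED:
        raise ValueError("accepted_version must be '1.0' or '2.0'")
    if claims.get("ver") != accepted_version:
        return [f"ver={claims.get('ver')!r}, API accepts {accepted_version}"]
    want, problems = EXPECTED[accepted_version], []
    if claims.get("iss") != want["iss"]:
        problems.append("unexpected issuer")
    aud = claims.get("aud")
    if not isinstance(aud, str) or aud not in want["aud"]:
        problems.append("token was not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        problems.append("token not yet valid")
    if REQUIRED_SCOPE not in str(claims.get("scp", "")).split():
        problems.append(f"scope {REQUIRED_SCOPE!r} not granted")
    return problems

# Constructed sample claims (not taken from a real token).
NOW = 1_700_000_000
SAMPLE_V2 = {"ver": "2.0", "iss": EXPECTED["2.0"]["iss"], "aud": CLIENT_ID,
             "exp": NOW + 3600, "nbf": NOW - 60, "scp": "access_as_user"}

if __name__ == "__main__":
    print(check_claims(SAMPLE_V2, "2.0", now=NOW))
```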