Scenario: Web app that calls web APIs

Learn how to build a web app that signs in users on the Microsoft identity platform and then calls web APIs on behalf of the signed-in user.


Before reading this article, you should be familiar with the following concepts:

This scenario supposes that you've gone through the following scenario:


You add authentication to your Web App, which can therefore sign in users and calls a web API on behalf of the signed-in user.

Web app that calls web APIs

Web Apps that calls web APIs:

  • are confidential client applications.
  • that's why they've registered a secret (application password or certificate) with Azure AD. This secret is passed-in during the call to Azure AD to get a token



Adding sign-in to a Web App does not use the MSAL libraries as this is about protecting the Web App. Protecting libraries is achieved by libraries named Middleware. This was the object of the previous scenario Sign-in users to a Web App

When calling web APIs from a Web App, you will need to get access tokens for these web APIs. You can use MSAL libraries to acquire these tokens.

The end to end experience of developers for this scenario has, therefore, specific aspects as:

  • During the Application registration, you'll need to provide one, or several (if you deploy your app to several locations) Reply URIs, secrets, or certificates need to be shared with Azure AD.
  • The Application configuration needs to provide client credentials as shared with Azure AD during the application registration

Next steps