
I have an Azure AD App Registration where I've exposed an API scope called AppUser.

This scope is being used for authentication in my Web API project, and everything works fine when the API is called from our frontend application (which uses delegated user authentication).

Now I have a background service (Azure WebJob) that needs to call the same protected API.

Since there's no user context, I tried using the client credentials flow (application permissions).

However, my API requests from the web job are failing with an authentication/authorization error.

What I've tried:

  • Used client credentials flow with client_id, client_secret, and scope = api://{api-client-id}/.default

  • Verified API permissions in Azure portal

But the API still returns HTTP 401 Unauthorized.

1 Answer


You should define an app permission (aka app role) and assign it to the other app. Docs: https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps

Scopes are only contained in tokens when acquired with user context as you have seen.

It's a bit confusing but app roles serve double duty in Entra ID:

  1. App permissions
  2. User roles

I guess the idea is that it is a role assigned to the service principal instead of a user principal.
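To make the difference concrete, here is an added example (not code from the question or the answer) of the authorization decision the API makes once the JWT middleware has already validated signature, issuer, audience and expiry. A delegated token carries the exposed scope in `scp`; an app-only token from the client credentials flow carries an app role in `roles`, and until such a role is defined and assigned, the web job's token carries neither, which is the 401 seen in the question. The role name `AppUser.All` and the sample claim sets are constructed placeholders.

```python
from typing import Any, Mapping

DELEGATED_SCOPE = "AppUser"    # the API scope exposed in the question
APP_ROLE = "AppUser.All"       # hypothetical app role (application permission)


def is_authorized(claims: Mapping[str, Any]) -> bool:
    """Accept a delegated token with the scope or an app-only token with the app role.

    Assumes the token was already validated (signature, iss, aud, exp) by the
    JWT middleware; only the permission claims are inspected here.
    """
    # Delegated (user) tokens: 'scp' is a single space-separated string.
    scp = claims.get("scp", "")
    scopes = set(scp.split()) if isinstance(scp, str) else set()
    # App-only (client credentials) tokens: 'roles' is a list of role values.
    roles_claim = claims.get("roles", [])
    roles = set(roles_claim) if isinstance(roles_claim, list) else set()
    return DELEGATED_SCOPE in scopes or APP_ROLE in roles


def http_status(claims: Mapping[str, Any]) -> int:
    """401 when the token carries neither permission, 200 otherwise."""
    return 200 if is_authorized(claims) else 401


# Constructed sample claim sets (not real tokens; the aud value is a placeholder).
# Frontend: delegated user token acquired with the AppUser scope.
FRONTEND_TOKEN = {"aud": "api://<api-client-id>", "scp": "AppUser", "oid": "user-oid"}
# Web job before the fix: client credentials with /.default but no app role assigned,
# so the token has no 'scp' and no 'roles'.
WEBJOB_TOKEN_NO_ROLE = {"aud": "api://<api-client-id>", "oid": "sp-oid"}
# Web job after defining the app role on the API and granting it to the job's app.
WEBJOB_TOKEN_WITH_ROLE = {
    "aud": "api://<api-client-id>",
    "roles": ["AppUser.All"],
    "oid": "sp-oid",
}

if __name__ == "__main__":
    for name, tok in [
        ("frontend (delegated)", FRONTEND_TOKEN),
        ("webjob, no app role", WEBJOB_TOKEN_NO_ROLE),
        ("webjob, app role assigned", WEBJOB_TOKEN_WITH_ROLE),
    ]:
        print(f"{name}: HTTP {http_status(tok)}")
```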
