For authenticating Entra ID users and services in ASP.NET you are probably using the Microsoft.Identity.Web package, with initialization code in your Program.cs that looks something like this:
This configures authentication from the values stored in the "AzureAd" section of your appsettings. It works fine for "normal" (user) sign-ins, but it will not accept tokens obtained through the Client Credentials Flow, which is what you typically use for service-to-service communication.
You might see an error like "System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token." The reason is that a token issued by the Client Credentials Flow does not carry a scope or roles claim by design.
The trick is to add the AllowWebApiToBeAuthorizedByACL property to your configuration. Also make sure you have an up-to-date version of the Microsoft.Identity.Web package installed. Here is an example of what the appsettings.json might look like:
{
  ...
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "[Redacted]",
    "ClientId": "[Redacted]",
    "TenantId": "[Redacted]",
    "AllowWebApiToBeAuthorizedByACL": true
  }
  ...
}
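Because AllowWebApiToBeAuthorizedByACL switches off the library's scope/roles check, the API itself now has to decide which client applications may call it. The following Program.cs is an added example (not code from the original post or from Microsoft.Identity.Web) showing one way to do that: it keeps the configuration-driven setup above and adds an authorization policy that compares the caller's application id claim against an allow-list. The "AllowedCallerAppIds" configuration section and the "TrustedService" policy name are assumptions for this example.

```csharp
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Reads the "AzureAd" section (including AllowWebApiToBeAuthorizedByACL)
// from appsettings.json and registers JWT bearer authentication.
builder.Services.AddMicrosoftIdentityWebApiAuthentication(builder.Configuration, "AzureAd");

// Hypothetical config section: the client (application) IDs of the services
// allowed to call this API. With AllowWebApiToBeAuthorizedByACL set, this
// list is the access control that replaces the missing scp/roles claims.
var allowedCallers = builder.Configuration
    .GetSection("AllowedCallerAppIds")
    .Get<string[]>() ?? Array.Empty<string>();

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("TrustedService", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
              {
                  // v2.0 access tokens carry the caller's app id in "azp",
                  // v1.0 access tokens in "appid"; accept whichever is present.
                  var appId = ctx.User.FindFirst("azp")?.Value
                           ?? ctx.User.FindFirst("appid")?.Value;

                  // Deny if the claim is absent or the caller is not on the allow-list.
                  return appId is not null
                      && allowedCallers.Contains(appId, StringComparer.OrdinalIgnoreCase);
              }));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Endpoints meant for service-to-service calls opt in to the ACL policy explicitly.
app.MapGet("/api/ping", () => Results.Ok("pong"))
   .RequireAuthorization("TrustedService");

app.Run();
```

Requests whose token has no azp/appid claim, or whose app id is not listed under AllowedCallerAppIds, are rejected with 403 even though the token itself validated.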