Getting access denied when accessing Azure Web App via token

Question

We are testing locking down an API hosted on Azure Web Apps by using the built-in Azure Web App Authentication/Authorization with Azure Active Directory.

We are calling POST https://login.microsoftonline.com/{tenantIDhere}/oauth2/v2.0/token with the following parameters in Postman:

grant_type: password
client_id: {ID}
username: {username}@{tenenat}.onmicrosoft.com
password: {password}
scope: https://{webappname}.azurewebsites.net/.default
client_secret: {secret}

Below is the response I get:

"token_type":"Bearer","scope":"https://{webappname}.azurewebsites.net/user_impersonation https://{webappname}.azurewebsites.net/.default","expires_in":3599,"ext_expires_in":3599,"access_token":"{TOKEN HERE}"}

So I take that token and try and access the webpage by passing the token in the header and I get the below error using POST:

https://{webappname}.azurewebsites.net/api/url

Authorization: Bearer {TOKEN HERE}

Response (401 Unauthorized)

You do not have permission to view this directory or page.

I have spent days trying everything I can find. What am I missing?? As soon as I turn off authorization needed for the web app, I get the expected result. But using the grant_type: password, I CANNOT get in! I have a feeling its related to the scope, but I cannot find documentation on what I need here for this. Any ideas?

The user is able to manually login to the webpage and pull the data, so it is not a permission issue. It has something to do with the token I believe.

Answer 1

If you are using v2.0 endpoint, the scope should be {your_client_id}/.default. Replace https://{webappname}.azurewebsites.net with the client id/application id for your API app in Azure AD.

Edit:

As Wayne said, you could also set scope as {your_client_id}/User.Read to get access token.