TheIronCheek

Reputation: 1149

Trying to Secure Web API with Azure AD

I have a Web API project I created using this tutorial that I'm trying to secure using Azure AD.

According to the tutorial, when I create the project, I can select "Change Authentication" and enter my AAD information, and the authentication is supposed to just "work" as long as I have <Authorize> on the controller I want to secure:

Azure AD Tenant Info

According to the tutorial, I need to add the API as an app in the Azure portal but its steps and screenshots are confusing because they're old and the Azure portal has been reorganized. It says:

Next step is to add the "WebAPIServerSingleTenant" as an app you can access in your native app. Navigate to the "WebAPIClientSingleTenant" app and add "WebAPIServerSingleTenant" to your approved list (tick the checkbox too)

But adding the tenant info from Visual Studio when I created the project creates an app registration in AAD automatically, so I'm not sure what it's asking me to do.

Furthermore, when I try to call the API from Postman, for example, I just get "Authorization has been denied for this request" despite generating and passing an access token in the header of the request that looks right to me.

What steps do I need to follow to secure my web API using Azure AD?

Upvotes: 0

Views: 659

Answers (1)

Marc

Reputation: 1051

The "Next step is to add the ..." instruction you quote above is about adding a reference to your API app to the AAD registration of your native app. To register the native app, go to the Azure portal and use App Registration. The instructions for how to do that linked in your article are obsolete - the AAD UI is totally different now. Rather use one of the official samples, in particular the one for native client accessing an API.

Upvotes: 1
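
A troubleshooting check for the "Authorization has been denied for this request" response described in the question, added here as an example that is not part of either post: decode the access token's claims and compare the audience, tenant and expiry with what the API is set up to accept. The audience URI, tenant ID and the unsigned sample tokens are constructed placeholders; real values come from your own app registrations, and the API still has to validate the token signature itself.

```python
import base64
import json
import time

# Constructed placeholders: what the API is assumed to be configured to accept.
EXPECTED_AUDIENCE = "https://contoso.example/WebAPIServerSingleTenant"
EXPECTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token):
    """Return the JWT payload claims WITHOUT verifying the signature (debug use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, audience, tenant_id, now=None):
    """List reasons an audience, tenant or lifetime check would reject the token."""
    now = time.time() if now is None else now
    claims = read_claims(token)
    problems = []
    if claims.get("aud") != audience:
        problems.append(f"aud is {claims.get('aud')!r}, API expects {audience!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid is {claims.get('tid')!r}, API expects {tenant_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def make_sample_token(claims):
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Sample token issued for a different resource than the API being called.
    other = make_sample_token({"aud": "https://contoso.example/OtherApi",
                               "tid": EXPECTED_TENANT_ID, "exp": time.time() + 3600})
    print(check_token(other, EXPECTED_AUDIENCE, EXPECTED_TENANT_ID))
```

An empty list only means these three claims match; it says nothing about the signature or issuer validation the API performs.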
