Theodorus Agum Gumilang

Reputation: 1486

Can't authorize token from Client Credentials Authentication Microsoft AD

So I have built an application using ASP.NET Core. Here is my code:

    services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
    .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

    services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
    {
        // This is a Microsoft identity platform web API.
        options.Authority += "/v2.0";

        // The web API accepts as audiences both the Client ID (options.Audience) and api://{ClientID}.
        options.TokenValidationParameters.ValidAudiences = new[]
        {
            options.Audience,
            $"api://{options.Audience}"
        };
    });


This setup works fine when I'm using User Password Authentication. But because of some condition, I can only use client_credentials for my other application. I'm using this to get the token: [image]. I successfully get the token, but when I use the token it gives me Unauthorized.

Here is the API Permission that I used: [image]

And this one is my decoded token: [image]

Upvotes: 1

Views: 1219

Answers (1)

Carl Zhao

Reputation: 9511

Please change the scope to: api://{ClientID}/.default.


Update:

You need to create another Azure AD application that represents the web api, and then use your client application to call the web api application.

First, you need to expose the api of the application representing the web api, you can configure it according to the following process:

Azure portal > App registrations > Expose an API > Add a scope > Add a client application

Next, you need to define the manifest of the API application and grant application permissions to your client application (these are the role permissions you define yourself; you can find them under My APIs when you add permissions).

This is the process of defining the manifest: [image]

This is to grant permissions for the client application: [image]

Finally, you can request a token for your API application: [image]

Upvotes: 2
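A worked check for the two points made in the answer (request the API application's `/.default` scope with the client_credentials grant, and have the API application expose an app role that the client application is granted) and for the symptom in the question (a token that is issued but rejected with Unauthorized). This is an added example, not code from the question, the answer or any Microsoft library. It assumes placeholder tenant and client IDs and an app role named `Data.Read`; the sample tokens are constructed and unsigned, so the claim inspection is a diagnostic only and never a substitute for the signature, issuer and expiry validation the JwtBearer middleware performs.

```python
"""Diagnostics for an Azure AD client_credentials token aimed at a custom ASP.NET Core web API.

Added example (not from the question or answer). Every ID below is a placeholder.
"""
import base64
import json

TENANT_ID = "00000000-0000-0000-0000-000000000000"         # placeholder tenant
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"     # placeholder: registration that represents the web API
CALLER_CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # placeholder: the client (daemon) application
REQUIRED_APP_ROLE = "Data.Read"  # placeholder app role from the API manifest (allowedMemberTypes: ["Application"])


def token_request(api_client_id: str, caller_client_id: str, client_secret: str) -> dict:
    """Form fields for the v2.0 client_credentials grant.

    The client_credentials grant only accepts the API's /.default scope, which asks for
    every application permission (app role) the caller has already been granted.
    Requesting the caller's own /.default instead yields a token whose aud is the caller.
    """
    return {
        "url": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": caller_client_id,
            "client_secret": client_secret,
            "scope": f"api://{api_client_id}/.default",
        },
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def explain_rejection(claims: dict, api_client_id: str, required_role: str) -> list:
    """List the reasons the API would reject this token; an empty list means it looks usable.

    Mirrors the question's ValidAudiences (client ID or api://{client ID}) and the answer's
    app-role requirement: client_credentials tokens carry 'roles', not delegated 'scp'.
    """
    problems = []
    valid_audiences = {api_client_id, f"api://{api_client_id}"}
    if claims.get("aud") not in valid_audiences:
        problems.append(f"aud={claims.get('aud')!r} is not one of {sorted(valid_audiences)}")
    if "scp" in claims:
        problems.append("token carries 'scp' (delegated scopes); client_credentials tokens carry 'roles'")
    if required_role not in claims.get("roles", []):
        problems.append(f"app role {required_role!r} missing from roles={claims.get('roles', [])}")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT for offline demonstration (a real API never accepts these)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample 1: what you get when the client requested its OWN /.default scope.
BAD_TOKEN = make_unsigned_jwt({"aud": CALLER_CLIENT_ID, "appid": CALLER_CLIENT_ID})

# Constructed sample 2: scope api://{API_CLIENT_ID}/.default with the app role granted.
GOOD_TOKEN = make_unsigned_jwt({
    "aud": f"api://{API_CLIENT_ID}",
    "appid": CALLER_CLIENT_ID,
    "roles": [REQUIRED_APP_ROLE],
})


if __name__ == "__main__":
    print(token_request(API_CLIENT_ID, CALLER_CLIENT_ID, "<client-secret placeholder>")["data"]["scope"])
    for name, token in (("bad", BAD_TOKEN), ("good", GOOD_TOKEN)):
        print(name, explain_rejection(decode_claims(token), API_CLIENT_ID, REQUIRED_APP_ROLE))
```

Run the script against a real token by pasting it into `decode_claims`: if `aud` is your client application's own ID, the scope in the token request was wrong; if `aud` is right but `roles` is empty, the app role has not been defined in the API manifest or has not been granted (with admin consent) to the client application.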
