| title | description | services | author | manager | ms.service | ms.subservice | ms.topic | ms.workload | ms.date | ms.author | ms.reviewer | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Protected web API - overview |
Learn how to build a protected web API (overview). |
active-directory |
cilwerner |
CelesteDG |
active-directory |
develop |
conceptual |
identity |
12/19/2022 |
cwerner |
jmprieur |
aaddev, identityplatformtop40, engagement-fy23 |
In this scenario, you'll learn how to expose a web API and how to protect it so that only authenticated users can access it.
To use your web API, you either enable authenticated users with both work and school accounts or enable Microsoft personal accounts.
The specific information you need to know to protect web APIs are:
- Your app registration must expose at least one scope or one application role.
- Scopes are exposed by web APIs that are called on behalf of a user.
- Application roles are exposed by web APIs called by daemon applications (apps that call your web API on their own behalf).
- If you create a new web API app registration, choose the access token version accepted by your web API to the value of
2. For legacy web APIs, the accepted token version can benull, but this value restricts the sign-in audience to organizations only, and personal Microsoft accounts (MSA) won't be supported. - The code configuration for the web API must validate the token used when the web API is called.
- The code in the controller actions must validate the roles or scopes in the token.
[!INCLUDE recommended-topics]
Move on to the next article in this scenario, App registration.