I have an application, let's name it 'Apple', which is registered with Azure AD and has delegated rights on the Azure Management API application. When a request is made to this application it automatically creates an Azure resource, e.g. a storage account, and this works fine.
I have another application, an MVC application, which is also registered with the same AD tenant. The second application uses the following code to retrieve an access token:
// ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory); runs inside an async method
var clientCredentials = new ClientCredential(ConfigurationManager.AppSettings["AD_ClientID"], ConfigurationManager.AppSettings["AD_Client_AccessKey"]);
var authContext = new AuthenticationContext(string.Format(ConfigurationManager.AppSettings["AD_Tenant_Login_Url"], ConfigurationManager.AppSettings["AD_Tenant_Id"]));
// AcquireTokenAsync returns a Task<AuthenticationResult>; await it instead of null-checking the Task itself
var result = await authContext.AcquireTokenAsync(ConfigurationManager.AppSettings["AD_Resource"], clientCredentials);
if (result == null || string.IsNullOrEmpty(result.AccessToken))
    throw new InvalidOperationException("Could not get the token");
public void ConfigureAuth(IAppBuilder app)
{
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters { ValidAudience = ConfigurationManager.AppSettings["ida:Audience"] }
    });
}
To the above question, the answer was that the Resource ID (during the token request) and the Audience ID (during validation of the token in the second application) were not matching. Keeping those the same solved the problem.
Then I ran into another issue, which I have described here.
It seems that if I work with the newer Azure Portal (which is still in preview), the AD token does not include the "Roles" field in the JWT token. If I follow the same procedure in the older portal for configuring the apps, then AD includes the "Roles" field in the JWT token and the scenario executes as expected.
I should avoid using the new Azure portal for preview features, at least!
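The two failures described in this post (token audience not matching the resource the token was requested for, and a token arriving without a "roles" claim) can both be reproduced with a small bearer-token validator. The following is an added example, not the poster's code and not ADAL or the OWIN middleware; it hand-rolls HS256 with a constructed secret to stand in for Azure AD's RS256 signing and key discovery, and the resource URI, issuer and role name are constructed placeholders. It shows the checks a receiving API performs on `aud` and `roles` and why each of the post's scenarios is accepted or rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not from any real tenant or application)
DEMO_SECRET = b"constructed-demo-signing-key"
RESOURCE_ID = "https://apple.example/api"  # stands in for AD_Resource / ida:Audience


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed JWT carrying the given claims (demo only; AAD uses RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, secret: bytes, expected_audience: str, required_roles=()) -> dict:
    """Verify signature, algorithm, expiry, audience and app roles; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose an unexpected algorithm
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    # The check that failed in the post: 'aud' is the resource the token was
    # requested for (AD_Resource) and must equal what the API validates (ida:Audience).
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience mismatch: token aud={claims.get('aud')!r}, expected {expected_audience!r}")
    roles = claims.get("roles") or []
    if required_roles and not roles:
        raise ValueError("token carries no 'roles' claim; app role assignment did not reach the token")
    missing = [r for r in required_roles if r not in roles]
    if missing:
        raise ValueError(f"missing roles: {missing}")
    return claims


def demo() -> dict:
    """Run the three scenarios from the post and report the outcome of each."""
    now = int(time.time())
    base = {"iss": "https://sts.example/tenant/", "exp": now + 3600, "appid": "second-app"}
    scenarios = {
        "matching_audience": {**base, "aud": RESOURCE_ID, "roles": ["Resource.Create"]},
        "mismatched_audience": {**base, "aud": "https://other.example/api", "roles": ["Resource.Create"]},
        "roles_claim_absent": {**base, "aud": RESOURCE_ID},
    }
    outcomes = {}
    for name, claims in scenarios.items():
        token = make_token(claims, DEMO_SECRET)
        try:
            validate_token(token, DEMO_SECRET, RESOURCE_ID, required_roles=("Resource.Create",))
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = f"rejected: {err}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third scenario is the one the post attributes to the new portal: a correctly signed token for the right audience is still rejected because the roles claim never made it into the token, so the failure shows up at authorization time rather than at signature or audience validation.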