I have an Azure Web App Service that will be used in a service-to-service environment. I want this service to use the Azure AD app registration for authentication. This service will, due to its implementation, only use the client credentials grant type for the authentication process.
I expect that since my client app registration doesn't have any API permissions configured against my service app registration, the authentication should fail, but it doesn't; it returns a valid access token with my service app registration's Application ID URI as audience that can be used to access my Azure App Service.
So, why does this happen? I expect that an app registration isn't available until there is an approved API permission configured for my client registration, but this isn't the case.
This is what I have done:
I have created an app registration the following way to make this work:
- Made an app registration manually in Azure AD with Supported account types set to "Accounts in this organizational directory only"
- Added an Application ID URI
- Added a client secret (used by the Azure App Service configuration)
- Created an App role (since this is a requirement to be able to use the client credentials grant type, as far as I have understood)
This app registration is then connected to the Web App service using the Authentication / Authorization configuration on the App Service using advanced configuration (not that this is relevant for this issue).
I also created another app registration that identifies my client service. This service has not been configured to access the service app registration. I then use this client service's credentials to authenticate against my Azure AD using the client credentials grant type with the service Application ID URI as scope.
I know that I can limit the access in my code by checking the role, but that's not the issue here; I am wondering why it returns a valid access token at all with my service Application ID URI as audience.
NOTE: I have found that if I go to Enterprise applications and set "User assignment required?" to Yes, it will return 400, but is there any way to have this as default for all new app registrations, to ease the app registration?
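As an added illustration (not code from the question), this Python sketch shows the role check the question mentions: after signature verification, an API should reject a client-credentials token that carries the right audience but no roles claim, which is exactly what a client without any API permission receives. The Application ID URI, role name and tokens below are constructed placeholders.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed values, not taken from the question: the service app registration's
# Application ID URI (the token audience) and the app role a caller must hold.
EXPECTED_AUDIENCE = "api://00000000-0000-0000-0000-000000000000"  # placeholder
REQUIRED_ROLE = "Service.Invoke"                                  # hypothetical app role

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for this demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def claims_of(token: str) -> dict:
    """Extract the payload claims. This does NOT verify the signature; a real
    service must verify it against the tenant's signing keys before trusting claims."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def authorize(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Checks an API applies after signature verification: audience, expiry,
    and that the caller was actually granted an app role."""
    now = time.time() if now is None else now
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # A token minted for a client with no API permission has a valid audience
    # but no 'roles' claim at all: this is where such a caller is rejected.
    if REQUIRED_ROLE not in (claims.get("roles") or []):
        return False, "required app role not granted"
    return True, "ok"

# Constructed sample tokens: one for a client with no role assignment, one with the role.
NOW = 1_700_000_000
BASE = {"aud": EXPECTED_AUDIENCE, "iss": "https://login.microsoftonline.com/<tenant>/v2.0",
        "exp": NOW + 3600}
TOKEN_NO_ROLE = make_unsigned_token(BASE)
TOKEN_WITH_ROLE = make_unsigned_token({**BASE, "roles": [REQUIRED_ROLE]})

if __name__ == "__main__":
    print(authorize(claims_of(TOKEN_NO_ROLE), NOW))    # (False, 'required app role not granted')
    print(authorize(claims_of(TOKEN_WITH_ROLE), NOW))  # (True, 'ok')
```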