In the second part, we setup application permissions on the API, and see how to test the API using Postman (as a user and as an app)

In the first part in this series, we will look at how to setup Swagger UI so it can be used to test an Azure AD-protected API.

Microsoft has improved the security of all APIs using Azure AD authentication and it's awesome, but it doesn't mean you can relax

Failing to check for permissions in Azure AD access tokens leads to your API being vulnerable

The dangers of embedding secrets in native applications, and how to implement Azure AD authentication there without secrets

Some things to watch out for in your multi-tenant Azure AD applications that support a limited number of tenants

What is the OAuth ROPC flow, why it exists, and why you should not use it for most cases

Some points on why using wildcards (asterisks) in Azure AD app reply URLs may be a bad idea, and how to do it better

Compares two approaches to high-level authorization in an application: groups and app roles

Single Sign-Out enables you to clear the user's session immediately when they sign out from another app