I am working on an Azure Function API that is protected by Azure AD. It works fine when I request it from the browser once I have logged in with a valid account, but when I try it with Postman it still shows unauthorized access.
I have got an access token to send with the request, but for the scope property I have given this value, https://graph.microsoft.com/.default, which I think might be the problem. But I'm not sure what I am doing wrong and what to put in the scope field of the "get new access token" option in Postman to authenticate to my API.
HTTP request Postman is making:
GET /api/events/active HTTP/1.1
Host: moya-backend-ascentic.azurewebsites.net
Authorization: Bearer ****IHqMgweN86fDnyL4jvz9P6ZllpjjD9t***
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache
Postman-Token: 655e0672-4928-409e-a709-841a92ee6f14,22cbf978-f196-4099-ae10-d162d3068507
Host: moya-backend-ascentic.azurewebsites.net
accept-encoding: gzip, deflate
Connection: keep-alive
cache-control: no-cache
If you are using the v2.0 endpoint, the scope should be {your_client_id}/.default, just like @juunas said.
If you are using the v1.0 endpoint, you only need the resource parameter. The resource should be {your_client_id}.
Note: If you are using the "get new access token" function in Postman, the Access Token URL should be https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
The scope should be: your-api-client-id/.default.
Replace your-api-client-id with the client id/application id for your API app in Azure AD.
Now, since browser-based login seems to be working, you may have set up the wrong kind of authentication on the API. If the token still doesn't work, you'll need to set up JWT authentication on the app instead of browser/cookie-based.
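The two answers above come down to the token's audience: a token requested with scope https://graph.microsoft.com/.default carries Graph as its aud claim, so the API rejects it, while your-api-client-id/.default yields a token whose aud is the API itself. The following added example (not code from the question or the answers) is a small diagnostic that reads the aud and iss claims of a token and says why the API would reject it. The client id, tenant id and tokens are constructed placeholders; the signature is deliberately not verified here, so this is for inspecting a rejected token, not for replacing JWT validation on the API. It assumes the API's App ID URI is api://<client id>, the default Azure AD form.

```python
import base64
import json
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT. The signature is NOT checked;
    this only reads aud/iss for troubleshooting and is no substitute for validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_problem(token: str, api_client_id: str, tenant_id: str) -> Optional[str]:
    """Explain why the API would reject this token, or return None if aud/iss fit.
    A v2.0 token carries the bare client id in aud; a v1.0 token carries the
    App ID URI, assumed here to be api://<client id>."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    iss = claims.get("iss", "")
    if aud not in (api_client_id, f"api://{api_client_id}"):
        return (f"aud is {aud!r}: the token was issued for another resource "
                f"(request scope {api_client_id}/.default instead)")
    if tenant_id not in iss:
        return f"iss {iss!r} is not the expected tenant {tenant_id}"
    return None


def _fake_token(claims: Dict[str, Any]) -> str:
    # Constructed, unsigned sample token for the demo; a real one is signed by Azure AD.
    def enc(d: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"


API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder, not a real app
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # placeholder tenant
# Token obtained with scope https://graph.microsoft.com/.default (the question's mistake).
GRAPH_TOKEN = _fake_token({"aud": "https://graph.microsoft.com",
                           "iss": f"https://sts.windows.net/{TENANT_ID}/", "scp": "User.Read"})
# Token obtained with scope <api client id>/.default from the v2.0 endpoint.
API_TOKEN = _fake_token({"aud": API_CLIENT_ID,
                         "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"})

if __name__ == "__main__":
    print(audience_problem(GRAPH_TOKEN, API_CLIENT_ID, TENANT_ID))
    print(audience_problem(API_TOKEN, API_CLIENT_ID, TENANT_ID))
```

Paste the token from Postman's Authorization header into decode_claims to see which resource it was actually issued for.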