MSAL protected API scope format


When I request the scope for my protected API as follows (API client ID omitted):

  // Imports needed for this factory to compile (MSAL Angular wrapper + MSAL browser core).
  import { InteractionType } from '@azure/msal-browser';
  import { MsalInterceptorConfiguration } from '@azure/msal-angular';

  export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
    const protectedResourceMap = new Map<string, Array<string>>();
    // Graph: request the delegated user.read scope.
    protectedResourceMap.set('https://graph.microsoft.com/v1.0/me', ['user.read']);
    // Custom API: scope requested using the full Application ID URI prefix.
    protectedResourceMap.set('https://pz-job-tracker-api.azurewebsites.net', ['api://MYGUID/user_impersonation']);

    return {
      interactionType: InteractionType.Redirect,
      protectedResourceMap
    };
  }

I get a 401 saying the audience 'IDX10214: Audience validation failed. Audiences: 'api://MYGUID'. Did not match: validationParameters.ValidAudience: 'MYGUID' or validationParameters.ValidAudiences: 'null'.'

If I however change my scope slightly to be like this:

  import { InteractionType } from '@azure/msal-browser';
  import { MsalInterceptorConfiguration } from '@azure/msal-angular';

  export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
    const protectedResourceMap = new Map<string, Array<string>>();
    protectedResourceMap.set('https://graph.microsoft.com/v1.0/me', ['user.read']);
    // Only change: the scope uses the bare client ID (GUID) instead of the api:// URI prefix.
    protectedResourceMap.set('https://pz-job-tracker-api.azurewebsites.net', ['MYGUID/user_impersonation']);

    return {
      interactionType: InteractionType.Redirect,
      protectedResourceMap
    };
  }

It works! But why? I can't find anywhere in the docs where they say that you need to omit the URI part of the client ID. And why, according to the error message, is a null audience allowed? This was all set up following MS tutorials on Easy Auth, where my API app has no auth code in it; it's all handled by Entra and Easy Auth.


1 answer

AlfredoRevilla-MSFT On

From Enable Microsoft Entra ID in your App Service app:

The configured Application (client) ID is always implicitly considered to be an allowed audience. If your application represents an API that will be called by other clients, you should also add the Application ID URI that you configured on the app registration. There's a limit of 500 characters total across the list of allowed audiences.
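As an added illustration (not code from the question, the answer, or Microsoft), the following Node.js script models the two things that interact in this thread: the resource prefix of the requested scope becomes the token's `aud` claim, and App Service Easy Auth accepts that `aud` only if it is the Application (client) ID or an explicitly configured allowed audience, as the quoted docs state. `CLIENT_ID` is the question's `MYGUID` placeholder, the sample tokens are constructed and unsigned, and counting the 500-character limit over the comma-joined list is an assumption, since the docs do not say how it is measured.

```javascript
// Added illustration (not code from the question, the answer, or Microsoft):
// why the scope's resource prefix decides the token's `aud`, and how the
// allowed-audience rule quoted in the answer accepts or rejects it.
// CLIENT_ID is a constructed placeholder for the API app registration's ID.

const CLIENT_ID = "MYGUID";
const APP_ID_URI = `api://${CLIENT_ID}`;

// The resource identifier is the scope minus its final "/<permission>" segment.
// For a v2.0 access token that identifier is what lands in the `aud` claim:
//   "api://MYGUID/user_impersonation" -> "api://MYGUID"
//   "MYGUID/user_impersonation"       -> "MYGUID"
function resourceFromScope(scope) {
  const cut = scope.lastIndexOf("/");
  if (cut <= 0) {
    throw new Error(`scope "${scope}" has no resource prefix`);
  }
  return scope.slice(0, cut);
}

// Easy Auth's rule as quoted in the answer: the Application (client) ID is always
// an allowed audience, any other identifier (such as the Application ID URI) must
// be listed explicitly, and the whole list is limited to 500 characters. How
// Azure counts those characters is not stated; counting the comma-joined list
// here is an assumption.
function buildAllowedAudiences(clientId, configured) {
  const list = [clientId];
  for (const entry of configured) {
    if (!list.includes(entry)) list.push(entry);
  }
  const length = list.join(",").length;
  if (length > 500) {
    throw new Error(`allowed audiences total ${length} characters, limit is 500`);
  }
  return list;
}

// `aud` may be a single string or an array; the token passes when any value matches.
function isAudienceAllowed(aud, allowed) {
  const values = Array.isArray(aud) ? aud : [aud];
  return values.some((value) => allowed.includes(value));
}

// Reads the `aud` claim from a compact JWT. This only decodes the payload for
// illustration; signature and issuer checks are what the real middleware does first.
function audFromJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (payload.aud === undefined) throw new Error("token has no aud claim");
  return payload.aud;
}

// Constructed sample token with the given audience and a dummy signature.
function sampleToken(aud) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc({ aud, scp: "user_impersonation" })}.dummy-signature`;
}

// Puts it together: request a scope, see which `aud` the resulting token carries,
// and whether Easy Auth (with the given extra allowed audiences) would accept it.
function evaluate(scope, configuredAudiences = []) {
  const aud = audFromJwt(sampleToken(resourceFromScope(scope)));
  const allowed = buildAllowedAudiences(CLIENT_ID, configuredAudiences);
  return { aud, allowed, accepted: isAudienceAllowed(aud, allowed) };
}

// The three cases from the thread.
console.log(evaluate("api://MYGUID/user_impersonation"));               // rejected: the 401 in the question
console.log(evaluate("MYGUID/user_impersonation"));                     // accepted: client ID is implicit
console.log(evaluate("api://MYGUID/user_impersonation", [APP_ID_URI])); // accepted: URI added per the answer
```

The first call reproduces the question's IDX10214 failure: the token carries `aud` = `api://MYGUID`, but the only implicit audience is the bare GUID. The third call is the answer's fix, adding the Application ID URI to the allowed audiences, so the `api://` form of the scope can keep being requested.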