
Issue with authenticated App Service

Paul Harris 0 Reputation points
2026-06-19T07:25:32.74+00:00

I have created an ASP API app written in C#. The app is expecting Access Tokens issued by an Entra directory.
When I test on my laptop, I get an access token, then use it to call the locally hosted API and it all works fine.

When I deploy the API to Azure it breaks! Any call to the API now gets 'Internal Server Error'.

I am new to Azure app service hosting and I am stuck! Any ideas?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

    AI answer

    2026-06-19T07:26:02.99+00:00

    The most common cause for an API that works locally but fails with 500 Internal Server Error after deployment to Azure App Service, when using Microsoft Entra ID access tokens, is a mismatch between how tokens are validated in Azure and how the app is configured (audience, issuer, or missing headers/middleware). Another frequent cause is misconfiguration when running behind a gateway/proxy.

    Use the following checks and fixes:

    1. Check that the API receives a valid Bearer token in Azure
      • Ensure the client calls the Azure-hosted API with an Authorization: Bearer <token> header.
      • If the request has no token or an invalid token, the API can return 401 or 500 depending on error handling.
    2. Verify audience (aud) matches what the API expects
      • Decode the JWT at https://jwt.ms.
      • Check the aud claim.
      • Ensure it matches the API’s configured audience (for example, api://<application-client-id> or the App ID URI configured for the API).
      • If the token is issued for a different resource, token validation fails and can surface as 401/500.
    3. Align API token validation with Entra configuration
      • In the API’s TokenValidationParameters, ensure ValidAudience/ValidAudiences and ValidIssuer/ValidIssuers match the values from the Entra app registration:
        • aud must match the API’s App ID URI or client ID.
        • iss must match the tenant’s issuer (for example, https://login.microsoftonline.com/<tenant-id>/v2.0).
      • If the API is behind a gateway or uses multiple URLs, add all valid audiences as shown in the gateway troubleshooting guidance.
    4. If the API is behind a gateway or proxy, configure forwarded headers
      • When deployed behind a gateway (Front Door, Application Gateway, API Management, etc.), missing forwarded headers can cause redirect or token validation issues.
      • Ensure the middleware order includes forwarded headers before authentication:
             app.UseForwardedHeaders();
             app.UseAuthentication();
             app.UseAuthorization();
        
      • Verify the gateway forwards X-Forwarded-Proto and X-Forwarded-Host.
    5. Troubleshoot 401/500 by enabling detailed logging
      • Use JwtBearerEvents or Serilog-based logging to capture token validation errors and see why the API is failing in Azure.
      • Enable debug logging for Microsoft.Identity and Microsoft.IdentityModel to see detailed token validation messages.
    6. Check for generic 401/500 causes
      • A 401/500 can also occur if:
        • The token is expired.
        • The token is missing required claims.
        • The token’s issuer or audience does not match the API configuration.
      • Use the logging guidance to confirm which of these applies.
    7. If using a gateway, validate the audience and headers again
      • For APIs behind gateways, explicitly check:
        • The aud claim matches one of the configured valid audiences (e.g., api://your-client-id, backend URL, or gateway URL as configured).
        • Forwarded headers are correctly handled and UseForwardedHeaders is configured before authentication.

    Applying these checks will typically reveal whether the issue is an audience/issuer mismatch, missing/misrouted headers, or a misconfigured authentication pipeline in Azure App Service.
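    The checks in steps 3 to 5 combined into one Program.cs, as an added illustration that is not the asker's code or part of the original answer. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, an API-only app, and placeholder values for the tenant ID and the API's application (client) ID; the v1 issuer/audience forms are included alongside the v2 ones because tokens minted for an API registration can carry either, depending on the accessTokenAcceptedVersion setting.

```csharp
// Program.cs (added example). <tenant-id> and <api-client-id> are placeholders
// to be taken from the API's Microsoft Entra app registration.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
const string tenantId = "<tenant-id>";
const string apiClientId = "<api-client-id>";

// Step 4: honour X-Forwarded-Proto / X-Forwarded-Host from the gateway so the
// app sees the public scheme and host. The headers are only trusted from
// KnownProxies/KnownNetworks (loopback by default); add the gateway's address
// there rather than clearing the lists, or the headers are silently ignored.
builder.Services.Configure<ForwardedHeadersOptions>(o =>
    o.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        // Authority drives OpenID Connect metadata discovery (signing keys).
        o.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
        // Step 3: pin the audience and issuer to the app registration's values.
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudiences = new[] { apiClientId, $"api://{apiClientId}" },   // v2 aud, v1 aud
            ValidIssuers = new[]
            {
                $"https://login.microsoftonline.com/{tenantId}/v2.0",        // v2 iss
                $"https://sts.windows.net/{tenantId}/"                       // v1 iss
            },
            ValidateLifetime = true
        };
        // Step 5: surface the real validation failure in the App Service logs
        // instead of a bare 500, so aud/iss/expiry problems can be told apart.
        o.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = ctx =>
            {
                var log = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
                log.LogWarning(ctx.Exception, "JWT validation failed: {Reason}", ctx.Exception.Message);
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseForwardedHeaders();   // must precede authentication (step 4)
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/ping", () => Results.Ok("ok")).RequireAuthorization();
app.Run();
```

    With the `Microsoft.IdentityModel` log level set to Debug in appsettings, the warning above is accompanied by the library's own IDX-coded message naming the failing claim.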


