Merge pull request #219734 from jmprieur/docs-editor/scenario-protected-web-api-ver-1669693618

prmerger-automator[bot] · web-flow · commit 257056f62298 · 2022-11-29T04:11:21.000Z
Fix https://github.com/MicrosoftDocs/azure-docs/issues/91860
diff --git a/articles/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles.md b/articles/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles.md
@@ -153,7 +153,10 @@ You can also verify the scopes for the whole controller
 
 ##### Verify the scopes on a controller with hardcoded scopes
 
-The following code snippet shows the usage of the `[RequiredScope]` attribute with hardcoded scopes on the controller.
+The following code snippet shows the usage of the `[RequiredScope]` attribute with hardcoded scopes on the controller. To use the RequiredScopeAttribute, you'll need to either:
+
+- Use `AddMicrosoftIdentitWebApi` in the Startup.cs, as seen in [Code configuration](scenario-protected-web-api-app-configuration.md)
+- or otherwise add the `ScopeAuthorizationRequirement` to the authorization policies as explained in [authorization policies](https://github.com/AzureAD/microsoft-identity-web/wiki/authorization-policies).
 
 ```csharp
 using Microsoft.Identity.Web
@@ -250,7 +253,6 @@ private void ValidateScopes(IEnumerable<string> acceptedScopes)
 For a full version of `ValidateScopes` for ASP.NET Core, [_ScopesRequiredHttpContextExtensions.cs_](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/Resource/ScopesRequiredHttpContextExtensions.cs)
 
 ---
-
 ## Verify app roles in APIs called by daemon apps
 
 If your web API is called by a [daemon app](scenario-daemon-overview.md), that app should require an application permission to your web API. As shown in [Exposing application permissions (app roles)](./scenario-protected-web-api-app-registration.md#expose-application-permissions-app-roles), your API exposes such permissions. One example is the `access_as_application` app role.
@@ -274,7 +276,6 @@ public class TodoListController : ApiController
     }
 ```
 
-
 Instead, you can use the [Authorize(Roles = "access_as_application")] attributes on the controller or an action (or a razor page).
 
 ```CSharp
@@ -327,7 +328,6 @@ private void ValidateAppRole(string appRole)
 For a full version of `ValidateAppRole` for ASP.NET Core, see [_RolesRequiredHttpContextExtensions.cs_](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/Resource/RolesRequiredHttpContextExtensions.cs) code.
 
 ---
-
 ### Verify app roles in APIs called on behalf of users
 
 Users can also use roles claims in user assignment patterns, as shown in [How to add app roles in your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md). If the roles are assignable to both, checking roles will let apps sign in as users and users sign in as apps. We recommend that you declare different roles for users and apps to prevent this confusion.
@@ -376,3 +376,4 @@ If you set `AllowWebApiToBeAuthorizedByACL` to true, this is **your responsibili
 
 Move on to the next article in this scenario,
 [Move to production](scenario-protected-web-api-production.md).
+
