Merge pull request #203571 from nickludwig/patch-4

PRMerger3 · web-flow · commit 6d13218cfd4b · 2022-07-27T16:58:38.000-07:00
update guidance for validating appid/azp
diff --git a/articles/active-directory/develop/access-tokens.md b/articles/active-directory/develop/access-tokens.md
@@ -269,7 +269,9 @@ Don't use mutable, human-readable identifiers like `email` or `upn` for uniquely
 
 #### Validate application sign-in
 
-Use the `scp` claim to validate that the user has granted the calling application permission to call the API. Ensure the calling client is allowed to call the API using the `appid` claim.
+* Use the `scp` claim to validate that the user has granted the calling app permission to call your API.
+* Ensure the calling client is allowed to call your API using the `appid` claim (for v1.0 tokens) or the `azp` claim (for v2.0 tokens).
+    * You only need to validate these claims (`appid`, `azp`) if you want to restrict your web API to be called only by pre-determined applications (e.g., line-of-business applications or web APIs called by well-known frontends). APIs intended to allow access from any calling application do not need to validate these claims.
 
 ## User and application tokens
 
