API Security with ASP.NET Core 5.0 and Azure AD for Dummies

This post is part of a larger blog series.

Authentication vs authorization

It’s important to understand the difference between these two concepts:


Authentication is the process of determining whether API consumers are who they claim to be.

Within Azure Active Directory, there are different ways to authenticate:

  • Users: username + password, preferably combined with MFA, …
  • Applications: client id + secret, client id + certificate, managed identity, …

As a result of these authentication mechanisms, Azure AD issues signed access tokens (JWTs) with a limited lifetime. The API must verify these tokens before it trusts the identity of the consumer presenting them.


Authorization is the process of determining what API consumers are allowed to access.

With Azure Active Directory, these are the three main options:

  • Access control list
  • Delegated permissions
  • Application roles

These options are explored further in the next parts. Custom authorization schemes are also possible, usually implemented for a specific business context; they are out of scope for this series.
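To make the two halves concrete, here is an ASP.NET Core 5.0 Startup that first validates Azure AD access tokens (the verification step from the authentication section) and then expresses the three authorization options above as named policies. This is an added example, not code from the blog series; it assumes the Microsoft.Identity.Web package, a standard "AzureAd" configuration section, a hypothetical "AllowedClientIds" array in configuration for the access control list, and placeholder scope and role names ("Orders.Read", "Orders.Reader").

```csharp
// Added example (not from the blog): token validation plus the three
// Azure AD authorization options as ASP.NET Core policies.
// "AllowedClientIds", "Orders.Read" and "Orders.Reader" are placeholders.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Authentication: Microsoft.Identity.Web reads the "AzureAd" section
        // (Instance, TenantId, ClientId) and validates each bearer token's
        // signature, issuer, audience and expiry against the tenant's
        // OpenID Connect metadata. Requests with an invalid token never
        // reach the authorization policies below.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));

        // Hypothetical configuration section listing the client ids that the
        // access control list admits.
        string[] allowedClients =
            Configuration.GetSection("AllowedClientIds").Get<string[]>() ?? Array.Empty<string>();

        services.AddAuthorization(options =>
        {
            // 1. Access control list: the calling application's client id
            //    ("appid" in v1.0 tokens, "azp" in v2.0 tokens) must be listed.
            options.AddPolicy("KnownClient", policy =>
                policy.RequireAssertion(ctx =>
                {
                    string caller = ctx.User.FindFirst("appid")?.Value
                                 ?? ctx.User.FindFirst("azp")?.Value;
                    return caller != null
                        && allowedClients.Contains(caller, StringComparer.OrdinalIgnoreCase);
                }));

            // 2. Delegated permissions: a signed-in user acting through a client
            //    app; the granted scopes arrive space-separated in the "scp" claim.
            options.AddPolicy("OrdersReadScope", policy =>
                policy.RequireAssertion(ctx => HasScope(ctx.User, "Orders.Read")));

            // 3. Application roles: a role assigned to the calling application
            //    (or user) in Azure AD, emitted in the "roles" claim.
            options.AddPolicy("OrdersReaderRole", policy =>
                policy.RequireAssertion(ctx => HasRole(ctx.User, "Orders.Reader")));
        });

        services.AddControllers();
    }

    // Depending on inbound claim mapping the scope claim may appear under its
    // raw name or the mapped URI; accept both and split on whitespace.
    private static bool HasScope(ClaimsPrincipal user, string scope) =>
        user.Claims
            .Where(c => c.Type == "scp"
                     || c.Type == "http://schemas.microsoft.com/identity/claims/scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(scope, StringComparer.Ordinal);

    private static bool HasRole(ClaimsPrincipal user, string role) =>
        user.Claims.Any(c => (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == role);

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseAuthentication();   // verifies the token and builds the ClaimsPrincipal
        app.UseAuthorization();    // evaluates the policies declared above
        // Every endpoint must pass the access control list; individual actions
        // add a scope or role requirement on top.
        app.UseEndpoints(endpoints =>
            endpoints.MapControllers().RequireAuthorization("KnownClient"));
    }
}

[ApiController, Route("api/orders")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "OrdersReadScope")]   // delegated permission path
    public IActionResult GetOrders() => Ok(new[] { "order-1", "order-2" });

    [HttpGet("report")]
    [Authorize(Policy = "OrdersReaderRole")]  // application role path (daemons)
    public IActionResult GetReport() => Ok("nightly report");
}
```

The split between `HasScope` and `HasRole` mirrors the distinction in the post: a delegated token carries what the user consented to in `scp`, while an application token carries what an administrator assigned in `roles`; an API that accepts both kinds of caller should check the claim that matches the flow rather than treating them interchangeably.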



Your Azure Coach specializes in organizing Azure trainings infused with real-life experience. All our coaches are active consultants who are passionate about sharing their Azure expertise with you.