I have been looking at the official Azure AD authentication in a daemon application with a certificate sample for Azure Active Directory on GitHub. The Web API service does not seem to know anything about the client.
You are never told to log in to Azure and use the "Permissions to other applications" section to add a permission for the daemon client to access the Web API.
The Web API controller action does not check the caller's claims to make sure it is the client application. It does have this code, which I don't fully understand:
```csharp
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;

public class TodoItem
{
    public string Title { get; set; }
    public string Owner { get; set; }
}

[Authorize]
public class TodoListController : ApiController
{
    // In-memory store shared across requests; each item carries the NameIdentifier of the user who owns it.
    private static ConcurrentBag<TodoItem> todoBag = new ConcurrentBag<TodoItem>();

    public IEnumerable<TodoItem> Get()
    {
        // The Scope claim tells you what permissions the client application has in the service.
        // In this case we look for a scope value of user_impersonation, or full access to the service as the user.
        // Note that the check only runs when a scope claim is present at all.
        Claim scopeClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/scope");
        if (scopeClaim != null)
        {
            if (scopeClaim.Value != "user_impersonation")
            {
                throw new HttpResponseException(new HttpResponseMessage
                {
                    StatusCode = HttpStatusCode.Unauthorized,
                    ReasonPhrase = "The Scope claim does not contain 'user_impersonation' or scope claim not found"
                });
            }
        }

        // A user's To Do list is keyed off of the NameIdentifier claim, which contains an immutable, unique identifier for the user.
        Claim subject = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);
        return from todo in todoBag
               where todo.Owner == subject.Value
               select todo;
    }
}
```
Am I right in thinking that any client registered in my Azure AD can access the Web API with the way this sample is set up?
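As an added example (not code from the GitHub sample or from the question above), here is the kind of caller check the sample's `Get()` action is missing: pin the calling application by its `appid` claim and, depending on whether the token is a delegated (user) token or an app-only (daemon) token, require either the expected `scp` scope or an application role. It assumes the claim names as the ASP.NET JWT handler surfaces them (`scp` mapped to the scope URI, `roles` mapped to `ClaimTypes.Role`, `appid` left as-is); the client ids, the role name and the sample principals are constructed for illustration. It is a plain console program so it runs without a web host; in the controller you would call `IsAuthorized(ClaimsPrincipal.Current, ...)` and throw the same `HttpResponseException` on `false`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example: authorize a caller by its claims instead of accepting any token issued by the tenant.
public static class CallerAuthorization
{
    // Claim types as assumed to be surfaced by the JWT handler (scp -> scope URI, roles -> ClaimTypes.Role, appid unmapped).
    public const string ScopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";
    public const string AppIdClaimType = "appid";

    public static bool IsAuthorized(ClaimsPrincipal principal, ISet<string> allowedAppIds,
                                    string requiredScope, string requiredAppRole)
    {
        // 1. Pin the calling application: appid is the client id of the app that requested the token.
        //    Without this, any app registered in the tenant that acquires a token for this API's resource gets in.
        Claim appId = principal.FindFirst(AppIdClaimType);
        if (appId == null || !allowedAppIds.Contains(appId.Value))
            return false;

        Claim scope = principal.FindFirst(ScopeClaimType);
        if (scope != null)
        {
            // 2a. Delegated (user) token: scp is a space-separated list, so test membership rather than equality.
            string[] scopes = scope.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
            return Array.IndexOf(scopes, requiredScope) >= 0;
        }

        // 2b. App-only (daemon) token: there is no scp claim, so the sample's scope check is silently skipped.
        //     Require an application permission instead; it shows up as a role claim only after the
        //     permission has been granted to the client application.
        return principal.HasClaim(ClaimTypes.Role, requiredAppRole);
    }

    // Builds a principal with the given claims, standing in for a validated bearer token (constructed test data).
    public static ClaimsPrincipal MakePrincipal(params Claim[] claims)
    {
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
    }

    public static void Main()
    {
        // Hypothetical identifiers.
        var allowed = new HashSet<string> { "11111111-1111-1111-1111-111111111111" };
        const string unknownApp = "22222222-2222-2222-2222-222222222222";
        const string role = "TodoList.Read.All";

        ClaimsPrincipal delegated = MakePrincipal(
            new Claim(AppIdClaimType, "11111111-1111-1111-1111-111111111111"),
            new Claim(ScopeClaimType, "user_impersonation offline_access"),
            new Claim(ClaimTypes.NameIdentifier, "user-object-id"));

        ClaimsPrincipal daemonGranted = MakePrincipal(
            new Claim(AppIdClaimType, "11111111-1111-1111-1111-111111111111"),
            new Claim(ClaimTypes.Role, role));

        ClaimsPrincipal daemonNoRole = MakePrincipal(
            new Claim(AppIdClaimType, "11111111-1111-1111-1111-111111111111"));

        ClaimsPrincipal strangerApp = MakePrincipal(
            new Claim(AppIdClaimType, unknownApp),
            new Claim(ClaimTypes.Role, role));

        Console.WriteLine("delegated, right scope : " + IsAuthorized(delegated, allowed, "user_impersonation", role));   // True
        Console.WriteLine("daemon, role granted   : " + IsAuthorized(daemonGranted, allowed, "user_impersonation", role)); // True
        Console.WriteLine("daemon, no role        : " + IsAuthorized(daemonNoRole, allowed, "user_impersonation", role));  // False
        Console.WriteLine("unknown app, has role  : " + IsAuthorized(strangerApp, allowed, "user_impersonation", role));   // False
    }
}
```

The third case is the one the question is circling: with the sample's code an app-only token carries no scope claim, so the `user_impersonation` check never runs and the request falls through to the query; checking `appid` and `roles` is what actually ties the API to a specific, explicitly permitted client.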