。NET标准4.7.2 Azure承载令牌授权

我有一个.NET MVC5 / API应用程序，该应用程序通过Azure通过OWIN对用户进行身份验证。本身就很棒。用户使用其Azure AD帐户登录没有问题。我还需要授权从同一AD Azure域进行身份验证的用户，才能从其他应用程序访问此API。 IE客户端应用程序（已具有Azure授权用户）->此服务器应用程序。我的开发客户端是一个使用MSAL模块的Angular应用程序，它确实在其请求中将天蓝色的承载令牌传递给了我的.NET API应用程序（在Fiddler中可见）。但是，响应始终是重定向到microsoft.login，客户端上将其显示为CORS错误。如何配置.NET STANDARD应用程序以通过Azure在本地授权用户并接受已授权的Azure承载令牌？另外，客户端和服务器应用程序权限已在Azure中设置（正确吗？不是100％）。

我的Startup.Auth：

    public partial class Startup
{

    private static string redirectUrl = "Https://" + Settings.RootURL;
    private static string clientId = Settings.GraphClientID;
    private static string aadInstance = "https://login.microsoftonline.com/";
    private static string tenantId = Settings.GraphTenantID;
    private static string authority = aadInstance + tenantId;

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);            
        app.UseCookieAuthentication(new CookieAuthenticationOptions { CookieName = "CIM-Cookie", SlidingExpiration=true });
        app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Sets the ClientId, authority, RedirectUri as obtained from Settings.json
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUrl,
            UseTokenLifetime = false, //set to false to manage session with the cookie middleware
            PostLogoutRedirectUri = redirectUrl,
            Scope = OpenIdConnectScope.OpenIdProfile,

            // ResponseType is set to request the id_token - which contains basic information about the signed-in user
            ResponseType = OpenIdConnectResponseType.IdToken,
            //SignInAsAuthenticationType="Cookies",

            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false,
                RoleClaimType = "groups",
                NameClaimType = "name",
            },

            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed,
                SecurityTokenValidated = (context) =>
                {
                    var identity = context.AuthenticationTicket.Identity;
                    var emailClaim = identity.Claims.Where(r => r.Type == ClaimTypes.Name).FirstOrDefault();
                    identity.AddClaim(emailClaim);
                    return Task.FromResult(0);
                }
            }
        });
    }
    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        context.HandleResponse();
        context.Response.Redirect("/?errormessage=" + context.Exception.Message);
        return Task.FromResult(0);
    }
}