I have an ASP.NET Core MVC web app with Identity UI on Razor pages where user can sign in, and it shows the user information.

I also have controllers which different other apps can call different endpoints on to get data. It’s working fine for ADAL packages where it requires user to sign in to see the Razor pages and protect the APIs when any other calls the endpoint without JWT.

I am upgrading to MSAL, and here is my code for startup.cs:

public class Startup(IConfiguration configuration)
{
    public IConfiguration Configuration { get; } = configuration;

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();

        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
            options.HandleSameSiteCookieCompatibility();
        });

        services.AddOptions();

        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                Configuration.Bind("AzureAd", options);
            })
            .AddMicrosoftIdentityWebApp(microsoftIdentityOptions =>
            {
                Configuration.Bind("AzureAd", microsoftIdentityOptions);
            })
            .EnableTokenAcquisitionToCallDownstreamApi(confidentialClientApplicationOptions =>
            {
                Configuration.Bind("AzureAd", confidentialClientApplicationOptions);
            })
            .AddInMemoryTokenCaches();

        IdentityModelEventSource.ShowPII = true;

        services.AddControllersWithViews(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        }).AddMicrosoftIdentityUI();

        services.AddRazorPages();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        //app.UseCookiePolicy();

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
            endpoints.MapRazorPages();
        });
    }
}

Razor pages are protected with this and user needs to sign in, but the API endpoints are not working when another application calls the endpoint with a valid JWT token, I get this error

Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:
Information: Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

But when the same Get URL is opened in browser it works fine.

Can someone point me to where I am missing some stuff?