I have old asp.net mvc app that uses asp.net membership to login users and issues a sign in cookie. My application needs to call an API protected by Entra ID (users themselves don’t have Entra ID accounts nor access to the API). The app server can acquire a token for the API using client credentials flow (service principal or Azure managed identity).