Channel: Azure Active Directory forum

Strange behaviour: AADv2.0 web application accessing AADv1.0 web api


Here is the setup we have. There is a web API registered in AADv1.0. There is also a web application registered in AADv1.0 and the aforementioned web API is added to its required permissions list. This works fine and the API is successfully called from the web application's back end.

Now, we are exploring the AADv2.0 endpoint so in that regard we used the preview experience for app registrations and registered a web application in AADv2.0. The only API permission added for this web application is the "Microsoft Graph: User.Read" permission. However the weird and unexpected thing is that this new AADv2.0 web application can also successfully call the AADv1.0 web API.

Can somebody explain how that is possible? Does that mean that any web application we register in AADv2.0 automatically gains access to all our web APIs?

I expected that an explicit addition to the API permissions list is needed: "click add a permission" >> "select APIs my organization uses" >> "select an API from the list" >> "enable permissions" >> "click add permissions". What am I missing here?

