Imagine you have an application with authentication enabled. The easiest way to enable AAD in your application is to use a connected service.
Once you activate authentication, the application can only be accessed after logging on. This is fine, but if you have a REST service (controller) that does not need authentication, you might get confused when looking for a solution.
Typically, when implementing REST APIs (not an ASP.NET application), the authorize attribute is used on operations and controllers:
[Authorize]
In ASP.NET Core applications this attribute is not even necessary. Authentication is activated globally by default.
To exclude a controller from the authentication process, you can use the allow anonymous attribute:
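using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Excluded from authentication: reachable without logging on.
[AllowAnonymous]
public class AnonymousController : ControllerBase
{
}

// Authentication required explicitly.
[Authorize]
public class RequiresAuthController1 : ControllerBase
{
}

// No attribute: authentication is activated by default.
public class RequiresAuthController2 : ControllerBase
{
}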
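
With authentication activated globally, the controllers and actions marked [AllowAnonymous] are the only ones reachable without logging on. The following is an added example, not code from the original post: a reflection audit that lists every such opt-out and compares it with an expected allowlist, suitable for a unit test or a startup check. The names AnonymousSurfaceAudit, FindAnonymous and FindUnexpected are hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example (hypothetical helper): audits which controllers and actions
// opt out of the globally activated authentication via [AllowAnonymous].
public static class AnonymousSurfaceAudit
{
    // Returns "Controller" for a class-level opt-out and
    // "Controller.Action" for an action-level opt-out.
    public static IReadOnlyList<string> FindAnonymous(Assembly assembly)
    {
        var found = new List<string>();
        var controllers = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract
                        && typeof(ControllerBase).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            // inherit: true also catches the attribute on a base controller.
            if (controller.IsDefined(typeof(AllowAnonymousAttribute), inherit: true))
            {
                // Class-level opt-out: report the whole controller.
                found.Add(controller.Name);
                continue;
            }

            // Otherwise report only the individual actions that opt out.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => m.IsDefined(typeof(AllowAnonymousAttribute), inherit: true));
            found.AddRange(actions.Select(a => $"{controller.Name}.{a.Name}"));
        }
        return found;
    }

    // Returns every opt-out that is not on the reviewed allowlist.
    public static IReadOnlyList<string> FindUnexpected(
        Assembly assembly, ISet<string> allowlist)
    {
        return FindAnonymous(assembly)
            .Where(name => !allowlist.Contains(name))
            .ToList();
    }
}
```

For the three controllers above, FindAnonymous returns only AnonymousController, so an allowlist containing that one name makes FindUnexpected return an empty list.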