I've been working through some of the AzureAD samples that are out on GitHub to try to get acquainted with how all this stuff works (i.e. Azure AD, ADAL, OpenID Connect). I was having some problems getting the sample service code running on my machine, so I decided to just publish the service to Azure in the hope that a published app would work better. For some of the samples it did indeed work better, but for the samples that try to illustrate calling a Web API from a native client, I ran into a roadblock: I was getting an Unauthorized error when I sent a request with what looked to be a legitimate Authorization header. Just prior to throwing my keyboard at Matt Sampson, I decided to check the instructions one more time to see if there were any specific to publishing. Sure enough there were (I had of course skipped these, because if there is one area of web development in which I have a lot of experience, it is publishing).
The most important step in these instructions is:
On the Settings tab (of the publish wizard), make sure Enable Organizational Authentication is NOT selected. Click Publish.
That got rid of my authorization problem: leaving the option checked (which it was by default for this project) caused the published web.config to end up with the ida:Audience setting messed up, so the service rejected tokens the client was obtaining for the audience it expected.
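A quick way to confirm this kind of failure is to compare the `aud` claim of the bearer token the client is actually sending with the `ida:Audience` value in the deployed web.config. The following is an added diagnostic example, not code from the sample or the post; it assumes that the "messed up" setting is an audience value that no longer matches the token's `aud` claim, and the config fragments and token below are constructed sample input.

```python
import base64
import json
import xml.etree.ElementTree as ET


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Only for inspecting a token you already hold; never use this to accept one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def configured_audience(web_config_xml: str):
    """Read <appSettings><add key="ida:Audience" .../> from a web.config document."""
    root = ET.fromstring(web_config_xml)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == "ida:Audience":
            return add.get("value")
    return None  # setting missing entirely: the bearer middleware will reject every token


def audience_matches(web_config_xml: str, token: str) -> bool:
    """True when the service's ida:Audience is among the token's aud values (aud may be a list)."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return configured_audience(web_config_xml) in auds


def make_unsigned_token(claims: dict) -> str:
    """Build header.payload.signature with a dummy signature (constructed test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# --- constructed sample input; the App ID URIs are placeholders, not values from the post ---
GOOD_CONFIG = """<configuration><appSettings>
  <add key="ida:Audience" value="https://contoso.example/TodoListService" />
</appSettings></configuration>"""
# Illustrates the failure mode: the deployed config names a different audience than the client requests.
BAD_CONFIG = """<configuration><appSettings>
  <add key="ida:Audience" value="https://contoso.example/TodoListService-azurewebsites" />
</appSettings></configuration>"""
SAMPLE_TOKEN = make_unsigned_token({"aud": "https://contoso.example/TodoListService"})
```

Run `audience_matches(<deployed web.config>, <token from the client's Authorization header>)`; a `False` here explains the 401 before you start suspecting the client code.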
Hopefully this article saves you some time if you run into this. On to the next Azure AD challenge...