daemon scenarios - mattchenderson/microsoft-identity-web GitHub Wiki
Microsoft.Identity.Web supports daemon scenarios, that is, a web app or web API calling a downstream API on behalf of itself (as an application) rather than on behalf of a signed-in user. To support these scenarios, your controller action uses `ITokenAcquisition.GetAccessTokenForAppAsync` or `IDownstreamWebApi.CallWebApiForAppAsync`.
```csharp
// Member of the ITokenAcquisition interface (interface members carry no access modifier or async keyword)
Task<string> GetAccessTokenForAppAsync(string scope, string? tenant = null);
```
- The value passed for the `scope` parameter should be the resource identifier (application ID URI) of the resource you want, with the `/.default` suffix appended. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. This value tells the Microsoft identity platform endpoint that, of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the consent documentation.
- The `tenant` parameter is optional and should only be used when your application needs to access resources in several known tenants. If you use this parameter, be sure to pass a tenant ID (GUID) or a domain name, but not `organizations`, `common` or `consumers`; otherwise you'll get an `ArgumentException` (IDW10405), see below.
- "IDW10405: 'tenant' parameter should be a tenant ID or domain name, not 'common', 'organizations' or 'consumers'." means that you have passed a value to the `tenant` parameter that does not uniquely describe a tenant. You need to pass in `null`, a GUID, or a domain name.
- "IDW10404: 'scope' parameter should be of the form 'AppIdUri/.default'." means that the value of the scope you passed in does not end with `/.default`. See the `scope` parameter above.
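The following controller action is an added example, not code from the wiki or from the Microsoft.Identity.Web project. It acquires an app-only token for Microsoft Graph with `GetAccessTokenForAppAsync`, optionally for a specific tenant, and surfaces the two `ArgumentException` cases described above as client errors. It assumes `ITokenAcquisition` has been registered in `Startup.cs` (via `EnableTokenAcquisitionToCallDownstreamApi` and a token cache) and that `IHttpClientFactory` is registered with `services.AddHttpClient()`; the controller name, route and Graph query are illustrative choices.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

// Added example (not from the wiki): a daemon-style action that calls Microsoft Graph
// as the application itself. Assumes ITokenAcquisition and IHttpClientFactory are
// registered in Startup.cs as described in the lead-in.
[ApiController]
[Route("api/[controller]")]
public class AppOnlyGraphController : ControllerBase
{
    // Resource application ID URI of Microsoft Graph plus the /.default suffix:
    // "issue a token carrying every application permission granted to this app for Graph".
    private const string GraphAppScope = "https://graph.microsoft.com/.default";

    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IHttpClientFactory _httpClientFactory;

    public AppOnlyGraphController(ITokenAcquisition tokenAcquisition, IHttpClientFactory httpClientFactory)
    {
        _tokenAcquisition = tokenAcquisition;
        _httpClientFactory = httpClientFactory;
    }

    // GET api/apponlygraph/users?tenant=contoso.onmicrosoft.com  (the tenant query parameter is optional)
    [HttpGet("users")]
    public async Task<IActionResult> GetUsers([FromQuery] string? tenant = null)
    {
        // An app-only token is always issued by one specific tenant, so the multi-tenant
        // aliases are rejected up front; Microsoft.Identity.Web would otherwise throw IDW10405.
        if (tenant is "common" or "organizations" or "consumers")
        {
            return BadRequest("tenant must be a tenant ID (GUID) or a domain name.");
        }

        string accessToken;
        try
        {
            // No user context: the token's permissions are the application permissions
            // consented for this app in the target tenant.
            accessToken = await _tokenAcquisition.GetAccessTokenForAppAsync(GraphAppScope, tenant);
        }
        catch (ArgumentException ex)
        {
            // IDW10404 (scope does not end with /.default) or IDW10405 (tenant alias passed)
            return BadRequest(ex.Message);
        }

        HttpClient client = _httpClientFactory.CreateClient();
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        // Illustrative Graph call; requires e.g. the User.Read.All application permission.
        using HttpResponseMessage response =
            await client.GetAsync("https://graph.microsoft.com/v1.0/users?$select=displayName&$top=5");

        if (!response.IsSuccessStatusCode)
        {
            // Typical failures: 401 if the app permission was never admin-consented in that tenant.
            return StatusCode((int)response.StatusCode);
        }

        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }
}
```

The token is cached by Microsoft.Identity.Web per application and tenant, so repeated requests do not hit the identity platform until the token nears expiry; passing a different `tenant` value yields a separate cache entry and a separate token.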
Your controller, Blazor page or Razor page will inject an `IDownstreamWebApi` instance and call:
```csharp
public Task<HttpResponseMessage> CallWebApiForAppAsync(
    string serviceName,
    Action<DownstreamWebApiOptions>? downstreamWebApiOptionsOverride = null,
    StringContent? content = null);
```
- `serviceName` is the name of the service registered in `Startup.cs` by a call to `AddDownstreamApi`.
- `downstreamWebApiOptionsOverride` accepts a delegate that enables you to override the default values passed to the underlying token acquisition interface.
- `content` is the input sent to the web API you call.
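The controller below is an added example, not code from the wiki or from the Microsoft.Identity.Web project. It shows all three parameters of `CallWebApiForAppAsync` in use: the registered service name, an options override that changes the relative path, HTTP method and tenant for this one call, and a JSON request body. It assumes a downstream API registered in `Startup.cs` under the name `"TodoApi"`, with its `BaseUrl` and a `/.default` scope supplied from configuration; the service name, route and payload shape are illustrative.

```csharp
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

// Added example (not from the wiki): calls a downstream API as the application itself
// through IDownstreamWebApi. Assumes the service "TodoApi" is registered in Startup.cs
// with BaseUrl and an app scope such as "api://<todo-api-app-id>/.default" (placeholder).
[ApiController]
[Route("api/[controller]")]
public class TodoSyncController : ControllerBase
{
    private const string ServiceName = "TodoApi"; // must match the name used at registration

    private readonly IDownstreamWebApi _downstreamWebApi;

    public TodoSyncController(IDownstreamWebApi downstreamWebApi)
    {
        _downstreamWebApi = downstreamWebApi;
    }

    // POST api/todosync/{tenant} with a JSON string body: creates a todo item in the
    // downstream API on behalf of the app, in the given tenant.
    [HttpPost("{tenant}")]
    public async Task<IActionResult> CreateForTenant(string tenant, [FromBody] string title)
    {
        if (tenant is "common" or "organizations" or "consumers")
        {
            // App-only tokens need one concrete tenant; these aliases trigger IDW10405.
            return BadRequest("tenant must be a tenant ID (GUID) or a domain name.");
        }

        // Request body forwarded unchanged to the downstream API.
        var body = new StringContent(
            JsonSerializer.Serialize(new { Title = title }),
            Encoding.UTF8,
            "application/json");

        using HttpResponseMessage response = await _downstreamWebApi.CallWebApiForAppAsync(
            ServiceName,
            options =>
            {
                // Only the values that differ from the configured defaults for "TodoApi"
                // are overridden here; BaseUrl and Scopes still come from configuration.
                options.RelativePath = "api/todolist";
                options.HttpMethod = HttpMethod.Post;
                options.Tenant = tenant;
            },
            body);

        string responseBody = await response.Content.ReadAsStringAsync();

        if (!response.IsSuccessStatusCode)
        {
            // Forward the downstream status so the caller can tell a 401/403 (missing
            // application permission or consent) from a 4xx caused by the payload.
            return StatusCode((int)response.StatusCode, responseBody);
        }

        return Ok(responseBody);
    }
}
```

With this shape, the token for the downstream API is acquired inside `CallWebApiForAppAsync` using the service's configured scope (or the override), so the controller never handles the bearer token itself.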