
Authentication of a WebAPI with Azure Active Directory


The behavior ("being redirected to the AAD sign-in page") is what you would expect for a web application such as an ASP.NET MVC web application. However, this behavior doesn't apply to ASP.NET Web API applications. A Web API (REST API) instead expects the client to present the token in the request. If you don't provide one, then the authorization filter rejects the request, which is why you are seeing an HTTP 401 response when you "navigate" to your Web API URL.

The Web API project template configures the OWIN middleware for your application to process and validate a JWT token presented by the client. Evidence of this is in the Startup.Auth.cs file in your project.


Therefore, you need to create a client application that authenticates with Azure AD to acquire the token. The client must be registered with Azure AD and given access to your Web API. Then, from the client application you can invoke the Web API using the token issued from Azure AD. For a quick read on this scenario take a look at this MSDN Magazine article. Don't let the date of the article concern you. It still applies for Visual Studio 2013 and 2015, and gives an excellent explanation of how and why this scenario works this way.

Also, for additional scenarios for authenticating and calling Web APIs, see the Azure AD Samples on GitHub.
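
The client side of the scenario described above, as an added example that is not part of the original answer: a console client that calls the Web API once without a token and once with a bearer token acquired from Azure AD. It assumes the ADAL 3.x NuGet package (Microsoft.IdentityModel.Clients.ActiveDirectory) and the client-credentials flow as one possible way to get the token; the tenant, IDs, endpoint URL and the `AAD_CLIENT_SECRET` variable name are placeholders.

```csharp
// Added example; every tenant, ID and URL value below is a placeholder (assumption).
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL 3.x

class Program
{
    const string Authority = "https://login.microsoftonline.com/<your-tenant>.onmicrosoft.com";
    // App ID URI of the Web API; must match the audience the API's OWIN middleware validates.
    const string ApiResource = "<App ID URI of the Web API>";
    const string ApiUrl = "https://localhost:44300/api/values"; // hypothetical endpoint
    const string ClientId = "<client application ID>";

    static void Main()
    {
        RunAsync().GetAwaiter().GetResult();
    }

    static async Task RunAsync()
    {
        // Keep the client secret out of source control; here it is read from the environment.
        string secret = Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET");
        if (string.IsNullOrEmpty(secret))
            throw new InvalidOperationException("Set AAD_CLIENT_SECRET before running.");

        using (var http = new HttpClient())
        {
            // 1. Call without a token: this is the request the authorization filter rejects.
            HttpResponseMessage anonymous = await http.GetAsync(ApiUrl);
            Console.WriteLine("Without token: {0}", (int)anonymous.StatusCode);

            // 2. Authenticate the registered client with Azure AD and request a token for the API.
            var context = new AuthenticationContext(Authority);
            AuthenticationResult result =
                await context.AcquireTokenAsync(ApiResource, new ClientCredential(ClientId, secret));

            // 3. Present the JWT in the Authorization header so the middleware can validate it.
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);
            HttpResponseMessage authorized = await http.GetAsync(ApiUrl);
            Console.WriteLine("With token: {0}", (int)authorized.StatusCode);
        }
    }
}
```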