Tags: azure, jwt, azure-active-directory, dynamics-crm

How to fetch Azure ID Token to use for authorization within webapi?


We are about to run D365 CRM in Azure and now we are trying to find out how to authorize a call to our on-prem API.

The scenario, simplified: a user is saving an annotation in D365 CRM, and when that happens we also want to make a call to our on-prem API.

We want to make the call using the Azure ID Token (to be specific, NOT the Access Token). This is to authorize the user when accessing the API.

Is it possible to get the ID Token and send that with the call? We have so far only managed to pick up the Access Token, which is not good enough. How should we go about retrieving the ID Token?


Solution

  • You are mixing fundamental concepts of OAuth / OpenID Connect. You must use an access_token when calling an API. The purpose of the id_token is not to make authorization decisions in an API, but to obtain basic information about the user in the client app.

    You can find a really well-formulated and compact article on the subject here.

    When you have the access_token, and it is the proper one, it includes all the information you need:

    • Which is the calling application
    • Who is the acting end user
    • What authorizations (application roles or scopes) are granted

    Any additional information (that could be part of the id_token) can be obtained using the Microsoft Graph on the back-end side of your API.

    Here are some more references that will be helpful:

    Pay attention to the claims references in both token types.
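To make the answer's point concrete, here is an added example (not code from the answer, the question, or any Microsoft library) of what the on-prem API would do with the bearer token it receives: verify the signature, issuer and lifetime, check that the audience is the API's own identifier, and then read the three facts the answer lists (calling app from azp/appid, acting user from oid/preferred_username, granted permissions from scp/roles). An id_token for the same user fails the audience check, because its aud is the client application's id and it carries no scp or roles. All tenant, client and user identifiers below are constructed placeholders, and the token is HS256-signed with a demo secret so the example runs offline; real Azure AD tokens are RS256-signed and a real API verifies them against the tenant's published JWKS keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values for this demo (not from the question or any real tenant).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
API_APP_ID_URI = "api://onprem-api"                      # the identifier the API is registered under
CRM_CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # the client app (D365 side)
ISSUER = "https://login.microsoftonline.com/%s/v2.0" % TENANT_ID
DEMO_SECRET = b"demo-only-shared-secret"                  # stands in for the tenant signing key


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_demo_token(claims):
    """Build an HS256 JWT for the demo only. Real Azure AD tokens are RS256-signed
    and must be verified against the tenant's JWKS keys, not a shared secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "%s.%s" % (_b64url_encode(json.dumps(header).encode()),
                               _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url_encode(sig))


def authorize_api_call(token, required_scope, now=None):
    """Validate a bearer token the way the on-prem API should and return the
    facts the answer lists: calling app, acting user, granted permissions.
    Raises PermissionError with the reason when the token must be rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Signature: the token must have been issued under the tenant's signing key.
    expected = hmac.new(DEMO_SECRET, ("%s.%s" % (header_b64, payload_b64)).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # 2. Issuer and lifetime.
    if claims.get("iss") != ISSUER:
        raise PermissionError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")

    # 3. Audience: an access token for this API carries the API's own identifier.
    #    An id_token's aud is the client app id, so it is rejected here by design.
    if claims.get("aud") != API_APP_ID_URI:
        raise PermissionError("token not issued for this API (aud=%r)" % claims.get("aud"))

    # 4. Permissions: delegated scopes live in 'scp', application roles in 'roles'.
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if required_scope not in scopes and required_scope not in roles:
        raise PermissionError("missing permission %r" % required_scope)

    return {
        "calling_app": claims.get("azp") or claims.get("appid"),
        "user_object_id": claims.get("oid"),
        "user_name": claims.get("preferred_username"),
        "scopes": scopes,
        "roles": roles,
    }


def demo():
    """Accept a proper access token and reject an id_token for the same user."""
    now = 1700000000
    user = {"oid": "22222222-2222-2222-2222-222222222222",
            "preferred_username": "alice@example.com"}   # constructed user
    access_token = mint_demo_token(dict(iss=ISSUER, aud=API_APP_ID_URI, azp=CRM_CLIENT_ID,
                                        exp=now + 3600, scp="Annotations.Write", **user))
    id_token = mint_demo_token(dict(iss=ISSUER, aud=CRM_CLIENT_ID, exp=now + 3600,
                                    nonce="n-1", **user))
    context = authorize_api_call(access_token, "Annotations.Write", now=now)
    try:
        authorize_api_call(id_token, "Annotations.Write", now=now)
        rejection = "not rejected"
    except PermissionError as err:
        rejection = str(err)
    return context, rejection


if __name__ == "__main__":
    ctx, why = demo()
    print("access token accepted for", ctx["user_name"], "via app", ctx["calling_app"],
          "with scopes", sorted(ctx["scopes"]))
    print("id_token rejected:", why)
```

The order of the checks matters: signature first, so nothing in the payload is trusted before it is authenticated, then issuer and expiry, then audience, and only then the permission claims. In a real deployment the API would fetch the tenant's signing keys from the OpenID Connect metadata endpoint and cache them, rather than hold a shared secret.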