We are currently using PingFederate as CAS and Microsoft Azure Entra ID as IDP. We want to switch and only use Azure Entra ID as both CAS and IDP. We are able to authenticate users using Entra ID in ThingWorx, but now we want to do API communication between ThingWorx and SAP.
We did an API configuration in Entra ID and are able to generate a token. Now token requests to ThingWorx REST endpoints using OAuth 2.0 access tokens (JWTs) from Azure are returning 401 Unauthorized errors. Token validation appears to fail, and ThingWorx logs show errors related to authentication failure and SSO component issues.
JWT Token & resource setting file:
Unable to figure out why it is failing. In the logs I don't find much information.
2025-12-01 12:53:58.921+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-443-exec-4] Could not handle request
2025-12-01 12:53:58.922+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-443-exec-4] errorMessage: [Unauthorized], statusCode: [401]
2025-12-01 12:53:58.922+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-443-exec-4] [ null ]
2025-12-01 13:01:04.267+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ???] [S: ] [P: ] [T: https-openssl-nio-443-exec-4] [ Failed to utilize the SSO component for authentication ][ null ]
I see you have now opened a case and are working with my colleague Aayushi.
We will be following up with next steps shortly.
-Tyler
