Imageine you have an application with enabled authentication. Most easier way to enable AAD in your application is using a connected service.

Once you activate the authentication, the access to application is only via log-on possible. This is ok, but if you have some REST service (controller), which does not need the authentication, you might get confused when looking for a solution.
Typically, when implementing the REST APIs (not a ASP.NET application) the authorize attribute is used on operations and controllers:
[Authorize]
In ASP.NET Core applications this attribute is even not necessary. The authentication is by default globally activated.
To exclude the controller from authentication process you can use
the allow anonymous attribute:
 [AllowAnonymous]
 public class AnonymousController : ControllerBase
 {
 }
 
 [Authorize]
 public class RequiresAuthController1 : ControllerBase
 {
 }
 
 // Authorized activated by default.
 public class RequiresAuthController2 : ControllerBase
 {
 }