Azure Active Directory Daemon Client using certificates

I watched official authentication in Azure AD in certificate applications for Azure Active Directory on GitHub. The web API service does not seem to know about the client at all.

• You are not prompted to log into Azure and add permissions for the daemon client to access the web API using the "Permissions for Other Applications" section.
• The actions of the Web API controller do not check the caller’s requirements to ensure that this is a client application. This one has this code, although I don't quite understand:

public IEnumerable Get ()
{
    //
    // The Scope claim tells you what permissions the client application has in the service.
    // In this case we look for a scope value of user_impersonation, or full access to the service as the user.
    //
    Claim scopeClaim = ClaimsPrincipal.Current.FindFirst ("http://schemas.microsoft.com/identity/claims/scope");
    if (scopeClaim! = null)
    {
        if (scopeClaim.Value! = "user_impersonation")
        {
            throw new HttpResponseException (new HttpResponseMessage {StatusCode = HttpStatusCode.Unauthorized, ReasonPhrase = "The Scope claim does not contain 'user_impersonation' or scope claim not found"});
        }
    }

    // A user To Do list is keyed off of the NameIdentifier claim, which contains an immutable, unique identifier for the user.
    Claim subject = ClaimsPrincipal.Current.FindFirst (ClaimTypes.NameIdentifier);

    return from todo in todoBag
           where todo.Owner == subject.Value
           select todo;
}

I correctly understood that any client registered in my Azure AD can access the web API, since this sample is configured.