You are unable to access the OData API with an AAD account, and a 401 Unauthorized error message appears.
In this case there were two security labels, AAD and K2SQL. The K2SQL label was set as the default in the HostServer.SecurityLabel table in the K2 database, and Basic authentication was enabled on the OData API.
To resolve this, do the following:
1. Disable Basic Authentication for the OData API in IIS.
2. In the OData API's web.config (\K2\WebServices\API\SmartObjectService.OData\web.config), add the DefaultSecurityLabel key, pointing to AAD:
<add key="DefaultSecurityLabel" value="AAD" />
3. Set up AAD consent as described here:
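
Separately from the consent setup, steps 1 and 2 can be verified (and, with -Fix, applied) with a script such as the following. This is an added example, not K2 tooling or part of the original article; the $WebConfig and $IisLocation parameters are placeholders for your own install path and IIS site/application name, which the article does not give.

```powershell
# Added example: audit (and with -Fix, apply) steps 1 and 2 of this article.
# $WebConfig and $IisLocation are placeholders for your environment.
param(
    [Parameter(Mandatory)] [string] $WebConfig,    # full path to SmartObjectService.OData\web.config
    [Parameter(Mandatory)] [string] $IisLocation,  # IIS "Site/Application" path of the OData API
    [switch] $Fix                                  # without -Fix the script only reports
)
Import-Module WebAdministration
$WebConfig = (Resolve-Path -LiteralPath $WebConfig).Path

# Step 1: Basic authentication must be off for the OData application.
$filter = 'system.webServer/security/authentication/basicAuthentication'
$basic = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisLocation `
          -Filter $filter -Name enabled).Value
if ($Fix -and $basic) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisLocation `
        -Filter $filter -Name enabled -Value $false
    $basic = $false
}

# Step 2: DefaultSecurityLabel in appSettings must be AAD.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($WebConfig)
$app = $xml.SelectSingleNode('/configuration/appSettings')
if ($null -eq $app) { throw "No <appSettings> element in $WebConfig" }
$node = $app.SelectSingleNode("add[@key='DefaultSecurityLabel']")
$label = if ($null -ne $node) { $node.GetAttribute('value') } else { $null }
if ($Fix -and $label -ne 'AAD') {
    # Keep a backup before rewriting the file.
    Copy-Item -LiteralPath $WebConfig -Destination "$WebConfig.bak" -Force
    if ($null -eq $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', 'DefaultSecurityLabel')
        [void]$app.AppendChild($node)
    }
    $node.SetAttribute('value', 'AAD')
    $xml.Save($WebConfig)
    $label = 'AAD'
}

# Summary: Compliant is true only when Basic auth is off and the label is AAD.
[pscustomobject]@{
    BasicAuthEnabled     = [bool]$basic
    DefaultSecurityLabel = $label
    Compliant            = (-not $basic) -and ($label -eq 'AAD')
}
```

Run it from an elevated PowerShell session on the server hosting the OData API. Saving web.config restarts the web application, so apply -Fix in a maintenance window.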