This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 46%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Hi Everyone,
I followed the instructions mentioned in answer to this question to access a Web API registered in one AAD tenant (Tenant A) from another AAD tenant (Tenant B):
I tried the same process using an application registered in the B2C Tenant. I can see the service principal of the API being created in the B2C Tenant, I also added it as the permission for my B2C Application. But when I try to run my user flow, in the Access token section I do not see the API for this application.
I can provide the screenshots if required.
Any help is appreciated.
Thanks,
Varun
Hi, do you still require assistance? If not, please mark the answer as verified.
Thank you,
James
Hi James,
I haven't been able to resolve the issue, I tried all the steps mentioned in the answer below but it does not work for a B2C tenant. The user flow's error says: This scope is not supported.
Any help will be appreciated.
Thanks,
Varun
Hello @Varun · Thank you for reaching out.
This is expected. Under "Access token" section of User Flow, you will only see the applications which are registered directly under B2C tenant. However, you can manually update the "Run user flow endpoint" to include scope of Web API registered in Tenant A as mentioned below:
In the above example, I have copied "Run user flow endpoint" and updated below parameters:
Redirect_uri : Where the token will be posted.
Scope: Scopes exposed in the api registered in Tenant A. Multiple scopes can be added by using space as separator.
Response_type: Set to token for getting Access token in response. Scopes are included only in Access token as SCP claim and not in id_token.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks for helping out!
I tried to add the additional Web API scope in the 'Run user flow endpoint' URL but it's giving me an error which basically says:
The scope 'API-scope' provided in the request is not supported.
Moreover, I can't find my API scope in the user flow's openid-configuration endpoint, I can only see "opneid" in the scopes supported part of the configuration. Is there a way to add additional scopes to the user flow's configuraiton?
Thanks!
Hello @Varun · openid-configuration endpoint only list scopes for id_token which doesn't support custom scopes as I mentioned above. The response type must be set to token so that you get access token and then scope will be supported in that case. Make sure you have followed the steps provided in this thread before using the custom scope.
To see this working, You can use this link and signup using your email address. After the signup is completed, you will get access token with SCP: Read claim which is exposed on API in the other tenant.
I followed the exact procedure that you recommended but for some reason I am still getting 'Scope not supported' error, even though the permission has clearly been granted to the application and response_type is set to token.
Any thoughts?
Thanks,
Varun