Hi @@Bhushan Gawale
Thanks for your time and patience throughout this issue. Please find my response inline.
Can traffic originating from within the Azure region be also considered as a potential attack on B2C infrastructure and will result in getting the IP blacklisted? E.g. if it is an Azure-hosted function app making ROPC calls to AAD B2C, would its outbound IP address be blacklisted too?
Yes, all cloud providers do have internal protections and are configured with appropriate security. If we see, one of the founding principles of Zero Trust is assumes breach and verifies each request as though it originated from an uncontrolled network. Public cloud infrastructure is constantly being used or abused to start attacks. So any traffic originating from any network is considered malicious traffic and will get IP blacklisted.
Where can we find more information about the thresholds before any IP gets blacklisted by B2C infra?
There is no fixed IP Range that can hold to for IP restrictions. ROPC supports only mobile apps running in a native operating system. Any ROPC calls from the browser will end up getting blocked.
While ROPC is a suggested strategy for B2C to B2C user migration, how does it work in that scenario, given that it is also a server-to-server ROPC call? Is it because it is controlled within Azure, with both the source and destination being AAD B2C services, that the limitation of blacklisting IP does not apply to it?
ROPC is never recommended. This is just the sample provided for ROPC call. You can’t use B2C ROPC for server to server because they will get throttled. You must use B2C client credential flow recently introduced in B2C for these server to server calls.
Hope this will help.
Please remember to "Accept Answer" if answer helped you.