Hello, for client, middle-tier and downstream API scenarios, you can use one Azure AD app registration for all of them during initial development/test. However, for production, one Azure AD app registration for each offers the best in terms of scalability, maintainability, security and governance. You can restrict different users or principals per app, apply different Conditional Access policies and token settings, create and expose specific user or app permissions/roles, and more. For example, you can create:
- An app for your client, which only allows users of a specific dynamic group and enables PKCE/SPA (no client credentials required or shared).
- An app for your middle-tier API, which exposes a user permission and will trust the client app so that consent is not required. Only clients from trusted IPs will connect using a password; others will require MFA thanks to CA policies. It can be secured with a client certificate and/or by allowing managed identities (like the ones acting on behalf of a deployed SPA in Azure).
- An app for your downstream API, which will only allow the middle-tier API to AuthN, nothing/nobody else. Only clients connecting from an Azure IP range (where the middle-tier API will be deployed) will be able to connect thanks to CA policies.
Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
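As an added example (not part of the original answer), the following Python shows how each API in the three-app design enforces "only my designated caller, only my own audience" on the access tokens it receives. It assumes token signature and JWKS verification are already done by a JWT library, and all tenant/app IDs and the `access_as_user` scope name are constructed placeholders.

```python
"""Claims policy for the three-app design (client -> middle tier -> downstream).
Signature/JWKS verification is assumed done beforehand by a JWT library; this
only enforces audience, caller and permission per API. All IDs are constructed."""
import time

TENANT_ID = "00000000-0000-0000-0000-000000000001"          # placeholder tenant
CLIENT_APP_ID = "00000000-0000-0000-0000-000000000002"      # SPA app registration
MIDDLE_TIER_APP_ID = "00000000-0000-0000-0000-000000000003"  # middle-tier API app
DOWNSTREAM_APP_ID = "00000000-0000-0000-0000-000000000004"   # downstream API app

# Azure AD issues v1 tokens from sts.windows.net and v2 tokens from login.microsoftonline.com.
VALID_ISSUERS = {
    f"https://sts.windows.net/{TENANT_ID}/",
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
}

def check_access(claims, accepted_auds, allowed_callers, required_scopes=(), now=None):
    """Return the list of policy violations; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in VALID_ISSUERS:
        problems.append("issuer")
    # 'aud' may be a string or a list; it must name THIS API's own registration,
    # so a token minted for the middle tier cannot be replayed to the downstream API.
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & set(accepted_auds):
        problems.append("audience")
    # Calling app: 'azp' in v2 tokens, 'appid' in v1 tokens.
    caller = claims.get("azp") or claims.get("appid")
    if caller not in allowed_callers:
        problems.append("caller")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        problems.append("lifetime")
    # Delegated permissions arrive as a space-separated 'scp' claim.
    if not set(required_scopes) <= set(claims.get("scp", "").split()):
        problems.append("scope")
    return problems

def middle_tier_policy(claims, now=None):
    """Middle-tier API: only the SPA client, carrying the exposed user permission."""
    return check_access(claims, {MIDDLE_TIER_APP_ID, f"api://{MIDDLE_TIER_APP_ID}"},
                        {CLIENT_APP_ID}, required_scopes=("access_as_user",), now=now)

def downstream_policy(claims, now=None):
    """Downstream API: only the middle-tier API may authenticate, nobody else."""
    return check_access(claims, {DOWNSTREAM_APP_ID, f"api://{DOWNSTREAM_APP_ID}"},
                        {MIDDLE_TIER_APP_ID}, now=now)
```

The Conditional Access and IP-range restrictions described above are enforced by Azure AD at token issuance; these checks are the complementary controls each API applies to the token it actually receives.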