How to call an Azure AD protected API from an Azure AD B2C protected API and vice versa?

Hassan Zaidi 0 Reputation points
2023-06-07T09:41:01.72+00:00

I have two APIs: API A and API B. We also have client apps SPA A and SPA B which communicate with API A and API B respectively. I now want to configure communication between API A and API B.

API A is registered as an application in Azure AD B2C. Only authenticated users can access this API, and they therefore must have a JWT token to call this API. AD B2C is used for authentication here and is the provider for the JWT tokens.

API B is registered as an application in Azure AD. Again, we have authenticated users that can only access this API.

I want to provide application permissions to both APIs for one another so that they can communicate with one another.

I understand this is in some ways cross-tenant communication, and one solution that came to mind was having two app registrations for each app, one in each tenant. I need two app registrations per app because API A and API B both manipulate their individual tenants using the Graph API.

With these two app registrations for each app, whenever API A wants to communicate with API B it would use the app registration registered in Azure AD. Whenever API A wants to communicate with the Graph API it would use its app registration registered in Azure AD B2C. The same kind of thing would go for API B wanting to communicate with API A.

A few issues with the above idea that I had:

  • AD B2C does not do service-to-service communication, i.e., it will only allow delegated permissions. This means that for API B to communicate with API A it needs to have a logged-in user. This is not possible in my scenario; alternatives here are welcome.
  • API B (registered in Azure AD) makes use of Easy Auth (I don't think that is really a problem, but I just wanted to highlight it here) (and also it isn't called Easy Auth anymore, if anyone was wondering).

What is the best way I can approach the above-mentioned issue, so that I have the least amount of friction when communicating from one API to another? Also, the above sounds to me a little too arduous and complicated for such a simple scenario, so any other alternative methods to enable communication between my two APIs are welcome.


1 answer

  1. James Hamil 22,081 Reputation points Microsoft Employee
    2023-06-08T23:21:35.8933333+00:00

    Hi @Hassan Zaidi, thanks for the question. Have you looked into using the OAuth 2.0 client credentials flow? This flow allows service-to-service communication without the need for a logged-in user.

    Azure AD B2C doesn't support service-to-service communication using the on-behalf-of flow, but the client credentials flow should work for your scenario.

    Let me know if this looks good for your issues and I can give you a more detailed writeup.

    Best,

    James

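An added example (not part of the question or the answer above) of the two halves of the client credentials flow the answer recommends: the app-only token request to the Microsoft identity platform v2.0 endpoint, and the authorization check the called API should run on such a token. App-only tokens carry a `roles` claim and no `scp` claim, so an API that only inspects `scp` will mishandle them. Tenant, client and API identifiers are placeholders, the sample token is constructed inline and unsigned, and signature validation against the tenant's signing keys is assumed to happen before the check shown here.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholders: substitute your own tenant ID, caller client ID and target API app ID URI.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<caller-client-id>"
API_APP_ID_URI = "api://<target-api-app-id>"


def client_credentials_request(tenant_id, client_id, client_secret, api_app_id_uri):
    """Build the OAuth 2.0 client credentials request (app-only, no signed-in user)
    for the Microsoft identity platform v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # /.default requests every application permission already granted to the caller
        "scope": f"{api_app_id_uri}/.default",
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def authorize_app_token(jwt, expected_audience, expected_issuer, required_role):
    """Authorization check for the called API, to run AFTER the signature has been
    verified. Rejects tokens for another audience or issuer, rejects delegated
    (user) tokens, which carry `scp`, and requires the app role granted to the caller."""
    claims = json.loads(_b64url_decode(jwt.split(".")[1]))
    if claims.get("aud") != expected_audience or claims.get("iss") != expected_issuer:
        return False
    if "scp" in claims:  # delegated token: a user is present, so this is not a service call
        return False
    return required_role in claims.get("roles", [])


def constructed_jwt(payload):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"
```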