Hi @JAL ,
Thanks for reaching out and updating us on your queries.
I understand that you are trying to call an API from your SPA client application.
Could you please confirm why you are using the On-Behalf-Of flow in this scenario? The On-Behalf-Of flow is required when an API receives the access token from the client application and needs to get an access token for a downstream web API.
In this scenario you can use the authorization code flow to get the access token for your API.
Also, your understanding is correct here: as your users are in different organizations, you need to register your application as a multi-tenant application.
For the user from another tenant to access your application, your application's service principal needs to be present in that tenant.
Suppose your application is registered in tenant A and users from tenant B want to access the application. Then
Now make sure to login with the user of tenant B using common endpoint as:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client-id of Tenant A}&response_type=code&redirect_uri={redirect URI registered in Tenant A API}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345 which will ask for the user's consent.
Once consent has been provided, the service principal gets registered in Tenant B to access the application registered in Tenant A.
If you are calling a middle-tier web API to call a downstream web API, then the user must grant the middle tier permission to do so in the form of consent. Because the middle tier has no interactive UI of its own, you need to explicitly bind the client app registration in Azure AD with the registration for the web API.
You can do so by adding the "Client ID" of the client app to the manifest of the web API in the knownClientApplications property.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.
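As an added illustration (example code, not part of the answer above and not Microsoft's own code), the following Python builds the `common`-endpoint authorization request the answer describes, adds PKCE (S256) and a `state` value as a SPA should, checks the `state` on the fragment-mode callback before trusting the returned code, and shows the `knownClientApplications` manifest edit for the middle-tier API. The client ID, redirect URI and callback values are constructed placeholders; the PKCE test vector used in the test is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import os
from urllib.parse import urlencode, urlparse, parse_qs, quote

# Common endpoint: lets a user from any tenant (e.g. Tenant B) sign in to an app
# registered in Tenant A, which triggers the consent prompt described above.
COMMON_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method.

    A fresh random verifier is generated unless one is supplied (tests only).
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """Build the authorization-code request against the common endpoint.

    Parameters mirror the URL in the answer; code_challenge/_method are the PKCE
    additions a public SPA client should always send (no client secret exists).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # Percent-encode everything (spaces as %20, slashes as %2F) like the answer's URL.
    encode_all = lambda s, safe, enc, err: quote(s, safe="", encoding=enc, errors=err)
    return COMMON_AUTHORIZE + "?" + urlencode(params, quote_via=encode_all)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from a response_mode=fragment redirect.

    Rejects the response if the state does not match the one we issued (CSRF /
    mix-up protection) or if the authorization server returned an error.
    """
    fragment = urlparse(callback_url).fragment
    values = {k: v[0] for k, v in parse_qs(fragment).items()}
    if values.get("state") != expected_state:
        raise ValueError("state mismatch: response was not issued for this request")
    if "error" in values:
        raise ValueError(f"authorization failed: {values['error']}: "
                         f"{values.get('error_description', '')}")
    if "code" not in values:
        raise ValueError("no authorization code in callback")
    return values["code"]


def add_known_client(api_manifest, client_app_id):
    """Bind the client app to the middle-tier API's manifest (knownClientApplications).

    api_manifest is the parsed JSON manifest of the web API registration.
    """
    known = api_manifest.setdefault("knownClientApplications", [])
    if client_app_id not in known:
        known.append(client_app_id)
    return api_manifest


if __name__ == "__main__":
    # Constructed placeholder values, not real registrations.
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "https://spa.example.test/callback"
    state = base64.urlsafe_b64encode(os.urandom(16)).rstrip(b"=").decode("ascii")
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(client_id, redirect_uri,
                              "openid offline_access https://graph.microsoft.com/.default",
                              state, challenge))
```

The SPA keeps `verifier` and `state` in session storage until the redirect returns; `verifier` is then sent with the code to the token endpoint, and the code is only redeemed after `parse_callback` confirms the `state`.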