How to authenticate app from B2C tenant so it can talk to the app on Entra Id tenant

Piotr Buda 0 Reputation points
2024-04-15T00:43:39.25+00:00

I am trying to handle communication between two web applications (Blazor Server) and a Web Api (ASP.NET). The Api has access to the Database and resides on the Entra Id tenant. WebApp 1 is used by internal users only and has authentication via Entra Id, and its app registration resides on the Entra Id tenant. WebApp 2 is used by external B2C users, and its app registration is on the B2C tenant. How should I set it up on Azure so both WebApp 1 (Entra Id) and WebApp 2 (B2C) can have access to the WebApi?

I have tried multitenant app registrations but can't make the Entra Id app registrations visible in the B2C tenant - therefore it is impossible to expose the API of the app reg from the Entra Id tenant to the app reg on the B2C tenant.

How should I approach it?

Microsoft Entra ID

1 answer

  1. James Hamil 24,746 Reputation points Microsoft Employee
    2024-04-15T19:01:40.3333333+00:00

    Hi @Piotr Buda , here's a high-level overview of how you can achieve this. Please let me know if I misunderstood your ask or if you have any questions.

    1. Register the WebApi app on the Entra Id tenant and grant permissions to the app registrations of both WebApp 1 and WebApp 2. This will allow both apps to call the WebApi.
    2. Register WebApp 1 on the Entra Id tenant and configure it to use Entra Id authentication.
    3. Register WebApp 2 on the B2C tenant and configure it to use B2C authentication.
    4. Configure the Entra Id tenant to trust the B2C tenant by adding it as an external identity provider. This will allow B2C users to authenticate with Entra Id tenant.
    5. In your WebApp 2, use the OAuth 2.0 client credentials grant flow to authenticate with the WebApi on Entra Id tenant. This flow allows your app to use its own credentials to authenticate when calling the WebApi, instead of impersonating a user.
    6. In your WebApp 1, use the OAuth 2.0 authorization code flow to authenticate with the WebApi on Entra Id tenant. This flow allows your app to obtain an access token on behalf of the user and use it to call the WebApi.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

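The API-side configuration implied by step 1 of the answer, as an added example that is not code from the question or the answer: an ASP.NET Core Web API using Microsoft.Identity.Web that accepts bearer tokens from both the Entra ID tenant and the B2C tenant, and authorizes either a delegated-scope token (authorization code flow, step 6) or an app-role token (client credentials flow, step 5). The configuration section names, the "B2C" scheme name, the scope "access_as_user" and the app role "Data.Read.All" are hypothetical. It assumes the API has its own app registration in each tenant, because the audience Microsoft.Identity.Web validates for a scheme is the ClientId of that scheme's configuration section.

```csharp
// Program.cs of the Web API (example added here, not from the question or answer).
// Hypothetical config sections "EntraId" and "B2C", scheme name "B2C",
// delegated scope "access_as_user" and app role "Data.Read.All".
// Expected appsettings keys:
//   EntraId: Instance, TenantId, ClientId                       (API app reg in the workforce tenant)
//   B2C:     Instance, Domain, ClientId, SignUpSignInPolicyId   (API app reg in the B2C tenant)
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// One JWT bearer scheme per issuer. Each scheme fetches its own OpenID metadata and
// signing keys and validates signature, issuer, audience (= that section's ClientId) and lifetime.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("EntraId"),
                                JwtBearerDefaults.AuthenticationScheme);
builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("B2C"), "B2C");

builder.Services.AddAuthorization(options =>
{
    // Authenticate against both schemes; whichever issuer signed the token wins.
    var policy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme, "B2C")
        .RequireAuthenticatedUser()
        // Delegated tokens (authorization code flow) carry "scp"; app-only tokens
        // (client credentials) carry "roles". A token with neither is validly signed for
        // this audience but was never consented for anything: reject it.
        .RequireAssertion(ctx => HasScopeOrAppRole(ctx.User, "access_as_user", "Data.Read.All"))
        .Build();
    options.DefaultPolicy = policy;
    options.FallbackPolicy = policy; // endpoints without [Authorize] are protected too
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/api/records", (ClaimsPrincipal user) =>
{
    // The flow that produced the token decides how to scope data access:
    // an app-only caller has no signed-in user to filter by.
    var appOnly = user.FindFirst("scp") is null
               && user.FindFirst("http://schemas.microsoft.com/identity/claims/scope") is null;
    return Results.Ok(new { issuer = user.FindFirst("iss")?.Value, appOnly });
}).RequireAuthorization();

app.Run();

static bool HasScopeOrAppRole(ClaimsPrincipal user, string scope, string appRole)
{
    // "scp" is one space-separated string; the JWT handler may remap it to the long URI form.
    var scp = user.FindFirst("scp")?.Value
           ?? user.FindFirst("http://schemas.microsoft.com/identity/claims/scope")?.Value
           ?? string.Empty;
    var hasScope = scp.Split(' ', StringSplitOptions.RemoveEmptyEntries).Contains(scope);

    // App roles arrive one per "roles" claim, possibly remapped to ClaimTypes.Role.
    var hasRole = user.FindAll("roles").Concat(user.FindAll(ClaimTypes.Role))
                      .Any(c => c.Value == appRole);
    return hasScope || hasRole;
}
```

Each client then requests a token from its own authority: WebApp 1 asks the Entra ID tenant for the scope the API's workforce-tenant registration exposes, and WebApp 2 asks the B2C tenant for the scope the API's B2C-side registration exposes. A client credentials caller obtains the app role from the tenant where the API registration that defines the role lives, and the API sees it in "roles" rather than "scp".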
