Azure B2C Application call Azure AD API

Brandon Weber 6 Reputation points
2021-02-25T22:20:24.29+00:00

I also have an Azure AD tenant (Tenant 1) with an application registered that is providing authentication for a Web API in the same tenant.

I have a web application that I want to support user signup/signin and registration via Azure B2C (Tenant 2) that needs to call the Web API in Tenant 1.

I have both of these applications set up as multi-tenant. I cannot seem to figure out how to configure my applications and successfully make the call to the API.

Web App Settings:

{
  "AzureAd": {
    "Instance": "https://myb2cInstance.b2clogin.com",
    "Domain": "myb2cInstance.onmicrosoft.com",
    "ClientId": "<Client ID of Web App in Tenant 2>",
    "ClientSecret": "<Client Secret of Web App in Tenant 2>",
    "SignedOutCallbackPath": "/signout/B2C_1_susi",
    "SignUpSignInPolicyId": "b2c_1_susi",
    "ResetPasswordPolicyId": "b2c_1_reset",
    "EditProfilePolicyId": "b2c_1_edit_profile",
    "CallbackPath": "/signin-oidc"
  },
  "TodoList": {
    "TodoListAppId": "<Application ID of Web API in Tenant 1>",
    "TodoListScope": "api://MyAPI/.default",
    "TodoListBaseAddress": "https://localhost:44351",
    "AdminConsentRedirectApi": "https://localhost:44351/api/Home"
  }
}

Startup Config of Web App:

services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["TodoList:TodoListScope"] })
    .AddInMemoryTokenCaches();

API App Settings:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<Domain of Tenant 1>",
    "TenantId": "common",
    "ClientId": "<Client ID of Tenant 1>"
  }
}

Startup Config of API:

services.AddMicrosoftIdentityWebApiAuthentication(Configuration);

Trying to sign in, I get this error: "Message contains error: 'invalid_request', error_description: 'AADB2C90117: The scope 'api://ApiTestApp/.default' provided in the request is not supported."

If I remove the EnableTokenAcquisitionToCallDownstreamApi, I can successfully sign in.

I have not found a way to add the API app in Tenant 1 as a permission to the web app in Tenant 2.

Is there anything I am missing? Is this even possible?
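One point worth checking in the API settings above: with "TenantId": "common" the API is multi-tenant, so Microsoft.Identity.Web accepts a well-formed token from any Azure AD tenant. The following is an added example (not the poster's code) of restricting the API to an explicit issuer allow-list in its Startup; the tenant ID is a placeholder and `Configuration` is assumed to be the usual Startup property.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

// Startup.ConfigureServices of the API (added example; the tenant ID is a placeholder).
public void ConfigureServices(IServiceCollection services)
{
    // Same registration as in the question. With "TenantId": "common" the default
    // validator only checks that the issuer is well-formed and matches the token's tid.
    services.AddMicrosoftIdentityWebApiAuthentication(Configuration);

    // Tenants whose tokens this API will trust. v2.0 and v1.0 tokens use different issuer formats.
    string[] allowedTenantIds = { "<Tenant 1 ID>" }; // placeholder
    string[] allowedIssuers = allowedTenantIds
        .SelectMany(t => new[]
        {
            $"https://login.microsoftonline.com/{t}/v2.0",
            $"https://sts.windows.net/{t}/"
        })
        .ToArray();

    services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        options.TokenValidationParameters.ValidateIssuer = true;
        // Replace the permissive multi-tenant issuer check with an explicit allow-list.
        options.TokenValidationParameters.IssuerValidator = (issuer, token, parameters) =>
            allowedIssuers.Contains(issuer, StringComparer.OrdinalIgnoreCase)
                ? issuer
                : throw new SecurityTokenInvalidIssuerException($"Issuer not allowed: {issuer}");
        // Audience validation stays as derived by Microsoft.Identity.Web from "ClientId".
    });
}
```

A token issued by the B2C tenant in the question carries a b2clogin.com issuer and is rejected by this check too, which is the expected outcome when an API registered in Azure AD receives a B2C-issued token.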


1 answer

  1. JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2021-03-08T20:34:47.68+00:00

    @Brandon Weber
    Thank you for the follow up and I apologize for the delayed response!

    When it comes to the Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C documentation, I tested this out in my own environment and will post my findings below.

    Findings:
    Based on my testing, you should be able to sign in to your application with any Azure B2C user. However, if you sign in with a user from your Azure AD tenant, you'll need to use the "social account button" and you'll be prompted to enter a verification code before signing in.

    [Animated screenshot: b2csignin-signup.gif]

    If you have any other questions or would like us to take a closer look into your environment, please let me know.
    Thank you again for your time and patience throughout this issue!

