User Authentication setup for B2C with custom REST api for Azure SQL Database

Jonah Kornberg 1 Reputation point

Hello, my question relates to how I should structure my Azure services.
I have an Azure SQL database on my primary tenant (U1) and a B2C tenant to support external users (U2). On U2 I create an app registration that has a user flow which lets users sign up/sign in. I have a Flask API which should allow signed-in users to make API calls to get data from the DB. Should the API be registered as an app in U1 or U2? Additionally, should it be configured as "single tenant" or "multi tenant"? And should the API be hosted on U1 or U2?

Thank you


1 answer

  1. Hazem Elshabini 86 Reputation points

    Since this is an API that you'll probably want to authorize external users to call, the app registration for the API should be in U2. If the API itself needs to call an Azure resource which resides in a subscription under the AAD tenant (U1), then it can also have another app registration in U1 so that it'll be able to make such calls with the U1 client id and secret. Or it can simply use something like a connection string.

    Whether an app is multi-tenant or single-tenant indicates whether it will allow users only from this directory or from other directories as well; that is needed in cases where your B2C tenant is federated with an AAD tenant, so that employees can log in to the same app much like external users, among many other uses. If all you need is sign-up/sign-in for external users, then single tenant will do.

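The practical consequence of registering the API in the B2C tenant (U2) is that the Flask API must accept only tokens issued by that tenant's user flow, for its own client id, and carrying the scope it exposes. The following is an added example, not code from the question, the answer or Microsoft; it shows the claim checks the API should run after the token's signature has been verified against the user flow's JWKS (for instance with PyJWT's `PyJWKClient`), which this block deliberately leaves to a library. The tenant name, GUIDs, policy name, scope and token are constructed placeholders, and the B2C issuer URL format is an assumption to be confirmed against the user flow's `/.well-known/openid-configuration` document.

```python
# Added example: claim validation for Azure AD B2C access tokens presented to a
# Flask API. Signature verification with the user flow's JWKS is assumed to run
# BEFORE validate_claims(); this block covers the checks that bind the token to
# this API, this tenant and this user flow. All identifiers are constructed.
import base64
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class B2CApiConfig:
    tenant_name: str     # "contoso" for contoso.onmicrosoft.com / contoso.b2clogin.com
    tenant_id: str       # directory (tenant) id of the B2C tenant (U2 in the question)
    policy: str          # the sign-up/sign-in user flow that issues the tokens
    api_client_id: str   # client id of the API's own app registration in U2
    required_scope: str  # scope exposed by that registration

    @property
    def expected_issuer(self) -> str:
        # Assumed B2C user-flow issuer format; confirm against the policy's
        # openid-configuration "issuer" value before relying on it.
        return f"https://{self.tenant_name}.b2clogin.com/{self.tenant_id}/v2.0/"


# Constructed configuration used by the demo and the checks below.
DEMO = B2CApiConfig(
    tenant_name="contoso",
    tenant_id="00000000-0000-0000-0000-000000000001",
    policy="B2C_1_signupsignin",
    api_client_id="11111111-1111-1111-1111-111111111111",
    required_scope="Data.Read",
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unverified_claims(token: str) -> Dict:
    """Parse the payload segment of a compact JWS. Does NOT check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: Dict, cfg: B2CApiConfig,
                    now: Optional[float] = None, leeway: int = 60) -> List[str]:
    """Return the names of the failed checks; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems: List[str] = []
    # Issuer: a token minted by U1 (login.microsoftonline.com) must not be accepted here.
    if claims.get("iss") != cfg.expected_issuer:
        problems.append("iss")
    # Audience: the token must have been issued FOR this API's registration.
    aud = claims.get("aud")
    if cfg.api_client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    # Lifetime, with a small leeway for clock skew.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        problems.append("nbf")
    # User flow: B2C puts the policy name in "tfp" (older tokens use "acr").
    policy = claims.get("tfp") or claims.get("acr") or ""
    if policy.lower() != cfg.policy.lower():
        problems.append("tfp")
    # Delegated scopes are space-separated in "scp".
    if cfg.required_scope not in set(str(claims.get("scp", "")).split()):
        problems.append("scp")
    return problems


def authorize(authorization_header: Optional[str], cfg: B2CApiConfig,
              now: Optional[float] = None) -> Tuple[int, Dict]:
    """HTTP-style outcome (status, body) for one request; call it from Flask's before_request."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    token = authorization_header[len("Bearer "):]
    try:
        # Production: replace with jwt.decode(token, signing_key, algorithms=["RS256"], ...)
        # so the signature is verified before any claim is trusted.
        claims = unverified_claims(token)
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "malformed token"}
    failed = validate_claims(claims, cfg, now)
    if failed:
        return 401, {"error": "rejected claims", "failed": failed}
    return 200, {"subject": claims.get("sub"), "scopes": claims.get("scp")}


def make_demo_token(claims: Dict) -> str:
    """Constructed, unsigned token for exercising the claim checks offline only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"
```

The separation matters because a JWT library will happily verify a signature on a token that was issued by the wrong tenant or for a different application; the `iss` and `aud` checks are what tie the token to the registration in U2 the answer recommends, and the `tfp` check keeps tokens from another user flow in the same tenant from being accepted.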