This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 57.99999999999999%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Hello my question relates to how I should structure my azure services.
I have a Azure SQL database on my primary tenant (U1) and a B2C tenant to support external users (U2). On U2 I create an app registration that has a user flow which lets users signup/signin. I have a Flask API which should allow signed in users to make api calls to get data from the DB. Should the API be registered as an app in U1 or U2. Additionally should it be configured to "single tenant" or "multi tenant"? And should the API be hosted on U1 or U2.
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 86%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHE%3C/text%3E%3C/svg%3E)
Since this is an API that you'll probably want to authorize external users to call, then the app registration for the api should be in U2. If the API itself needs to call an Azure resource which resides in a subscription under the AAD tenant (U1), then it can also have another app registration in U1 so that it'll be able to make such calls with the U1 client id and secret. Or it can simply use something like a connection string.
Whether an app is multi-tenant or a single tenant indicates whether it will allow users only from this directory, or from other directories as well, that is needed in cases where your B2C tenant is federated with an AAD tenant, so that employees can login to the same app much like external users, among many other uses. If all you need is signup/signin for external users, then single tenant will do.