Hi @Anonymous • Thank you for reaching out.
From your question, I understood that you are trying to call a REST API via B2C RESTful Technical Profile but the API is behind a firewall that is blocking the Azure AD B2C requests. You want to know which B2C traffic (IP/URLs) should be allowed through the firewall so that it can successfully call the REST API via RESTful Technical profile.
I checked internally if there is a defined IP Range/URL List available for Azure AD B2C that can be whitelisted in your firewall but got the confirmation that outbound IPs for REST calls can be any IP Address within the Azure Datacenter range. So the short answer is no, you cannot use whitelisting as a technique for API security.
As there is no dedicated IP Range/URL List available for Azure AD B2C, you cannot lock down the proxy to only accept requests originating from your ADB2C instance. You will have to accept traffic from the entire Azure Datacenter range.
Instead, rather than using network security, you should work on protecting the API using authentication schemes described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api
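The point of the answer above, as an added example that is not part of the original answer or of Microsoft's documentation: the API decides on credentials and never on the caller's source address. It assumes HTTP Basic authentication, one of the schemes covered in the linked article; the function names, credentials and IP addresses are constructed for illustration.

```python
import base64
import binascii
import hmac

# Constructed credentials for the example; in practice load them from a secret store.
EXPECTED_USER = "b2c-policy-client"
EXPECTED_PASSWORD = "constructed-example-secret"


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(headers, remote_ip):
    """Decide on credentials only; remote_ip is kept for logging, never for trust."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, "missing or malformed credentials from %s" % remote_ip
    user, password = creds
    # Compare both fields in constant time and evaluate both before deciding.
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    if not (user_ok and pass_ok):
        return 401, "bad credentials from %s" % remote_ip
    return 200, "authenticated as %s" % user


def basic_header(user, password):
    """Build the header a caller would send (used for the sample requests)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
```

Two requests with the same valid header are accepted whatever address they arrive from, and a request without valid credentials is rejected even if it comes from an address that had previously been seen.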