Add a web API application to your Azure Active Directory B2C tenant
This article shows you how to register web API resources in your Azure Active Directory B2C (Azure AD B2C) tenant so that they can accept and respond to requests by client applications that present an access token.
To register an application in your Azure AD B2C tenant, you can use the following steps:
- Sign in to the Azure portal.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
- Select App registrations, and then select New registration.
- Enter a Name for the application. For example, webapi1.
- Under Redirect URI, select Web, and then enter an endpoint where Azure AD B2C should return any tokens that your application requests. In a production application, you might set the redirect URI an endpoint like
https://localhost:5000
. During development or testing, you can set it tohttps://jwt.ms
, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). You can add and modify redirect URIs in your registered applications at any time. - Select Register.
- Record the Application (client) ID for use in your web API's code.
Configure scopes
Scopes provide a way to govern access to protected resources. Scopes are used by the web API to implement scope-based access control. For example, users of the web API could have both read and write access, or users of the web API might have only read access. In this tutorial, you use scopes to define read and write permissions for the web API.
- Select App registrations.
- Select the webapi1 application to open its Overview page.
- Under Manage, select Expose an API.
- Next to Application ID URI, select the Add link.
- Replace the default value (a GUID) with
api
, and then select Save. The full URI is shown, and should be in the formathttps://your-tenant-name.onmicrosoft.com/api
. When your web application requests an access token for the API, it should add this URI as the prefix for each scope that you define for the API. - Under Scopes defined by this API, select Add a scope.
- Enter the following values to create a scope that defines read access to the API, then select Add scope:
- Scope name:
demo.read
- Admin consent display name:
Read access to demo API
- Admin consent description:
Allows read access to the demo API
- Scope name:
- Select Add a scope, enter the following values to add a scope that defines write access to the API, and then select Add scope:
- Scope name:
demo.write
- Admin consent display name:
Write access to demo API
- Admin consent description:
Allows write access to the demo API
- Scope name:
Grant permissions
To call a protected web API from an application, you need to grant your application permissions to the API. For example, in Tutorial: Register an application in Azure Active Directory B2C, a web application named webapp1 is registered in Azure AD B2C. You can use this application to call the web API.
- Select App registrations, and then select the web application that should have access to the API. For example, webapp1.
- Under Manage, select API permissions.
- Under Configured permissions, select Add a permission.
- Select the My APIs tab.
- Select the API to which the web application should be granted access. For example, webapi1.
- Under Permission, expand demo, and then select the scopes that you defined earlier. For example, demo.read and demo.write.
- Select Add permissions.
- Select Grant admin consent for (your tenant name).
- If you're prompted to select an account, select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role.
- Select Yes.
- Select Refresh, and then verify that "Granted for ..." appears under Status for both scopes.
Your application is registered to call the protected web API. A user authenticates with Azure AD B2C to use the application. The application obtains an authorization grant from Azure AD B2C to access the protected web API.