Azure B2C Application call Azure AD API

Brandon Weber 6 Reputation points
2021-02-25T22:20:24.29+00:00

I also have an Azure AD tenant (Tenant 1) with an application registered that is providing authentication for a Web API in the same tenant.

I have a web application that I want to support user signup/signin and registration via Azure B2C (Tenant 2) that needs to call the Web API in Tenant 1.

I have both of these applications set up as multi-tenant. I cannot seem to figure out how to configure my applications and successfully make the call to the API.

Web App Settings:

```json
{
  "AzureAd": {
    "Instance": "https://myb2cInstance.b2clogin.com",
    "Domain": "myb2cInstance.onmicrosoft.com",
    "ClientId": "<Client ID of Web App in Tenant 2>",
    "ClientSecret": "<Client Secret of Web App in Tenant 2>",
    "SignedOutCallbackPath": "/signout/B2C_1_susi",
    "SignUpSignInPolicyId": "b2c_1_susi",
    "ResetPasswordPolicyId": "b2c_1_reset",
    "EditProfilePolicyId": "b2c_1_edit_profile",
    "CallbackPath": "/signin-oidc"
  },
  "TodoList": {
    "TodoListAppId": "<Application ID of Web API in Tenant 1>",
    "TodoListScope": "api://MyAPI/.default",
    "TodoListBaseAddress": "https://localhost:44351",
    "AdminConsentRedirectApi": "https://localhost:44351/api/Home"
  }
}
```

Startup Config of Web App:

```csharp
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["TodoList:TodoListScope"] })
    .AddInMemoryTokenCaches();
```

API App Settings:

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<Domain of Tenant 1>",
    "TenantId": "common",
    "ClientId": "<Client ID of Tenant 1>"
  }
}
```

Startup Config of API:

```csharp
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
```

Trying to sign in, I get this error: "Message contains error: 'invalid_request', error_description: 'AADB2C90117: The scope 'api://ApiTestApp/.default' provided in the request is not supported."

If I remove the EnableTokenAcquisitionToCallDownstreamApi, I can successfully sign in.

I have not found a way to add the API app in Tenant 1 as a permission to the web app in Tenant 2.

Is there anything I am missing? Is this even possible?
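An added illustration, not code from the question or from Microsoft.Identity.Web, of the issuer and audience check that the API's `AddMicrosoftIdentityWebApiAuthentication` applies to every bearer token. It shows why a token minted by the B2C tenant (Tenant 2) for the web app cannot satisfy an API protected by Tenant 1, independent of the AADB2C90117 error at sign-in. All tenant and app IDs are constructed placeholders, the tokens are built unsigned purely as sample input, and signature verification against the issuer's signing keys is deliberately left out (the real library does it before any claim check).

```python
import base64
import json

# Constructed placeholder identifiers (not real tenant or application IDs).
TENANT1_ID = "11111111-1111-1111-1111-111111111111"
API_APP_ID = "22222222-2222-2222-2222-222222222222"
B2C_TENANT_ID = "33333333-3333-3333-3333-333333333333"
WEBAPP_CLIENT_ID = "44444444-4444-4444-4444-444444444444"

# What an API registered in Tenant 1 expects: that tenant's v2.0 issuer and
# its own application ID (or api://... URI) as the audience.
EXPECTED_ISSUERS = {f"https://login.microsoftonline.com/{TENANT1_ID}/v2.0"}
EXPECTED_AUDIENCES = {API_APP_ID, "api://MyAPI"}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) used only as sample input."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def payload_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (the real
    API must verify it against the issuer's published keys first)."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def check_token_claims(token: str, now: int) -> list:
    """Return the list of validation failures; an empty list means accepted."""
    claims = payload_claims(token)
    problems = []
    if claims.get("iss") not in EXPECTED_ISSUERS:
        problems.append(f"issuer {claims.get('iss')!r} is not Tenant 1")
    if claims.get("aud") not in EXPECTED_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not this API")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

NOW = 1_700_000_000  # fixed clock for a reproducible run
# Token the B2C tenant issues for the web app itself after sign-in.
B2C_TOKEN = make_unsigned_jwt({"iss": f"https://myb2cInstance.b2clogin.com/{B2C_TENANT_ID}/v2.0",
                               "aud": WEBAPP_CLIENT_ID, "tfp": "B2C_1_susi", "exp": NOW + 3600})
# Token Tenant 1 itself would issue for the API.
TENANT1_TOKEN = make_unsigned_jwt({"iss": f"https://login.microsoftonline.com/{TENANT1_ID}/v2.0",
                                   "aud": API_APP_ID, "exp": NOW + 3600})

if __name__ == "__main__":
    print(check_token_claims(B2C_TOKEN, NOW))      # issuer and audience failures
    print(check_token_claims(TENANT1_TOKEN, NOW))  # []
```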


1 answer

  1. JamesTran-MSFT 36,461 Reputation points Microsoft Employee
    2021-03-08T20:34:47.68+00:00

    @Brandon Weber
    Thank you for the follow up and I apologize for the delayed response!

    When it comes to the Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C documentation, I tested this out in my own environment and will post my findings below.

    Findings:
    Based off my testing, you should be able to sign in to your application with any Azure B2C user. However, if you sign in with a user from your Azure AD tenant, you'll need to use the "social account button" and you'll be prompted to enter a verification code before signing in.

    (Animated screenshot omitted: b2csignin-signup.gif)

    If you have any other questions or would like us to take a closer look into your environment, please let me know.
    Thank you again for your time and patience throughout this issue!

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.