BrandonWeber-7519 asked:

Azure B2C Application call Azure AD API

I also have an Azure AD tenant (Tenant 1) with an application registered that is providing authentication for a Web API in the same tenant.

I have a web application that I want to support user signup/signin and registration via Azure B2C (Tenant 2) that needs to call the Web API in Tenant 1.


I have both of these applications set up as multi-tenant. I cannot seem to figure out how to configure my applications and successfully make the call to the API.

Web App Settings (appsettings.json):
```json
{
  "AzureAd": {
    "Instance": "https://myb2cInstance.b2clogin.com",
    "Domain": "myb2cInstance.onmicrosoft.com",
    "ClientId": "<Client ID of Web App in Tenant 2>",
    "ClientSecret": "<Client Secret of Web App in Tenant 2>",
    "SignedOutCallbackPath": "/signout/B2C_1_susi",
    "SignUpSignInPolicyId": "b2c_1_susi",
    "ResetPasswordPolicyId": "b2c_1_reset",
    "EditProfilePolicyId": "b2c_1_edit_profile",
    "CallbackPath": "/signin-oidc"
  },
  "TodoList": {
    "TodoListAppId": "<Application ID of Web API in Tenant 1>",
    "TodoListScope": "api://MyAPI/.default",
    "TodoListBaseAddress": "https://localhost:44351",
    "AdminConsentRedirectApi": "https://localhost:44351/api/Home"
  }
}
```

Startup Config of Web App:
```csharp
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(new string[] { Configuration["TodoList:TodoListScope"] })
    .AddInMemoryTokenCaches();
```

API App Settings (appsettings.json):
```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "<Domain of Tenant 1>",
    "TenantId": "common",
    "ClientId": "<Client ID of Tenant 1>"
  }
}
```

Startup Config of API:
```csharp
services.AddMicrosoftIdentityWebApiAuthentication(Configuration);
```

Trying to sign in, I get this error: "Message contains error: 'invalid_request', error_description: 'AADB2C90117: The scope 'api://ApiTestApp/.default' provided in the request is not supported."

If I remove the EnableTokenAcquisitionToCallDownstreamApi, I can successfully sign in.

I have not found a way to add the API app in Tenant 1 as a permission to the web app in Tenant 2.

Is there anything I am missing? Is this even possible?

Tags: azure-active-directory, azure-ad-b2c, azure-ad-msal
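Added example, not code from the original post. The API settings above use `"TenantId": "common"`, which tells a Microsoft.Identity.Web API to accept tokens from any Azure AD tenant, while the tokens the web app would obtain come from the B2C tenant. The script below models the core checks a bearer-token middleware performs (signature, then `iss`, `aud`, `exp`, `nbf`) so the two sides can be lined up concretely: a token minted for the B2C issuer is refused by an API that only trusts Tenant 1, and vice versa. Tenant IDs, the issuer URLs, the client ID and the HMAC key are constructed for the example; real Azure AD and B2C tokens are RS256-signed and are verified against the tenant's published JWKS, not a shared secret.

```python
"""Issuer/audience checks a resource API must apply to a bearer token.

Models what Microsoft.Identity.Web does with an incoming access token.
HMAC-SHA256 with a constructed key stands in for RS256 + JWKS so the
example runs offline; the claim checks are the point, not the key type.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example (not real tenant or app identifiers).
DEMO_KEY = b"example-shared-secret-not-for-production"
B2C_TENANT_ID = "11111111-1111-1111-1111-111111111111"
AAD_TENANT_ID = "22222222-2222-2222-2222-222222222222"
API_CLIENT_ID = "33333333-3333-3333-3333-333333333333"
# Issuer formats follow the v2.0 endpoints of B2C and Azure AD respectively.
B2C_ISSUER = f"https://myb2cInstance.b2clogin.com/{B2C_TENANT_ID}/v2.0/"
AAD_ISSUER = f"https://login.microsoftonline.com/{AAD_TENANT_ID}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, expected_issuer: str, expected_audience: str,
                   key: bytes = DEMO_KEY, now: Optional[int] = None) -> dict:
    """Verify signature first, then iss/aud/exp/nbf; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_unb64url(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} is not {expected_issuer!r}")
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience {claims.get('aud')!r} is not {expected_audience!r}")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def outcome(token: str, expected_issuer: str, expected_audience: str, now: int) -> str:
    """Return 'ok' or the validation error text, for the scenarios below."""
    try:
        validate_token(token, expected_issuer, expected_audience, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


NOW = 1_700_000_000  # fixed clock so results are reproducible

# Token as the B2C tenant would mint it for the API ('tfp' names the user flow).
B2C_TOKEN = mint_token({"iss": B2C_ISSUER, "aud": API_CLIENT_ID, "tfp": "B2C_1_susi",
                        "nbf": NOW - 60, "exp": NOW + 3600, "sub": "b2c-user"})
# Token as Tenant 1 (Azure AD) would mint it for the same API client ID.
AAD_TOKEN = mint_token({"iss": AAD_ISSUER, "aud": API_CLIENT_ID, "tid": AAD_TENANT_ID,
                        "nbf": NOW - 60, "exp": NOW + 3600, "sub": "aad-user"})

if __name__ == "__main__":
    print("API trusting Tenant 1, B2C token:", outcome(B2C_TOKEN, AAD_ISSUER, API_CLIENT_ID, NOW))
    print("API trusting B2C,      B2C token:", outcome(B2C_TOKEN, B2C_ISSUER, API_CLIENT_ID, NOW))
    print("API trusting B2C,      AAD token:", outcome(AAD_TOKEN, B2C_ISSUER, API_CLIENT_ID, NOW))
```

The issuer check is the one that `"TenantId": "common"` relaxes: an API configured that way validates only that the issuer is some Azure AD tenant, so pinning the expected issuer (or an explicit allow-list of tenants) is the check to keep when the API is meant to serve one identity source.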

@BrandonWeber-7519
Thank you for the detailed post!

Have you looked into our Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C documentation? This doc walks you through how to enable sign-in for users using the multi-tenant endpoint for Azure Active Directory (Azure AD), allowing users from multiple Azure AD tenants to sign in using Azure AD B2C without you having to configure an identity provider for each tenant.



If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


@BrandonWeber-7519
I just wanted to check in and see if you had a chance to review my previous post or if you were able to resolve this issue?


@JamesTran-MSFT Would user accounts then live in our main tenant? We would prefer the customer accounts live within the B2C instance and then we are able to add scopes and call an API in our main tenant.


1 Answer

JamesTran-MSFT answered:

@BrandonWeber-7519
Thank you for the follow up and I apologize for the delayed response!

When it comes to the Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C documentation, I tested this out in my own environment and will post my findings below.

Findings:
Based on my testing, you should be able to sign in to your application with any Azure B2C user. However, if you sign in with a user from your Azure AD tenant, you'll need to use the "social account button" and you'll be prompted to enter a verification code before signing in.

[Attachment: b2csignin-signup.gif, a recording of the B2C sign-in/sign-up flow described above]


If you have any other questions or would like us to take a closer look into your environment, please let me know.
Thank you again for your time and patience throughout this issue!


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

