Add a web API application to your Azure Active Directory B2C tenant

Register web API resources in your tenant so that they can accept and respond to requests by client applications that present an access token. This article shows you how to register a web API in Azure Active Directory B2C (Azure AD B2C).

To register an application in your Azure AD B2C tenant, you can use our new unified App registrations experience or our legacy Applications (Legacy) experience. Learn more about the new experience.

  1. Sign in to the Azure portal.
  2. Select the Directory + subscription filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
  3. In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
  4. Select App registrations, and then select New registration.
  5. Enter a Name for the application. For example, webapi1.
  6. Under Redirect URI, select Web, and then enter an endpoint where Azure AD B2C should return any tokens that your application requests. In a production application, you might set the redirect URI an endpoint like https://localhost:5000. During development or testing, you can set it to https://jwt.ms, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). You can add and modify redirect URIs in your registered applications at any time.
  7. Select Register.
  8. Record the Application (client) ID for use in your web API's code.

If you have an application that implements the implicit grant flow, for example a JavaScript-based single-page application (SPA), you can enable the flow by following these steps:

  1. Under Manage, select Authentication.
  2. Under Implicit grant, select both the Access tokens and ID tokens check boxes.
  3. Select Save.

Configure scopes

Scopes provide a way to govern access to protected resources. Scopes are used by the web API to implement scope-based access control. For example, users of the web API could have both read and write access, or users of the web API might have only read access. In this tutorial, you use scopes to define read and write permissions for the web API.

  1. Select App registrations.
  2. Select the webapi1 application to open its Overview page.
  3. Under Manage, select Expose an API.
  4. Next to Application ID URI, select the Set link.
  5. Replace the default value (a GUID) with api, and then select Save. The full URI is shown, and should be in the format https://your-tenant-name.onmicrosoft.com/api. When your web application requests an access token for the API, it should add this URI as the prefix for each scope that you define for the API.
  6. Under Scopes defined by this API, select Add a scope.
  7. Enter the following values to create a scope that defines read access to the API, then select Add scope:
    1. Scope name: demo.read
    2. Admin consent display name: Read access to demo API
    3. Admin consent description: Allows read access to the demo API
  8. Select Add a scope, enter the following values to add a scope that defines write access to the API, and then select Add scope:
    1. Scope name: demo.write
    2. Admin consent display name: Write access to demo API
    3. Admin consent description: Allows write access to the demo API

Grant permissions

To call a protected web API from an application, you need to grant your application permissions to the API. For example, in Tutorial: Register an application in Azure Active Directory B2C, a web application named webapp1 is registered in Azure AD B2C. You can use this application to call the web API.

  1. Select App registrations, and then select the web application that should have access to the API. For example, webapp1.
  2. Under Manage, select API permissions.
  3. Under Configured permissions, select Add a permission.
  4. Select the My APIs tab.
  5. Select the API to which the web application should be granted access. For example, webapi1.
  6. Under Permission, expand demo, and then select the scopes that you defined earlier. For example, demo.read and demo.write.
  7. Select Add permissions.
  8. Select Grant admin consent for (your tenant name).
  9. If you're prompted to select an account, select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role.
  10. Select Yes.
  11. Select Refresh, and then verify that "Granted for ..." appears under Status for both scopes.

Your application is registered to call the protected web API. A user authenticates with Azure AD B2C to use the application. The application obtains an authorization grant from Azure AD B2C to access the protected web API.