Add a web API application to your Azure Active Directory B2C tenant

This article shows you how to register web API resources in your Azure Active Directory B2C (Azure AD B2C) tenant so that they can accept and respond to requests by client applications that present an access token.

To register an application in your Azure AD B2C tenant, you can use the Azure portal's new unified App registrations experience or the legacy Applications (Legacy) experience. Learn more about the new experience.

App registrations

1. Sign in to the Azure portal.
2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
3. In the left menu, select Azure AD B2C. Or, select All services and search for and select Azure AD B2C.
4. Select App registrations, and then select New registration.
5. Enter a Name for the application. For example, webapi1.
6. Under Redirect URI, select Web, and then enter an endpoint where Azure AD B2C should return any tokens that your application requests. In a production application, you might set the redirect URI an endpoint like https://localhost:5000. During development or testing, you can set it to https://jwt.ms, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). You can add and modify redirect URIs in your registered applications at any time.
7. Select Register.
8. Record the Application (client) ID for use in your web API's code.

Applications (Legacy)

1. Sign in to the Azure portal.
2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
4. Select Applications (Legacy), and then select Add.
5. Enter a name for the application. For example, webapi1.
6. For Include web app/ web API and Allow implicit flow, select Yes.
7. For Reply URL, enter an endpoint where Azure AD B2C should return any tokens that your application requests. In your production application, you might set the reply URL to a value such as https://localhost:44332. For testing purposes, set the reply URL to https://jwt.ms.
8. For App ID URI, enter the identifier used for your web API. The full identifier URI including the domain is generated for you. For example, https://contosotenant.onmicrosoft.com/api.
9. Select Create.
10. On the properties page, record the application ID that you'll use when you configure the web application.

Configure scopes

Scopes provide a way to govern access to protected resources. Scopes are used by the web API to implement scope-based access control. For example, users of the web API could have both read and write access, or users of the web API might have only read access. In this tutorial, you use scopes to define read and write permissions for the web API.

App registrations

1. Select App registrations.
2. Select the webapi1 application to open its Overview page.
3. Under Manage, select Expose an API.
4. Next to Application ID URI, select the Add link.
5. Replace the default value (a GUID) with api, and then select Save. The full URI is shown, and should be in the format https://your-tenant-name.onmicrosoft.com/api. When your web application requests an access token for the API, it should add this URI as the prefix for each scope that you define for the API.
6. Under Scopes defined by this API, select Add a scope.
7. Enter the following values to create a scope that defines read access to the API, then select Add scope:
   1. Scope name: demo.read
   2. Admin consent display name: Read access to demo API
   3. Admin consent description: Allows read access to the demo API
8. Select Add a scope, enter the following values to add a scope that defines write access to the API, and then select Add scope:
   1. Scope name: demo.write
   2. Admin consent display name: Write access to demo API
   3. Admin consent description: Allows write access to the demo API

Applications (Legacy)

1. Select Applications (Legacy).
2. Select the webapi1 application to open its Properties page.
3. Select Published scopes. Published scopes can be used to grant a client application certain permissions to the web API.
4. For SCOPE, enter demo.read, and for DESCRIPTION, enter Read access to the web API.
5. For SCOPE, enter demo.write, and for DESCRIPTION, enter Write access to the web API.
6. Select Save.

Grant permissions

To call a protected web API from an application, you need to grant your application permissions to the API. For example, in Tutorial: Register an application in Azure Active Directory B2C, a web application named webapp1 is registered in Azure AD B2C. You can use this application to call the web API.

App registrations

1. Select App registrations, and then select the web application that should have access to the API. For example, webapp1.
2. Under Manage, select API permissions.
3. Under Configured permissions, select Add a permission.
4. Select the My APIs tab.
5. Select the API to which the web application should be granted access. For example, webapi1.
6. Under Permission, expand demo, and then select the scopes that you defined earlier. For example, demo.read and demo.write.
7. Select Add permissions.
8. Select Grant admin consent for (your tenant name).
9. If you're prompted to select an account, select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role.
10. Select Yes.
11. Select Refresh, and then verify that "Granted for ..." appears under Status for both scopes.

Applications (Legacy)

1. Select Applications (Legacy), and then select the web application that should have access to the API. For example, webapp1.
2. Select API access, and then select Add.
3. In the Select API dropdown, select the API to which web application should be granted access. For example, webapi1.
4. In the Select Scopes dropdown, select the scopes that you defined earlier. For example, demo.read and demo.write.
5. Select OK.

Your application is registered to call the protected web API. A user authenticates with Azure AD B2C to use the application. The application obtains an authorization grant from Azure AD B2C to access the protected web API.