0

Hello, my question relates to how I should structure my Azure services.

I have an Azure SQL database on my primary tenant (U1) and a B2C tenant to support external users (U2). On U2 I create an app registration that has a user flow which lets users sign up/sign in. I have a Flask API which should allow signed-in users to make API calls to get data from the DB. Should the API be registered as an app in U1 or U2? Additionally, should it be configured as "single tenant" or "multi tenant"? And should the API be hosted on U1 or U2?

Thank you

Jonah Kornberg
  • 153
  • 1
  • 8
  • Same answer applies as [here](https://stackoverflow.com/questions/60152023/how-to-combine-ad-b2cmsal-and-cosmosdb/60153620#60153620) – Jas Suri - MSFT Sep 10 '21 at 15:48
  • @JasSuri-MSFT This is great, aside from the fact that the article is all designed for the legacy app registration format – Jonah Kornberg Sep 10 '21 at 16:43
  • Users who are signed in to U2 cannot acquire a token for U1. So they cannot get a token for the API if you register it in U1. I think it should be in U2. Also it should not be single tenant or multi-tenant. There is a third option in B2C that allows B2C users. The other two are for regular Azure AD use, not B2C. – juunas Sep 11 '21 at 08:10
  • @juunas So currently I have my B2C with user flows registered in U2, an app (a1) which represents the mobile app for sign-in, and a second app in U2 (a2) for the API. a2 has an API exposed to a1. Additionally, on U1 I have an app service running a Flask web app which internally validates the access tokens received in a1 from a2's exposed API. Does this sound right? – Jonah Kornberg Sep 11 '21 at 15:16
  • Do you mean the Flask app validates the access token meant for a2? – juunas Sep 11 '21 at 18:32
  • 1
    @juunas Yeah, like whenever a1 makes an API call it attaches the access token for the scope from a2 in the header, which is verified by the Flask app. By the way, thanks – Jonah Kornberg Sep 12 '21 at 02:18
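The check the comments above describe (a1 sends the access token it obtained for a2's scope; the Flask API, hosted in U1, verifies it) has to be done the same way whichever tenant hosts the API, because the token's audience is a2's application ID in U2. The following is an added example, not the poster's code or Microsoft's: plain standard-library Python in which the RSA routines and `issue_token` stand in for the B2C signing key, its JWKS and B2C itself so the script runs offline. The tenant name, tenant ID, user-flow name, application IDs and scope are placeholders, and `authorize` is a hypothetical helper that plays the role of a Flask `before_request` hook.

```python
import base64, hashlib, hmac, json, math, secrets, time
# RS256 is RSASSA-PKCS1-v1_5 over SHA-256. The real API takes the public key from the user
# flow's JWKS endpoint; a throwaway key pair is generated here so the script runs offline.
def _is_probable_prime(n, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses; n is always a large odd candidate here
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_keypair(bits=1024):
    """Return ((n, e), (n, d)); 1024 bits keeps the demo fast, real signing keys are 2048+."""
    e, primes = 65537, []
    while len(primes) < 2:  # odd candidates with the top bit set, kept when the test accepts them
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(c) and c not in primes and math.gcd(e, c - 1) == 1:
            primes.append(c)
    (p, q), n = primes, primes[0] * primes[1]
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _emsa_pkcs1_v15(message, k):  # k bytes: 00 01 FF..FF 00 DigestInfo(SHA-256) || hash
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(private_key, message):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(public_key, message, signature):
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(message, k))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(private_key, kid, claims):
    """Mint an RS256 JWT shaped like a B2C access token (stands in for B2C in the demo)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    signing_input = header + "." + _b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + _b64url_encode(rsa_sign(private_key, signing_input.encode()))

class TokenError(Exception):
    """Why a token was rejected; the API returns the reason with 401 and never echoes the token."""

def validate_b2c_access_token(token, *, jwks, tenant_name, tenant_id, policy,
                              audience, required_scope, now=None, leeway=60):
    """Return the claims of a valid B2C access token, else raise TokenError. jwks maps kid -> (n, e);
    in production load and cache it from the user flow's .../discovery/v2.0/keys endpoint and
    re-fetch it when a kid is unknown (key rollover)."""
    try:
        h, p, s = token.split(".")
        header, claims, signature = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise TokenError("unexpected alg")
    key = jwks.get(str(header.get("kid")))
    if key is None or not rsa_verify(key, f"{h}.{p}".encode(), signature):
        raise TokenError("unknown kid or bad signature")
    # Only a token whose signature holds has claims worth reading.
    if claims.get("iss") != f"https://{tenant_name}.b2clogin.com/{tenant_id}/v2.0/":
        raise TokenError("wrong issuer")  # issuer format is a user-flow setting; match its metadata
    if claims.get("aud") != audience:  # the API's own (a2) application ID, not the client's
        raise TokenError("wrong audience")
    if str(claims.get("tfp", "")).lower() != policy.lower():  # user flow that issued the token
        raise TokenError("wrong user flow")
    now, exp, nbf = (time.time() if now is None else now), claims.get("exp"), claims.get("nbf", 0)
    if not all(isinstance(v, (int, float)) for v in (exp, nbf)) or exp + leeway < now or nbf - leeway > now:
        raise TokenError("outside validity window")
    if required_scope not in str(claims.get("scp", "")).split():  # the scope a1 requested for a2
        raise TokenError("insufficient scope")
    return claims

def authorize(headers, **cfg):
    """What a Flask before_request hook does: (200, claims) or (401, {"error": reason})."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        return 200, validate_b2c_access_token(auth[len("Bearer "):], **cfg)
    except TokenError as exc:
        return 401, {"error": str(exc)}
```

To wire it into Flask, call `authorize(request.headers, **cfg)` from a `before_request` function and `abort(401)` on anything but 200, with `cfg` holding the JWKS, the B2C tenant name and ID, the user-flow name, a2's application ID as `audience` and the scope a1 requests as `required_scope`. In a production service a maintained JWT library fed with the JWKS from the user flow's metadata document replaces the hand-rolled RSA, but the order stays the same: signature first, then `iss`, `aud`, `tfp`, lifetime and `scp`, with the algorithm pinned rather than read from the token.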

1 Answer

0

As the Flask API is used by the users in the B2C tenant (U2), the app registration for the API can be created in the U2 tenant.

If you want to allow users from other tenants to use the app registration, the app registration can be configured as multi-tenant.

If you want to allow users from only the U2 tenant, the app registration can be configured as single tenant.

RamaraoAdapa
  • 2,837
  • 2
  • 5
  • 11