Tags: azure-active-directory, single-page-application, rbac

Multi-Tenancy in a Single Azure Active Directory Application


I have dozens of Azure Active Directory APIs and SPAs that talk to each other. Here is an example:

  • User - Has roles necessary to use SPA and API 1
  • SPA - Talks to API 1 using Delegated Permissions
  • API 1 - Talks to API 2 using Application Permissions
  • API 2

These SPAs and APIs each have a single Application and Client ID in Azure Active Directory, but they are multi-tenant, in that they serve internal users in multiple countries using Role Based Access Control (RBAC).

All of the above applications run internally, but I have a new requirement: we need to hand over the SPA application to users external to the company, and they should not be able to see parts of the SPA for other tenants, and they must not be able to call APIs for other tenants. How can this be achieved?


Solution

  • For your scenario, I think you can use Azure AD App roles for it.

    For example:

    You can create two roles in the Azure AD application for the SPA. One is Admin, who can access the whole SPA site and API 1. One is User, who can only access part of the SPA and cannot access API 1. Then you can assign roles to users. If you have AAD Basic or Premium, you can assign roles to groups.

    After finishing this, you will get the roles information in the id_token, so that you can give them different access to your SPA. The rest of the work should be built in your SPA to deliver different access to different users.

    You can also read this blog written by joonas for more details.

    Additionally, this answer is just a solution as I thought of it; it may be a little different from your realistic scenario, which I cannot test.

    Hope this helps!
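The answer stops at "the rest of the work should be built in your SPA". The following Node.js snippet is an added example, not code from the question, the answer, or Microsoft: it reads the `roles` claim that Azure AD places in the id_token once app roles are assigned, and uses it to gate SPA features. The role names `Admin` and `User` come from the answer; the feature names, the feature-to-role mapping, and the sample tokens are constructed for the example.

```javascript
// Added example: gating SPA features on the Azure AD `roles` claim.
// Not from the original question or answer. Role names "Admin" and "User"
// follow the answer; FEATURE_ROLES and the sample tokens are constructed.

// Which app role each SPA feature requires (assumed mapping).
const FEATURE_ROLES = {
  dashboard: ["Admin", "User"], // any assigned role may see the basic part
  adminPanel: ["Admin"],        // the "whole SPA site" part: Admin only
  callApi1: ["Admin"],          // the answer reserves API 1 for Admin
};

// Decode the payload segment of a JWT (base64url, no signature check).
// This is a UI decision only: the SPA received the id_token from Azure AD
// over TLS, and API 1 must validate the signature and the `roles` claim of
// the access token itself rather than trust anything the SPA decided.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Azure AD emits assigned app roles as the `roles` claim, an array of the
// role `value`s. A user with no assignment gets no claim at all, so the
// safe default is an empty list, which grants nothing below.
function rolesFromIdToken(token) {
  const claims = decodeJwtPayload(token);
  return Array.isArray(claims.roles) ? claims.roles : [];
}

// Deny by default: an unknown feature or a user with no matching role gets false.
function canAccess(feature, roles) {
  const allowed = FEATURE_ROLES[feature];
  if (!allowed) return false;
  return roles.some((r) => allowed.includes(r));
}

// Constructed sample tokens: real header/payload encoding, dummy signature.
function makeSampleToken(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o))
      .toString("base64")
      .replace(/\+/g, "-")
      .replace(/\//g, "_")
      .replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.dummysig`;
}
const ADMIN_TOKEN = makeSampleToken({ oid: "user-a", roles: ["Admin"] });
const USER_TOKEN = makeSampleToken({ oid: "user-b", roles: ["User"] });
const NO_ROLE_TOKEN = makeSampleToken({ oid: "user-c" }); // never assigned a role

// Stand-alone demo: list the features each sample user may reach.
if (typeof require !== "undefined" && require.main === module) {
  for (const [who, tok] of [["admin", ADMIN_TOKEN], ["user", USER_TOKEN], ["none", NO_ROLE_TOKEN]]) {
    const roles = rolesFromIdToken(tok);
    const features = Object.keys(FEATURE_ROLES).filter((f) => canAccess(f, roles));
    console.log(who, roles, features);
  }
}
```

The same `canAccess`-style check belongs in API 1 against the access token (after signature, issuer, audience and expiry validation); the SPA check only hides UI and must not be the thing that keeps a User-role caller out of the API.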