Tags: azure-ad-b2c, azure-api-management, azure-api-apps, identity-experience-framework

Where should I perform (groups/roles equivalent) in B2C with OIDC and OAuth / API access?


I'm looking at the B2C API demos, and API documentation and I'm unable to determine the preferred method for managing authorization.

Azure AD supports assigning AD Users/Groups to apps, and also roles. Seemingly B2C doesn't support this. (I experimented by using AAD tasks against a B2C tenant. Hopefully I did it correctly)

Given that a singular B2C tenant will offer web sign in, and most likely API access as well, what is the benefit of creating more than one scope as exhibited in the TodoList:TodoListScope?

  • Can I conditionally add additional scopes? Using B2C or store it in the graph/application somewhere?

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C

  • Or more abstractly, how should I perform authorization to the many different APIs (and apps) when an id_token is exchanged for an access_token?

Perhaps API Management will give me ideas on how to perform RBAC or other permissioning. Added them as a tag as well
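Whatever the source of the authorization data (scopes, or groups looked up elsewhere), the API itself must enforce it per operation once the access token has been validated. The following is an added illustration, not code from the question or the linked Azure sample: a fail-closed, scope-based policy check over the decoded claims of an access token. Azure AD / B2C access tokens carry delegated permissions in the space-separated `scp` claim; the route table, scope names and sample claims are constructed for the example, and signature/issuer validation is assumed to have happened upstream.

```python
"""Scope-based authorization for an API protected by Azure AD B2C access tokens.

Added example (not from the question or the linked sample). Operates on the
already-validated, decoded claims of an access token. Delegated permissions in
Azure AD / B2C access tokens live in the space-delimited `scp` claim.
"""
from dataclasses import dataclass

# Constructed policy: for each (method, path), the set of scopes of which ANY ONE
# suffices. The linked sample uses a single TodoList scope; splitting read from
# read/write is the finer-grained separation the question asks about.
REQUIRED_SCOPES = {
    ("GET", "/api/todolist"): {"TodoList.Read", "TodoList.ReadWrite"},
    ("POST", "/api/todolist"): {"TodoList.ReadWrite"},
    ("DELETE", "/api/todolist"): {"TodoList.ReadWrite"},
}

# Constructed sample claims, as a token validator would hand them to the API.
SAMPLE_CLAIMS = {
    "iss": "https://<tenant>.b2clogin.com/<placeholder>/v2.0/",  # placeholder
    "sub": "constructed-user-object-id",
    "scp": "TodoList.Read",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def granted_scopes(claims):
    """Return the scopes granted in `scp`; a missing or malformed claim grants nothing."""
    scp = claims.get("scp", "")
    if not isinstance(scp, str):
        return set()
    return {s for s in scp.split(" ") if s}


def authorize(claims, method, path):
    """Decide whether the token's claims permit `method path`.

    Fail closed: routes with no policy entry and tokens lacking every
    acceptable scope are denied, and the reason is returned for logging.
    """
    required = REQUIRED_SCOPES.get((method.upper(), path))
    if required is None:
        return Decision(False, "no policy for route")
    held = granted_scopes(claims)
    if not (held & required):
        return Decision(False, f"requires one of {sorted(required)}, token has {sorted(held)}")
    return Decision(True, "ok")


if __name__ == "__main__":
    for m, p in [("GET", "/api/todolist"), ("POST", "/api/todolist"), ("GET", "/api/other")]:
        d = authorize(SAMPLE_CLAIMS, m, p)
        print(f"{m} {p}: {'allow' if d.allowed else 'deny'} ({d.reason})")
```

The same shape works if group or role information is later injected as a claim: the policy table maps operations to acceptable claim values, and the check stays fail-closed for any route or token it does not recognize.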


Solution

  • There is an RBAC Github sample here that requires you to use work accounts which are called "B2C Users" in the portal below.

    Users created this way can be added to groups located within Azure Active Directory (by script). Testing still in progress.