How can I federate Azure AD B2C to Azure AD to protect an API?

Question

I have the need to incorporate Azure AD B2C into an web app that is already working with Azure AD. I found the poor Microsoft documentation an says that i have to federate Azure Ad B2C to Azure AD (https://learn.microsoft.com/en-us/azure/active-directory-b2c/faq?tabs=app-reg-ga). next I found this article that tries to explain the process https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-azure-ad-via-the-b2c-custom-identity-provider-42fbc2832e32 but sadly it´s not clear enough.

If I create 2 different tenants which one should I use to protect my .Net 5 API and which one should I use to authenticate my web Angular 11 App?

Answer 1

You have two options

1. User AAD B2C to federate to AAD using OIDC. Your apps will trust AAD B2C. You need to change the metadata URLs in the APIs to trust B2C tokens.
2. Have your application and APIs trust both tokens, and through the app allow users to login via AAD B2C or AAD accounts.

I would recommend option 1. https://learn.microsoft.com/en-us/azure/active-directory-b2c/code-samples#web-apps-and-apis