I have a client web application and a web API application registered in the "AADirectory1" App registrations. In order to use the web API from the client I did:
- Exposed the API in the WEB API App registration
- Added API permissions related to my WEB API for the client application
- Configured the app service for my web client (App Services -> Authentication / Authorization -> Azure Active Directory, and filled in the Client ID and the issuer URL as https://sts.windows.net/)
Now I have WEB API2, which is in AADirectory2. I don't want to create a new application registration in AADirectory2 for the web client application. Instead, I want to use the current web client app (which is in AADirectory1). The problem is that I don't know how to set up my web client to be able to call both webapi1 (AADirectory1) and web api2 (AADirectory2) from the web client's active directory (AADirectory1).
API 2 needs to be made into a multi-tenant app first.
Then you would go through authentication to the API with a URL like:
I'm typing this on mobile, hoping I didn't miss some parameter. After you do that and consent, a service principal for API 2 will be created in directory 1. Then you can require and consent to permissions on the client as normal.
Now, the API needs to validate that the token was issued by either directory 1 or directory 2. Do not turn off issuer validation as you might typically in a multi-tenant API. Instead, define two valid issuers.
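The last point of the answer, issuer validation pinned to exactly two tenants rather than switched off, as an added example that is not the answerer's code and not from any Microsoft library. To keep it runnable offline it mints and verifies demo tokens with an HS256 shared secret (real Azure AD v1 access tokens are RS256-signed, the keys come from the tenant's OpenID discovery document, and the claim shape here is only modelled on them); the tenant GUIDs, the App ID URI `api://web-api-2`, and the secret are all placeholders. `validate_token` with `valid_issuers=None` stands in for "issuer validation turned off" to show what that accepts.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder tenant IDs: directory 1 (where the client lives) and
# directory 2 (where API 2 was registered as a multi-tenant app).
DIRECTORY_1 = "11111111-1111-1111-1111-111111111111"
DIRECTORY_2 = "22222222-2222-2222-2222-222222222222"
# Assumed App ID URI of Web API 2; the API only accepts tokens minted for it.
API2_APP_ID_URI = "api://web-api-2"
# v1 endpoint issuer format: https://sts.windows.net/{tenant-id}/
VALID_ISSUERS = frozenset(f"https://sts.windows.net/{t}/" for t in (DIRECTORY_1, DIRECTORY_2))
# Demo-only shared secret; production tokens are RS256 and verified with the
# tenant's published signing keys, never a shared secret.
DEMO_SECRET = b"demo-only-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(tenant_id: str, audience: str = API2_APP_ID_URI, ttl: int = 3600) -> str:
    """Build a demo HS256 JWT shaped like an Azure AD v1 access token (constructed, not real)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {
        "iss": f"https://sts.windows.net/{tenant_id}/",
        "tid": tenant_id,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, valid_issuers=VALID_ISSUERS, audience: str = API2_APP_ID_URI) -> dict:
    """Verify signature, algorithm, expiry, audience, and that `iss` is one of the allowed issuers.

    valid_issuers=None models a multi-tenant API that has disabled issuer validation.
    Raises ValueError on any failure; returns the verified claims otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm so a token cannot pick its own (alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    # The check the answer asks for: an explicit allowlist of exactly the two tenants.
    if valid_issuers is not None and claims.get("iss") not in valid_issuers:
        raise ValueError(f"issuer not allowed: {claims.get('iss')!r}")
    return claims


def accepted(token: str, valid_issuers=VALID_ISSUERS) -> bool:
    """True if the API would accept the token under the given issuer policy."""
    try:
        validate_token(token, valid_issuers)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    other_tenant = "33333333-3333-3333-3333-333333333333"
    print("directory 1 token:", accepted(mint_token(DIRECTORY_1)))          # True
    print("directory 2 token:", accepted(mint_token(DIRECTORY_2)))          # True
    print("unknown tenant, allowlist:", accepted(mint_token(other_tenant)))  # False
    print("unknown tenant, validation off:", accepted(mint_token(other_tenant), None))  # True
```

The last two lines are the reason the answer says not to disable issuer validation: with it off, any tenant that can obtain a token for the API's audience is accepted, whereas the two-entry allowlist admits only directory 1 and directory 2. In an ASP.NET Core API the same policy is expressed through `TokenValidationParameters.ValidIssuers`; in this demo it is the `VALID_ISSUERS` set.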