Azure AD B2C - Supporting a daemon app along with B2C clients such as Web page and native mobile app

I have an Azure AD B2C protected ASP.NET 6 WebAPI, and an ASP.NET web site and a native mobile app are using the WebAPI using the authorization code flow (basically I followed https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C). This has been working without any problems.

Now, I need to support calling the WebAPI above from a daemon app. This daemon app will regularly access the WebAPI to trigger maintenance and test type of processing. However, Azure AD B2C does not support a daemon app according to https://docs.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations.

If there is a common approach to work around it, I'd be interested to know. The only workaround I can think of is to create an app registration in Azure AD (rather than Azure AD B2C) and create a separate instance of the WebAPI (publish WebAPI as a different name) that uses the new Azure AD registration. The daemon app can use the new WebAPI instance using the client ID and secret. I verified this works, but creating a separate WebAPI instance is undesirable and I am hoping to avoid it. Thanks!



Solution 1:[1]

I ended up using the ROPC flow on B2C, which can be used as a daemon app.

https://docs.microsoft.com/EN-US/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow

Solution 2:[2]

Yes, client credentials flow is not supported.

The docs do suggest a workaround.

"Although the OAuth 2.0 client credentials grant flow isn't currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token (https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/oauth2/v2.0/token) endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."
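The client credentials request that the quoted documentation describes, as an added example that is not part of the answer or of Microsoft's documentation: a small daemon-side token client that posts to the `/token` endpoint quoted above and caches the result until shortly before expiry. The class name, the `post` and `clock` hooks, and the tenant, client ID and scope values a caller passes in are assumptions for illustration.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Endpoint form quoted in the answer above; the tenant name is filled in by the caller.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token"


def http_post(url, form):
    """Default transport: form-encoded POST over HTTPS, returns the parsed JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # OAuth errors arrive as JSON with a 4xx status


class DaemonTokenClient:
    """Client credentials grant with an in-memory cache (hypothetical helper)."""

    def __init__(self, tenant, client_id, client_secret, scope,
                 post=http_post, clock=time.time, skew=300):
        self.url = TOKEN_URL.format(tenant=tenant)
        self.form = {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,  # load from a vault or env var, never from source
            "scope": scope,                  # app-only requests use "<resource>/.default"
        }
        self.post, self.clock, self.skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._token and self.clock() < self._expires_at - self.skew:
            return self._token
        body = self.post(self.url, self.form)
        if "access_token" not in body:
            # Surface the OAuth error code only; never log the request form.
            raise RuntimeError("token request failed: %s" % body.get("error", "unknown"))
        self._token = body["access_token"]
        self._expires_at = self.clock() + int(body.get("expires_in", 0))
        return self._token
```

The daemon then sends the returned value to the WebAPI as `Authorization: Bearer <token>`.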

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Tom
Solution 2 rbrayb