How to validate Entra External ID access tokens in web API
07:25 01 Feb 2026

I have a scenario where I'm developing a SPA (React) paired with an ASP.NET Core web API. For now, we use AAD B2C for user authentication. Authentication settings (tenant, client ID + secret) are passed to the SPA and are used for configuring the web API. The SPA authenticates the user using MSAL, acquires access tokens and calls the web APIs with these access tokens. The web API validates the access tokens using the Microsoft.Identity.Web AddMicrosoftIdentityWebApi extension and the current authentication settings. Everything works fine.

But now I have a requirement to use Entra External ID instead of AAD B2C. EEID must be in multi-tenant mode, so there will be users invited from external tenants.

I tried to replace B2C with EEID using the same scheme but found out that now the access tokens have an invalid signature.

Turns out EEID responds to the SPA with ID tokens issued by the EEID tenant, but access tokens issued by https://sts.windows.net// with an audience of 00000003-0000-0000-c000-000000000000, which is the MS Graph ID. Research shows it is due to an incorrect scope specified in the access token request.

The problem is I can't find a way to provide a correct scope. Entra ID requires the scopes to be for only one resource (audience), and it is recommended to publish API scopes and use them when requesting an access token, but:

  1. In this case I can't get an access token at all; I get this error: "AADSTS500207: The account type can't be used for the resource you're trying to access." I understand it's because I can't use custom scopes since I have my EEID configured as multi-tenant.

  2. Without custom scopes MSAL silently adds the default MS Graph scopes "openid profile offline_access" to acquireTokenSilent and I'm getting an access token, but I can't validate it against my auth settings as was done with B2C.

What am I doing wrong and how can I solve the issue? What would be the best solution(s) for my scenario? Any help will be greatly appreciated.

asp.net-core msal microsoft-entra-external-id azure-entra-id
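An added client-side diagnostic (not part of the question, MSAL, or Microsoft.Identity.Web) that decodes the access token's claims and reports whether it was minted for the web API or, as described above, for Microsoft Graph, before the SPA sends it. It checks claims only and does not verify the signature; the API App ID URI and tenant issuer URL are hypothetical placeholders.

```javascript
// Inspect an access token's claims before calling the web API, so a token
// minted for Microsoft Graph is caught on the client rather than failing
// signature/audience validation on the server. Claims only; no signature check.

const GRAPH_AUDIENCE = '00000003-0000-0000-c000-000000000000'; // MS Graph app ID (from the question)

// Decode one base64url-encoded JWT segment into a JSON object.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Split a compact JWS into header and payload; the signature is left untouched.
function parseJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]) };
}

// Classify the token against what the web API expects.
// expected = { audience: API app ID or App ID URI, issuer: tenant issuer URL }
function classifyAccessToken(token, expected) {
  const { payload } = parseJwt(token);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const result = { aud: payload.aud, iss: payload.iss };
  if (aud.includes(GRAPH_AUDIENCE)) {
    return { ...result, ok: false, reason: 'graph-token' }; // default Graph scopes were used
  }
  if (!aud.includes(expected.audience)) {
    return { ...result, ok: false, reason: 'wrong-audience' };
  }
  if (payload.iss !== expected.issuer) {
    return { ...result, ok: false, reason: 'wrong-issuer' }; // e.g. sts.windows.net instead of the tenant
  }
  return { ...result, ok: true, reason: 'matches-api' };
}

// Build a constructed sample token (placeholder signature) for a local run.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig-placeholder`;
}

// Hypothetical expected values; substitute the real API App ID URI and tenant issuer.
const EXPECTED = {
  audience: 'api://11111111-2222-3333-4444-555555555555',
  issuer: 'https://contoso.ciamlogin.com/99999999-8888-7777-6666-555555555555/v2.0',
};
```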