I'm building a SPA web app and API on MS Azure. The application needs to authenticate users that aren't part of the organization's Azure AD Directory (and shouldn't be). We are using a B2C directory (tied to the same subscription) for this with local users.
We need to store a file in Azure Blob Storage. We set up the container in the organization's AD Tenant. I want the SPA application to retrieve the file directly from Blob Storage. I tried exposing the Blob Storage permissions in the app registrations which are in the B2C Directory, but it won't allow exposing the permission because the Directory doesn't have a subscription (I did register the B2C Tenant with the organization's subscription).
So my question is: do I need to set this up as a multi-tenant situation between the organization's Directory and the B2C Directory? That is, set up an app registration in the organization's directory, make it multi-tenant, and expose the needed Blob Storage permissions? Or is there a better way to do this?