I want to create three separate environments - dev, qa and prod. I've created three resource groups into each I have a B2C tenant, 2 app services (with Identity turned on), a SQL server, a SQL database and a storage account. Security is through managed identities. i.e. only the API app service identity can access the SQL database and storage accounts.
Everything seems to work except for the B2C tenants. It seems like they are entirely separate Active Directory instances and cannot 'see' the app service managed identities (I want to add the API app service identity to a group in the B2C tenant). All B2C tenants are tied to the same single subscription.
I figure I could create three separate subscriptions and have everything completely separate but that seems like a bigger headache to manage. Is this the only way to get this to work?
AAD B2C tenants are indeed separate cloud directories. When you create a Managed Identity in your subscription, it will be created in AAD (sometimes referred to as AAD B2E or Business-to-Enterprise) tenant, the one that is "linked" to your subscription as an authoritative IdP.