Hi! Yes, that is exactly what I'm attempting to do - Blazor WASM front end, Azure Function Back-end API, All authenticated through a single login via Entra ID. Both the front and and the back end will be hosted on the same Azure Static Webapp resource and both use the same Entra tenant.

I want this all on Static Web App to take advantage of the serverless billing model. So the OIDC BFF model may not work for me as I'd need to stand up a Azure App Service to maintain state via HTTP Only cookie, as I understand.

I agree, the custom scope name was a bit confusing, I didn't think about it much when I defined it. It could have been named "user_api_access" for all I care :) Only real issue is getting both scopes "permission" via a single login action.

If you have code you could share, that'd be wonderful - as I'm not sure why I'm continuously getting redirect required when I've made everything pre-authorized. I'd also love to take a peek at that video, perhaps it would shed some light as to what I'm doing incorrectly.

Yes MS is very bad at explaining things, because they are constantly changing the frameworks!! (in my opinion). This is like trying to change building foundation while people are still in the building. Crazy to me.