Another rather confusing day trying to figure out the right way to authenticate an SPA to access @azure functions against AD (so there are per-app user accounts).

I just discovered that I should be using AD B2C for that, which is like AD, but different?! https://docs.microsoft.com/en-us/azure/active-directory-b2c/