active-directory-dotnet-webapp-roleclaims | NET 4.5 MVC web app that uses Azure AD | Identity Management library

I've succesffully created a web API that's hosted in Azure and secured using AAD bearer token authentication to allow a client application (currently just a test console app I built) to access it.

A requirement has come to light that users of the eventual client application (Sharepoint) will fall into 2 separate groups - access to certain areas of the API will be restricted for one of them.

My boss has stipulated that the API should handle all authentication so I need to swap out the current Azure Active Directory Bearer Authentication middleware and replace it with (I think) Open Id Connect Authentication.

I'm having some difficulty in putting a solution together as I'm not really clear on how/if this will work. I've been looking at the provided sample however I don't see how I can utilize it. In the sample, the users log in to the site directly but in my setup they don't log in to the API, they log in to Sharepoint which then calls out - how can the API use the

I am trying to use RBAC for authorization in Azure Web App. I am following the example as described here. But this article points to Old azure portal. How can I create and assign roles (like 'Full-Time Employee', 'Vendor' etc..) in Azure AD in new Azure Portal?

The graphic pretty much tells the story. This is all single tenant, fwiw.

I have my Web API, which is being accessed by a "swagger" UI (which is really a kind of spa) served up from the same location, as well as an MVC app, which has some traditional MVC controllers interacting with the Web API, as well as some SPA experiences that interact directly with the web api.

From what I've read, in addition to my Web API having an app registration in my AD tenant (which has the roles declared in it's manifest in order to support RBAC), I also need to have a separate app registration for the swagger UI, which is granted permissions to access the Web API.

I'm unsure if my MVC app needs 1 AD Tenant registration, or 2 registrations (1 for MVC, 1 for the SPA served up from MVC)

Main questions..

1. Should my MVC/SPA share the same AD registration, or, they should be separated?

2. Does my Web API registration's manifest need to have "oauth2AllowImplicitFlow": true, or only the swagger and SPA app registrations' manifest need that?

3. My MVC, based on this github sample for SPAs, currently uses this middleware: app.UseWindowsAzureActiveDirectoryBearerAuthentication .. but if my MVC is going to do selective things in it's razor or with it's contoller logic, should I also be using these add'l middlewares UseCookieAuthentication and UseOpenIdConnectAuthentication as shown in this non-SPA web app sample