Scope User.Read.All not works for azure b2c
I am able to get access token using custom scope user_impersonation.
https://{tenant}.b2clogin.com/xxx.onmicrosoft.com/oauth2/v2.0/authorize?
p=B2C_1A_SIGNUP_SIGNIN&
client_id=IdentityExperienceFrameworkAppId&
nonce=defaultNonce&
redirect_uri=xxx&
scope="https://xx.onmicrosoft.com/xx/user_impersonation"&
response_type=token&
prompt=login
If I change it to User.Read.All I'll got error
This+application+does+not+have+sufficient+permissions+against+this+web+resource+to+perform+the+operation
Below my scope settings. I am trying to read users profile to get email.
How to read users profile data?
I added below API permissions to the Azure AD B2C Application:
I generated the access token via Postman by using below parameters:
https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token
client_id:ClientID
scope:https://b2caadtenant.onmicrosoft.com/xxx/user_impersonation
grant_type:authorization_code
redirect_uri:https://jwt.ms
code:code
client_secret:ClientSecret
When I tried to fetch user's details using the access token, I got the similar error like below:
GET https://graph.microsoft.com/v1.0/users
The error "This application does not have sufficient permissions against this web resource to perform the operation" usually occurs if the access token doesn't have the sufficient permissions to perform the action.
Note that: To access the user profiles, you need to grant
User.Read.AllMicrosoft Graph API permission not custom scope.
The aud of the access token when decoded must be Microsoft Graph not the ClientID of the Application.
Azure AD B2C supports only offline_access and openid Microsoft Graph delegated API permissions.
- Don't generate tokens for the Microsoft Graph API using user flows or custom policies, these can only be used to obtain tokens for web APIs, not the Microsoft Graph APIs.
- To obtain Microsoft Graph API tokens for Azure AD B2C tenant, use the authentication flow (auth code flow or ROPC flow) that is specific to Azure AD.
I added API permissions like below:
I used the below authorize endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Generated the access token:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
scope: https://graph.microsoft.com/.default
I am able to fetch the user's successfully like below:
https://graph.microsoft.com/v1.0/users?$select=userPrincipalName
Reference:
Graph API and B2C - Microsoft Q&A by CarlZhao-MSFT
- Confused on how to get access tokens from B2C in Blazor App
- Using different layout for unauthenticated users in Blazor WASM
- Add claims into token Azure B2C
- I am getting an error that OAuth2 Code has already been redeemed
- Azure B2C modify SAML AccessTokenLifetime
- Cannot create Azure B2C Tenant
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- Azure B2C user flow without an email
- Azure B2C Custom Policy - REST Call with Bearer Token from OIDC Step
- how to limit code verification email Spaming in Azure B2C
- Local user accounts not created properly in Azure AD B2C
- How do add device management to TOTP custom B2C policy?
- Server error occured while using B2C on Azure API Management Develop portal
- Changing Default Email Address in Azure AD B2C User Flows Without Custom Policies
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- AADB2C90068: The provided application with ID is not valid against this service. Please use an application created via the B2C portal and try again
- Azure B2c error 'Unable to validate the information provided.' when using custom attributes
- Azure B2C multi-tenant Microsoft Entra ID doesn't allow sign in as another Microsoft account
- In Azure AD B2C who provides the ID token?
- Azure: Use App Gateway for Custom B2C Domain instead of Front Door
- How to add UAE Pass as identity provider to Azure AD B2C
- Configuration in Azure AD B2C for Custom Policies
- Azure B2C - Password Rules Not Reflecting (Signup + Password Reset)
- Need help getting Azure AD B2C SSO with Azure AD
- Azure B2C - confusing expiring fields in refresh token
- Azure Static Web App - Only Allow Authenticated Users (Entra, B2C)
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- How do I programmatically clear or update a phone number for Azure AD B2C MFA?
- B2C - How to override sign up now link (custom policy)
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed