Scope User.Read.All not works for azure b2c
I am able to get access token using custom scope user_impersonation.
https://{tenant}.b2clogin.com/xxx.onmicrosoft.com/oauth2/v2.0/authorize?
p=B2C_1A_SIGNUP_SIGNIN&
client_id=IdentityExperienceFrameworkAppId&
nonce=defaultNonce&
redirect_uri=xxx&
scope="https://xx.onmicrosoft.com/xx/user_impersonation"&
response_type=token&
prompt=login
If I change it to User.Read.All I'll got error
This+application+does+not+have+sufficient+permissions+against+this+web+resource+to+perform+the+operation
Below my scope settings. I am trying to read users profile to get email.
How to read users profile data?
I added below API permissions to the Azure AD B2C Application:
I generated the access token via Postman by using below parameters:
https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token
client_id:ClientID
scope:https://b2caadtenant.onmicrosoft.com/xxx/user_impersonation
grant_type:authorization_code
redirect_uri:https://jwt.ms
code:code
client_secret:ClientSecret
When I tried to fetch user's details using the access token, I got the similar error like below:
GET https://graph.microsoft.com/v1.0/users
The error "This application does not have sufficient permissions against this web resource to perform the operation" usually occurs if the access token doesn't have the sufficient permissions to perform the action.
Note that: To access the user profiles, you need to grant
User.Read.AllMicrosoft Graph API permission not custom scope.
The aud of the access token when decoded must be Microsoft Graph not the ClientID of the Application.
Azure AD B2C supports only offline_access and openid Microsoft Graph delegated API permissions.
- Don't generate tokens for the Microsoft Graph API using user flows or custom policies, these can only be used to obtain tokens for web APIs, not the Microsoft Graph APIs.
- To obtain Microsoft Graph API tokens for Azure AD B2C tenant, use the authentication flow (auth code flow or ROPC flow) that is specific to Azure AD.
I added API permissions like below:
I used the below authorize endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Generated the access token:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
scope: https://graph.microsoft.com/.default
I am able to fetch the user's successfully like below:
https://graph.microsoft.com/v1.0/users?$select=userPrincipalName
Reference:
Graph API and B2C - Microsoft Q&A by CarlZhao-MSFT
- Use managed identity of the web app to manage b2c using graph api
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- no email in claim when logging on via Entra ID
- Azure B2C App Always Redirects to <domain>/MicrosoftIdentity/Account/Error
- How to Implement Direct Username and Password Login with Azure AD B2C in Flutter without Using Microsoft's UI?
- How to properly restrict access to an azur eweb application?
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- I am not able to import the powershell module Microsoft.Graph.Entra.Beta
- B2C Custom Policy: Error changing localAccountPasswordReset Content selfAsserted policy version beyond 1.1.0
- Non Verified Domain as IdntifierUri for Azure B2C IEF Application
- B2C authentication not returning access_token
- How to disable authentication during the start up of an ASP.NET Core 5 Blazor B2C application?
- Email address empty when trying to read it out at the back end
- Creating a user in Azure AD B2C through Microsoft SSO
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Error trying to add JavaScript to Azure B2C Local Signup Page
- Claim groups is not supported in Azure Active Directory Provider
- Getting access token in Blazor WASM Standalone
- Azure AD B2C password expiration
- Creating authentication flow in .NET MAUI app for Azure AD B2C
- Limit Azure Active Directory Registrations
- Custom policy to send OTP code via sendgrid gives exception about otpToVerify not being found but required
- AzureAd .NET - React running on same domain
- Azure B2C: MFA With Email. Field Blank
- How to troubleshoot RESTful endpoint response in custom policy?
- Azure AD B2C - Can I host custom UI pages on private server?
- Microsoft: Unable to resolve Configuration with the provided Issuer
- Getting Redirect URI Mismatch error in Azure AD b2C
- Trigger azure function on user registration in b2c
- Azure AD B2C IEF custom sign-up policy grab query parameters