microsoft-graph-api microsoft-entra-id

How to get the user flow ID from Microsoft Entra ID?


I am trying to disable the sign-up flow from my user flow. Apparently, this needs to be done by Graph API as described here.

I am stuck trying to retrieve the user flow ID. I get the following error:

{
  "error": {
    "code": "AADB2C",
    "message": "The application does not have any of the required application permissions (Policy.ReadWrite.AuthenticationFlows, EventListener.Read.All, EventListener.ReadWrite.All, Application.Read.All, Application.ReadWrite.All) to access the resource. "
  }
}

First, I make a request to get an access token.

POST https://{{domain}}.ciamlogin.com/{{tenantId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com:443
Content-Type: application/x-www-form-urlencoded

client_id={{clientId}}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={{clientSecrect}}
&grant_type=client_credentials

Second, I make a request to get the user flow ID.

GET https://graph.microsoft.com/beta/identity/authenticationEventsFlows HTTP/1.1
Accept: application/json
Authorization: Bearer {{accessToken}}

I get the permission error described above. But I can see that my application has the permission added.


Solution

  • Here are the steps to (1) get the access token, (2) get the user flow id and (3) disable the sign up flow.

    1. Get Access Token: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#first-case-access-token-request-with-a-shared-secret

      POST https://{{domain}}.ciamlogin.com/{{tenantId}}/oauth2/v2.0/token HTTP/1.1
      Host: login.microsoftonline.com:443
      Content-Type: application/x-www-form-urlencoded
      
      client_id={{clientId}}
      &scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
      &client_secret={{clientSecrect}}
      &grant_type=client_credentials
      
    2. Get User Flow ID: https://learn.microsoft.com/en-us/answers/questions/1611622/external-identity-user-flows-disabling-sign-up-in

      GET https://graph.microsoft.com/beta/identity/authenticationEventsFlows HTTP/1.1
      Accept: application/json
      Authorization: Bearer {{accessToken}}
      
    3. Disable sign up flow: https://learn.microsoft.com/en-us/answers/questions/1611622/external-identity-user-flows-disabling-sign-up-in

      PATCH https://graph.microsoft.com/beta/identity/authenticationEventsFlows/{{userFlowId}} HTTP/1.1
      Content-Type: application/json
      Accept: application/json
      Authorization: Bearer {{accessToken}}
      
      {
          "@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
          "onInteractiveAuthFlowStart": 
          {
              "@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
              "isSignUpAllowed": false
          }
      }
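
In a client-credentials token, the application permissions that were actually granted appear in the `roles` claim, so decoding the token from step 1 shows whether the Graph call in step 2 can pass the permission check quoted in the error. The following is an added example, not part of the original question or answer; the function names, the sample tokens and the tenant placeholder are constructed for illustration, and the signature is not verified because this is a diagnostic only.

```python
import base64
import json

# Application permissions named in the error message on this page (any one suffices).
REQUIRED_ANY = {
    "Policy.ReadWrite.AuthenticationFlows", "EventListener.Read.All",
    "EventListener.ReadWrite.All", "Application.Read.All", "Application.ReadWrite.All",
}
# Microsoft Graph as it appears in the "aud" claim (resource URI or Graph app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose_token(access_token: str) -> dict:
    """Inspect an app-only token's claims. Diagnostic only: signature NOT verified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = _b64url_json(parts[1])
    roles = set(claims.get("roles", []))
    return {
        "audience_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "tenant": claims.get("tid"),
        "granted": sorted(roles & REQUIRED_ANY),
        "would_pass_permission_check": bool(roles & REQUIRED_ANY),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below (not a real token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


# Constructed samples: one token with no roles claim, one carrying a required role.
NO_ROLES = make_sample_token({"aud": "https://graph.microsoft.com", "tid": "TENANT-ID-PLACEHOLDER"})
WITH_ROLE = make_sample_token({"aud": "https://graph.microsoft.com", "tid": "TENANT-ID-PLACEHOLDER",
                               "roles": ["Policy.ReadWrite.AuthenticationFlows"]})

if __name__ == "__main__":
    for name, tok in (("no roles", NO_ROLES), ("with role", WITH_ROLE)):
        print(name, diagnose_token(tok))
```

Pass the `access_token` value from the step 1 response to `diagnose_token`; an empty `granted` list means the token does not carry any of the permissions the error asks for, whatever the portal shows.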