How to get the user flow ID from Azure Entra ID?
I am trying to disable sign-up flow from my user flow. Apparently, this need to be done by Graph API as described here.
I am stuck trying to retrieve the user flow ID. I get the following error:
{
"error": {
"code": "AADB2C",
"message": "The application does not have any of the required application permissions (Policy.ReadWrite.AuthenticationFlows, EventListener.Read.All, EventListener.ReadWrite.All, Application.Read.All, Application.ReadWrite.All) to access the resource. "
}
}
First, I make a request to get an access token.
POST https://{{domain}}.ciamlogin.com/{{tenantId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com:443
Content-Type: application/x-www-form-urlencoded
client_id={{clientId}}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={{clientSecrect}}
&grant_type=client_credentials
Second, I make a request to get the user flow ID.
GET https://graph.microsoft.com/beta/identity/authenticationEventsFlows HTTP/1.1
Accept: application/json
Authorization: Bearer {{accessToken}}
I get the described permission error above. But I can see that my application has the permission added.
Solution
Here are the steps to (1) get the access token, (2) get the user flow id and (3) disable the sign up flow.
### 1. Get Access Token: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#first-case-access-token-request-with-a-shared-secret
POST https://{{domain}}.ciamlogin.com/{{tenantId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com:443
Content-Type: application/x-www-form-urlencoded
client_id={{clientId}}
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret={{clientSecrect}}
&grant_type=client_credentials
### 2. Get User Flow ID: https://learn.microsoft.com/en-us/answers/questions/1611622/external-identity-user-flows-disabling-sign-up-in
GET https://graph.microsoft.com/beta/identity/authenticationEventsFlows HTTP/1.1
Accept: application/json
Authorization: Bearer {{accessToken}}
### 3. Disable sign up flow: https://learn.microsoft.com/en-us/answers/questions/1611622/external-identity-user-flows-disabling-sign-up-in
PATCH https://graph.microsoft.com/beta/identity/authenticationEventsFlows/{{userFlowId}} HTTP/1.1
Content-Type: application/json
Accept: application/json
Authorization: Bearer {{accessToken}}
{
"@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
"onInteractiveAuthFlowStart":
{
"@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
"isSignUpAllowed": false
}
}
- Use delegated permissions with Client App Registration
- Authorized Client Applications not working with azure-cli
- External Identities - Customize Verification Code mail on signup
- MSGraph Query Not returning group info
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- How can I filter via Get-MgAuditLogDirectoryAudit (through the Microsoft Entra Audit Logs) for a specific IP address?
- Expose api on an app registration using a script
- Entra ID OIDC Failed Auth Attempt Logs
- Get a refresh token of an SPA application using Microsoft Entra(Azure AD)
- How to get the user flow ID from Azure Entra ID?
- How to create an only invitation user flow in Entra External ID
- How to implement user authentication in Blazor Server with Entra External ID?
- Automation Account Script to delete Stale Devices
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Microsoft Entra ID Oauth2 Client Credentials and Group claims
- Microsoft Azure: How to get the Auth Token after SAML authentication on a enterprise application
- Entra ID - Adding actor claim to the token via client credential flow
- SCIM / Entra ID Provisioning: How to remove user attributes in the target system?
- How to access an API with an Azure identity provider from a Python notebook?
- Active Directory Groups on QuestDB
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- generating common access token for MS graph api and custom api
- How to Listen for MSAL Access Token Expiration
- How can I make a powershell script work in an Azure function with PowerShell 5 and module AzureADPreview?
- Enforce MFA on MS Entra only for specific users
- Calling an ASP.NET Core Web API integrated to EntraId app from another .NET Core console app integrated to EntraId app fails
- Permission based access control using Entra ID with ASP.NET core
- How to assign Entra user User.Read.All and Group.Read.All from Graph Explorer
- Blazor Server: MsalUiRequiredException: No account or login hint was passed to the AcquireTokenSilent call
- How can I force trigger MFA, when logging into Azure?