Azure Active Directory B2C - Query Graph - Insufficient Privileges

0
votes

So I'm trying to connect an mvc app to AAD B2C, and retrieve the current users groups, so I can add them to their roles. Unfortunately, I am unable to successfully query the graph.

Insufficient privileges error when trying to access Azure Graph APIs

The link above is essentially the situation I'm in, save that I'm connecting to a B2C directory. As near as I can tell, I don't have a way to specify privileges as that questions answer suggested. There is a section for 'Keys' but the keys it generates are really quite different than the keys that regular AD apps generate.

When I do try to use the key, I just get the insufficient privileges error.

I also tried locating my app in the main, regular AD, and adding keys and ALL permissions, but I also got the same error (and there doesn't appear to be any way that I can see to determine if I even got closer)

To add to the confusion, there are different ways to get to the registered "applications" in the Azure portal. I can go in through the B2C settings, or through the regular AD settings. In the B2C side of things, I can generate keys (but as I said, they're quite different from the keys generated on the AD side), but I cannot do annything with Privileges... no option exists. on the AD side, I actually see two apps for my 1 B2C app... it looks like there's one which has the same ID as the B2C app (but using that key and privileges does nothing), and theres another, which also doesn't appear to have any useful qualities that I've figured out.

I'm out of ideas. What else can I try?

edit

I've done some more experimenting, and found that if I use an incorrect ID or Secret, I get appropriate error messages. So, by this I assume that I am "Authenticating" correctly. The problem seems to be that, as the error message indicates, my Key does not have sufficient permissions.

To that end, I've added every single available permission under both "Windows Azure Active Directory" and "Microsoft Graph" ... No improvement, I still fail to have the required privileges. I guess I'll add ALL the available permissions, and see if that seems to help any.

-- Nope, there are NO remmaining privileges to add, but I still get the insufficient Privileges error message.

Additionally, making the login-user an AD administrator, doesn't make any difference.

1
asp.net-mvcazureazure-ad-b2c

1 Answers

0
votes

You're likely missing a so called admin consent in your flow. Basically, its not enough to grant permissions (those which are marked "Requires admin") using the portal, but also a user with admin rights should consent that grant. The tricky thing is that this consent isn't shown automatically when an admin user signs in (like it happens with regular user consent). You have to add a prompt=admin_consent parameter to the url of the page where you enter credentials, press enter, and then login. In this case you will see the admin consent, asking if you want to grant the permissions. You can read more about admin consent here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent.

I also discuss this problem here: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console/issues/38#issuecomment-264664883