0
votes

I have started with https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIdConnect-DotNet as the base.

Created a sign-in profile in Azure B2C preview.

Sign-in flows work wonderfully with MFA; I used custom pages with the help of https://github.com/azureadquickstarts/b2c-azureblobstorage-client/.

CSS and styling work. However, I realized that the sign-up form will be less onerous with JavaScript autocomplete.

B2C, due to security issues, had prohibited JavaScript.

So I filled email/password with B2C flows and then decided to redirect it to my own page within an MVC route of my original project. This one uses https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web/blob/master/WebAppGraphAPI/Controllers/UsersController.cs as an inspiration for Graph API.

I am able to successfully get a token via

adClient = new ActiveDirectoryClient( serviceRoot, async () => await GetAppTokenAsync()); 

However, the following fails with an "Insufficient privileges to complete" exception:

userResult = (User)adClient.Users.GetByObjectId(userObjectID).ExecuteAsync().Result;

I have tried doing the following: https://social.msdn.microsoft.com/Forums/azure/en-US/6dd08794-ab89-4513-91e5-546c97a85adc/graph-client-throwing-insufficient-privileges-to-complete-the-operation-on-creating-ad-user?forum=WindowsAzureAD as well as trying the PowerShell trick from https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console/issues/27

PowerShell fails with:

C:\Users\Karan\Desktop\dev> $msolcred = Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Users\Karan\Desktop\dev> Connect-MsolService -credential $msolcred
Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.
At line:1 char:1
+ Connect-MsolService -credential $msolcred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : 0x800488D6,Microsoft.Online.Administration.Automation.ConnectMsolService
.....

Also tried the steps mentioned in https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

Also added Graph API permissions "Read / write directory" in B2C AD.

Also ticked more options in Windows Azure Active Directory.

As well as ticked them in the old portal.

Clicked on "Grant Permissions" too.

1
Did you click on the "Grant Permissions" button as well? - Saca
Yes, I just did. Still running into the same error: "Insufficient privileges to complete the operation." - Karan Bhandari
It takes a bit (I want to say 1 hour max?) for that to take effect. If it still doesn't work, can you copy your access token into jwt.calebb.net and put a screenshot of the output? I'd like to confirm if you are not getting the scopes you requested. - Saca
Attached decoded JWT. - Karan Bhandari
After four days' wait, the permissions still have not percolated. - Karan Bhandari

1 Answer

0
votes

This has been resolved. I had to create a new application. It was clearly written "Do not modify" against my B2C generated application - and I was modifying permissions for that. So I added a new application and granted that read and write directory. My mistake.

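Added example (not part of the original posts or of the Azure samples): the token check suggested in the comments, done locally instead of on a third-party site, reporting which application the token was issued to (`appid`) and whether the directory permission is present. The role value `Directory.ReadWrite.All`, the helper names and the sample GUIDs are assumptions constructed for illustration.

```python
import base64
import json

# Assumption: role value behind the portal's "Read / write directory" permission.
REQUIRED_ROLE = "Directory.ReadWrite.All"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload locally. No signature check: diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, expected_appid: str, required_role: str = REQUIRED_ROLE) -> list:
    """Return a list of findings; an empty list means the token looks right."""
    claims = decode_claims(token)
    findings = []
    # 'appid' names the application registration the token was issued to.
    if claims.get("appid") != expected_appid:
        findings.append(f"token issued to appid {claims.get('appid')!r}, expected {expected_appid!r}")
    # App-only tokens carry application permissions in 'roles' (a list);
    # delegated tokens carry them in 'scp' (a space-separated string).
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    if required_role not in granted:
        findings.append(f"{required_role} missing; granted: {sorted(granted)}")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"


if __name__ == "__main__":
    # Constructed sample: app-only token with no directory role granted,
    # issued to a different application than the one whose permissions were edited.
    sample = make_sample_token({"aud": "https://graph.windows.net",
                                "appid": "00000000-0000-0000-0000-000000000001"})
    for finding in check_token(sample, "00000000-0000-0000-0000-000000000002"):
        print(finding)
```

An `appid` mismatch means permissions were granted on one application registration while the code authenticates as another, which is the situation the answer describes.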