2
votes

I want to query application roles and group claims from Azure Active Directory in my Angular 5 Web App. I want to give admins special permissions / access to pages. I have registered a B2C App in Azure and a Microsoft App at https://apps.dev.microsoft.com and have tried querying data via Microsoft Graph with MSAL.js.

I used the Application ID from my B2C Web App as the clientID, acquired a token, and called the endpoint "https://graph.microsoft.com/v1.0/users". The data returns as an array with one user with my information. When I query the groups I get an empty array. My app right now has multiple test users, and a few groups.

It seems I am pulling data unrelated to my app in Azure. Am I querying the right source of data? Do I need to set other permissions or scopes?

I found a post that has useful info about group claims. I've tried applying it to my Angular App, but the .NET libraries seem more fleshed out than Angular's.

More information: It wasn't helpful, but I played around with registering an Active Directory App, created two APIs (Microsoft Graph and Windows Azure Active Directory) and set required permissions for both. I tried to use that app's Application ID in MSAL.js with the Azure Graph API endpoint "https://graph.windows.net", which was unsuccessful. I have played around with the Graph Explorer but the most I was able to query was that one user.

I'm afraid that you cannot use Microsoft Graph to achieve that for now. You'd better use the Azure AD Graph API. – Wayne Yang

So I switched my endpoint to use the Azure AD Graph: graph.windows.net/myorganization/users?api-version=1.6. I retrieve a token first with MSAL.js (I have verified that a value is populating) and then try to fetch the resource, but I get an error with "code": "Authentication_MissingOrMalformed". I have tried a bunch of permutations. Any recommendations? – afriedman111

See this answer from Chris Padgett. – spottedmahn

Actually I wrote a more in-depth answer that can hopefully help others. – afriedman111

1 Answer

1 vote

I re-read this article about the Azure AD Graph API and noticed that in order to query the Graph, you need to use a user id that is local to your tenant’s domain and is an admin. When I created and used my tenant’s admin (from that domain), all of the queries worked. Also I needed the Directory.Read scope. I wrote in more detail about this and a few other roadblocks I came upon here.
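As an added example (not code from the question or the answer), here is a small pre-flight check that inspects the access token MSAL.js handed back before it is sent to Azure AD Graph, flagging the conditions the answer describes: wrong audience, missing Directory.Read scope, or a signed-in user whose UPN is not in the tenant's own domain. It assumes Node.js for Buffer; the tokens it builds are constructed, unsigned and for illustration only.

```javascript
// Added example: sanity-check the claims of a token before calling Azure AD Graph.
// NOTE: this decodes without verifying the signature. It is a client-side diagnostic
// only; authorization is always decided by the API, never by this check.

const AAD_GRAPH_RESOURCE = 'https://graph.windows.net';
const REQUIRED_SCOPE = 'Directory.Read'; // the scope the answer found necessary

// base64url -> UTF-8 string (Node's base64 decoder tolerates missing padding)
function fromBase64Url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Return the JWT payload as an object; throws if the token is not a compact JWS.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(fromBase64Url(parts[1]));
}

// Return a list of reasons Azure AD Graph is likely to reject this token.
// An empty list means the audience, scope, user domain and expiry look right.
function checkAadGraphToken(token, tenantDomain) {
  const c = decodeJwtPayload(token);
  const problems = [];
  if (c.aud !== AAD_GRAPH_RESOURCE) problems.push(`aud is ${c.aud}, expected ${AAD_GRAPH_RESOURCE}`);
  if (!String(c.scp || '').split(' ').includes(REQUIRED_SCOPE)) problems.push(`scp lacks ${REQUIRED_SCOPE}`);
  // Heuristic for "user local to the tenant domain": UPN must end with that domain.
  if (!c.upn || !c.upn.toLowerCase().endsWith('@' + tenantDomain.toLowerCase())) {
    problems.push('signed-in user is not local to the tenant domain');
  }
  if (typeof c.exp === 'number' && c.exp * 1000 < Date.now()) problems.push('token expired');
  return problems;
}

// Build the URL and fetch() options for an Azure AD Graph call, e.g. path 'groups'.
function aadGraphRequest(path, token) {
  return {
    url: `${AAD_GRAPH_RESOURCE}/myorganization/${path}?api-version=1.6`,
    options: { headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' } },
  };
}

// Constructed, unsigned sample token (alg "none", empty signature) for offline use only.
function makeFakeToken(claims) {
  const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(claims)}.`;
}
```

Running checkAadGraphToken on a token acquired for graph.microsoft.com with only User.Read reports three problems at once, which is a faster diagnosis than the bare Authentication_MissingOrMalformed error body.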