2
votes

I have a question about accessing the Microsoft Graph API once a user is logged in through Azure AD B2C. I am trying to migrate my app to log in through b2clogin.com instead of login.microsoft.com and mostly it works, except I can no longer call the Microsoft Graph API to get the logged-in user profile.

I have set up Postman as an Application in my B2C tenant and configured the API permissions with https://graph.microsoft.com/User.Read, but when I try to get a token with the https://graph.microsoft.com/User.Read scope I get the following error:

AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation

I am not sure what this error means, but when I look at the sign-ins for the user in the portal I see 3 sign-ins.

The first has a status of Interrupted with a Failure Reason of

The application tried to perform a silent sign in and the user could not be silently signed in. The application needs to start an interactive flow giving users an option to sign in. Contact app owner.

The second one has a status of Interrupted with a Failure Reason of

Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.

The third one has a status of Success.

I have been looking through the documentation for days trying to figure this out.

Am I missing some configuration I need to access the Microsoft Graph API for a B2C user?

1
Aren't you typically supposed to use client credentials flow to call Graph API?
juunas

I am not sure. I have an Angular app and am using msal.js, so I can't use client credentials flow. I set up the Postman app to confirm it wasn't a problem with msal.js. I was calling the 'me' endpoint in the Graph API to get the user profile and picture after login from the Angular app. Everything was working fine until I switched the authority to b2clogin. After that I can't call the Graph API. I am currently working on moving the Graph API call to my API and using client credentials flow. I'm hoping that will fix the issue. I already know I can call my API from the Angular app.
Andrew Alderson

1 Answer

1
votes

The setup you describe is not actually possible. You have created an App Reg in the AAD blade and assigned the MS Graph permissions. Then the error you receive is against the AAD B2C endpoint, not the AAD endpoint your app is made for (since AAD B2C apps cannot be assigned permissions for Graph API). So you have used an AAD app and tried to auth against the B2C endpoint - that won't work properly.

You cannot access MS Graph via a B2C user authenticated against the B2C endpoints.

You can access MS Graph via an AAD user, or an AAD user inside a B2C directory, via the AAD endpoints of an AAD or AAD B2C directory.

In a B2C scenario the normal pattern is to auth the user against B2C endpoints and have your API auth against the AAD endpoints using client credentials to gain access to Graph API and make operations on the user's behalf.
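The backend half of that pattern, as an added example that is not code from the question or the answer: the SPA signs the user in against b2clogin.com, and the API takes the user's object id from the (already validated) B2C token, obtains its own Graph token with the client credentials grant against login.microsoftonline.com, and reads the profile with that. Tenant name, client id, secret, the sample token and the injected HTTP functions are all placeholders; token validation and real HTTP calls are assumed to happen elsewhere.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"


def b2c_user_oid(validated_id_token: str) -> str:
    """Return the `oid` claim of a B2C token the API has ALREADY validated.
    (Signature/issuer checks are assumed done by the API's auth middleware.)"""
    payload = validated_id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["oid"]


def client_credentials_request(tenant: str, client_id: str, client_secret: str):
    """Token request for the API's own identity. Note the AAD authority
    (login.microsoftonline.com, not b2clogin.com) and the .default scope, which
    carries the Graph application permissions consented on the app registration."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
        "grant_type": "client_credentials",
    })
    return url, body


def fetch_profile(validated_id_token, tenant, client_id, client_secret, http_post, http_get):
    """Full flow: oid from the B2C token -> app-only token from AAD -> GET /users/{oid}.
    http_post(url, body) and http_get(url, headers) are injected so this runs offline."""
    oid = b2c_user_oid(validated_id_token)
    url, body = client_credentials_request(tenant, client_id, client_secret)
    app_token = json.loads(http_post(url, body))["access_token"]
    headers = {"Authorization": f"Bearer {app_token}"}
    return json.loads(http_get(f"{GRAPH}/v1.0/users/{oid}", headers))


def _constructed_b2c_token() -> str:
    """Hand-built, unsigned stand-in for a validated B2C id_token (constructed sample)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    claims = {"oid": "11111111-2222-3333-4444-555555555555", "tfp": "B2C_1_signin"}
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Fake transport for a stand-alone run; a real API would use its HTTP client here.
    fake_post = lambda url, body: '{"access_token": "app-token"}'
    fake_get = lambda url, headers: '{"displayName": "Test User", "requested": "' + url + '"}'
    print(fetch_profile(_constructed_b2c_token(), "contoso.onmicrosoft.com",
                        "placeholder-client-id", "placeholder-secret", fake_post, fake_get))
```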