Tags: blazor, azure-ad-b2c, blazor-server-side, azure-ad-msal, microsoft-identity-platform

AzureADB2C GetAccessTokenForUserAsync Error "The scope 'user.read' provided in the request is not supported"


I'm attempting to create a Blazor Application that integrates with the Microsoft Graph API (specifically OneDrive) and uses Azure AD B2C for authentication.

I'm using Microsoft.Identity.Web 0.3.1-preview

The Setup.cs is as follows:

    public void ConfigureServices(IServiceCollection services)
    {
        // Configuration to sign-in users with Azure AD B2C
        services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
            .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "https://graph.microsoft.com/.default" })
            .AddMicrosoftGraph("https://graph.microsoft.com/beta")
            .AddInMemoryTokenCaches();
        ...

The Service then uses ITokenAcquisition to request a token as follows:

    private readonly ITokenAcquisition _tokenAcquisition;
    public MyService(ITokenAcquisition tokenAcquisition, IOptions<WebOptions> webOptionValue,
                     AuthenticationStateProvider authenticationStateProvider)
    {
        _tokenAcquisition = tokenAcquisition; // a constructor cannot await, so the request lives in a method
    }
    public async Task<string> GetGraphTokenAsync()
    {
        string result = await _tokenAcquisition.GetAccessTokenForUserAsync(new string[] { "user.read" });

I'm authenticating using a Microsoft linked account and can see the live.com claim in the AuthenticationStateProvider.

Passing in the basic user.read to GetAccessTokenForUserAsync results in an exception "The scope 'user.read' provided in the request is not supported". I've tried specifying the scope as https://graph.microsoft.com/user.read; however, this just returns null.

Any suggestions would be greatly appreciated.


Solution

  • Tokens that are issued by Azure AD B2C are intended for use by an Azure AD B2C-registered client with an Azure AD B2C-registered resource.

    Microsoft Graph API is not an Azure AD B2C-registered resource so the https://graph.microsoft.com/ scopes aren't supported.

    Alternatively, you might consider passing the access token through, as the idp_access_token claim, from the Microsoft identity provider to your Azure AD B2C-registered client.

    A custom policy is needed for the Microsoft identity provider to pass this through.
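The pass-through the answer describes, as an added custom-policy example that is not part of the answer or the poster's project: the claim type, the identity provider technical profile that captures the provider's token, and the relying party output claim that surfaces it as idp_access_token. The technical profile Id and the extra Graph scope (Files.Read for OneDrive) are assumptions; adjust them to your policy.

```xml
<!-- 1. TrustFrameworkExtensions.xml, inside <BuildingBlocks><ClaimsSchema>:
        a claim that carries the identity provider's access token -->
<ClaimType Id="identityProviderAccessToken">
  <DisplayName>Identity Provider Access Token</DisplayName>
  <DataType>string</DataType>
  <AdminHelpText>Stores the access token of the identity provider.</AdminHelpText>
</ClaimType>

<!-- 2. The Microsoft account technical profile. The Id is the starter-pack name
        and is an assumption; only the elements relevant to the pass-through are shown. -->
<TechnicalProfile Id="MSA-MicrosoftAccount-OpenIdConnect">
  <Metadata>
    <!-- Request, next to the sign-in scopes, the delegated Graph permission the app
         actually needs; Files.Read for OneDrive is an assumption, keep it minimal -->
    <Item Key="scope">openid profile email Files.Read</Item>
  </Metadata>
  <OutputClaims>
    <!-- Capture the provider's access token into the claim defined above -->
    <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="{oauth2:access_token}" />
  </OutputClaims>
</TechnicalProfile>

<!-- 3. Relying party file (for example SignUpOrSignin.xml): emit the claim
        as idp_access_token in the token Azure AD B2C issues to the client -->
<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="identityProviderAccessToken" PartnerClaimType="idp_access_token" />
    </OutputClaims>
  </TechnicalProfile>
</RelyingParty>
```

The provider's access token then travels inside the B2C-issued token as a plain claim, so it is a bearer credential wherever that token is stored or logged and should be handled with the same care as the token itself.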