Azure B2C invalid_grant error when requesting token with app registration created with Graph API
I am setting up applications using the Client Credentials flow in Azure B2C. When I create an application through the Azure Portal, I am able to assign it a secret and API permissions, then call the token endpoint to retrieve an access token. However, when I create an app via the Graph API and assign the same permissions and secret, it returns the following error:
{
"error": "invalid_grant",
"error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: a73a0250-9ee7-4cde-9754-715460bc5fe6\r\nTimestamp: 2023-07-18 20:10:01Z\r\n"
}
Both applications have identical manifests besides GUIDs and names being different. I also checked the service principals via the Graph API and they both look the same besides GUIDs and names. Admin consent has been granted to the permissions of both applications through clicking the "Grant admin consent for {tenant}" button in the API permissions pane of the portal. I have found earlier stackoverflow posts stating that applications created by the Graph API are not eligible for B2C integration, but that does not seem to be the case anymore based on the documentation here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations#applications
Below are the steps I took for creating the application via the Graph API:
POST /v1.0/applications HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer {token from graph API application}
Content-Type: application/json
Content-Length: 29
{
"displayName": "test2"
}
This creates an application registration under the All Applications tab in the App Registrations pane of the Azure portal. Here is the manifest for that created app:
{
"id": "{id}",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": null,
"appId": "{appId}",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2023-07-18T19:35:48Z",
"description": null,
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": null,
"identifierUris": [],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "test2",
"notes": null,
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2024-01-14T21:05:11.199Z",
"keyId": "{keyId}",
"startDate": "2023-07-18T20:05:11.199Z",
"value": null,
"createdOn": "2023-07-18T20:05:14.7198454Z",
"hint": "rLR",
"displayName": "clientSecret"
}
],
"preAuthorizedApplications": [],
"publisherDomain": "{tenent}",
"replyUrlsWithType": [],
"requiredResourceAccess": [
{
"resourceAppId": "{API app ID}",
"resourceAccess": [
// records in here for api permissions that match those of the application I create through the portal
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
"type": "Scope"
},
{
"id": "37f7f235-527c-4136-accd-4a02d197296e",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null
}
I have also created the secret through the API via the below endpoint, and in other testing also added that secret through the portal after the app has been registered with the call above. Neither path makes a difference.
POST /v1.0/applications/0a9334c7-6312-4912-86d4-31d8458cf9f6/addPassword HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer {token from Graph API}
Content-Type: application/json
Content-Length: 80
{
"passwordCredential": {
"displayName" : "clientSecret"
}
}
When I make the call to get the token, the application created in the portal works, and the application created by the API returns the invalid_grant error. Here is how I am making that call:
POST /{tenant}.onmicrosoft.com/{custom policy}/oauth2/v2.0/token?client_id={client_id}&grant_type=client_credentials&scope=https://{tenant}.onmicrosoft.com/{application id URI slug}/.default&client_secret={client_secret} HTTP/1.1
Host: devcloud9fx.b2clogin.com
When calling this in postman, the only things I change are the client_id and the secret.
Initially, I registered one application for Web API in my B2C tenant and added Application ID URI:
Now, I defined Web API roles by adding below JSON in appRoles setting of Manifest file:
"appRoles": [
{
"allowedMemberTypes": ["Application"],
"displayName": "Read",
"id": "xxxxxxxx",
"isEnabled": true,
"description": "Readers have the ability to read tasks.",
"value": "app.read"
},
{
"allowedMemberTypes": ["Application"],
"displayName": "Write",
"id": "xxxxxxxxx",
"isEnabled": true,
"description": "Writers have the ability to create tasks.",
"value": "app.write"
}],
I registered one Azure AD B2C application named test1 from Portal and granted access to above Web API roles like this:
When I make call with application created via Portal, I got token successfully:
POST https://srib2caadtenant.b2clogin.com/srib2caadtenant.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token
client_id:appID
client_secret:secret
grant_type:client_credentials
scope: https://srib2caadtenant.onmicrosoft.com/api/.default
Now I tried to achieve the same by creating application from Graph API with below call:
POST https://graph.microsoft.com/v1.0/applications
Authorization: Bearer {token from graph API application}
Content-Type: application/json
{
"displayName": "test2"
}
I ran below call to create client secret for above application:
POST https://graph.microsoft.com/v1.0/applications/appObjectID/addPassword
Authorization: Bearer {token from Graph API}
Content-Type: application/json
{
"passwordCredential": {
"displayName" : "clientSecret"
}
}
When I make call with application created via API, I got same error saying invalid_grant like this:
POST https://srib2caadtenant.b2clogin.com/srib2caadtenant.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token
client_id:appID
client_secret:secret
grant_type:client_credentials
scope: https://srib2caadtenant.onmicrosoft.com/api/.default
When you create an application from Graph API, API permissions won't be added by default:
To add Web API roles in the application via API call, you can make call to below PATCH request:
PATCH https://graph.microsoft.com/v1.0/applications/appObjID/
Authorization: Bearer {token from Graph API}
Content-Type: application/json
{
"requiredResourceAccess": [
{
"resourceAppId": "web API appID",
"resourceAccess": [
{
"id": "xxxxxxx",
"type": "Role"
},
{
"id": "xxxxxxx",
"type": "Role"
}
]
}
]
}
Make sure to grant admin consent to above API permissions:
Note that, it will take up to 5 minutes to reflect changes after granting admin consent to API permissions.
When I make call again after few minutes with application created via API, I got token successfully like below:
POST https://srib2caadtenant.b2clogin.com/srib2caadtenant.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token
client_id:appID
client_secret:secret
grant_type:client_credentials
scope: https://srib2caadtenant.onmicrosoft.com/api/.default
To confirm that, I decoded the above token in jwt.ms website and got below scp claim with Web API permissions:
Reference: Set up OAuth 2.0 client credentials flow - Azure AD B2C | Microsoft
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages
- Adding custom headers to Azure Functions response
- Azure Queue Trigger is hit but not executing the logic inside of it
- az cli not showing redisenterprise keys
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- Azure Devops Server Pipelines: Any way to have a Stage result as "Succeeded" even if a constituent Job reported "SucceededWithIssues"?
- YAML strings including special characters % and & were not printed correctly for Windows environment
- Azure function returns error: No job functions found. Try making your job classes and methods public
- How to view Oldest Query results in Azure Monitor Metrics for an Azure PostgreSQL Flex Server instance
- Authenticate to Azure with certificate from Linux
- What are the minimum Azure permissions required to publish a Power BI report using "App Owns the Data"?
- How to report an Azure Text-to-Speech bug?
- Refresh an Azure search index
- Best way to clean up resources in StatefulService