Search code examples
azure-ad-b2cazure-oauth2

Scope User.Read.All not works for azure b2c


I am able to get access token using custom scope user_impersonation.

https://{tenant}.b2clogin.com/xxx.onmicrosoft.com/oauth2/v2.0/authorize? 
p=B2C_1A_SIGNUP_SIGNIN&
client_id=IdentityExperienceFrameworkAppId&
nonce=defaultNonce&
redirect_uri=xxx&
scope="https://xx.onmicrosoft.com/xx/user_impersonation"&
response_type=token&
prompt=login

If I change it to User.Read.All I'll got error

This+application+does+not+have+sufficient+permissions+against+this+web+resource+to+perform+the+operation

Below my scope settings. I am trying to read users profile to get email.

enter image description here How to read users profile data?


Solution

  • I added below API permissions to the Azure AD B2C Application:

    enter image description here

    I generated the access token via Postman by using below parameters:

    https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token
    
    client_id:ClientID
    scope:https://b2caadtenant.onmicrosoft.com/xxx/user_impersonation
    grant_type:authorization_code
    redirect_uri:https://jwt.ms
    code:code
    client_secret:ClientSecret
    

    enter image description here

    When I tried to fetch user's details using the access token, I got the similar error like below:

    GET https://graph.microsoft.com/v1.0/users
    

    enter image description here

    The error "This application does not have sufficient permissions against this web resource to perform the operation" usually occurs if the access token doesn't have the sufficient permissions to perform the action.

    Note that: To access the user profiles, you need to grant User.Read.All Microsoft Graph API permission not custom scope.

    The aud of the access token when decoded must be Microsoft Graph not the ClientID of the Application.

    Azure AD B2C supports only offline_access and openid Microsoft Graph delegated API permissions.

    • Don't generate tokens for the Microsoft Graph API using user flows or custom policies, these can only be used to obtain tokens for web APIs, not the Microsoft Graph APIs.
    • To obtain Microsoft Graph API tokens for Azure AD B2C tenant, use the authentication flow (auth code flow or ROPC flow) that is specific to Azure AD.

    I added API permissions like below:

    enter image description here

    I used the below authorize endpoint:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
    &client_id=ClientID
    &response_type=code
    &redirect_uri=https://jwt.ms
    &response_mode=query
    &scope=https://graph.microsoft.com/.default
    &state=12345
    

    enter image description here

    Generated the access token:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    scope: https://graph.microsoft.com/.default
    

    enter image description here

    I am able to fetch the user's successfully like below:

    https://graph.microsoft.com/v1.0/users?$select=userPrincipalName
    

    enter image description here

    Reference:

    Graph API and B2C - Microsoft Q&A by CarlZhao-MSFT