We have an SPA where users log in using ADB2C. The SPA uses a backend microservice.
We want to enable users to view/update their 2FA phone methods.
When I try to make a request like `GraphClient.Users[id].Authentication.PhoneMethods.GetAsync()` I get an error that authorization failed.
On the other hand, when I try a request like `GraphClient.Me.Authentication.PhoneMethods.GetAsync()` (where I made an instance of a GraphClient using the JWT token the user got when logging into the SPA), then I get an error that the JWT scopes are not right.
My understanding is that I need to use delegated permissions, but I am not sure what that involves. Is that something to be turned on just once, or does each user have to give consent that the API can access their PhoneMethods?
Checking the documentation, it seems that the endpoint is quite secure and requires UserAuthenticationMethod.Read.All to read the phone methods of other users.
Having only the UserAuthenticationMethod.Read.All permission is not enough. The authenticated user must also have the Microsoft Entra role of either Global Reader or Privileged Authentication Administrator.
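As an added illustration (not the asker's code), this is how the backend microservice would read another user's phone methods with the Microsoft Graph .NET SDK using app-only (client credentials) authentication, assuming an admin has granted the application permission UserAuthenticationMethod.Read.All to the backend app registration; the tenant, client and user ids are placeholders. With a delegated token instead, the signed-in user would additionally need one of the roles named in the answer, and the same `Authorization_RequestDenied` error is what you get when either requirement is missing.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;

// Placeholders: replace with your own tenant / app registration values.
const string tenantId = "<TENANT_ID>";
const string clientId = "<BACKEND_APP_CLIENT_ID>";
const string clientSecret = "<BACKEND_APP_CLIENT_SECRET>";
const string targetUserId = "<USER_OBJECT_ID>";

// App-only token for the backend service. The ".default" scope requests the
// application permissions an admin has already consented to; for this call that
// set must include UserAuthenticationMethod.Read.All.
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var graph = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });

try
{
    var methods = await graph.Users[targetUserId].Authentication.PhoneMethods.GetAsync();
    foreach (var m in methods?.Value ?? new List<PhoneAuthenticationMethod>())
    {
        Console.WriteLine($"{m.PhoneType}: {m.PhoneNumber}");
    }
}
catch (ODataError ex)
{
    // A 403 with code Authorization_RequestDenied is the "authorization failed"
    // case from the question: the token was accepted, but it lacks the permission
    // (or, for delegated tokens, the directory role) this resource requires.
    Console.WriteLine($"Graph returned {ex.ResponseStatusCode}: {ex.Error?.Code} - {ex.Error?.Message}");
}
```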