0

We have application registered in our B2C tenant and we are trying to read user's information after they login in the application using MS Graph SDK.

C#

var me = await graphClient.Me.Request().GetAsync();

Permission

https://graph.microsoft.com/User.Read

We are able to get the access token from login.microsoftonline.com using OAuth 2.0 authorization code flow but not in .b2clogin.com.

Below is the snippet of the code

public async Task<AuthenticationResult> GetUserAccessTokenByAuthorizationCode(string authorizationCode)
    {
        AuthenticationResult aa;
        
        aa = await _app.AcquireTokenByAuthorizationCode(_scopes, authorizationCode).ExecuteAsync();
                  
        return aa;
    }

Below is the result when we get the access token with authorization code from B2C authorization endpoint.

Screenshot where access token is NULL

I found this post(I only quoted some of the comments below from the post)

Mass confusion here. You can definitely do what you are looking to do, except that this is all Azure AD functionality, not Azure AD B2C. So you are not looking to invoke any B2C user flow etc. B2C auths cannot get access to Microsoft APIs, only your own APIs.

AAD tenant - contains only AAD endpoints. It is a single token issuer.

B2C tenant - contains both AAD and B2C token endpoints. There are two token issuers respectively

You cannot use tenantName.b2clogin.com to obtain a token for MS Graph API, based on the above rule set. This means a users B2C authentication cannot be used to authorize to AAD protected apps, or Microsoft APIs.

Based on the comments above, Is it really true that we cannot access the MS Graph from B2C application but we can only access when app is registered in AAD?

I am wondering since login.microsoftonline.com is already deprecated and microsoft advise to use b2clogin instead.

Please share your thoughts. Thank you.

user1805220
  • 61
  • 4
  • I'm pretty sure that you still cannot do that from B2C apps, they need to use client credential flow with an AAD app registration + application permissions. – juunas Aug 12 '20 at 05:53
  • Hello. Does it mean we need to authenticate the user to AAD authorization endpoint and not in B2C authorization endpoint so that we can access MS Graph API? Thanks! – user1805220 Aug 12 '20 at 06:19
  • No, B2C users usually cannot authenticate on the AAD endpoint. Your app back-end would typically use client id + secret/certificate to call MS Graph API as the app, not as the user. – juunas Aug 12 '20 at 06:23
  • You can check instructions here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga – juunas Aug 12 '20 at 06:24
  • My comments are spreading :D yes it’s still true. Use normal AAD flows to achieve your goal. My original comment also explained around deprecation point, it’s not relevant in this scenario either. – Jas Suri - MSFT Aug 12 '20 at 06:44
  • A B2C tenant contains: AAD endpoint: login.microsoftonline.com THIS IS NOT BEING DEPRECATED AAD B2C endpoint: tenantName.b2clogin.com+ B2C policyId parameter – Jas Suri - MSFT Aug 12 '20 at 06:45
  • Hahahha apologies :). In our scenario, we have a custom login policy, thus we need to reach the authorize endpoint: tenant.b2clogin.com/tenant.onmicrosoft.com/b2c_signin_signup/oauth2/v2.0/authorize and receive the authorization code. Then we need to request access token to MS graph but it will not be possible due to the issue mentioned. – user1805220 Aug 12 '20 at 08:40
  • Is it possible in AAD? or do you have references about this? I have been checking this issues for a couple of days already and today I found your comment in other post about this. Thanks! – user1805220 Aug 12 '20 at 08:46

1 Answers1

0

As far as I know, you cannot use the Microsoft Graph API to manage users in the Azure AD B2C directory. For B2C users, you generally use the Azure AD Graph API to perform CRUD operations.

please see: here and here.

Carl Zhao
  • 8,543
  • 2
  • 11
  • 19
  • I am not sure but I get the list(and able to perform crud) of B2C users thru Microsoft Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer Query I run: https://graph.microsoft.com/beta/users but I am not able to get thru our web app. – user1805220 Aug 12 '20 at 12:36