
I have created an App under Azure B2C tenant.

The app is using a custom sign-in/sign-up policy to log in to local users.

However, my app has an admin view, where I would want the log-in users to be able to create accounts for whoever needs access within the app. I have seen that this is possible using Azure Ms Graph API.

However, I keep getting an InvalidAuthenticationToken Error, when I try to call Ms Graph API.

    error:
        code: "InvalidAuthenticationToken"
        innerError: {date: "2021-08-11T14:25:09", request-id: "8a49ae82-a669-4bb4-af6e-b698e095dadc", client-request-id: "8a49ae82-a669-4bb4-af6e-b698e095dadc"}
        message: "Invalid x5t claim."

I couldn't find any solution online. Is this even possible? And if there's a way around it, how can I do it?

Thank you!

  • No, it's not possible. A user's B2C authentication cannot be used to authorize to AAD protected apps, or Microsoft APIs (which are also protected by AAD). As such, when you use MSAL.js, you cannot use the .b2clogin.com/.../token endpoint to obtain a token for MS Graph API. Source: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/working-with-b2c.md – D.K. Ananias Aug 11 '21 at 14:52
  • What can I do to achieve this? – D.K. Ananias Aug 11 '21 at 14:53

1 Answer


It would help if you went into more detail on your use case.

You have a B2C local account and you want to create users in AAD or in B2C?

If in B2C, yes you can do this as per this article.

If in AAD, see here.

Make sure that your application has the correct permissions.

rbrayb
  • Thank you @rbrayb. I have a B2C account, and I want to create users in the B2C account. The local users sign up using user flows. From the article, they stated that **Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph.** – D.K. Ananias Aug 12 '21 at 10:20
  • Agreed but if you look at the B2C article e.g. you see it mentions a secret key. This is because it is not using the authorisation code grant but rather the client credentials grant that operates in the context of the application, not the user. – rbrayb Aug 12 '21 at 20:29
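The client credentials call the answer and comment describe, as an added example (not code from the question or the answer): the app authenticates as itself against login.microsoftonline.com, not the B2C policy endpoint, and creates a local account through Graph. The env-var names, the backend placement and the constructed sample user are assumptions; the app registration needs the User.ReadWrite.All application permission with admin consent, and the secret must stay on the server that the admin view calls.

```javascript
// Added example: create a B2C local account via Microsoft Graph using the
// client credentials grant (app identity, no signed-in user). Node 18+ (global fetch).
// Assumed env vars: B2C_TENANT, B2C_CLIENT_ID, B2C_CLIENT_SECRET, INITIAL_PASSWORD.
const GRAPH = "https://graph.microsoft.com/v1.0";

// Token request for the application itself. The endpoint is login.microsoftonline.com:
// tokens issued by <tenant>.b2clogin.com are rejected by Graph ("Invalid x5t claim").
function buildTokenRequest(tenant, clientId, clientSecret) {
  return {
    url: `https://login.microsoftonline.com/${tenant}.onmicrosoft.com/oauth2/v2.0/token`,
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      scope: "https://graph.microsoft.com/.default",
    }),
  };
}

// Graph payload for a local (email + password) B2C account. The identity issuer is the
// B2C tenant domain; forceChangePasswordNextSignIn makes the admin-set password temporary.
function buildLocalAccountUser(tenant, displayName, email, initialPassword) {
  return {
    displayName,
    identities: [
      { signInType: "emailAddress", issuer: `${tenant}.onmicrosoft.com`, issuerAssignedId: email },
    ],
    passwordProfile: { password: initialPassword, forceChangePasswordNextSignIn: true },
    passwordPolicies: "DisablePasswordExpiration",
  };
}

// Server-side only: obtains an app token and POSTs the user to Graph.
async function createLocalAccount(tenant, clientId, clientSecret, user) {
  const { url, body } = buildTokenRequest(tenant, clientId, clientSecret);
  const tokenRes = await fetch(url, { method: "POST", body });
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  const res = await fetch(`${GRAPH}/users`, {
    method: "POST",
    headers: { Authorization: `Bearer ${access_token}`, "Content-Type": "application/json" },
    body: JSON.stringify(user),
  });
  if (!res.ok) throw new Error(`Graph error ${res.status}: ${await res.text()}`);
  return res.json(); // created user object, including its id
}

// Runs only when configured, so the module loads without network access.
if (process.env.B2C_TENANT) {
  const { B2C_TENANT: t, B2C_CLIENT_ID: id, B2C_CLIENT_SECRET: s, INITIAL_PASSWORD: p } = process.env;
  createLocalAccount(t, id, s, buildLocalAccountUser(t, "Example User", "user@example.com", p))
    .then((u) => console.log("created", u.id), (e) => console.error(e.message));
}
```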