Call Microsoft graph API using Azure B2C - azure

I am trying to access Microsoft Graph API using Access token of b2c login.
Following are the endpoints azure portal showing.
As I feel we must be able to call https://graph.microsoft.com endpoints according to this. Please correct me if I am wrong. Then I generated access token as follows and Tried to call https://graph.microsoft.com/v1.0/me/ using that token.
The result is as follows.
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"date": "2020-08-25T11:58:07",
"request-id": "c6a9ba06-d41e-49f7-ba94-f75478ce89b0"
}
}
}
I have granted API permissions as follows in my application too

This wont work. Use the Azure AD flows in your AAD B2C tenant.
https://learn.microsoft.com/en-us/graph/auth-v2-service

Related

Use MS Graph API and Postman to call Teams, Unsupported AAD Identity

I tried to create a call in Teams trough Microsoft Graph Api. I created a App with the given permissions but when i try to do the POST on: https://graph.microsoft.com/v1.0/communications/calls i get this error:
{
"error": {
"code": "UnknownError",
"message": "{\"errorCode\":\"7500\",\"message\":\"Unsupported AAD Identity.\",\"instanceAnnotations\":[]}",
"innerError": {
"date": "2020-11-11T14:38:43",
"request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c",
"client-request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c"
}
}
}
Token and everything looks good. If I change the token I get another error that this one is wrong.
To be honest my knowledge about Azure etc. is very low.
What Shiva said is right. You may have used a user token to call the API, so an error occurred. The API call currently only supports application tokens. You need to grant application permissions to the application and use the client credential flow to obtain Token.

Azure B2C - Automation - EnableIEFKeySetGraphApis Feature

I am trying to automate deployment of B2C TrustFramework policies and keysets.
For Custom policies, everything works as expected but I am having some problem listing keySets using the Graph API.
I've created a local user with B2C IEF Keyset administrator and B2C IEF Policy administrator roles.
I've created an app registration with these delegated permissions: Policy.ReadWrite.TrustFramework, TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All
Calling the AAD Token endpoint, I am able to get an access_token with the desired scopes for the graph api resource.
I am trying then to call the List KeySets endpoint using the access_token (as bearer token in the authorization hearder)
GET https://graph.microsoft.com/beta/trustFramework/keySets HTTP/1.1
Authorization: Bearer {{my access_token}}
And I am getting this response from the Graph API (403 Forbidden):
```
{
"error": {
"code": "AADB2C",
"message": "Unauthorized. Access to this Api requires feature: 'EnableIEFKeySetGraphApis' for the tenant: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.",
"innerError": {
"correlationId": "4674e4c9-933e-4e70-a26b-ed59e40dc088",
"date": "2019-06-04T08:55:32",
"request-id": "d796beda-62be-46a8-afa2-cf53d29409b5"
}
}
}
```
This tenant was created before Custom Policies went GA (so not sure if it is related) but how do I activate the EnableIEFKeySetGraphApis feature ?
There is a private Preview Sample available in GitHub for Graph API Key Sets.
https://github.com/Azure-Samples/ActiveDirectory-B2C-MSGraph-PolicyAndKeysets
try this and see you able to list your keysets or not.

Azure ad and Azure ad b2c token validation failure

I am using Azure ad B2c development Web app,I want use the graph api (msgraph) to get and set the user's group.So,I create a azure ad b2c service name is B2Ctest,and B2CTest based azure ad service name is Adtest.
I use this api Microsoft Graph Client Library for .NET and used Adtest setting msgraph.
I get the B2Ctest service's user token, and passing the token to msgraph get the user own's group.It's throw a exception.
I catch msgraph post http packet.
address:
https://graph.microsoft.com/v1.0/groups
response:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "e715c5f9-5c2c-40d8-ad09-71c848205d2c",
"date": "2017-10-09T16:10:20"
}
}
}
aad b2c access token
aad access token
I found,that aad b2c access token and aad access token are not the same.

Accessing /me endpoint with azuread v2.0 and personal accounts

I am trying to have access to information in "/me" with Graph API for a personal account using Azure AD v2.0 but I receive the following error. It works with organizational accounts.
{
"error": {
"code": "UnknownError",
"message": "{\"Status\":500,\"Message\":\"All the offeractions povided in the property bag cannot be validated for the token.\\u000d\\u000a\"}",
"innerError": {
"request-id": "39e23062-80ad-4872-86a7-39f5a5d928ce",
"date": "2017-02-23T15:35:06"
}
}
}
I have the permission User.ReadBasic.All
The scope User.ReadBasic.All grant the permission to read the basic profile of all users in the organization on behalf of the signed-in user. This scope is t only supported for the Azure AD Account. If you just want to read the user’s profile for the Microsoft Account, you could use the scope User.Read . Code flow steps below is for your reference :
Get the authorization code :
Get : https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=<client id>&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
Then get the token :
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=<code>&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&client_id=<client id>&client_secret=<client secret>

Azure AD B2C - Using Azure AD Graph API

I am calling the Azure AD Graph API using a local administrator token. I keep getting the following error messages, no matter what endpoint I call.
How do I get access to the Azure AD Graph API?
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
My URL
https://graph.windows.net/>tenant>/users/821d91b8-36e1-4b89-bd3a-4caecc40e4c9/memberOf?api-version=1.6
The Azure Graph API needs a special application registration alongside the application registration that users log in with.
Follow the guide below:
https://azure.microsoft.com/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/

Resources