I have a question about accessing the Microsoft Graph API once a user is logged in through Azure AD B2C. I am trying to migrate my app to log in through b2clogin.com instead of login.microsoft.com, and mostly it works, except I can no longer call the Microsoft Graph API to get the logged-in user's profile.
I have set up Postman as an Application in my B2C tenant and configured the API permissions with https://graph.microsoft.com/User.Read, but when I try to get a token with the https://graph.microsoft.com/User.Read scope I get the following error:
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation
I am not sure what this error means, but when I look at the sign-ins for the user in the portal I see 3 sign-ins.
The first has a status of Interrupted with a Failure Reason of:
The application tried to perform a silent sign in and the user could not be silently signed in. The application needs to start an interactive flow giving users an option to sign in. Contact app owner.
The second one has a status of Interrupted with a Failure Reason of:
Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.
The third one has a status of Success.
I have been looking through the documentation for days trying to figure this out.
Am I missing some configuration I need to access the Microsoft Graph API for a B2C user?
The setup you describe is not actually possible.
You have created an App Reg in the AAD blade and assigned the MS Graph permissions.
Then the error you receive is against the AAD B2C endpoint, not the AAD endpoint your app was made for (since AAD B2C apps cannot be assigned permissions for the Graph API). So you have used an AAD app and tried to auth against the B2C endpoint - that won't work properly.
You cannot access MS Graph via a B2C user authenticated against the B2C endpoints.
You can access MS Graph via an AAD user, or an AAD user inside a B2C directory, via the AAD endpoints of an AAD or AAD B2C directory.
In a B2C scenario the normal pattern is to auth the user against B2C endpoints and have your API auth against the AAD endpoints using client credentials to gain access to the Graph API and make operations on the user's behalf.
Related
I've registered a single application in Azure AD for the following reasons.
Azure AD SSO (From Any Azure AD directory)
Read users, groups, and their members
Provided following permissions and granted admin consent.
NOTE: We still depend on some of the Azure AD Graph API. So, we have added the legacy API permissions.
I am able to contact Azure AD using the REST API and get the user, groups and other information.
When I try to sign in to the application from any other directory, I'm getting the following consent screen. I am able to provide the consent and proceed to log in.
But when I try to log in to the same directory, I'm not getting the consent screen, even when I log in with the Azure AD admin. I am stuck in the following screen.
When I register separate applications for SSO and REST APIs, this issue doesn't occur.
I would like to know why I'm stuck in the above screen when combining both SSO and REST API permissions.
• Please check whether the correct Azure AD roles have been assigned to your account ID, i.e., Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object, as one of these is needed for you to access the application. Also, ensure that you have assigned your account ID the correct app role assignment for the admin consent to be allowed during the SSO signup process, as below:
You can check the app role assignments for your account ID through the Enterprise applications blade: search for your application there, open it, select the Users and groups blade, and check the app role assignment that your account ID has to that application. Also give the 'Azure Service Management' API permission for user_impersonation, as below, thus ensuring that your account ID will have the correct API permissions.
Once the above settings are configured correctly, you should be able to access the application through your admin credentials.
I have a SAML SSO setup made for an Active Directory. I have another tenant which contains an app service, a web app, which tries to authenticate using the SAML connection details.
I'm getting:
AADSTS700016: Application with identifier was not found in the directory . This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Isn't it possible to authenticate with users from an AD for multiple applications from different tenants using SAML SSO?
External users won't be able to log in to a single-tenant application. These users would need to exist in the same tenant.
Make your app multi-tenant, as per rbrayb.
For an application that has its own account system, or supports other kinds of sign-ins from other cloud providers, adding Azure AD sign-in from any tenant is simple. Just register your app, add sign-in code via OAuth2, OpenID Connect, or SAML, and put a "Sign in with Microsoft" button in your application.
Based on the error,
Try Solution 1:
Make use of the Application (client) ID, instead of using any other client ID.
References: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
We are developing an application with a frontend and a backend. The backend should be accessed via a REST API with an OAuth2 token. The authorization provider is Azure AD.
In Azure we created 2 app registrations. One for the API, one for the client app. The API registration defines 3 scopes (Read, Write, Delete). The client app registration has delegated permission for these scopes.
We are requesting tokens with the clientID and clientSecret from the client app registration.
When requesting a token for a certain scope, after login and approval of permission grant prompt, I just get an access denied error. Does my user need any additional permission in Azure AD to grant permission for the requested scope?
As a workaround I could add the client app as an 'Authorized client application' in the API registration for all three scopes. But then all three scopes are always returned in the JWT under 'scp' regardless of the scope I am requesting and the user does not see the permission grant prompt anymore. Not sure if I want this. I would rather understand how to solve the access denied.
It seems that user consents are not allowed in my organization's AD tenant. (Enterprise Applications -> Consent and Permission -> User Consent Settings.)
According to this documentation, I can restrict access to applications on an Azure tenant using enterprise applications.
I tried to set this up on my B2C Tenant but when I test my user flows, I can still log in to those applications and receive an ID token.
Should the restrictions also work on the B2C Tenant or is there a different process required for B2C?
Using B2C user flows, you can't restrict user access. You need to handle this on the application side; alternatively, using a custom policy you can call a REST API in the user journey and validate user restrictions there.
As an enterprise, we would like to use Azure AD B2C and we have internal and external users.
Azure AD helps us manage our Azure users, corporate users and we can even add users with x#.onmicrosoft.com emails.
We wanted to use Azure AD B2C for our consumers, so we have 2 choices to add our users: a local user or an external user (Facebook, Google, etc.).
If the local user belongs to our corporation, it is OK to create the user using the Azure AD B2C portal.
But when we try to create Azure AD B2C users who have other kinds of emails, we need to use our own app which consumes the Graph API (that is the Azure portal restriction).
The issue is that we are having a hard time getting the user's values after login if they are local users with Gmail or x emails.
We are using MSAL to get the related information instead of ADAL.
We have enabled the scopes and also enabled the API Access, but these are the errors we are getting.
Error 1:
acquiring the popup:
AADB2C90055: The scope 'openid email openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'.
Correlation ID: 86d6ff41-1cef-4ba1-9b26-2aa281c92ccd
Timestamp: 2017-09-15 10:22:20Z
Error 2:
invalid_request Error during login:
AADB2C90117: The scope 'user_impersonation' provided in the request is not supported.
Correlation ID: 785c6487-cd7f-4750-a769-deb477cb4ba4
Timestamp: 2017-09-15 10:32:39Z
:invalid_request
Error 3:
Error acquiring the popup:
AADB2C90055: The scope 'email openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'.
Correlation ID: bd714482-8534-473e-94bc-0a4c56da686d
Timestamp: 2017-09-15 10:36:15Z
:invalid_request
Error 1 and Error 3
There is no need to provide the scopes openid profile offline_access when using the MSAL library to interact with Azure AD B2C. The SDK will add these scopes automatically. We only need to provide the custom scope we defined for the web API app registered on the Azure AD B2C blade.
Error 2
The scope user_impersonation is a custom scope defined by the app by default. We should include the App ID URI (https://{myB2CTenant}.onmicrosoft.com/b2capp2) before it, like below:
string[] SCOPES = { "https://{myB2CTenant}.onmicrosoft.com/b2capp2/note_read", "https://{myB2CTenant}.onmicrosoft.com/b2capp2/user_impersonation" };
And AFAIK, Azure AD B2C doesn't support delegating the user to access the Azure AD Graph at present. We need to register an app via Azure Active Directory -> App registrations (not in the Azure AD B2C blade) and access the Microsoft or Azure AD Graph via the client credentials flow. Here is a helpful link on calling the Graph API in Azure AD B2C:
Azure AD B2C: Use the Graph API
If you want the Azure AD B2C app to also support delegating the user to call the Microsoft Graph, you may submit feedback here.
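As an added example (not code from any of the answers above), the two patterns this answer and the first answer describe, in Python: qualifying B2C custom scopes with the web API's App ID URI before handing them to MSAL, and having the backend fetch a Graph token from the AAD endpoint with client credentials. It also decodes the scp claim of a token so you can see which scopes were actually granted; the tenant name, App ID URI and the sample token are placeholders I constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Scopes MSAL adds by itself when talking to B2C; sending them explicitly
# (or alone) triggers AADB2C90055 because they name no resource.
OIDC_SCOPES = {"openid", "profile", "offline_access", "email"}

def b2c_api_scopes(app_id_uri, scopes):
    """Qualify short scope names with the web API's App ID URI, e.g.
    'user_impersonation' -> '<app_id_uri>/user_impersonation'; OIDC scopes
    are dropped because MSAL supplies them on its own."""
    base = app_id_uri.rstrip("/")
    return [s if s.startswith("https://") else f"{base}/{s}"
            for s in scopes if s not in OIDC_SCOPES]

def jwt_scopes(token):
    """Return the space-separated 'scp' claim of a JWT as a set. Inspection
    only: the payload is decoded WITHOUT verifying the signature, so never
    base an authorization decision on this."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())

def graph_token_client_credentials(tenant, client_id, client_secret):
    """Client-credentials token for Microsoft Graph. The authority is the AAD
    endpoint (login.microsoftonline.com) of the directory, NOT b2clogin.com,
    and the app must be registered under Azure AD > App registrations."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(url, body) as resp:  # network call
        return json.load(resp)["access_token"]

def unsigned_sample_jwt(claims):
    """Constructed, unsigned sample token used only to demonstrate jwt_scopes()."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    uri = "https://myB2CTenant.onmicrosoft.com/b2capp2"    # placeholder App ID URI
    print(b2c_api_scopes(uri, ["openid", "note_read", "user_impersonation"]))
    print(jwt_scopes(unsigned_sample_jwt({"scp": "note_read user_impersonation"})))
```

graph_token_client_credentials() only runs when you call it with real tenant credentials; the secret belongs in the backend, never in the MSAL client.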
For me that error meant that I was trying to acquire an accessToken without having a valid idToken.
So make sure you have a valid idToken before calling acquireTokenSilent().