I am using Azure AD B2C to develop a web app. I want to use the Graph API (msgraph) to get and set the user's groups. So I created an Azure AD B2C service named B2Ctest, and B2Ctest is based on the Azure AD service named Adtest.
I use the Microsoft Graph Client Library for .NET and used the Adtest settings for msgraph.
I get the B2Ctest service's user token and pass the token to msgraph to get the user's own groups. It throws an exception.
I captured the msgraph HTTP packet.
address:
https://graph.microsoft.com/v1.0/groups
response:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "e715c5f9-5c2c-40d8-ad09-71c848205d2c",
"date": "2017-10-09T16:10:20"
}
}
}
aad b2c access token
aad access token
I found that the AAD B2C access token and the AAD access token are not the same.
In basic terms, I am trying to get an access token to get Azure Cost Centre Data through the Usage Details API. The problem is that I can't seem to configure my service principal with azure properly. I have:
Created the registered app in Azure Active Directory
added https://www.thunderclient.io/oauth/callback in the redirect URL
generated a client secret
Included the following information in my Generate New Token in Thunder Client:
Request URL:
GET: https://management.azure.com/subscriptions/{subscription-id}/resourceGroupName/{resourceGroupName}/providers/Microsoft.CostManagement/dimensions?api-version=2019-11-01
Grant Type: Authorization Code
Auth Url: https://login.mmicrosoftonline.com/common/oauthorize
Token Url: https://login.microsoft.com/{tenant-id}/oauth2/v2.0/authorize from app registration
callback Url: https://thunderclient.io/oauth/callback
client ID: {{client_id}} from app registration
client secret: {{client_secret}} from app registration
scope: user_impersonation
Status 401 Unauthorized
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
}
Header:
Bearer authorization_uri "https://login.windows.net/{tenant_id}, error= "invalid_token", error description="Could not find identity for access token"
Answering my own question. And big thanks to Gaurav Mantri in the comments below.
The Scope should be set to https://management.azure.com/.default
The Grant Type is client credentials and not authorization code
The service principal needs to be added to the resource in azure that is part of the request (i.e. if looking for subscription data, then add the service principal as a reader role to the subscription).
I am trying to access the Microsoft Graph API using an access token from a B2C login.
Following are the endpoints the Azure portal is showing.
As I see it, we must be able to call https://graph.microsoft.com endpoints according to this. Please correct me if I am wrong. Then I generated an access token as follows and tried to call https://graph.microsoft.com/v1.0/me/ using that token.
The result is as follows.
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"date": "2020-08-25T11:58:07",
"request-id": "c6a9ba06-d41e-49f7-ba94-f75478ce89b0"
}
}
}
I have granted API permissions as follows in my application too.
This won't work. Use the Azure AD flows in your AAD B2C tenant.
https://learn.microsoft.com/en-us/graph/auth-v2-service
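The two questions above (groups via msgraph with a B2C token, and /me with a B2C token) and the cost-management answer all fail for the same reason: the token was issued by the wrong authority or for the wrong audience. The script below is an added example, not code from any of the posts; it decodes a JWT's claims without verifying the signature (diagnosis only, the resource server does the real validation) and lists why Graph or ARM would reject it. The sample tokens are constructed with placeholder tenant and app ids.

```python
import base64
import json

# Well-known audience values accepted by the two resources discussed on this page
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
ARM_AUDIENCES = {"https://management.azure.com", "https://management.azure.com/"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT checking the signature.
    Local diagnosis only; never use this to accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_aud: set, needs_permission_claim: bool = True) -> list:
    """List the reasons a token will come back as InvalidAuthenticationToken / 401.
    Graph needs an scp or roles claim; ARM (needs_permission_claim=False) authorizes via RBAC."""
    claims = decode_claims(token)
    findings = []
    iss = claims.get("iss", "")
    if "b2clogin.com" in iss or "tfp" in claims:
        findings.append("issued by an Azure AD B2C user flow; Graph/ARM only accept tokens "
                        "issued by the Azure AD authority for the tenant")
    if claims.get("aud") not in expected_aud:
        findings.append(f"audience {claims.get('aud')!r} is not the resource being called")
    if needs_permission_claim and not (claims.get("scp") or claims.get("roles")):
        findings.append("no scp (delegated) or roles (application) claim, so no permission was consented")
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Constructed test data: a JWT-shaped string with a dummy signature, not a real token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.dummy-signature"


# Constructed sample: what a B2C sign-in policy token looks like (placeholder ids)
B2C_TOKEN = make_unsigned_token({
    "iss": "https://contoso.b2clogin.com/<tenant-id>/v2.0/",
    "aud": "<b2c-app-client-id>", "tfp": "B2C_1_signin", "scp": "read"})

# Constructed sample: an app-only token from client_credentials for ARM's .default scope
ARM_TOKEN = make_unsigned_token({
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "aud": "https://management.azure.com", "appid": "<client-id>"})
```

Running `diagnose(B2C_TOKEN, GRAPH_AUDIENCES)` reports both the B2C issuer and the wrong audience, while the ARM token checked against `ARM_AUDIENCES` with `needs_permission_claim=False` reports nothing.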
I am trying to automate deployment of B2C TrustFramework policies and keysets.
For custom policies, everything works as expected, but I am having a problem listing keysets using the Graph API.
I've created a local user with the B2C IEF Keyset Administrator and B2C IEF Policy Administrator roles.
I've created an app registration with these delegated permissions: Policy.ReadWrite.TrustFramework, TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All
Calling the AAD token endpoint, I am able to get an access_token with the desired scopes for the Graph API resource.
I am then trying to call the List KeySets endpoint using the access_token (as a bearer token in the Authorization header):
GET https://graph.microsoft.com/beta/trustFramework/keySets HTTP/1.1
Authorization: Bearer {{my access_token}}
And I am getting this response from the Graph API (403 Forbidden):
```
{
"error": {
"code": "AADB2C",
"message": "Unauthorized. Access to this Api requires feature: 'EnableIEFKeySetGraphApis' for the tenant: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.",
"innerError": {
"correlationId": "4674e4c9-933e-4e70-a26b-ed59e40dc088",
"date": "2019-06-04T08:55:32",
"request-id": "d796beda-62be-46a8-afa2-cf53d29409b5"
}
}
}
```
This tenant was created before custom policies went GA (so I'm not sure if it is related), but how do I activate the EnableIEFKeySetGraphApis feature?
There is a private preview sample available on GitHub for Graph API key sets.
https://github.com/Azure-Samples/ActiveDirectory-B2C-MSGraph-PolicyAndKeysets
Try this and see whether you are able to list your keysets.
I am trying to have access to information in "/me" with Graph API for a personal account using Azure AD v2.0 but I receive the following error. It works with organizational accounts.
{
"error": {
"code": "UnknownError",
"message": "{\"Status\":500,\"Message\":\"All the offeractions povided in the property bag cannot be validated for the token.\\u000d\\u000a\"}",
"innerError": {
"request-id": "39e23062-80ad-4872-86a7-39f5a5d928ce",
"date": "2017-02-23T15:35:06"
}
}
}
I have the permission User.ReadBasic.All.
The scope User.ReadBasic.All grants permission to read the basic profile of all users in the organization on behalf of the signed-in user. This scope is only supported for Azure AD accounts. If you just want to read the user's profile for a Microsoft account, you could use the scope User.Read. The code flow steps below are for your reference:
Get the authorization code:
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=<client id>&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
Then get the token:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=<code>&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&client_id=<client id>&client_secret=<client secret>
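The two steps above, as an added example rather than the answerer's code: it builds the authorize URL with the personal-account-friendly User.Read scope, generates a fresh state per login, parses the redirect back to localhost and refuses it unless the state matches (the check that protects against a forged redirect), then assembles the form body for the token endpoint. The client id, secret and redirect URI are placeholders taken from the answer.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
REDIRECT_URI = "http://localhost:16468/"                 # redirect_uri used in the answer above
GRAPH_SCOPE = "https://graph.microsoft.com/User.Read"    # works for Microsoft accounts, unlike User.ReadBasic.All


def new_state() -> str:
    """Per-login random value; a fixed state like 'af0ifjsldkj' gives no protection."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id: str, state: str, nonce: str) -> str:
    """Step 1: the URL the browser is sent to for the authorization code."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": GRAPH_SCOPE, "state": state, "nonce": nonce}
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Step 2: read the code from the redirect to localhost, after checking state and errors."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {qs['error'][0]}: {desc}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not produced for this login attempt")
    return qs["code"][0]


def build_token_request(client_id: str, client_secret: str, code: str) -> tuple:
    """Step 3: (url, headers, body) for the POST that redeems the code for an access token."""
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
                      "client_id": client_id, "client_secret": client_secret, "scope": GRAPH_SCOPE})
    return f"{AUTHORITY}/token", {"Content-Type": "application/x-www-form-urlencoded"}, body


def bad_state_is_rejected() -> bool:
    """Self-check with a constructed redirect carrying a state we never issued."""
    try:
        extract_code("http://localhost:16468/?code=constructed-code&state=not-ours", "ours")
    except ValueError:
        return True
    return False
```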
I am calling the Azure AD Graph API using a local administrator token. I keep getting the following error messages, no matter what endpoint I call.
How do I get access to the Azure AD Graph API?
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
My URL:
https://graph.windows.net/<tenant>/users/821d91b8-36e1-4b89-bd3a-4caecc40e4c9/memberOf?api-version=1.6
The Azure AD Graph API needs a special application registration alongside the application registration that users log in with.
Follow the guide below:
https://azure.microsoft.com/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/