Azure AD B2C - Using Azure AD Graph API - azure

I am calling the Azure AD Graph API using a local administrator token. I keep getting the following error messages, no matter what endpoint I call.
How do I get access to the Azure AD Graph API?
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
My URL
https://graph.windows.net/>tenant>/users/821d91b8-36e1-4b89-bd3a-4caecc40e4c9/memberOf?api-version=1.6

The Azure Graph API needs a special application registration alongside the application registration that users log in with.
Follow the guide below:
https://azure.microsoft.com/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/

Related

Authentication error when requesting FHIR resource from Azure FHIR Services

I have deployed Healthcare Workspace and HFIR Service to Azure.
I successfully get capability statement and access token.
I'm failing with Get FHIR resource request to get Patient list by Postman.
I can see that this request connects to right App registration by correct secret.
I wonder if API permission of App Registration is correct:
I have given "Azure Healthcare APIs", which has url https://fhir.azurehealthcareapis.com
However Postmain is requesting: https://healthcareworkspace-my123demo.fhir.azurehealthcareapis.com
I wonder where is problem?
https://learn.microsoft.com/en-us/azure/healthcare-apis/fhir/using-postman
Get: {{fhirurl}}/Patient
{
"resourceType": "OperationOutcome",
"id": "1111d698deb63c41b7b0a6731a527b15",
"issue": [
{
"severity": "error",
"code": "forbidden",
"diagnostics": "Authorization failed."
}
]
}
You will also need to assign an application role such as "FHIR Data Contributor" to the client app to access the FHIR service. More info at https://learn.microsoft.com/en-us/azure/healthcare-apis/fhir/configure-azure-rbac-for-fhir

How to grant Azure CLI graph api permissions

As far as I understand the azcli doesn't have an app registration in AAD, and now that it's possible to make rest calls from the azcli, how does one grant permissions that are required for certain calls?
$ az rest --method get --url https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignments?$filter=subjectId+eq+'xxxxxxx-xxxx-xxxx-xxx-xxxxxxxx'
Unauthorized({
"error": {
"code": "UnknownError",
"message": "{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureResources,PrivilegedAccess.ReadWrite.AzureResources.\",\"target\":null,\"details\":null,\"innerError\":null,\"instanceAnnotations\":[],\"typeAnnotation\":null}",
"innerError": {
"date": "2021-02-18T09:31:46",
"request-id": "989c1555-aa84-45a7-8fd9-e168531fcf88",
"client-request-id": "989c1555-aa84-45a7-8fd9-e168531fcf88"
}
}
})
As Microsoft Graph REST API v1.0 is now GA, we can call it directly with az rest to achieve the same effect as az ad commands, including all latest features from Microsoft Graph. It can automatically authenticate to Microsoft Graph.
And, for this you will have to use v1.0 version of the API: https://graph.microsoft.com/v1.0 Using this, it should work.
Check out this GitHub Issue #12946 about the same for more details.

Call Microsoft graph API using Azure B2C

I am trying to access Microsoft Graph API using Access token of b2c login.
Following are the endpoints azure portal showing.
As I feel we must be able to call https://graph.microsoft.com endpoints according to this. Please correct me if I am wrong. Then I generated access token as follows and Tried to call https://graph.microsoft.com/v1.0/me/ using that token.
The result is as follows.
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"date": "2020-08-25T11:58:07",
"request-id": "c6a9ba06-d41e-49f7-ba94-f75478ce89b0"
}
}
}
I have granted API permissions as follows in my application too
This wont work. Use the Azure AD flows in your AAD B2C tenant.
https://learn.microsoft.com/en-us/graph/auth-v2-service

Azure B2C - Automation - EnableIEFKeySetGraphApis Feature

I am trying to automate deployment of B2C TrustFramework policies and keysets.
For Custom policies, everything works as expected but I am having some problem listing keySets using the Graph API.
I've created a local user with B2C IEF Keyset administrator and B2C IEF Policy administrator roles.
I've created an app registration with these delegated permissions: Policy.ReadWrite.TrustFramework, TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All
Calling the AAD Token endpoint, I am able to get an access_token with the desired scopes for the graph api resource.
I am trying then to call the List KeySets endpoint using the access_token (as bearer token in the authorization hearder)
GET https://graph.microsoft.com/beta/trustFramework/keySets HTTP/1.1
Authorization: Bearer {{my access_token}}
And I am getting this response from the Graph API (403 Forbidden):
```
{
"error": {
"code": "AADB2C",
"message": "Unauthorized. Access to this Api requires feature: 'EnableIEFKeySetGraphApis' for the tenant: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.",
"innerError": {
"correlationId": "4674e4c9-933e-4e70-a26b-ed59e40dc088",
"date": "2019-06-04T08:55:32",
"request-id": "d796beda-62be-46a8-afa2-cf53d29409b5"
}
}
}
```
This tenant was created before Custom Policies went GA (so not sure if it is related) but how do I activate the EnableIEFKeySetGraphApis feature ?
There is a private Preview Sample available in GitHub for Graph API Key Sets.
https://github.com/Azure-Samples/ActiveDirectory-B2C-MSGraph-PolicyAndKeysets
try this and see you able to list your keysets or not.

Azure ad and Azure ad b2c token validation failure

I am using Azure ad B2c development Web app,I want use the graph api (msgraph) to get and set the user's group.So,I create a azure ad b2c service name is B2Ctest,and B2CTest based azure ad service name is Adtest.
I use this api Microsoft Graph Client Library for .NET and used Adtest setting msgraph.
I get the B2Ctest service's user token, and passing the token to msgraph get the user own's group.It's throw a exception.
I catch msgraph post http packet.
address:
https://graph.microsoft.com/v1.0/groups
response:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "e715c5f9-5c2c-40d8-ad09-71c848205d2c",
"date": "2017-10-09T16:10:20"
}
}
}
aad b2c access token
aad access token
I found,that aad b2c access token and aad access token are not the same.

Resources