This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 14.000000000000002%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
I want to add authorization using groups & group claims to an ASP.NET Core Web app that signs-in users with the Microsoft identity platform on Azure AD B2C. So I downloaded the following example.
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-2-Groups
I modify the appsettings.json to the following to use my Azure AD B2C login instead of "https://login.microsoftonline.com/"
I also followed the instruction at
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga#grant-api-access
to grant API access to Microsoft Graph for the registered app.
When I ran this app, it gave me AADB2C90117: The scope 'User.Read' provided in the request is not supported. How can I fix this problem?
Hi, we are investigating your issue and will update you shortly.
Best,
James
Hi @Carol Lai , do you still need help with this question? If not please mark the appropriate answer as "Verified" so other users may reference it.
Thank you,
James
Hi @Carol Lai , are you using B2C authority? Please reference this sample. You may need to add the b2c authority uri to the scope (instead of only user.read), like this:
'https://graph.microsoft.com/v1.0/me', ["https://authorityuri/user.read"]
Please let me know if this works. If not I can help you further.
If this answer helped you, please mark it as "Verified" so other users may reference it.
Thank you,
James Hamil
The example code in
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/appsettings.json
shows the following:
I'm not sure what b2c authority uri I need to use. I tried the following authority uris but none wotks.
with signupsigninpolicyid
use xxx.onmicrosoft.com domain
use xxx.b2clogin.com domain
My apologies @Carol Lai , I never attached the link to the sample I mentioned. Here it is if you want to look at it: https://github.com/Dayzure/active-directory-b2c-dotnetcore-webapp
Best,
James
You example doesn't have any Microsoft Graph api support. I'm trying to get the group claims via Microsoft Graph. Your example exposes the app's own web api not the Microsoft Graph api.
I exposed the app's own web api as the following.
And added your suggested uri as the following
It got the same error.
Hi @Carol Lai ,
Tokens that are issued by Azure AD B2C are intended for use by an Azure AD B2C-registered client with an Azure AD B2C-registered resource.
Microsoft Graph API is not an Azure AD B2C-registered resource so the https://graph.microsoft.com/scopes aren't supported.
Alternatively, you might consider passing the access token as the idp_access_token claim through, from the Microsoft identity provider to your Azure AD B2C-registered client.
A custom policy is needed for the Microsoft identity provider to pass this through.
I hope this helps. If so, please mark this answer as "Verified" so other users may reference it.
Thank you,
James