alexmang asked ·

Retrieve an access token for Graph using a B2C tenant and delegated privileges

Hi,

I'm trying to retrieve a valid access token to get to the user's audit log.
As of right now, I've tried to retrieve that information both from the Azure Active Directory Graph and Microsoft Graph. Certainly, using an application scope and a sample available here (https://github.com/azure-ad-b2c/graph-api) I was able to do so. However, what I'm interested in is retrieving a user's audit log (the currently signed-in user) rather than having a report of all audit logs from all users.

In order to achieve that, I've tried to retrieve the token using a TokenAcquisition client, specifying both Directory.Read.All and Directory.AccessAsUser.All as scopes.
So far, I was only encountering errors of the following type:
1. MsalServiceException: AADB2C90117: The scope 'Directory.Read.All' provided in the request is not supported., when specifying Directory.Read.All as the scope
2. A null reply back when specifying "https://graph.windows.net/Directory.Read.All" as the scope

Any suggestions to what I might be doing wrong?



Tags: azure-active-directory, azure-ad-b2c

1 Answer

amanpreetsingh-msft answered ·

@alexmang You need to configure Application permissions and not delegated permissions. If you decode the token at https://jwt.ms, you should see that the 'Directory.Read.All' and 'Directory.ReadWrite.All' permissions appear as Roles, not as SCP (Scope). As per my testing on https://github.com/azure-ad-b2c/graph-api, both 'Directory.Read.All' and 'Directory.ReadWrite.All' are required.

In this case, we are fetching the audit logs in application context, as the token we are using to make the graph call is issued to the application. Delegated permissions are used when the application has to perform certain actions on behalf of the user. Selecting the Directory.AccessAsUser.All delegated permission is used when the application has to impersonate the user for accessing directory data. I don't think this will help you fetch the audit logs specific to that user. Using this sample, all audit logs will be exported to JSON format; you can then filter the logs to fetch the logs specific to the required user.


Please Accept as answer wherever the information provided helps you to help others in the community.

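The answer above hinges on a claim-level distinction: application permissions show up in a token's `roles` claim, delegated permissions in the space-separated `scp` claim, and the linked sample needs both `Directory.Read.All` and `Directory.ReadWrite.All` present as roles. The following Python script is an added example, not code from the question, the answer, or the azure-ad-b2c/graph-api sample. It does what jwt.ms does locally: decodes a token's payload without verifying the signature, reports whether the token is app-only or delegated, and lists which of the required roles are missing. The two tokens it inspects are constructed and unsigned; their `aud` and `tid` values are placeholders.

```python
import base64
import json

# Permissions the linked sample needs as application roles (per the answer above).
REQUIRED_ROLES = {"Directory.Read.All", "Directory.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This mirrors what https://jwt.ms does and is for inspection only. Code that
    trusts a token must first validate signature, issuer, audience and expiry
    with a proper JWT library.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> dict:
    """Report whether a token carries application roles or delegated scopes.

    Azure AD places application permissions in the 'roles' claim (a list) and
    delegated permissions in the 'scp' claim (a space-separated string).
    """
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    scp = claims.get("scp", "")
    scopes = set(scp.split()) if scp else set()
    if roles and not scopes:
        kind = "application"
    elif scopes and not roles:
        kind = "delegated"
    elif roles and scopes:
        kind = "mixed"
    else:
        kind = "none"
    return {
        "kind": kind,
        "roles": roles,
        "scopes": scopes,
        "missing_roles": REQUIRED_ROLES - roles,
    }


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for demonstration only.

    The signature segment is a placeholder; decode_claims() never checks it.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample claims (not real tokens); aud and tid are placeholders.
APP_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "roles": ["Directory.Read.All", "Directory.ReadWrite.All"],
})
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "scp": "Directory.AccessAsUser.All User.Read",
})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, classify_token(tok))
```

Run it against a real token by passing the token string to `classify_token`: a result of `"delegated"` with a non-empty `missing_roles` set is exactly the situation the answer describes, where the sign-in flow produced a user token rather than the app-only token the sample expects.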