I made an App in Azure to get access to storage blob and key vault. I used Azure AD tenant(with AD users).
All I need from that App is:
Upload file to Blob
Download file from Blob
Delete file from Blob
Get value of secret from Key Vault.
In Azure AD tenant it works fine. I can request to login.microsoftonline.com with user_impersonation scopes like https://storage.azure.com/user_impersonation and https://vault.azure.net/user_impersonation to get access token enter credentials and get token to my back-end to do all this things listed above.But later customer desided to use custom UX(to hide Microsoft login page) and only one way to get this is to use B2C and local accounts. Afer weeks of exploration I was ready to give up.
Moreover, if you look at these azure-b2c-users-with-dedicated-azure-cloud-resources questions and answers, you can decide that it is impossible to get access to Storage Accounts and Key Vaults from Azure AD B2C for local users.
I created Subscription, created and link to this Subscription B2C tenant. Moved that subscription into the B2C tenant and able to create Key Vault and Storage accounts. I created them. And after that in App registrations in Api Permissions I've got this
It looks very similar to what I saw in Azure AD and I had got hopefulness. I've created a user_flow and got token from link:
redirect_uri=https%3A%2F%2Fjwt.ms%2F& // https://jwt.ms/
scope=https%3A%2F%2Fstorage.azure.com%2Fuser_impersonation& // https://storage.azure.com/user_impersonation
In decoded token claim "aud" has id the same as Azure Storage API from APIs my organization uses tab when I register App, "scp" is "user_impersonation". But using this token i can't get access to storage using Postman (I use it as Bearer token) For example GET request to https://storageName.blob.core.windows.net/?comp=list must return json with list of containers(and in Azure AD it's work) but with this token got an error
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
<AuthenticationErrorDetail>Signature validation failed. Signature key not found.</AuthenticationErrorDetail>
To get token with right permissions I tryed scopes like https://*.dfs.core.windows.net/user_impersonation and https://storageName.dfs.core.windows.net/user_impersonation.
First returned error like
provided in the request is not supported.
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.
At that stage I had got hopefulness again. But I have no idea how to set additioal permissins for this App. Using portal its impossible
So, is it possible to get access to Storage and Key Vault for local users in B2C?
May be I need investigate another ways like custom policies?
Thank you in advanced