
Azure AD B2C token issue while calling Microsoft Graph API using Azure AD B2C token with grant type ROPC

Hi Team,

We are planning to automate application registration, credential creation and API management using REST API calls.
The first automated call we have considered is to invoke the MS Graph API - https://graph.microsoft.com/v1.0/applications - to register the application on the Azure AD B2C tenant.

Step 1 - I have created an Azure AD B2C tenant.
Step 2 - Created a user flow (sign in using resource owner password credentials (ROPC)).
Step 3 - Created a policy (local IdP).
Step 4 - Registered the application and got the client id.
Step 5 - Generated the access token using the endpoint:

    https://abc.b2clogin.com/cde.onmicrosoft.com/B2C_1_ABC/oauth2/v2.0/token

    grant_type: password
    scope: openid offline_access
    username:
    password:
    response_type: token

Response: 200 OK with access token.

Now when I try to call https://graph.microsoft.com/v1.0/applications with the access token I received in the last call, I get a 401 Unauthenticated error:

    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Invalid x5t claim.",

Can you please look into this and let me know what I should do now to call the /applications endpoint, and how we can manage the MS Graph API from an Azure AD B2C tenant.

Your help will be much appreciated :)

Sateesh Sharma


1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @SateeshKumarSharma-2083, thank you for reaching out.

As of now, B2C applications do not support Graph operations. This means that if you register an app in the B2C tenant using the option highlighted below, you won't be able to perform any Graph operations using that app.


Reason: In your case, you need these permissions to register applications, but if you go to the API permissions blade of your application you won't see them; only openid and offline_access are available, as shown below:


Currently, you can use the standard Azure AD functionality of the B2C tenant for this purpose.

  1. Register the application using either of the first two options (single-tenant or multi-tenant app).

  2. In the application, grant admin consent to these permissions.

  3. Acquire an access token using the parameters below, and use the token as a bearer token to register the applications via the Graph API.

    POST https://login.microsoftonline.com/your_tenant.onmicrosoft.com/oauth2/v2.0/token

    client_id:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    grant_type:password
    scope:https://graph.microsoft.com/.default
    username:username@your_tenant.onmicrosoft.com
    password:


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @amanpreetsingh-msft,

Thank you for your response :)
I have tried to generate the token using the client credentials grant type of the application registered on Azure AD B2C, with identities on Azure AD.
The token endpoint is the same as you mentioned - https://login.microsoftonline.com//oauth2/v2.0/token

    grant_type: client_credentials
    client_id:
    client_secret: **
    scope: https://graph.microsoft.com/.default

Got the access token with the "x5t" claim and was able to register the application using the Graph API.

I did not follow ROPC because of this:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
Under the ROPC flow note.

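As an added example (not code from this thread or from Microsoft), the client-credentials exchange from the comment above and the /applications call from the answer, with a pre-flight check that decodes the token header and payload and flags the two things the thread shows Graph rejecting on: a missing x5t header and a non-Graph audience. Assumptions: standard-library Python only, the tenant, client id and secret are supplied by the caller, and the B2C user-flow token differs from the Azure AD token by lacking an x5t header; the sample tokens are constructed and unsigned.

```python
import base64, json, urllib.parse, urllib.request

GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")

def b64url_decode(seg: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def inspect_token(token: str) -> dict:
    """Decode header and payload WITHOUT verifying the signature and list why Graph
    would reject the token. Pre-flight diagnostics only, never an authorization check."""
    header, payload = (json.loads(b64url_decode(p)) for p in token.split(".")[:2])
    problems = []
    if "x5t" not in header:  # Azure AD tokens carry x5t; the B2C user-flow token did not
        problems.append("header has no x5t: not issued by the Azure AD key set Graph trusts")
    if payload.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {payload.get('aud')!r} is not Microsoft Graph")
    return {"header": header, "payload": payload, "problems": problems}

def get_graph_token(tenant: str, client_id: str, client_secret: str) -> str:
    # Client-credentials grant against login.microsoftonline.com (not b2clogin.com).
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def register_application(token: str, display_name: str) -> dict:
    # POST /applications needs Application.ReadWrite.All or .OwnedBy granted as an
    # *application* permission with admin consent; delegated permissions will not do.
    problems = inspect_token(token)["problems"]
    if problems:
        raise ValueError("token would be rejected by Graph: " + "; ".join(problems))
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/applications", method="POST",
        data=json.dumps({"displayName": display_name}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def _fake_jwt(header: dict, payload: dict) -> str:
    # Constructed, unsigned sample tokens for offline demonstration only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.signature"

B2C_SAMPLE = _fake_jwt({"alg": "RS256", "kid": "key1"}, {"aud": "b2c-app-client-id"})
AAD_SAMPLE = _fake_jwt({"alg": "RS256", "kid": "key1", "x5t": "key1"}, {"aud": GRAPH_AUDIENCES[0]})
```

Running `register_application(B2C_SAMPLE, "demo")` fails locally with the x5t and audience reasons before any request is sent, which is the same condition Graph reported as "Invalid x5t claim".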

Hi @SateeshKumarSharma-2083, thanks for the update. As you are using client_credentials, make sure you use the Application.ReadWrite.OwnedBy, Application.ReadWrite.All application permissions and not the delegated permissions.

Feel free to tag me in your reply if you have any further questions and please "Accept the answer" if the information helped you.


Hi @amanpreetsingh-msft, thank you for your reply and help.

Yes, I have added all the permissions related to Application and it is working as expected.


Hi @amanpreetsingh-msft,

Thank you for your answer. I have a follow-up concern related to the use case I am trying to achieve; it would be really helpful if you can help here.
Once my app registration is done using the MS Graph API, I used the API https://graph.microsoft.com/v1.0/applications/{id}/addPassword
to add a secret for the registered application.

Now, if I have a Web API or Function App published on Azure AD and would like to associate it with the registered application:
meaning, I would like to add the Function App URL to the registered app's Application ID URI using an automated REST API call (if the MS Graph API has this API available), and then call the Function App API with the help of an access token (generated using the client id and secret of the app registered via the Graph API) and the subscription id of the API Management service. How can I achieve this?

Thank you in advance :)
