MSAL error AADB2C90146

Question

question

anastasia-3024 asked Apr 27, '22 CarlZhao-MSFT edited Apr 28, '22

MSAL error AADB2C90146

I have a hosted Blazor WebAssembly app secured with Azure AD B2C. I need to call GraphAPI from my app to get some custom user information. I used this article to set up the service, but it doesn't work. I get an error message when I try to access pages that need authentication or log in:

The message is kind of self explaining, but I don't understand how shall I do it.

Here I set AddMsalAuthentication

 builder.Services.AddMsalAuthentication(options =>
 {
     builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
     options.ProviderOptions.DefaultAccessTokenScopes.Add(
         "https://xxx.onmicrosoft.com/xxxxxxx-a5f50ab3378d/API.Access");
    
     options.ProviderOptions.LoginMode = "redirect";
 });

and Microsoft Graph

 builder.Services.AddGraphClient("https://graph.microsoft.com/User.Read");

azure-ad-b2c microsoft-graph-users azure-ad-msal

image.png (30.4 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2022-04-28T03:08:26.07Z

CarlZhao-MSFT answered Apr 28, '22 CarlZhao-MSFT edited Apr 28, '22

Hi @anastasia-3024

The error is a scope conflict, the https://xxx.onmicrosoft.com/xxxxxxx-a5f50ab3378d/API.Access is your custom web api not graph api. You cannot request tokens for two different types of api, please changed it to graph api.

  builder.Services.AddMsalAuthentication(options =>
  {
      builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
      options.ProviderOptions.DefaultAccessTokenScopes.Add(
          "https://graph.microsoft.com/User.Read");
        
      options.ProviderOptions.LoginMode = "redirect";
  });

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

anastasia-3024 · Apr 28 at 10:06 AM

Hi and thank you for your answer. It looks like it worked when I changed the scope, though I don't quite understand how my Blazor client will call the web api afterwards, since it uses just Graph API scope?
I can not check it for now since I got another error message, but I guess I should open another thread for it?

0 ·

image.png (39.2 KiB)

CarlZhao-MSFT anastasia-3024 · Apr 28 at 10:30 AM

Hi @anastasia-3024 Your custom web api can only be used in user flow or custom policy, only graph api can use Azure AD based authentication flow. So you can only use the graph api scope.

0 ·

CarlZhao-MSFT anastasia-3024 · Apr 28 at 10:31 AM

Hi @anastasia-3024 Yes, you can accept this answer first, then open another thread and share the thread link with me, I will research your problem in the new thread and try to solve it.

0 ·

question