anastasia-3024 asked CarlZhao-MSFT edited

MSAL error AADB2C90146

I have a hosted Blazor WebAssembly app secured with Azure AD B2C. I need to call GraphAPI from my app to get some custom user information. I used this article to set up the service, but it doesn't work. I get an error message when I try to access pages that need authentication or log in:

196919-image.png

The message is kind of self-explanatory, but I don't understand how I should do it.

Here I set AddMsalAuthentication

 builder.Services.AddMsalAuthentication(options =>
 {
     builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
     options.ProviderOptions.DefaultAccessTokenScopes.Add(
         "https://xxx.onmicrosoft.com/xxxxxxx-a5f50ab3378d/API.Access");
    
     options.ProviderOptions.LoginMode = "redirect";
 });

and Microsoft Graph

 builder.Services.AddGraphClient("https://graph.microsoft.com/User.Read");





1 Answer

CarlZhao-MSFT answered CarlZhao-MSFT edited

Hi @anastasia-3024

The error is a scope conflict: https://xxx.onmicrosoft.com/xxxxxxx-a5f50ab3378d/API.Access is your custom web API, not Graph API. You cannot request tokens for two different types of API, so please change it to Graph API.

  builder.Services.AddMsalAuthentication(options =>
  {
      builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
      options.ProviderOptions.DefaultAccessTokenScopes.Add(
          "https://graph.microsoft.com/User.Read");
        
      options.ProviderOptions.LoginMode = "redirect";
  });

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hi and thank you for your answer. It looks like it worked when I changed the scope, though I don't quite understand how my Blazor client will call the web API afterwards, since it uses just the Graph API scope?
I cannot check it for now since I got another error message, but I guess I should open another thread for it?

197250-image.png



Hi @anastasia-3024 Your custom web API can only be used in a user flow or custom policy; only Graph API can use the Azure AD based authentication flow. So you can only use the Graph API scope.


Hi @anastasia-3024 Yes, you can accept this answer first, then open another thread and share the thread link with me, I will research your problem in the new thread and try to solve it.
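
The scope conflict described in the answer can be detected before a token request is sent. The following C# console program is an added example, not code from the original posts or from MSAL: it groups the requested scopes by resource and reports when one request mixes resources. `ScopeCheck` is a hypothetical helper, and it assumes each scope has the form `<resource identifier>/<permission>`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample: the two scopes from the question, plus OIDC scopes.
var requested = new[]
{
    "openid",
    "offline_access",
    "https://xxx.onmicrosoft.com/xxxxxxx-a5f50ab3378d/API.Access",
    "https://graph.microsoft.com/User.Read",
};

foreach (var (resource, scopes) in ScopeCheck.GroupByResource(requested))
    Console.WriteLine($"{resource}: {string.Join(", ", scopes)}");

Console.WriteLine(ScopeCheck.IsSingleResource(requested)
    ? "OK: one resource per token request"
    : "Conflict: scopes for more than one resource in one token request");

// Hypothetical helper (not part of MSAL or the Blazor authentication library).
static class ScopeCheck
{
    // OIDC scopes are not tied to a resource, so they never cause a conflict.
    static readonly HashSet<string> Oidc = new(StringComparer.OrdinalIgnoreCase)
        { "openid", "profile", "email", "offline_access" };

    // Assumption: a scope is "<resource identifier>/<permission>", so the
    // resource is everything before the last '/'.
    public static Dictionary<string, List<string>> GroupByResource(IEnumerable<string> scopes)
    {
        var groups = new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        foreach (var scope in scopes.Where(s => !Oidc.Contains(s)))
        {
            int cut = scope.LastIndexOf('/');
            string resource = cut > 0 ? scope[..cut] : "(unqualified)";
            if (!groups.TryGetValue(resource, out var list))
                groups[resource] = list = new List<string>();
            list.Add(scope);
        }
        return groups;
    }

    public static bool IsSingleResource(IEnumerable<string> scopes) =>
        GroupByResource(scopes).Count <= 1;
}
```

With the sample input the program lists two resource groups and prints the conflict line; with only the Graph scope it prints the OK line.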