AbhayChandramouli-2076 asked AbhayChandramouli-2076 commented

MS Graph API | Resource not found and Insufficient Privileges

Hi,
I have developed a login method using Azure AD B2C. I have registered 2 applications, the IdentityFramework and the ProxyFramework. I have created user flows using custom policies and have created multiple users with which I can log in.

Now I am trying to update the user's password using MS Graph API. I have used the client credentials flow to get the token.
![200185-image.png][1]

Then I use this token to call the users/{id} API, but I get Resource Not Found for most of the users. I cannot see these users registered to the application ProxyFramework.
Q1: How to make these users automatically register to application on registration/login
Q2: I have some users who are registered to the App. But when I try to change passwords for them, it shows Insufficient Privileges. I have given almost all permissions.


Please help

azure-ad-b2c microsoft-graph-users

Hi @AbhayChandramouli-2076 , can you please post a screenshot of the permissions you've given? MS Graph is very picky.

Best,
James

0 Votes 0 ·

200521-image.png


200531-image.png


0 Votes 0 ·

1 Answer

CarlZhao-MSFT answered AbhayChandramouli-2076 commented

Hi @AbhayChandramouli-2076

Q1: How to make these users automatically register to application on registration/login.

You need to create the signupsignin user flow in your Azure AD B2C portal, then select Run user flow in the portal. For Application, select the web application named ProxyFramework that you previously registered, then click on run user flow and select Sign up now. Refer to the official doc.

Q2: I have some users who are registered to the App. But when I try to change passwords for them, it shows Insufficient Privileges. I have given almost all permissions.

Modifying passwords of B2C users using application permissions is not supported. You should grant the Directory.AccessAsUser.All delegated permission to your application and grant admin consent, then use an Azure AD based authentication flow (e.g. auth code flow) to get the token.

Finally, you only need to modify the password in the passwordProfile field.

200460-image.png



Hi @CarlZhao-MSFT ,
I have already granted the Directory Access As User All permission. I have attached screenshots as well. It still doesn't work.

0 Votes 0 ·
CarlZhao-MSFT AbhayChandramouli-2076 ·

Did you get the token using the auth code flow?

0 Votes 0 ·

Hi @CarlZhao-MSFT ,

Q1: I have made a custom policy for the sign-in/sign-up flow. I have registered these users via the flow only. Still I can't see any application assigned to them.

0 Votes 0 ·
CarlZhao-MSFT AbhayChandramouli-2076 ·

Hi @AbhayChandramouli-2076 What do you mean by assigning users to applications? Are you using appRole?

0 Votes 0 ·

I am actually getting this error when I am trying to update the password of a user registered via Azure AD B2C:
avengers@yopmail.com' does not exist or one of its queried reference-property objects are not present."

@CarlZhao-MSFT

0 Votes 0 ·

Hi @CarlZhao-MSFT ,
I am also seeing some discrepancy when I do a /users GET call:

200515-image.png

I get this response. The userPrincipalName here is not the same as in the Azure Portal (User Details blade). There it shows the email id. Is there any way I can get the user details using the user principal name?


0 Votes 0 ·
CarlZhao-MSFT AbhayChandramouli-2076 ·

For users registered with a federated IDP, the username will not be stored in the B2C directory. Your real username is actually this:

200506-image.png


0 Votes 0 ·

Also, will this be a federated IDP even though I have registered the user using the registration flow?

1 Vote 1 ·
CarlZhao-MSFT AbhayChandramouli-2076 ·

So I suggest you use object id to refer to this user.

0 Votes 0 ·

Hi @CarlZhao-MSFT ,
Then how do you suggest we fetch the object id? I need to call the update password API with the email address I have.

0 Votes 0 ·
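
Added example, not part of the thread and not Microsoft's code: one way to resolve a B2C local account's object id from its sign-in email with Graph's `identities` filter, then build the `passwordProfile` update for that id. The tenant name, sample response, and function names are constructed assumptions; the code only builds requests and parses a response, so sending them still needs a Graph token with the permissions discussed above.

```python
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter; embedded single quotes are doubled
    so a caller-supplied email cannot break out of the literal."""
    return "'" + value.replace("'", "''") + "'"

def lookup_url(email: str, tenant: str) -> str:
    """GET URL that finds a user by sign-in identity instead of userPrincipalName.
    Graph requires both issuer and issuerAssignedId in an identities filter."""
    flt = (f"identities/any(c:c/issuerAssignedId eq {odata_literal(email)}"
           f" and c/issuer eq {odata_literal(tenant)})")
    return f"{GRAPH}/users?$filter={quote(flt, safe='')}&$select=id,identities"

def object_id_from_response(body: dict, email: str, tenant: str) -> str:
    """Return the object id only when exactly one user carries that identity."""
    def owns(user):
        return any(i.get("issuer", "").lower() == tenant.lower()
                   and i.get("issuerAssignedId", "").lower() == email.lower()
                   for i in user.get("identities", []))
    ids = [u["id"] for u in body.get("value", []) if owns(u)]
    if len(ids) != 1:
        raise LookupError(f"expected 1 match, got {len(ids)}")
    return ids[0]

def password_patch(object_id: str, new_password: str):
    """Method, URL and JSON body for the passwordProfile update.
    Assumption: a local B2C account, so no forced change at next sign-in."""
    body = {"passwordProfile": {"password": new_password,
                                "forceChangePasswordNextSignIn": False}}
    return "PATCH", f"{GRAPH}/users/{quote(object_id, safe='')}", json.dumps(body)

# Constructed sample of a /users response (placeholder tenant, not real data).
SAMPLE = {"value": [{
    "id": "00000000-0000-0000-0000-000000000001",
    "identities": [
        {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "user@example.com"},
        {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
         "issuerAssignedId": "00000000-0000-0000-0000-000000000001@contoso.onmicrosoft.com"},
    ]}]}

if __name__ == "__main__":
    print(lookup_url("user@example.com", "contoso.onmicrosoft.com"))
    oid = object_id_from_response(SAMPLE, "user@example.com", "contoso.onmicrosoft.com")
    print(password_patch(oid, "<new-password>"))
```

Refusing zero or multiple matches keeps a password reset from landing on the wrong account when the email lookup is ambiguous.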