MS Graph API | Resource not found and Inssufiecient Priveleges

Question

question

AbhayChandramouli-2076 asked May 9, '22 AbhayChandramouli-2076 commented May 10, '22

MS Graph API | Resource not found and Inssufiecient Priveleges

Hi,
I have developed a login method using Azure AD B2C. I have registered 2 applications, the IdentityFramework and the ProxyFramework. I have created userflows using custom policies and have created multiple users using which I can login.

Now I am trying to update the users password using MS Graph API. I have used the client credentials flow to get the token
![![200185-image.png][1]][1]

Then I use this token to call the users/{id} api but I get Resource Not found for most of the users. I cannot see these users registered to the application ProxyFramework.
Q1: How to make these users automatically register to application on registration/login
Q2: I have some users who are registred to the App. But when I try to change passwords for them, it shows Insufficient Privelges. I have given almost all permisions.

Please help

azure-ad-b2c microsoft-graph-users

· 2

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JamesHamil-MSFT · May 09 at 04:40 PM

Hi @AbhayChandramouli-2076 , can you please post a screenshot of the permissions you've given? MS Graph is very picky.

Best,
James

0 ·

AbhayChandramouli-2076 JamesHamil-MSFT · May 10 at 04:25 AM

0 ·

image.png (430.0 KiB)

image.png (263.3 KiB)

Answer 1 · 2022-05-10T06:35:23.963Z

CarlZhao-MSFT answered May 10, '22 AbhayChandramouli-2076 commented May 10, '22

Hi @AbhayChandramouli-2076

Q1: How to make these users automatically register to application on registration/login.

You need to create the signupsignin user flow in your Azure AD B2C portal, then select Run user flow in the portal. For Application, select the web application named ProxyFramework that you previously registered, then click on run user flow and select Sign up now. Refer to the official doc.

Q2: I have some users who are registred to the App. But when I try to change passwords for them, it shows Insufficient Privelges. I have given almost all permisions.

Modifying passwords of B2C users using application permissions is not supported, you should grant Directory.AccessAsUser.All delegate permission for your application and grant admin consent, then use Azure AD based authentication flow (eg: auth code flow) to get the token.

Finally, you only need to modify the password in the passwordProfile field.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

image.png (38.7 KiB)

· 21

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AbhayChandramouli-2076 · May 10 at 06:56 AM

Hi @CarlZhao-MSFT ,
I have already granted Dicrectory Access As User All permission.. I have attached screenshots as well. Still doesnt work

0 ·

CarlZhao-MSFT AbhayChandramouli-2076 · May 10 at 07:02 AM

Did you get the token using the auth code flow?

0 ·

AbhayChandramouli-2076 CarlZhao-MSFT · May 10 at 07:08 AM

@CarlZhao-MSFT
Yes

0 ·

Show more comments

AbhayChandramouli-2076 · May 10 at 07:01 AM

Hi @CarlZhao-MSFT ,

Q1: I have made a custom policy for sign in sign up flow.. I have registered these users via the flow only. Still I can't see any application assigned to them.

0 ·

CarlZhao-MSFT AbhayChandramouli-2076 · May 10 at 07:06 AM

Hi @AbhayChandramouli-2076 What do you mean by assigning users to applications? Are you using appRole?

0 ·

AbhayChandramouli-2076 CarlZhao-MSFT · May 10 at 07:09 AM

I am actually getting this error when I am trying to update the password of a user in registered via Azure AD B2C
avengers@yopmail.com' does not exist or one of its queried reference-property objects are not present."

@CarlZhao-MSFT

0 ·

Show more comments

AbhayChandramouli-2076 · May 10 at 08:20 AM

Hi @CarlZhao-MSFT ,
I am also seeing some discrepancy, when I do /users GET call,

I get this response, the userPrincipalName here is not the same as in Azure Portal (Users Details Blade). There it shows the email id. Is there any way I can get the user details using user principal name

0 ·

image.png (91.8 KiB)

image.png (102.3 KiB)

CarlZhao-MSFT AbhayChandramouli-2076 · May 10 at 08:39 AM

For users registered with federated IDP, the username will not be stored in the B2C directory, your real username is actually this:

0 ·

image.png (35.6 KiB)

AbhayChandramouli-2076 CarlZhao-MSFT · May 10 at 09:04 AM

Also, will this be a fedarated IDP even though I have registered the user using the registration flow ?

1 ·

Show more comments

CarlZhao-MSFT AbhayChandramouli-2076 · May 10 at 08:40 AM

So I suggest you use object id to refer to this user.

0 ·

AbhayChandramouli-2076 CarlZhao-MSFT · May 10 at 08:42 AM

HI @CarlZhao-MSFT ,
Then how to do you suggest we fetch the object id ? I need to call the update password api with the email address I have

0 ·

Show more comments

question