Access token on login cannot be used to make calls to graph api?

Frank 6 Reputation points
2022-12-06T15:25:50.077+00:00

Hoping to get some confirmation here. After I've logged in successfully, assuming I have my access token, I can't use that access token to make calls to the graph api?
I've seen some posts elsewhere that I would need to request another access token with graph api as the audience?

So if I look at the API permissions for my registered app I have below. But this wouldn't allow me to invoke calls to graph api after I've logged in with the scope of my registered app?
Any clarification much appreciated.


What configuration would I need to add in Azure B2C and or Postman to allow me to access the graph api via postman?

I'm generating an access token via Postman, then using that access token to invoke a graph api request. Obviously not possible, getting the below?

In short I anticipate after a user has logged in they might possibly want to update some personal details via the graph api for example


Thanks


2 answers

  1. CarlZhao-MSFT 36,891 Reputation points
    2022-12-07T02:52:19.87+00:00

    Hi @Frank

    Of course, if you want to call the graph API then you must use the graph API as the audience to obtain an access token. It does not support the access token obtained with your custom web API as the audience, nor does it support the authentication method of user flow/custom policy.

    You must use an Azure AD-based authentication flow to obtain an access token for the graph API, for example: ROPC flow or auth code flow.



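An added illustration of the audience mismatch described in this answer (example code, not from the thread or from Microsoft's tooling): decode the `aud` claim of an access token before sending it to Graph, and build the code-redemption request against the Azure AD v2.0 endpoint with Graph scopes rather than against the B2C policy endpoint. The tenant, client id, code and redirect URI are placeholders, and the sample tokens are constructed and unsigned.

```python
import base64
import json
from typing import Optional

# Well-known identifiers for the Microsoft Graph resource, as documented by Microsoft.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_AUDIENCES = {GRAPH_APP_ID, "https://graph.microsoft.com", "https://graph.microsoft.com/"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(access_token: str) -> Optional[str]:
    """Return the 'aud' claim of a JWT access token.

    Reads the payload only and does NOT verify the signature: this is for diagnosing
    a 401 from Graph in a client, not for trusting the token on a server."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return None
    return json.loads(_b64url_decode(parts[1])).get("aud")


def is_graph_token(access_token: str) -> bool:
    """True only if the token was minted with Microsoft Graph as its audience."""
    return token_audience(access_token) in GRAPH_AUDIENCES


def graph_token_request(tenant: str, client_id: str, code: str, redirect_uri: str) -> dict:
    """Build the auth-code redemption request for a Graph-audience token.

    Note the Azure AD endpoint (login.microsoftonline.com), not the B2C user-flow endpoint."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        "data": {
            "grant_type": "authorization_code",
            "client_id": client_id,
            "code": code,
            "redirect_uri": redirect_uri,
            "scope": "https://graph.microsoft.com/User.Read offline_access",
        },
    }


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token (alg=none) for demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

Running `is_graph_token` on a token whose `aud` is your own registered app's id (the token Postman gets from the B2C login) returns False, which is exactly why Graph rejects it.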


  2. Frank 6 Reputation points
    2022-12-08T16:45:53.357+00:00


    Hi, having problems following your recommendation. Using the username of a user registered during the signup b2c flow. Any ideas? I'm using the User Principal Name, which is just an email address. I know the error message is self explanatory, but that user is there.

    I've tried adding a user via the portal. Getting the below when I try to get the token:

    AADSTS65001: The user or administrator has not consented to use the application with ID '<my_tenant>' named '<my_app_id>'. Send an interactive authorization request for this user and resource.
    Trace ID: f1f913e4-56ca-4d37-afba-b27bb79d1e00
    Correlation ID: eb1eedf2-3b41-4614-b97d-a73a54ae476c
    Timestamp: 2022-12-09 12:08:06Z

    The permissions I've got are


    Thought it might be my scope so updated that to
    https://graph.microsoft.com/User.Read.All offline_access

    Still the same issue... so yeah, I'm very confused.
