Retrieve an access token for Graph using a B2C tenant and delegated privileges

Alex Mang 1 Reputation point Microsoft Regional Director
2020-03-10T10:55:09.993+00:00

Hi,

I'm trying to retrieve a valid access token to get to the user's audit log.
As of right now, I've tried to retrieve that information both from the Azure Active Directory Graph and Microsoft Graph. Certainly, using an application scope and a sample available here (https://github.com/azure-ad-b2c/graph-api) I was able to do so. However, what I'm interested in is retrieving a user's audit log (the currently signed in user) rather than have a report of all audit logs from all users.

In order to achieve that, I've tried to retrieve the token using a TokenAcquisition client, specifying both Directory.Read.All and Directory.AccessAsUser.All as scopes.
So far, I was only encountering errors of the following type:

  1. Either MsalServiceException: AADB2C90117: The scope 'Directory.Read.All' provided in the request is not supported., when specifying Directory.Read.All as scope
  2. A null reply back when specifying "https://graph.windows.net/Directory.Read.All" as scope

Any suggestions to what I might be doing wrong?


  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-03-12T06:32:02.87+00:00

    @Alex Mang You need to configure Application permissions and not delegated permissions. If you decode the token at https://jwt.ms, you should see that the 'Directory.Read.All' and 'Directory.ReadWrite.All' permissions are Roles, not SCP (Scope). As per my testing on https://github.com/azure-ad-b2c/graph-api, both 'Directory.Read.All' and 'Directory.ReadWrite.All' are required.

    In this case, we are fetching the audit logs in application context, as the token we are using to make the graph call is issued to the application. Delegated permissions are used when the application has to perform certain actions on behalf of the user. Selecting the Directory.AccessAsUser.All delegated permission is used when the application has to impersonate the user for accessing directory data. I don't think this will help you fetch the audit logs specific to that user. Using this sample, all audit logs will be exported to JSON format; you can then filter the logs to fetch logs specific to the required user.

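The answer above makes two points: check whether a permission landed in the token's `roles` claim (application permission) or its `scp` claim (delegated scope), and then filter the exported audit log JSON down to one user. The following is an added example written for this page, not code from the question, the answer or the linked sample; the token and audit entries are constructed, and the audit entry field names (`initiatedBy.user.id`, `targetResources[].id`) are assumed to follow Microsoft Graph's directoryAudit shape.

```python
import base64
import json
from typing import Dict, List, Optional


def decode_jwt_payload(token: str) -> Dict:
    """Decode the payload of a compact JWT without checking its signature.
    This is the same inspection https://jwt.ms performs; it does not validate
    the token and must not be used as an authorization decision."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS token")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_kind(claims: Dict, permission: str) -> Optional[str]:
    """Tell whether a permission was granted as an application role ('roles'
    claim), as a delegated scope (space-separated 'scp' claim), or not at all."""
    if permission in claims.get("roles", []):
        return "application"
    if permission in claims.get("scp", "").split():
        return "delegated"
    return None


def audit_entries_for_user(entries: List[Dict], user_id: str) -> List[Dict]:
    """Keep entries the user initiated or that name the user as a target."""
    def involves(entry: Dict) -> bool:
        initiator = entry.get("initiatedBy", {}).get("user") or {}
        targets = [t.get("id") for t in entry.get("targetResources", [])]
        return initiator.get("id") == user_id or user_id in targets
    return [e for e in entries if involves(e)]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token: header.payload.signature with a placeholder signature.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"aud": "https://graph.microsoft.com",
                        "roles": ["Directory.Read.All", "Directory.ReadWrite.All"]}).encode()),
    _b64url(b"placeholder-signature"),
])

# Constructed sample audit export, shaped like directoryAudit entries.
SAMPLE_AUDIT = [
    {"id": "1", "initiatedBy": {"user": {"id": "user-a"}}, "targetResources": []},
    {"id": "2", "initiatedBy": {"app": {"appId": "app-x"}}, "targetResources": [{"id": "user-b"}]},
    {"id": "3", "initiatedBy": {"app": {"appId": "app-x"}}, "targetResources": [{"id": "user-a"}]},
]
```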