Azure AD B2C token issue while calling Microsoft Graph API using Azure AD B2C token with grant type ROPC

Sateesh Kumar Sharma 21

Hi Team ,

We are planning to automate Application registration and creating credentials and managing the APIs using REST API Call.
First automated call we have considered to invoke MS Graph API - https://graph.microsoft.com/v1.0/applications to register the Application on Azure AD B2C tenant .

Step 1- I have created Azure AAD B2C tenant.
Step 2- created User flow (Sign in using resource owner password credentials (ROPC)
Step 3-created policy(Local IDP)
step4- Register the Application, get the client id .
step 5- Generate the Access token using endpoint :
https://abc.b2clogin.com/cde.onmicrosoft.com/B2C_1\_ABC/oauth2/v2.0/token
grant_type: password
scope : openid ************ offline_access
username: *********
password: *****************
response_type: token

Response 200 OK with access token .

Now When I am trying to call - https://graph.microsoft.com/v1.0/applications
with access token which I received in last call getting error with 401 Unauthenticated :
"error": {
"code": "InvalidAuthenticationToken",
"message": "Invalid x5t claim.",
Can you please look into this and let me know what should I do now to call /applications endpoint and how we can manage MS Graph API from Azure AD B2C tenant .

Your help will be much appreciated :)

Sateesh Sharma

1 answer

AmanpreetSingh-MSFT 56,306 Reputation points

2021-12-15T05:40:45.613+00:00
Hi @Sateesh Kumar Sharma • Thank you for reaching out.

As of now, B2C applications do not support graph operations. This means if you register an app in the B2C tenant using the option highlighted below, you won't be able to perform any graph operations using that app.

Reason: In your case, you need these Permissions to register applications but if you go to the API permissions blade of your application, you won't see these permissions and only openID and offline_access are the available permissions, as shown below:

Currently, you can use the standard Azure AD functionality of B2C tenant for this purpose.

Register the application using any of the first two options (single tenant or multitenant app)

In the application, grant admin consent to these Permissions

Acquire access token using below parameters, and use the token as bearer token to register the applications via graph api. POST https://login.microsoftonline.com/your_tenant.onmicrosoft.com/oauth2/v2.0/token client_id:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
grant_type:password
scope:https://graph.microsoft.com/.default
username:username@your_tenant.onmicrosoft.com
password:********

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Sateesh Kumar Sharma 21 Reputation points

2021-12-15T07:13:58.37+00:00

Hi @AmanpreetSingh-MSFT -

Thank you for your response :)
I have tried to generate the token using Client credentials grant_type of the Application registered on Azure AD B2C and Identities is on Azure AD .
User endpoint for token same as you mentioned - https://login.microsoftonline.com/\*\*\*\*\*\*/oauth2/v2.0/token
grant_type:client_credentials
client_id:**********
client_secret:******
scope: https://graph.microsoft.com/.default

Got the access token with "x5t" claims and able to register the Application using Graph API.

I did not follow ROPC because of this :

https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
Under ROPC flow note .

AmanpreetSingh-MSFT 56,306 Reputation points

2021-12-15T10:26:05.317+00:00

Hi @Sateesh Kumar Sharma • Thanks for the update. As you are using Client_Credentials, make sure you use Application.ReadWrite.OwnedBy, Application.ReadWrite.All application permissions and not the delegated permissions.

Feel free to tag me in your reply if you have any further questions and please "Accept the answer" if the information helped you.

Sateesh Kumar Sharma 21 Reputation points

2021-12-15T10:31:19.2+00:00

Hi @AmanpreetSingh-MSFT - Thank you for your reply and help ,

Yes I have added All the permission related to Application and It is working as expected .

Sateesh Kumar Sharma 21 Reputation points

2021-12-16T10:55:56.803+00:00

HI @AmanpreetSingh-MSFT -

Thank you for your answer , I have a follow up concern related to the Use case which I am trying to achieve , that will be really helpful if you can help here .
Once My APP registration is done using MS Graph API , I used API -https://graph.microsoft.com/v1.0/applications/{id}/addPassword
to add secret for registered Application .

Now If I have a Web API or Function APP published on Azure AD and would like to associate it with the registered Application .
Meaning ,would like to add Function APP URL to registered APP Application ID URI using Automated REST API Call (If MS Graph API has this API available ) and then to call function API APP with the help of Access token (Generated by using client id and secret of the registered APP by GRAPH API) and subscription id of API Management Service , HOw Can I achieve this ?

Thank you in advance :)

AmanpreetSingh-MSFT 56,306 Reputation points

2021-12-16T11:33:24.023+00:00

@Sateesh Kumar Sharma • You can use below call for this purpose:

Call: PATCH https://graph.microsoft.com/v1.0/applications/object_id_of_registered_app Body: { "identifierUris": [ "api://app_id_of_the_api_or_function_app" ] }

Note: If the URL of the web API or function app doesn't use the verified domain name, setting the URL as App ID URI for the registered app will result in the below error:
Failed to update Application ID URI application property. Error detail: Values of IdentifierUris property must use a verified domain of the organization or its subdomain: https://example.com

Sateesh Kumar Sharma 21 Reputation points

2021-12-16T12:54:20.397+00:00

Hi @AmanpreetSingh-MSFT - Thank you for your reply , Yes I am facing the same issue what you have pointed regarding verified domain ,working on it .

Thank you :)

AmanpreetSingh-MSFT 56,306 Reputation points

2021-12-30T05:10:38.383+00:00

Hi @Sateesh Kumar Sharma · Just checking if you have any further questions on this issue.

Sateesh Kumar Sharma 21 Reputation points

2021-12-30T10:17:30.137+00:00

HI @AmanpreetSingh-MSFT - Thank you , the PATCH call to update identifierUris did work well .
I am struggling to figure out next process after updating Application ID URI.

Use case Summary :
We are having two Azure AD (one Azure AD of Organization and second Azure AD B2C which we have created for this use case ). Azure AD is having API Management Service and Identities is created under this API Management Service. Now I have registered one Application in Azure AD B2C manually ,and associated this with Azure AD Identities with client Id and secret along with required details . B2C App registration i am using to generate access token using client_credentials to call Graph API . Got access token and register new Application
and add password , call PATCH API to update application id uri under the registered APP in Azure AD B2C.
API permission also added .
Now I am getting the access token using the automatically created APP client id and secret with grant type -client_credentials .
Function APP is running on Azure AD . Now the is how to call function APP http endpoint with the Azure AD B2C Application's Access token .

Can you please help here and suggest solution for this :)

Thank you in Advance ..

Sateesh Kumar Sharma 21 Reputation points

2022-01-06T10:51:06.98+00:00

Hi @AmanpreetSingh-MSFT - Can I have any suggestion regarding the above use case

That will be really helpful :)

AmanpreetSingh-MSFT 56,306 Reputation points

2022-01-06T13:47:28.54+00:00

Hi @Sateesh Kumar Sharma · I don't think what you are trying to achieve is possible. As your function App is running on Azure AD, the token it will accept must be issued by the same Azure AD tenant. When federated external IDP (such as Facebook, Google, another Azure AD tenant etc.) issues a token, it is passed to the Azure AD tenant upon receiving the token, the Azure AD tenant issues a new token, which is to be used for the applications federated with that tenant.
Sign in to comment