How to delete azure b2c tenant using rest API mentioned at https://learn.microsoft.com/en-us/rest/api/activedirectory/b2c-tenants/delete?tabs=HTTP

Dharmendra Patidar 40 Reputation points
2023-08-23T10:07:42.5+00:00

I have created an enterprise application and provided user_impersonation permission.

Invoked the API https://login.microsoftonline.com/{TenantId}/oauth2/token to get an auth token.

Here the client_id and client_secret are from the enterprise app, and the TenantId in the URL belongs to the subscription's tenant directory.

User's image

I am getting the exception below while invoking the delete API using the bearer token obtained above.

{
    "error": {
        "code": "AuthorizationFailed",
        "message": "The client 'app_client_id' with object id 'app_client_id' does not have authorization to perform action 'Microsoft.AzureActiveDirectory/b2cDirectories/delete' over scope '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupname}/providers/Microsoft.AzureActiveDirectory/b2cDirectories/{directoryname}' or the scope is invalid. If access was recently granted, please refresh your credentials."
    }
}

Delete API: DELETE https://management.azure.com/subscriptions/34adfa4f-cedf-4dc0-ba29-b6d1a69ab346/resourceGroups/rg1/providers/Microsoft.AzureActiveDirectory/b2cDirectories/contoso.onmicrosoft.com?api-version=2023-01-18-preview

The GET API does work with the same bearer token, though.

Please suggest a solution; any help would be appreciated.

Microsoft Security Microsoft Entra Microsoft Entra External ID
Microsoft Security Microsoft Entra Microsoft Entra ID
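The call sequence the question describes (client-credentials token from the v1 endpoint, then the DELETE against the B2C directory resource, then the AuthorizationFailed payload), as an added example that is not code from the question or the answers. It uses only the Python standard library. TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders; the subscription, resource group and directory name are the sample values from the question's own DELETE URL. One caveat the example makes explicit: with the client_credentials grant the app acts as itself, so the delegated user_impersonation permission on the enterprise app is never exercised, and Azure Resource Manager authorises the request purely from the Azure RBAC role assignments of the app's service principal at the scope named in the error.

```python
# Added example, not code from the question or the answers on this page.
# Flow: (1) obtain an app-only token for Azure Resource Manager via the v1
# client-credentials grant, (2) issue the B2C directory DELETE, (3) parse ARM's
# AuthorizationFailed payload into the denied RBAC action and scope.
# TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders (assumed values).
import json
import re
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2023-01-18-preview"  # api-version used in the page's DELETE call


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Build the POST for https://login.microsoftonline.com/{tenant}/oauth2/token.

    With client_credentials the app acts as itself, so a *delegated* permission
    such as user_impersonation is never used; ARM authorises the service
    principal only by its Azure RBAC role assignments. The token must be issued
    for ARM (resource=https://management.azure.com/) or ARM rejects it outright.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": ARM + "/",
    }).encode()
    return url, body


def b2c_directory_url(subscription_id: str, resource_group: str, directory_name: str) -> str:
    """ARM resource URL of a B2C directory (same shape as the page's DELETE call)."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.AzureActiveDirectory/b2cDirectories/{directory_name}"
            f"?api-version={API_VERSION}")


_ACTION_SCOPE = re.compile(r"perform action '([^']+)' over scope '([^']+)'")


def parse_arm_error(body: str):
    """Return (code, action, scope) from an ARM error payload.

    For AuthorizationFailed the message names the exact RBAC action and scope
    that were denied; check that action against the 'actions' of the roles
    assigned to the app's service principal at that scope or a parent scope.
    """
    err = json.loads(body).get("error", {})
    match = _ACTION_SCOPE.search(err.get("message", ""))
    action, scope = match.groups() if match else (None, None)
    return err.get("code"), action, scope


def get_arm_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Network call: exchange the client secret for an ARM bearer token."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def delete_b2c_directory(token: str, subscription_id: str, resource_group: str, directory_name: str):
    """Network call: DELETE the directory. Returns (http_status, parsed_error_or_None).

    200/202 means the delete was accepted; 403 with AuthorizationFailed means the
    service principal has no role granting the named action at that scope.
    """
    req = urllib.request.Request(
        b2c_directory_url(subscription_id, resource_group, directory_name),
        method="DELETE",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, None
    except urllib.error.HTTPError as exc:
        return exc.code, parse_arm_error(exc.read().decode())


if __name__ == "__main__":
    # Constructed offline sample mirroring the error body quoted in the question.
    sample = json.dumps({"error": {
        "code": "AuthorizationFailed",
        "message": "The client 'app_client_id' with object id 'app_client_id' does not "
                   "have authorization to perform action "
                   "'Microsoft.AzureActiveDirectory/b2cDirectories/delete' over scope "
                   "'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupname}"
                   "/providers/Microsoft.AzureActiveDirectory/b2cDirectories/{directoryname}' "
                   "or the scope is invalid."}})
    print(parse_arm_error(sample))
    print(b2c_directory_url("34adfa4f-cedf-4dc0-ba29-b6d1a69ab346", "rg1", "contoso.onmicrosoft.com"))
```

The action string that parse_arm_error extracts is what to compare against the role definitions assigned to the service principal: a GET succeeding while DELETE fails is consistent with a read-only role at that scope, since the two calls are authorised by different RBAC actions.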

Accepted answer
  1. Erkan Sahin 840 Reputation points
    2023-08-24T11:34:29.7433333+00:00

    I'll try to guide you based on the information you provided.

    1. Application Permissions in Azure AD:
       • Azure AD applications have two types of permissions: Delegated permissions and Application permissions. The difference is that Delegated permissions are used by apps that run with a signed-in user present, whereas Application permissions are used by apps that run as a background service or daemon without a signed-in user.
       • For certain tasks, applications do need specific permissions. For example, to manage objects in the directory, such as users or groups, the application might require directory permissions.
       • However, it's correct that applications cannot be assigned roles like "Global Admin" or "Contributor". Roles like these are designed for users. Instead, you assign the necessary permissions directly to the application or to a security group that the application is a member of.

1 additional answer

  1. Dharmendra Patidar 40 Reputation points
    2023-08-24T10:15:52.7366667+00:00

    Hi Erkan,

    Thanks for the quick response. I am still not able to resolve the issue. I have verified the application permissions as shown below; I am not sure whether we can assign the Contributor or Global Admin role to applications, since I am not able to. It seems to be specific to user roles.

    User's image

    Also, I could not delete the Azure B2C directory using the PowerShell script below, with appropriate values in the placeholders.

    User's image

    Please suggest any possible solution. Thanks in advance.
