Client credential call failing to fetch access token for B2C Graph API user management

Pdez 21 Reputation points
2022-10-31T17:07:27.243+00:00

I am using the following endpoint to fetch an access token to use Graph API for B2C user management:
https://<b2cTenant>.b2clogin.com/<b2cTenant>.onmicrosoft.com/<b2cPolicy>/oauth2/v2.0/token
In the body of the POST I am sending
grant_type: client_credentials
client_id: The client id of a B2C registered app. I used the API Permissions tab to grant access to various Graph API operations
client_secret: <secret>
scope: https://graph.microsoft.com/.default

In the response I am getting:
{ "error": "invalid_grant", "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: <correlationId>\r\nTimestamp: 2022-10-31 16:49:08Z\r\n" }

I found samples to authenticate for B2C Graph access, but they reference an AAD authority url. I don't understand how an access token retrieved from an AAD tenant (e.g. https://login.microsoftonline.com/${process.env.TENANT_ID}) will help in performing operations on a B2C tenant.
See: https://github.com/Azure-Samples/ms-identity-b2c-javascript-nodejs-management/blob/main/Chapter2/bin/authConfig.js#L4

When I plug the B2C tenant value into the AAD authority URL I predictably get the following error:
AADSTS900023: Specified tenant identifier '<my b2c tenant>' is neither a valid DNS name, nor a valid external domain


Accepted answer
  1. CarlZhao-MSFT 23,841 Reputation points
    2022-11-01T06:47:59.41+00:00

    Hi @Pdez

    Don't try to use user flows/custom policies to get tokens for the graph API, user flows/custom policies can only be used to get tokens for your custom web APIs, not the graph APIs. You should use Azure AD-specific authentication to obtain graph API tokens for your Azure AD B2C tenant.

    POST https://login.microsoftonline.com/{b2c tenant id}/oauth2/v2.0/token

    client_id={the client ID of the B2C application}
    &scope=https://graph.microsoft.com/.default
    &client_secret={client secret}
    &grant_type=client_credentials

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
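A self-contained Python version of the request in the accepted answer, added here as an illustration (not code from Microsoft or from either poster). Tenant id, client id and secret are placeholders you supply; the `is_graph_app_token` check and the constructed `make_sample_token` helper are my additions for confirming, before calling Graph, that a token was issued for Graph by the B2C directory and carries the application permissions granted under API Permissions.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Well-known app ID of Microsoft Graph; app-only Graph tokens carry this
# ID (or "https://graph.microsoft.com") in the aud claim.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def build_token_request(tenant, client_id, client_secret):
    """Client-credentials request as in the accepted answer: the authority
    is the Azure AD endpoint of the B2C directory (login.microsoftonline.com),
    not a b2clogin.com user-flow/custom-policy endpoint, which only issues
    tokens for your own APIs."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": GRAPH_SCOPE}
    return url, urlencode(form).encode()


def fetch_token(tenant, client_id, client_secret):
    """POST the request and return the parsed JSON token response."""
    url, body = build_token_request(tenant, client_id, client_secret)
    req = Request(url, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)


def jwt_claims(token):
    """Decode the JWT payload for inspection only (no signature check)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def is_graph_app_token(token, tenant_id):
    """Sanity-check an app-only Graph token before calling Graph: audience is
    Graph, issuing tenant is the B2C directory, and 'roles' (the application
    permissions granted under API Permissions) is non-empty."""
    c = jwt_claims(token)
    return (c.get("aud") in (GRAPH_APP_ID, "https://graph.microsoft.com")
            and c.get("tid") == tenant_id and bool(c.get("roles")))


def make_sample_token(claims):
    """Constructed, unsigned JWT-shaped string for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

An empty `roles` claim on a real token means the app has no consented application permissions for Graph, so user-management calls will be rejected even though the token request itself succeeded.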


1 additional answer

  1. Bhanu Kiran 3,511 Reputation points
    2022-10-31T21:54:18.14+00:00

    Hi @Pdez ,

    Hope you are doing well.

    Please refer to this similar Q&A post about the issue you described: https://learn.microsoft.com/en-us/answers/questions/1055427/aadb2c90085-can39t-obtain-token-with-client-creden.html

    Hope this helps.
