Client credential call failing to fetch access token for B2C Graph API user management

Pdez 21 Reputation points

I am using the following endpoint to fetch an access token to use Graph API for B2C user management:
In the body of the POST I am sending
grant_type: client_credentials
client_id: The client id of a B2C registered app. I used the API Permissions tab to grant access to various Graph API operations
client_secret: <secret>

In the response I am getting:
{ "error": "invalid_grant", "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: <correlationId>\r\nTimestamp: 2022-10-31 16:49:08Z\r\n" }

I found samples to authenticate for B2C Graph access, but they reference an AAD authority url. I don't understand how an access token retrieved from an AAD tenant (e.g. ${process.env.TENANT_ID}) will help in performing operations on a B2C tenant.

When I plug the B2C tenant value into the AAD authority URL I predictably get the following error:
AADSTS900023: Specified tenant identifier '<my b2c tenant>' is neither a valid DNS name, nor a valid external domain


Accepted answer
  1. CarlZhao-MSFT 39,101 Reputation points

    Hi @Pdez

    Don't try to use user flows/custom policies to get tokens for the Graph API; user flows/custom policies can only be used to get tokens for your custom web APIs, not the Graph APIs. You should use Azure AD-specific authentication to obtain Graph API tokens for your Azure AD B2C tenant.

    POST {b2c tenant id}/oauth2/v2.0/token  
    client_id={the client ID of the B2C application}  
    &client_secret={client secret}  

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

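The accepted answer's point, that Graph tokens for a B2C tenant come from the tenant's own Azure AD token endpoint via a client_credentials grant, as an added Python example that is not from this thread or from Microsoft. It assumes the standard Azure AD v2.0 endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token and the scope https://graph.microsoft.com/.default (neither appears on the page), goes beyond the answer's snippet by including the grant_type and scope parameters, and classifies the AADB2C90085 and AADSTS900023 responses quoted in the question.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed (not from the thread): the standard Azure AD v2.0 token endpoint and
# the Graph application-permission scope used with the client_credentials grant.
AAD_TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form body) for a client_credentials grant against the B2C
    tenant's own Azure AD endpoint (tenant GUID or *.onmicrosoft.com name)."""
    # A b2clogin.com user-flow/policy authority cannot issue Graph tokens.
    if "b2clogin.com" in tenant.lower() or tenant.lower().startswith("b2c_1"):
        raise ValueError("pass the tenant id or domain, not a user-flow authority")
    url = AAD_TOKEN_ENDPOINT.format(tenant=tenant)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,  # app permissions granted in the app registration
    }).encode()
    return url, body


def classify_token_response(payload):
    """Map a token response to a short status; never returns the token or secret."""
    if "access_token" in payload:
        return "ok"
    desc = payload.get("error_description", "")
    if desc.startswith("AADB2C"):
        return "b2c-userflow-endpoint"  # request reached a B2C policy endpoint, not Azure AD
    if desc.startswith("AADSTS900023"):
        return "bad-tenant-identifier"  # tenant value is neither a GUID nor a valid domain
    return "other:" + payload.get("error", "unknown")


def fetch_graph_token(tenant, client_id, client_secret):
    """POST the grant and return (status, parsed response)."""
    url, body = build_token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as exc:  # a 400 carries the error JSON in its body
        payload = json.load(exc)
    return classify_token_response(payload), payload
```

Read the tenant id, client id and client secret from the environment or a vault rather than hard-coding them; the returned token carries the application permissions granted to the registration, so scope it to the least Graph permissions user management needs.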

1 additional answer

  1. Bhanu Kiran 3,526 Reputation points

    Hi @Pdez ,

    Hope you are doing good.

    Please refer to this similar QnA post of your described issue:

    Hope this helps.
