Client credential call failing to fetch access token for B2C Graph API user management

Pdez 21 Reputation points
2022-10-31T17:07:27.243+00:00

I am using the following endpoint to fetch an access token to use Graph API for B2C user management:
https://<b2cTenant>.b2clogin.com/<b2cTenant>.onmicrosoft.com/<b2cPolicy>/oauth2/v2.0/token
In the body of the POST I am sending
grant_type: client_credentials
client_id: The client id of a B2C registered app. I used the API Permissions tab to grant access to various Graph API operations
client_secret: <secret>
scope: https://graph.microsoft.com/.default

In the response I am getting:
{ "error": "invalid_grant", "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: <correlationId>\r\nTimestamp: 2022-10-31 16:49:08Z\r\n" }

I found samples to authenticate for B2C Graph access, but they reference an AAD authority url. I don't understand how an access token retrieved from an AAD tenant (e.g. https://login.microsoftonline.com/${process.env.TENANT_ID}) will help in performing operations on a B2C tenant.
See: https://github.com/Azure-Samples/ms-identity-b2c-javascript-nodejs-management/blob/main/Chapter2/bin/authConfig.js#L4

When I plug the B2C tenant value into the AAD authority URL I predictably get the following error:
AADSTS900023: Specified tenant identifier '<my b2c tenant>' is neither a valid DNS name, nor a valid external domain


Accepted answer
  1. CarlZhao-MSFT 39,101 Reputation points
    2022-11-01T06:47:59.41+00:00

    Hi @Pdez

    Don't try to use user flows/custom policies to get tokens for the Graph API; user flows/custom policies can only be used to get tokens for your custom web APIs, not the Graph APIs. You should use Azure AD-specific authentication to obtain Graph API tokens for your Azure AD B2C tenant.

    POST https://login.microsoftonline.com/{b2c tenant id}/oauth2/v2.0/token

    client_id={the client ID of the B2C application}
    &scope=https://graph.microsoft.com/.default
    &client_secret={client secret}
    &grant_type=client_credentials


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
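The request above, as an added example that is not part of the original thread or of any Microsoft sample: a small stdlib-only Python script that builds the client-credentials request against login.microsoftonline.com for the B2C tenant (rejecting a b2clogin.com policy URL, which is what the question used), sends it, and then inspects the returned token's claims before it is handed to Graph. The tenant, client id and secret are placeholders; `_unsigned_jwt` builds a constructed `alg=none` token purely so the claim check can be exercised offline, and `decode_jwt_payload` does not verify signatures, which is fine for a client looking at its own token but never for a resource server.

```python
"""Client-credentials token for Microsoft Graph against an Azure AD B2C tenant.

Added example (not from the original thread). All identifiers are placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Well-known application ID of Microsoft Graph; v1-format tokens carry it in `aud`.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def token_endpoint(tenant: str) -> str:
    """Azure AD v2.0 token endpoint for the B2C tenant (tenant GUID or <name>.onmicrosoft.com).

    A <tenant>.b2clogin.com/<policy>/... URL is refused on purpose: that is the
    endpoint the question used, and it is not where Graph tokens come from.
    """
    if "b2clogin.com" in tenant or "/" in tenant:
        raise ValueError("pass the tenant id or <name>.onmicrosoft.com, not a policy URL")
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def token_request_body(client_id: str, client_secret: str) -> dict:
    """Form fields for the client_credentials grant, exactly as in the accepted answer."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }


def decode_jwt_payload(token: str) -> dict:
    """Decode a compact JWS payload WITHOUT verifying the signature (client-side inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_token(token: str, expected_tenant_id: str) -> list:
    """Return a list of problems; an empty list means the token is usable against Graph for this tenant."""
    claims = decode_jwt_payload(token)
    problems = []
    aud = claims.get("aud")
    if aud not in ("https://graph.microsoft.com", GRAPH_APP_ID):
        problems.append(f"aud={aud!r} is not Microsoft Graph")
    if claims.get("tid") != expected_tenant_id:
        problems.append(f"tid={claims.get('tid')!r} is not the B2C tenant")
    # Application permissions granted under client_credentials show up in `roles`, not `scp`.
    if not claims.get("roles"):
        problems.append("no application roles in token (check API permissions and admin consent)")
    return problems


def fetch_graph_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Live request; needs network access and real credentials. Raises with the AAD error text on failure."""
    data = urllib.parse.urlencode(token_request_body(client_id, client_secret)).encode()
    req = urllib.request.Request(token_endpoint(tenant), data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as e:
        body = json.load(e)
        raise RuntimeError(f"{body.get('error')}: {body.get('error_description')}") from None


def _unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token for offline demonstration only; not a real AAD token."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Offline demonstration with constructed tokens (placeholder tenant id).
    tenant_id = "00000000-0000-0000-0000-000000000001"
    ok = _unsigned_jwt({"aud": "https://graph.microsoft.com", "tid": tenant_id, "roles": ["User.Read.All"]})
    wrong = _unsigned_jwt({"aud": "api://my-custom-api", "tid": tenant_id})  # a policy-issued style token
    print(token_endpoint(tenant_id))
    print("good token problems:", check_graph_token(ok, tenant_id))
    print("wrong token problems:", check_graph_token(wrong, tenant_id))
```

Run it with real values by calling `fetch_graph_token(tenant, client_id, client_secret)` and then `check_graph_token(token, tenant_id)` before the first Graph call; an empty problem list is the signal that the token really is scoped to Graph for the B2C tenant, which is the point the question was unsure about.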

1 additional answer

  1. Bhanu Kiran 3,526 Reputation points
    2022-10-31T21:54:18.14+00:00

    Hi @Pdez ,

    Hope you are doing good.

    Please refer to this similar QnA post of your described issue: https://learn.microsoft.com/en-us/answers/questions/1055427/aadb2c90085-can39t-obtain-token-with-client-creden.html

    hope this helps.
