Azure-AD-B2C - How to get "access token" in ASP.NET MVC 3 based application for accessing Graph End Points

Siddartha Pal 20 Reputation points
2023-04-04T16:46:04.48+00:00

Hi All,

We have an ASP.NET MVC 3 based project (not .NET Core). In that we have added code for Azure AD B2C integration (after going through the sample code provided by Microsoft).

What we want? After successful login (the user would be using "userName", not email, for logging in), we would like to get user profile information from Azure using MS Graph.

Why is this required? After successful login, when we check "HttpContext.User.Identity.Name" in web controllers, we are getting "name", but we want "userName" in the above property (which is actually the "User Principal Name" as shown in "Azure/Users"). We also need access to the roles associated with the logged-on user (these would get populated during account migration). Refer to the following image: Graph API

How to get access to scopes for Graph so that I can get access to the "Access token" is not clear to me. Any pointers would be very helpful.

Best regards


1 answer

  1. Shweta Mathur 28,191 Reputation points Microsoft Employee
    2023-04-05T07:45:33.87+00:00

    Hi @Siddartha Pal, Thanks for reaching out.

    > What we want? After successful login (user would be using "userName" not email for logging in), we would like to get user profile information from Azure using MS Graph.

    To get the user's details using the Graph API, you need to grant the User.Read delegated permission to your application. To add the permission, navigate to API permissions in your registered application. Select Microsoft Graph, then Delegated permissions, and add the User.Read permission to your application. To get the user profile information from MS Graph you need to call the Graph API endpoints below:

    - GET https://graph.microsoft.com/v1.0/me - This endpoint gives the details of the signed-in user.
    - GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} - This endpoint retrieves the profile of the specified user.

    > Why this is required? After successful login, when we check the "HttpContext.User.Identity.Name" in web controllers, we are getting "name" but we want "userName" in the above property (which is actually "User Principal Name" as being shown in "Azure/Users").

    To get the username of the user, you need to retrieve the identities property of the user, which represents an identity used to sign in to a user account, i.e. email, username, federated or user principal name. Getting a user retrieves only the default set of properties. To get the additional properties and relationships of the user object, you need to use $select, which will retrieve issuerAssignedId, which represents the username. You need to call GET https://graph.microsoft.com/v1.0/users/{userId}?$select=displayName,identities to get the username of the user.

    In ASP.NET MVC, you can call the Graph API as below:

    using System.Linq;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.Graph;

    // CachedUser is the application's own DTO; it is assumed here because the original snippet did not define it.
    public class CachedUser
    {
        public string DisplayName { get; set; }
        public string Mail { get; set; }
        public string UserName { get; set; }
    }

    public static async Task<CachedUser> GetUserDetailsAsync(string accessToken, string userId)
    {
        // Attach the caller's bearer token to every request the Graph client sends.
        var graphClient = new GraphServiceClient(
            new DelegateAuthenticationProvider(
                async (requestMessage) =>
                {
                    requestMessage.Headers.Authorization =
                        new AuthenticationHeaderValue("Bearer", accessToken);
                }));

        // identities is not in the default property set, so it must be selected explicitly.
        var user = await graphClient.Users[userId].Request()
            .Select(u => new { u.DisplayName, u.Mail, u.Identities })
            .GetAsync();

        // The issuerAssignedId of the "userName" identity is the sign-in username.
        var userNameIdentity = user.Identities?.FirstOrDefault(i => i.SignInType == "userName");
        return new CachedUser
        {
            DisplayName = user.DisplayName,
            Mail = user.Mail,
            UserName = userNameIdentity?.IssuerAssignedId
        };
    }

    > We also need access to roles associated with the logged on user (this would get populated during account Migration)

    To retrieve the list of roles that a user has been granted, use the Graph API endpoint below: https://graph.microsoft.com/v1.0/users/{user-id}/appRoleAssignments, which requires the User.ReadBasic.All least-privileged permission for your application. You can assign any permission to your application as mentioned above. Reference: https://learn.microsoft.com/en-us/graph/api/user-list-approleassignments?view=graph-rest-1.0&tabs=http

    > How to get access to scopes for Graph so that I can get access to "Access token"

    You can add permissions (scopes) to your application as done above for 'User.Read', which will allow you to add that scope (https://graph.microsoft.com/user.read) in your authorization request to get the access token.

    Hope this will help.

    Thanks,
    Shweta

    Please remember to "Accept Answer" if the answer helped you.
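The following is an added example, not code from the question, the answer, or Microsoft, that puts the answer's three calls together for an ASP.NET MVC (full framework) app: acquire a Graph access token, read the user's `identities` via `$select` to recover the sign-in username, and list the user's `appRoleAssignments`. It uses MSAL.NET (`Microsoft.Identity.Client`) with the client credentials flow, which Microsoft documents for reading user objects in an Azure AD B2C tenant, so the token represents the application rather than the signed-in user and the app registration needs the read-only `User.Read.All` application permission. `TenantId`, `ClientId`, `ClientSecret`, the `GraphUserProfile` type and the `B2CGraphClient` class are assumptions of this example; the user's object id comes from the `oid` claim of the B2C id token.

```csharp
// Added example: fetch a B2C user's sign-in username and app role assignments from Microsoft Graph
// with an app-only token. Assumes the Microsoft.Identity.Client and Newtonsoft.Json NuGet packages.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Newtonsoft.Json.Linq;

public class GraphUserProfile
{
    public string DisplayName { get; set; }
    public string UserPrincipalName { get; set; }
    public string SignInUserName { get; set; }      // issuerAssignedId of the "userName" identity
    public List<string> AppRoleIds { get; set; }    // appRoleId values from appRoleAssignments
}

public static class B2CGraphClient
{
    // Placeholder values: load these from web.config or a secret store, never from source control.
    private const string TenantId = "<b2c-tenant>.onmicrosoft.com";
    private const string ClientId = "<app-registration-client-id>";
    private const string ClientSecret = "<client-secret-from-secret-store>";
    // .default asks for every application permission already consented to on the app registration.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };
    private static readonly HttpClient Http = new HttpClient();

    private static async Task<string> AcquireAppTokenAsync()
    {
        // Client credentials flow: the application identity calls Graph, so the token is not tied
        // to the browser session and the app should hold only the read permission it needs.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(new Uri("https://login.microsoftonline.com/" + TenantId))
            .Build();
        AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
        return result.AccessToken;
    }

    private static async Task<JObject> GetJsonAsync(string url, string accessToken)
    {
        using (var request = new HttpRequestMessage(HttpMethod.Get, url))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            using (HttpResponseMessage response = await Http.SendAsync(request))
            {
                // Fail loudly on 401/403/404 rather than parsing an error body as a user.
                response.EnsureSuccessStatusCode();
                return JObject.Parse(await response.Content.ReadAsStringAsync());
            }
        }
    }

    // objectId: the user's directory object id, i.e. the "oid" claim of the B2C id token.
    public static async Task<GraphUserProfile> GetProfileAsync(string objectId)
    {
        string token = await AcquireAppTokenAsync();
        string userUrl = "https://graph.microsoft.com/v1.0/users/" + Uri.EscapeDataString(objectId);

        // identities is not returned by default, so it has to be requested with $select.
        JObject user = await GetJsonAsync(userUrl + "?$select=displayName,userPrincipalName,identities", token);
        var profile = new GraphUserProfile
        {
            DisplayName = (string)user["displayName"],
            UserPrincipalName = (string)user["userPrincipalName"],
            AppRoleIds = new List<string>()
        };
        foreach (JToken identity in user["identities"] ?? new JArray())
        {
            if ((string)identity["signInType"] == "userName")
            {
                profile.SignInUserName = (string)identity["issuerAssignedId"];
                break;
            }
        }
        // Accounts that were migrated without a "userName" identity: fall back to the UPN.
        if (string.IsNullOrEmpty(profile.SignInUserName))
            profile.SignInUserName = profile.UserPrincipalName;

        // App role assignments carry the role's id; the role name lives on the resource's service principal.
        JObject assignments = await GetJsonAsync(userUrl + "/appRoleAssignments", token);
        foreach (JToken assignment in assignments["value"] ?? new JArray())
            profile.AppRoleIds.Add((string)assignment["appRoleId"]);

        return profile;
    }
}
```

In a controller, the object id can be read from the signed-in principal (for OWIN-based sign-in it is the `http://schemas.microsoft.com/identity/claims/objectidentifier` claim) and passed to `GetProfileAsync`; the returned `SignInUserName` is the value the question wanted in place of `HttpContext.User.Identity.Name`. Each `appRoleId` has to be matched against the `appRoles` of the service principal named in the assignment's `resourceId` to turn it into a role name, and the token should be cached for its lifetime rather than acquired on every request.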