Azure B2C Client Credentials Flow not working for AzureADMultipleOrgs

Question

Azure B2C Client Credentials Flow not working for AzureADMultipleOrgs

Ricardo Bicho 0

I'm trying to register an application in Azure AD B2C to use Client Credentials flow (Custom Policy).

I'm following this guide: https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-custom-policy.

It all works fine if I use the application type: Accounts in this organizational directory only (Single tenant)

It fails if we register with the application type: Accounts in any organizational directory (Any Azure AD directory – Multitenant), with the error: "An application of version "V1" was found when searching for version "V2" using application identifier "04c7..."

I've updated the manifest and set accessTokenAcceptedVersion=2, but it fails with the same error.

Is there a limitation in the account type (signInAudience) when using Client Credentials flow?

I've used the same application and just by changing the manifest from

"signInAudience": "AzureADandPersonalMicrosoftAccount"

to

"signInAudience": "AzureADMultipleOrgs"

it stops working.

Shweta Mathur 30,271 Reputation points Microsoft Employee

2023-08-07T06:04:11.2166667+00:00

Hi @Ricardo Bicho ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Ricardo Bicho 0 Reputation points

2023-08-07T09:01:17.3833333+00:00
Hi Shweta,

Thank you for the reply.

I appreciate that Client Credentials flow is still in public preview.

Sorry, but I didn't understand the statement: "... if you need to further restricts the user to log in to your application, then RBAC is required...". I don't want to further restrict the user access.

I've used the guide to setup the client credentials flow (Custom Policy) and followed the same flow with 2 app registrations:

Accounts in this organizational directory only (B2C QA only - Single tenant)

This one works fine.

Accounts in any organizational directory (Any Azure AD directory – Multitenant)

This one throws an error and from the logs we have: "An application of version "V1" was found when searching for version "V2" using application identifier "04c7..."

Note that I've updated the manifest property: accessTokenAcceptedVersion=2 (as per the guide).

I would like to know if there's any limitation in using this flow with the account type: Accounts in any organizational directory (Any Azure AD directory – Multitenant) or if it will be updated/fixed, because it's still in public preview.

Thanks,

Ricardo Bicho

1 answer

Your answer

Shweta Mathur 30,271 Reputation points Microsoft Employee

2023-08-07T06:04:11.2166667+00:00

Hi @Ricardo Bicho ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Ricardo Bicho 0 Reputation points

2023-08-07T09:01:17.3833333+00:00

Hi Shweta,

Thank you for the reply.

I appreciate that Client Credentials flow is still in public preview.

Sorry, but I didn't understand the statement: "... if you need to further restricts the user to log in to your application, then RBAC is required...". I don't want to further restrict the user access.

I've used the guide to setup the client credentials flow (Custom Policy) and followed the same flow with 2 app registrations:

Accounts in this organizational directory only (B2C QA only - Single tenant)

This one works fine.

Accounts in any organizational directory (Any Azure AD directory – Multitenant)

This one throws an error and from the logs we have: "An application of version "V1" was found when searching for version "V2" using application identifier "04c7..."

Note that I've updated the manifest property: accessTokenAcceptedVersion=2 (as per the guide).

I would like to know if there's any limitation in using this flow with the account type: Accounts in any organizational directory (Any Azure AD directory – Multitenant) or if it will be updated/fixed, because it's still in public preview.

Thanks,

Ricardo Bicho

Answer 1

Hi @Ricardo Bicho ,

Thanks for reaching out.

Aure AD B2C User flow or custom policies are compatible with B2C specific Application Registration option "Accounts in any identity provider or organizational directory (for authenticating users with user flows)" as B2C is for consumer-based applications.

In Single app and Multi-tenant scenarios, if you need to further restricts the user to log in to your application, then RBAC is required which is not directly supported in Azure AD B2C.

Those are Azure AD/Entra ID concepts that are not respected by Azure AD B2C auth policies.

Note: Client credential flow is still in public preview and not generally available and not recommended to use for production applications.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Share via

Azure B2C Client Credentials Flow not working for AzureADMultipleOrgs

1 answer

Your answer