Grant type client_credentials not working for b2c app registration with "signInAudience": "AzureADMyOrg"

Question

Grant type client_credentials not working for b2c app registration with "signInAudience": "AzureADMyOrg"

Jef Schraag-Halma 21

I can't get tokens via grant_type=client_credentials if the app registration manifest contains "signInAudience": "AzureADMyOrg".

With AzureADMyOrg I get this error:

{
    "error": "invalid_grant",
    "error_description": "AADB2C90085: The service has encountered an internal error. Please reauthenticate and try again.\r\nCorrelation ID: ... \r\nTimestamp: ...\r\n"
}

After updating signInAudience to AzureADandPersonalMicrosoftAccount (and waiting for about 20 minutes), my token requests succeed.

Is it a bug in the B2C client credentials flow that "signInAudience": "AzureADMyOrg" is not working?

Accepted answer

0 additional answers

Your answer

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Jef Schraag-Halma , Thanks for reaching out. Aure AD B2C User flow or custom policies are compatible with B2C specific Application Registration option "Accounts in any identity provider or organizational directory (for authenticating users with user flows)" as B2C is for consumer-based applications. In client credential scenario, "signInAudience": "AzureADandPersonalMicrosoftAccount" is only supported type with Azure AD B2C for all the users. If you are looking to support users only from your organization, then you can use Microsoft Entra Endpoint to get the access token. https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Jef Schraag-Halma 21 Reputation points

2024-01-19T10:01:49.23+00:00
Hi @Shweta Mathur ,

Ok thanks. It is good to know that "AzureADMyOrg" is not supported in this case.

My follow up questions are:

You say "B2C is for consumer-based applications". Is it not a common approach to have all consumers sign up directly into in the B2C tenant, leading to AzureADMyOrg (i.e. only the users from my b2c tenant) to be the a logical choice for the signInAudience property?

The error message I got is returned with HTTP status 400 (Bad request) and the text contains "Please reauthenticate and try again". Why is the system hinting that the problem is in the request while the problem could never be solved by fixing the request?

Is the restriction to use AzureADandPersonalMicrosoftAccount documented anywhere?
Jef Schraag-Halma 21 Reputation points

2024-01-19T10:06:48.2633333+00:00
Hi Shweta,

Ok it is good to know that "AzureADMyOrg" is not supported in this case.

My follow up questions are:

You say "B2C is for consumer-based applications". Is it not a common approach to have all consumers sign up directly into in the B2C tenant, leading to AzureADMyOrg (i.e. only the users from my b2c tenant) to be the a logical choice for the signInAudience property?

The error message I got is returned with HTTP status 400 (Bad request) and the text contains "Please reauthenticate and try again". Why is the system hinting that the problem is in the request while the problem could never be solved by fixing the request?

Is the restriction to use AzureADandPersonalMicrosoftAccount documented anywhere?
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-01-22T12:27:59.5166667+00:00
@Jef Schraag-Halma

You say "B2C is for consumer-based applications". Is it not a common approach to have all consumers sign up directly into in the B2C tenant, leading to AzureADMyOrg (i.e. only the users from my b2c tenant) to be the a logical choice for the signInAudience property? Yes, this is valid for Entra ID users but as consumer tenant is different from Workforce tenant therefore another option is providing here for consumer accounts as users are using social IDP as well to authenticate.

The error message I got is returned with HTTP status 400 (Bad request) and the text contains "Please reauthenticate and try again". Why is the system hinting that the problem is in the request while the problem could never be solved by fixing the request? Thanks for the feedback. As this feature is still in preview, this is generic error message providing something is not correct while coming from request. As you can use this supported type with Microsoft Entra ID endpoint, this is generic error for B2C endpoint.

Is the restriction to use AzureADandPersonalMicrosoftAccount documented anywhere? The document mentioned to update application's manifest with accessTokenAcceptedVersion to 2 which means If value of this is 2, signInAudience is AzureADandPersonalMicrosoftAccount https://learn.microsoft.com/en-us/azure/active-directory-b2c/client-credentials-grant-flow?pivots=b2c-user-flow#step-2-register-an-application https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest#accesstokenacceptedversion-attribute Hope this will help.
Thanks, Shweta
Please remember to "Accept Answer" if answer helped you.

Share via

Grant type client_credentials not working for b2c app registration with "signInAudience": "AzureADMyOrg"

Thanks, Shweta

0 additional answers

Your answer