Problem with Azure B2C access using NET CORE with Graph API to manage B2C users

Faisal Rashid 60 Reputation points


I have a JavaScript front end html web app that uses msal-browser.js to handle logins from users on an Azure Active Directory (AAD) B2C tenant. I have successfully managed to signup/login users and obtain a token containing Bearer and use this token call my ASP NET 8 Core API backend that uses the protected route. The API checks this token and then provides access to the controller based on a valid token. I have set some sample data to be returned and it works. I want my API to be able to read and update user profiles from B2C, so I am using Microsoft Graph API in my backend app. Since a B2C token is received by the backend API, I can just use this to access an OnBehlafOf token for access to Graph API. I have enabled delegated access to Microsoft Graph in the backend app registration in by B2C directory.

I have the following code in my API.


builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)     .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"))     .EnableTokenAcquisitionToCallDownstreamApi()     .AddMicrosoftGraph(builder.Configuration.GetSection("GraphAPI"))     .AddInMemoryTokenCaches();


using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Microsoft.Graph;
using Microsoft.Identity.Web;
using System;
using System.Threading.Tasks;

namespace Deen_Trust_International_API.Controllers
    public class UsersController : ControllerBase
        private readonly ITokenAcquisition _tokenAcquisition;
        private readonly ILogger
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,634 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 25,306 Reputation points Microsoft Employee

    Hi @Faisal Rashid , Thanks for reaching out.

    On Behalf of flow is suitable for chained Web APIs where one API need to calls another downstream Web API.

    Although Azure AD B2C doesn't support On Behalf of flow, so we can't utilize its token to call another downstream API.

    However, On-Behalf-Of works for applications registered in Microsoft Entra ID, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Microsoft Entra ID or Azure AD B2C) that is issuing the tokens.

    Hope this will help.



    Please remember to "Accept Answer" if answer helped you.