Hello William Lane
Let’s address this issue:
Scope Selection:
- The scope ‘User.Read.All’ is not supported in Azure AD B2C. Instead, you should use the appropriate Microsoft Graph API permission.
- To access user profiles, grant the User.Read.All permission from the Microsoft Graph API, rather than using a custom scope.
Access Token Aud:
- When decoding the access token, ensure that the audience (aud) corresponds to Microsoft Graph, not the ClientID of your application.
- Azure AD B2C supports only offline_access and openid Microsoft Graph delegated API permissions.
Token Generation:
- Avoid generating tokens for the Microsoft Graph API using user flows or custom policies. These can only be used to obtain tokens for web APIs, not the Microsoft Graph APIs.
- To obtain Microsoft Graph API tokens for your Azure AD B2C tenant, use the authentication flow specific to Azure AD (auth code flow or ROPC flow).
API Permissions:
- Make sure you’ve added the necessary API permissions to your Azure AD B2C application.
- Use the correct endpoints for authorization and token generation.
That should help you further.
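The `aud` check described in the answer, as an added example that is not part of the original post: it inspects a token's payload and reports whether `aud` is Microsoft Graph (its resource URI or its well-known app ID) or your own client ID, and whether `User.Read.All` appears in `scp`. The client ID and both sample tokens are constructed placeholders; the code only decodes, it does not verify signatures.

```python
import base64
import json

# Audience values a Microsoft Graph access token carries: Graph's resource URI
# or Graph's well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. Inspection only: the signature is not
    checked here, that is the receiving API's job, not the caller's."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    return json.loads(b64url_decode(parts[1]))


def check_graph_token(token: str, client_id: str, scope: str = "User.Read.All") -> dict:
    """Diagnose the two mistakes from the answer: aud pointing at your own app
    instead of Graph, and the Graph permission missing from scp."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    scopes = set(str(claims.get("scp", "")).split())
    return {
        "aud": aud,
        "aud_is_graph": aud in GRAPH_AUDIENCES,
        "aud_is_own_client": aud == client_id,
        "has_scope": scope in scopes,
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature for offline use."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.placeholder-signature"


CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder app ID
# Constructed sample: what a B2C user flow mints (aud = your own application).
B2C_TOKEN = make_sample_token({"aud": CLIENT_ID, "scp": "openid offline_access"})
# Constructed sample: a token obtained from the Azure AD endpoint for Graph.
GRAPH_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read.All"})

if __name__ == "__main__":
    print(check_graph_token(B2C_TOKEN, CLIENT_ID))
    print(check_graph_token(GRAPH_TOKEN, CLIENT_ID))
```

A result with `aud_is_own_client` true is the symptom from the question: the token was issued for your app, so Graph will reject it regardless of which scope was requested.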