How to resolve azure b2c application error

William Lane 25 Reputation points
2024-02-22T16:25:53.4133333+00:00

I receive the following error when trying to sign a user into the MVC app using the Microsoft Identity Platform:

An unhandled exception occurred while processing the request.

MsalServiceException: AADB2C90117: The scope 'User.Read.All' provided in the request is not supported.
Correlation ID: 3c1cd3f2-775c-48b0-ab13-b43b540e5687
Timestamp: 2024-02-22 16:19:33Z

Stack trace:

Microsoft.Identity.Client.Internal.Requests.Silent.SilentRequest.ExecuteAsync(CancellationToken cancellationToken)
Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
Microsoft.Identity.Client.ApiConfig.Executors.ClientApplicationBaseExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenSilentParameters silentParameters, CancellationToken cancellationToken)
Microsoft.Identity.Web.TokenAcquisition.GetAuthenticationResultForWebAppWithAccountFromCacheAsync(IConfidentialClientApplication application, ClaimsPrincipal claimsPrincipal, IEnumerable

Accepted answer
  1. Pinaki Ghatak 3,830 Reputation points Microsoft Employee
    2024-02-27T17:33:22.4+00:00

    Hello William Lane

    Let’s address this issue:

    Scope Selection:

    • The scope ‘User.Read.All’ is not supported in Azure AD B2C. Instead, you should use the appropriate Microsoft Graph API permission.
    • To access user profiles, grant the User.Read.All permission from the Microsoft Graph API, rather than using a custom scope.

    Access Token Aud:

    • When decoding the access token, ensure that the audience (aud) corresponds to Microsoft Graph, not the ClientID of your application.
    • Azure AD B2C supports only offline_access and openid Microsoft Graph delegated API permissions.

    Token Generation:

    • Avoid generating tokens for the Microsoft Graph API using user flows or custom policies. These can only be used to obtain tokens for web APIs, not the Microsoft Graph APIs.
    • To obtain Microsoft Graph API tokens for your Azure AD B2C tenant, use the authentication flow specific to Azure AD (auth code flow or ROPC flow).

    API Permissions:

    • Make sure you’ve added the necessary API permissions to your Azure AD B2C application.
    • Use the correct endpoints for authorization and token generation.

    That should help you further.

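As an added diagnostic example (not code from either answer or from Microsoft.Identity.Web): a Python script that decodes a JWT payload without verifying the signature and classifies the token the way the accepted answer suggests, by checking whether `aud` is Microsoft Graph's application ID or your own app's client ID and whether the issuer is a B2C endpoint. The two sample tokens, the tenant ID and the client ID are constructed placeholders; `make_unsigned_token` exists only to build them.

```python
import base64
import json

# Well-known application ID of the Microsoft Graph resource (documented constant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT verified: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, app_client_id: str) -> dict:
    """Classify an access token by audience and issuer."""
    claims = decode_jwt_payload(token)
    aud, iss = claims.get("aud", ""), claims.get("iss", "")
    # B2C-issued tokens carry the policy name in 'tfp' and use a b2clogin.com
    # (or legacy /tfp/) issuer; Microsoft Graph does not accept such tokens.
    issued_by_b2c = "b2clogin.com" in iss or "/tfp/" in iss or "tfp" in claims
    aud_is_graph = aud in (GRAPH_APP_ID, "https://graph.microsoft.com")
    if issued_by_b2c or aud == app_client_id:
        verdict = "B2C/own-app token: Graph will reject it; get a Graph token from the Entra ID endpoint"
    elif aud_is_graph:
        verdict = "audience is Microsoft Graph: usable for Graph calls"
    else:
        verdict = "unexpected audience: " + aud
    return {"aud_is_graph": aud_is_graph, "aud_is_own_app": aud == app_client_id,
            "issued_by_b2c": issued_by_b2c, "scopes": claims.get("scp", "").split(),
            "verdict": verdict}


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token for the CONSTRUCTED samples below only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: placeholder tenant and client IDs, no real tenant data.
APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder for your app's client ID
TENANT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder tenant ID
B2C_TOKEN = make_unsigned_token({"iss": f"https://contoso.b2clogin.com/{TENANT_ID}/v2.0/",
                                 "aud": APP_CLIENT_ID, "tfp": "B2C_1_signupsignin",
                                 "scp": "openid offline_access"})
GRAPH_TOKEN = make_unsigned_token({"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                                   "aud": GRAPH_APP_ID, "scp": "User.Read.All"})
```

Run `diagnose_token(<your token>, <your client ID>)` on a token copied from the failing request to see which case you are in.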

1 additional answer

  1. James Hamil 23,976 Reputation points Microsoft Employee
    2024-02-26T23:08:06.3066667+00:00

    Hi @William Lane, from this thread: "Currently, accessing any Microsoft API isn't supported using an Azure AD B2C-issued token, i.e. using tokens that are issued as a result of an Azure AD B2C built-in or custom flow.

    Instead, for a single-page application to access the Microsoft Graph API, you must bridge them using a proxy API." Please review that page for more details.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

