How can I call Microsoft Graph API endpoints using the OAuth 2.0 Bearer token released by an Azure AD B2C Tenant App Registration?

Luka 0 Reputation points
2024-08-08T13:55:42.3066667+00:00

I am trying to implement a Microsoft Entra ID SSO in my web application.

I am not the owner of the Azure subscription.

Its owner created an account for me to use, created a B2C Tenant into which he invited my account and made it administrator, and an App Registration inside it for me to use.

Using these I was able to authenticate the user logging with his Microsoft Entra ID account in my B2C Tenant via OAuth 2.0 authentication code flow (setting a redirect URL and creating a client secret in the App Registration) obtaining a JWT Bearer token, but I need some more information about the user which is not contained in it (e.g. his name), so I thought I'd use Microsoft Graph's https://graph.microsoft.com/v1.0/me endpoint to fetch them.

I configured the API Permissions of the App Registration (and the scopes the application requests during OAuth authorization and token endpoint calls) to include the scope User.Read as a Delegated permission, but I get a 401 Unauthorized response.

Reading here some argue this is not possible by design but I failed to find info about it in Azure's documentation:

https://stackoverflow.com/questions/63579290/call-microsoft-graph-api-using-azure-b2c

Reading here some had success with it using a different OAuth flow (client credentials) and Microsoft's .NET Azure and Microsoft Graph's SDKs, but it doesn't seem to be my case:

https://stackoverflow.com/questions/75077793/azure-b2c-how-to-get-user-details-from-microsoft-graph

Is this possible in my scenario? If so, how?

If not, are there other ways about it?

My App Registration API Settings have all scopes regarding OpenId permissions (email, offline_access, openid, profile) and the scope required by the /me Graph API endpoint (User.Read) all of which of Delegated Type.

Screenshot from 2024-08-08 14-59-53

The OAuth 2.0 authorization flow consists of two HTTP requests:

  • the first: POST GET https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize with query parameters (I list them in JSON format for readability) made by the user's browser:
{
  "client_id": 
2 answers

  1. Yakun Huang-MSFT 4,005 Reputation points Microsoft Vendor
    2024-08-09T06:32:11.64+00:00

    Hi @Luka

    When using the Auth code flow, interactive login is required: you first need to send a GET request in the browser for user login and authorization, instead of sending a POST request. The request path is as follows:

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id={clientId}
    &response_type=code
    &redirect_uri=http://localhost
    &response_mode=query
    &scope=email offline_access openid profile User.Read
    &state=123456
    

    As shown in the picture below:

    User's image

    See the link below for details:

    https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow

    https://learn.microsoft.com/en-us/graph/auth-v2-user?tabs=http

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Navya 9,320 Reputation points Microsoft Vendor
    2024-08-09T09:36:13.19+00:00

    Hi @Luka

    Thank you for posting this in Microsoft Q&A.

    I understand that an account was created for you, a B2C Tenant was set up where your account was invited and given administrator privileges, and an App Registration was created for your use. You are obtaining a bearer token and with it, you are attempting to access the https://graph.microsoft.com/v1.0/me endpoint, but you are encountering a "401 Unauthorized" error.

    You are utilizing a B2C tenant, and your application is located within this B2C tenant, not in the Microsoft Entra tenant. Therefore, you should use the B2C tenant endpoint instead of the Microsoft Entra endpoint.

    Microsoft Entra endpoints to get authorization code and access token: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow

    GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
    POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

    B2C tenant Endpoints to get authorization code and access token: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow

    GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
    POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token

    To retrieve names in a B2C token, there is no necessity to utilize the Graph API endpoint at https://graph.microsoft.com/v1.0/me. Azure AD B2C allows the use of user flows and custom policies to facilitate identity user experiences.

    • User flows are predefined, built-in, configurable policies that we provide so you can create sign-up, sign-in, and policy editing experiences in minutes.
    • Custom policies enable you to create your own user journeys for complex identity experience scenarios that are not supported by user flows. Azure AD B2C uses custom policies to provide extensibility.

    Please follow below steps:

    1. Register a web application, create a client certificate, and ensure to grant administrative consent to the permissions. I believe the owner has already created the application in B2C. I would like to request that you cross-check the application against this document

    2. Create a sign-up and sign-in user flow and test the flow; you will get a token along with the claims.

    Please follow the steps outlined in this document: Create user flows and custom policies in Azure Active Directory B2C

    User's image

    If my understanding of the issue is incorrect, for instance, if your application is hosted within a Microsoft tenant, please let me know, and I will provide assistance.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
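An added example, not code from the question or from either answer: it assembles the B2C authorize URL from the endpoint pattern in Navya's answer (a browser GET carrying the parameters Yakun listed, plus PKCE) and then reads the name claims from the resulting id_token, which is what makes the call to /me unnecessary. The tenant name contosob2c, policy name B2C_1_signupsignin, client id, issuer and the sample token are placeholder assumptions, not values from the page.

```python
import base64, hashlib, json, secrets, time
from urllib.parse import urlencode

def b2c_endpoints(tenant: str, policy: str) -> dict:
    """B2C endpoints live on b2clogin.com and embed the user flow (policy) name."""
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0"
    return {"authorize": f"{base}/authorize", "token": f"{base}/token"}

def pkce_pair() -> tuple:
    """Fresh PKCE verifier/challenge so an intercepted code cannot be redeemed by someone else."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    return verifier, challenge

def build_authorize_url(tenant, policy, client_id, redirect_uri, state, code_challenge) -> str:
    """The browser is redirected here with a GET (not a POST); openid in scope yields an id_token."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": "openid offline_access", "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return b2c_endpoints(tenant, policy)["authorize"] + "?" + urlencode(params)

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def claims_from_id_token(id_token: str, expected_issuer: str, client_id: str, now=None) -> dict:
    """Return the claims only after issuer, audience and expiry checks pass. Assumes a JWT library
    has already verified the signature against the policy's JWKS (from its OIDC metadata)."""
    _header, payload, _sig = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

# Constructed sample (not a real token; the signature is a placeholder) with claims a user flow can emit.
SAMPLE_ISSUER = "https://contosob2c.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"
SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url_encode(json.dumps({"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "exp": 4102444800,
                               "name": "Ada Lovelace", "given_name": "Ada"}).encode()),
    "placeholder-signature"])
```

The name claims only appear if the user flow is configured to return them as application claims; the audience check is what stops a token minted for another app in the same tenant from being accepted.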

