Can Read Users in B2C Active Directory but cannot Create Users

Question

Can Read Users in B2C Active Directory but cannot Create Users

Joe Thomas 1

I have a B2C AD for which I am able to get a single user and list all users.

I get 401 unauthorised when I try to create a user.

My API app is registered in B2C with permissions Directory.Read.All, Directory.ReadWrite.All and User.ReadWrite.All - all of them indicate they have admin consent.

Client secret is in order.

I am trying to do a simple POST request with the access token I receive from the https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token end point.

Where am I going wrong?

Thanks

Deva-MSFT 2,231 Reputation points Microsoft Employee

2020-12-10T17:53:46.73+00:00

Added right tag/team to assist

Deva-MSFT 2,231 Reputation points Microsoft Employee

2020-12-10T17:53:46.73+00:00

Added right tag/team to assist

Answer 1

Alfredo Revilla (MSFT) 17,096 Microsoft Employee

Hello, please ensure you're using an Azure AD app registration which differs from a B2C app registration, the later does not support MS Graph. Also that the user being authenticated has directory permissions to create users, such as belonging to a role like User Administrator.

Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.

Joe Thomas 1 Reputation point

2020-12-11T22:39:57.69+00:00

Hi alfredorevilla-msft, thanks for the reply. I am already successfully calling GET /users using the B2C registered app. I just can't create users...
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-11T23:43:53.503+00:00

Does the user belongs to an admin role?
Joe Thomas 1 Reputation point

2020-12-12T08:34:25.083+00:00

So I'm building the app in my clients infrastructure and they say they have given me the application administrator role.

Here is an image of my apps permissions, which suggest that admin consent is given...
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-14T23:19:29.013+00:00

The app registration is lacking MS Graph permissions. It should have at least Application.ReadWrite.All.
Joe Thomas 1 Reputation point

2020-12-15T13:13:40.51+00:00

Thank you.

I added the extra permission but it still doesn't authorise the creation of user. Can still read users however.

I am using postman to do these requests and have the azure function running on my local machine for testing
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-15T16:05:03.083+00:00

My bad, apologies referring to application, you need permission User.ReadWrite.All of type delegated.
Joe Thomas 1 Reputation point

2020-12-15T16:28:29.98+00:00

No problem.

User.ReadWrite.All is not available as a delegated permission to the app - this is all that is available:
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-15T17:27:58.617+00:00

They should. Please double check and confirm.
Joe Thomas 1 Reputation point

2020-12-15T18:42:35.11+00:00

No they are not available.

In a B2C app, I don't think they are supposed to be available.
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-15T18:51:36.993+00:00

That's what I stated previously:

Hello, please ensure you're using an Azure AD app registration which differs from a B2C app registration, the later does not support MS Graph.
Joe Thomas 1 Reputation point

2020-12-15T19:51:52.43+00:00

This is really confusing. All the B2C documentation says that you can manage a B2C directory via MS Graph

https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api

The step by step to do this explicitly takes you through the steps of registering an app:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga

To quote - you can do the following:

"Host user registration on your own page, and create user accounts in your Azure AD B2C directory behind the scenes"
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-15T20:16:54.42+00:00

You've to use the Azure Active Directory node app registration, not the Azure AD B2C:
Joe Thomas 1 Reputation point

2020-12-15T21:19:49.687+00:00

And registering my app in AAD would allow me to create users in my AD B2C?
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-15T22:11:38.113+00:00

Yes it will.
Joe Thomas 1 Reputation point

2020-12-17T10:33:31.733+00:00

anonymous user-msft if I navigate to AAD -> App registrations, I can see my apps that I registered in B2C. Should I be looking at enterprise applications?
Joe Thomas 1 Reputation point

2020-12-17T11:06:45.143+00:00

I think the issue maybe that I am doing all this in my B2C tenant and not the AAD tenant.
Joe Thomas 1 Reputation point

2020-12-17T11:56:47.847+00:00

No, still getting 401 unauthorised:
Joe Thomas 1 Reputation point

2020-12-17T15:34:17.957+00:00

I've managed to create a user in my B2C directory using the B2C registered app.

The issue was how my token was being constructed and then getting the correct UPN for the user.

Now to work out how to allow my B2C users to login with their own work email and not the .onmicrosoft one.

See: https://stackoverflow.com/a/65332762/9982309
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-17T18:48:53.29+00:00

That's great. Just to some summarize info: An Azure AD B2C tenants share some features with Azure AD tenants. App registrations are basically the same (that's why you seem them all listed under the Azure AD node), however B2C apps are slightly different and won't expose MS Graph permissions to user flows or journeys (custom policies). How were or are you getting your token constructed? You should not need to do anything special, just follow the appropriate Azure AD Oauth2 flow (EG: Authorization Code Grant). What's your goal? B2C users distinct from pure Azure AD users due having identities other than userPrincipalName (EG: emailAddress for local B2C not federated accounts).
Joe Thomas 1 Reputation point

2020-12-17T22:54:31.613+00:00

Thanks for the summary. I must admit I've never worked with documentation so confusing and seemingly contradictory as B2C and AD.

My goal here is to create user in B2C with local identity logins via the graph, which I have now achieved. Albeit, I'm still not sure why it wasn't working for me initially, as the help I received on stackoverflow basically made me change from using axios to request - I don't know why axios was not constructing the token correctly (or what I was doing wrong with it).
Alfredo Revilla (MSFT) 17,096 Reputation points Microsoft Employee

2020-12-21T19:49:54.73+00:00

Great news. Well axios builds the request. In case you want to take a look of how you can use the browser development/network tools or a tracing tool like fiddler.

Can Read Users in B2C Active Directory but cannot Create Users

1 answer

Activity