Documentation Problems with Sample AAD Role based Authorization Sample

Siegfried Heintze 1,906 Reputation points
2021-02-09T22:01:26.317+00:00

I'm trying to follow along with the sample AAD Role Based Authorization.

(1) Is it necessary to call Microsoft Graph in this example? When I look at the source code (AccountController.cs line 42), it appears that Microsoft Graph could be any sample API whose access could be denied for some users. Is this true?

(2) I'd like to follow along and call Microsoft Graph but the instructions at step 10 don't seem to match what I am seeing in the portal.azure.com.

(2a) I click on API Permissions and "Add Permissions" and I see a blade with Microsoft APIs.

(2b) I select the "Microsoft APIs" tab and then click on "Microsoft Graph" (with the nice blue icosahedron icon) and then click on the box "delegated". I don't see the "Commonly Used Microsoft APIs" section.

(2c) I click on the "Delegated Permissions" box and I see check boxes for "offline_access" and "openid". I don't see "User.Read, User.ReadBasic.All & Directory.Read.All". I use the search box but it does not help.

(3) What is the best place for queries like this? I started to post here, but this looked more like a place for bugs.

(4) Looks like this other example of group authorization has the same issue with step 10. There is no GroupMember.Read.All.

Wed Feb 10 2021 Evening Update:
OK, I see the problem. I'm trying to re-use the client I created with 4-2-B2C and I get these results:

[image: 66852-image.png]

However, when I create a new client following the instructions in the link in the orange rectangle, everything is good: I can add User.ReadBasic.All.

So apparently I need to use this new client to follow along with the exercise... OK... I'll do that.

However, the new question is: how can I enhance 4-2-B2C to incorporate Role/Group authorization? In this example I need to select the green rectangle. But then I cannot add User.ReadBasic.All.

[image: 66843-image.png]

If I select the red rectangle (as per the instructions for Role Based Authz), then I cannot have the flows for authenticating users.

How can I have both?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

Shama LNU (Collabera Technologies Pvt) 76 Reputation points
2021-02-12T17:56:55.343+00:00

Use of groups or appRole based auth is not supported in Azure AD B2C.
For the issue that you have raised related to Microsoft Graph's permissions, B2C only uses offline_access and openid as delegated permissions when Supported Account Types is "Accounts in any identity provider or organizational directory (for authenticating users with user flows)". You can go through Register a Microsoft Graph application document to get more information about it.

2 additional answers

  1. DAN CRISTIAN 0 Reputation points
    2024-04-15T02:46:44.96+00:00

    Any sample project using ASP.NET Core? To give authorization access to a user based on roles, and how to configure it in a B2C tenant? Graph


  2. Shama LNU (Collabera Technologies Pvt) 76 Reputation points
    2021-02-11T02:14:17.55+00:00

    Please find the response for your queries as below:

    1. It is not necessary to call Microsoft Graph. You can call another API and update the value of scope in AuthorizeForScopes attribute.
    2. As per the documentation: [image: 66716-img1.png] Below are screenshots from the Portal: [image: 66707-img2.png] Here are some of the permissions: User.ReadBasic.All [image: 66708-img3.png] GroupMember.Read.All [image: 66717-img4.png]
    3. The GitHub Issues page that you have shared is the best place to raise these issues.
    4. Please refer to point 2.

    Please share if it helps to resolve the issue.

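To make point 1 of the answer above concrete (calling an API other than Microsoft Graph and gating the action on an app role), here is an added example written for this thread; it is not code from the AAD sample or from Microsoft. It assumes the app uses the Microsoft.Identity.Web library, that the downstream API's scope and base URL are placeholders to be replaced, that the `Admin` app role has been defined and assigned in the Azure AD app registration, and that the configuration key names (`AzureAd`) match the usual Microsoft.Identity.Web layout. Because groups and app roles are not supported in Azure AD B2C, as the accepted answer states, this applies to an Azure AD (work/school accounts) registration, not a B2C one.

```csharp
// Added example, not part of the original thread or the AAD sample.
// Shows (a) wiring Microsoft.Identity.Web so the "roles" claim drives [Authorize(Roles=...)],
// and (b) an action that acquires a token for a non-Graph downstream API via AuthorizeForScopes.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

namespace RoleAuthzExample
{
    public static class DownstreamApi
    {
        // Placeholder values: replace with the downstream API's real exposed scope and base address.
        public const string Scope = "api://00000000-0000-0000-0000-000000000000/Reports.Read";
        public const string BaseAddress = "https://downstream-api.example.invalid";
    }

    public class Startup
    {
        private readonly IConfiguration _configuration;
        public Startup(IConfiguration configuration) => _configuration = configuration;

        public void ConfigureServices(IServiceCollection services)
        {
            // Sign in with Azure AD (reads the "AzureAd" section of appsettings.json) and enable
            // on-behalf-of token acquisition for the downstream API scope, not for Graph.
            services.AddMicrosoftIdentityWebAppAuthentication(_configuration)
                    .EnableTokenAcquisitionToCallDownstreamApi(new[] { DownstreamApi.Scope })
                    .AddInMemoryTokenCaches();

            // Azure AD emits app roles in the "roles" claim; map it so User.IsInRole and
            // [Authorize(Roles = "...")] evaluate that claim.
            services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                options.TokenValidationParameters.RoleClaimType = "roles";
            });

            services.AddHttpClient();
            services.AddControllersWithViews().AddMicrosoftIdentityUI();
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();
            app.UseEndpoints(endpoints => endpoints.MapControllers());
        }
    }

    // Only users assigned the "Admin" app role reach any action here; others get 403.
    [Authorize(Roles = "Admin")]
    public class ReportsController : Controller
    {
        private readonly ITokenAcquisition _tokenAcquisition;
        private readonly IHttpClientFactory _httpClientFactory;

        public ReportsController(ITokenAcquisition tokenAcquisition, IHttpClientFactory httpClientFactory)
        {
            _tokenAcquisition = tokenAcquisition;
            _httpClientFactory = httpClientFactory;
        }

        // If the user has not yet consented to this scope, the attribute triggers an incremental
        // consent round-trip instead of surfacing a MsalUiRequiredException.
        [AuthorizeForScopes(Scopes = new[] { DownstreamApi.Scope })]
        public async Task<IActionResult> Index()
        {
            string accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { DownstreamApi.Scope });

            HttpClient client = _httpClientFactory.CreateClient();
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

            HttpResponseMessage response = await client.GetAsync(DownstreamApi.BaseAddress + "/api/reports");
            response.EnsureSuccessStatusCode();

            string json = await response.Content.ReadAsStringAsync();
            return Content(json, "application/json");
        }
    }
}
```

The two layers are independent: the `Roles` check decides who may enter the controller using a claim already in the signed-in user's ID token, while `AuthorizeForScopes` and `ITokenAcquisition` only deal with obtaining an access token for the downstream API. Swapping Graph for another API therefore means changing the scope string and the request URL; the role check does not change.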
