This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
we want to automate the setup of our AAD B2C Tenant as far as we can, therefore we want to leverage the REST API as described here: https://learn.microsoft.com/en-us/rest/api/activedirectory/b2c-tenants/create
For now the API calls are made using Postman, an access token is obtained.
With the documentation above, I can list and read existing B2C tenants, but when we attempt to create a new tenant we fail and receive an HTTP 401 response with the message "You do not have permission to view this directory or page.".
The API calls are executed using a service principal which also is an "Owner" of the subscription.
I can't figure out which permissions I must grant on our service principal in order to succeed.
Creating the B2C tenant via the Azure Portal works just fine.
I would appreciate any comments which point me into the right direction.
Thanks!
@Cedric
Thank you for your post!
Based off the documentation, it looks like you'll need to use the OAuth2 implicit Flow with the user_impersonation scope in order to use the REST API. I was able to test out another REST API - Get Secret where that specific API's security section wasn't present in the documentation, and was able to run it without issues.
Can you try using Postman's Authorization flow to see if this helps resolve your issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Thanks for the hint @JamesTran-MSFT - it solved my immediate issue even though it does not solve our problem in the long run.
Using the implicit flow with user impersonation is not something we can embed into our CI / CD setup to rollout changes via service principals and not individual, person bound accounts.
Do you know if anything in this regards is on the roadmap? Right now there is no automation possible, neither via ARM templates, nor Powershell or CLI.
@Cedric
Thank you for the follow up on this!
I'm not aware of anything that would be on the roadmap regarding this, but if you'd like this feature to be implemented I'd recommend leveraging our User Voice forum so our engineering team can take into implementing this.