MSAL error AADB2C90146

anastasia 21 Reputation points
2022-04-27T10:52:30.687+00:00

I have a hosted Blazor WebAssembly app secured with Azure AD B2C. I need to call GraphAPI from my app to get some custom user information. I used this article to set up the service, but it doesn't work. I get an error message when I try to access pages that need authentication or log in:

196919-image.png

The message is kind of self-explanatory, but I don't understand how I should do it.

Here I set AddMsalAuthentication

builder.Services.AddMsalAuthentication(options =>  
{  
    builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);  
    options.ProviderOptions.DefaultAccessTokenScopes.Add(  
        "https://xxx.onmicrosoft.com/xxxxxxx-a5f50ab3378d/API.Access");  
  
    options.ProviderOptions.LoginMode = "redirect";  
});  

and Microsoft Graph

builder.Services.AddGraphClient("https://graph.microsoft.com/User.Read");  

Accepted answer
  1. CarlZhao-MSFT 40,221 Reputation points
    2022-04-28T03:08:26.07+00:00

    Hi @anastasia

    The error is a scope conflict: https://xxx.onmicrosoft.com/xxxxxxx-a5f50ab3378d/API.Access is your custom web API, not the Graph API. You cannot request tokens for two different types of API; please change it to the Graph API.

     builder.Services.AddMsalAuthentication(options =>  
     {  
         builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);  
         options.ProviderOptions.DefaultAccessTokenScopes.Add(  
             "https://graph.microsoft.com/User.Read");  
          
         options.ProviderOptions.LoginMode = "redirect";  
     });  
    

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
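
Added example, not part of the original thread and not MSAL's own code: a small C# check that groups the scopes of one token request by resource and reports when more than one resource is present, which is the scope conflict the answer describes. `ScopeCheck`, `ResourceOf` and `ByResource` are hypothetical names, and the check assumes every API scope has the form `<resource>/<permission>`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper for illustration; not part of MSAL or the original post.
static class ScopeCheck
{
    // OpenID Connect scopes that are not tied to any resource.
    static readonly HashSet<string> OidcScopes =
        new(StringComparer.OrdinalIgnoreCase) { "openid", "profile", "email", "offline_access" };

    // Assumption: a scope is "<resource>/<permission>", so the resource is
    // everything before the last '/'. Returns "" when no resource applies.
    public static string ResourceOf(string scope)
    {
        if (OidcScopes.Contains(scope)) return "";
        int cut = scope.LastIndexOf('/');
        return cut > 0 ? scope.Substring(0, cut) : "";
    }

    // Groups the scopes of one token request by the resource they belong to.
    public static Dictionary<string, List<string>> ByResource(IEnumerable<string> scopes) =>
        scopes.Select(s => (Scope: s, Resource: ResourceOf(s)))
              .Where(x => x.Resource.Length > 0)
              .GroupBy(x => x.Resource, StringComparer.OrdinalIgnoreCase)
              .ToDictionary(g => g.Key, g => g.Select(x => x.Scope).ToList(),
                            StringComparer.OrdinalIgnoreCase);
}

static class Program
{
    static void Main()
    {
        // The two scopes from the question, plus constructed OIDC scopes.
        var requested = new[]
        {
            "openid", "offline_access",
            "https://xxx.onmicrosoft.com/xxxxxxx-a5f50ab3378d/API.Access",
            "https://graph.microsoft.com/User.Read",
        };
        var groups = ScopeCheck.ByResource(requested);
        if (groups.Count > 1)
        {
            Console.WriteLine($"Scope conflict: {groups.Count} resources in one token request");
            foreach (var (resource, scopes) in groups)
                Console.WriteLine($"  {resource}: {string.Join(", ", scopes)}");
        }
    }
}
```

With the scopes from the question this reports two resources, the custom API and Microsoft Graph; with only one of them it prints nothing.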

