Azure AD B2C Token Issue

Rıfat Erdem Sahin · Sep 15, 2017 · Viewed 7.4k times

As an enterprise, we would like to use Azure AD B2C and we have internal and external users.

Azure AD helps us manage our Azure users, corporate users and we can even add users with [email protected] emails.

When we wanted to use Azure AD B2C for our consumers, we had 2 choices for adding our users: a local user or an external user (Facebook, Google, etc.).

If the local user belongs to our corporate it is ok to create the user using the Azure AD B2C portal.

But when we try to create Azure AD B2C users who have other kinds of emails, we need to use our own app which consumes the Graph API (that is an Azure portal restriction).

The issue is that we are having a hard time getting the user's values after login if they are local users with Gmail or other emails.

We are using MSAL to get the related information instead of ADAL.

We have enabled the scopes and also enabled the API Access, but these are the errors we are getting.


Error 1:

acquiring the popup: AADB2C90055: The scope 'openid email openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'.

Correlation ID: 86d6ff41-1cef-4ba1-9b26-2aa281c92ccd

Timestamp: 2017-09-15 10:22:20Z

Error 2:

invalid_request Error during login: AADB2C90117: The scope 'user_impersonation' provided in the request is not supported.

Correlation ID: 785c6487-cd7f-4750-a769-deb477cb4ba4

Timestamp: 2017-09-15 10:32:39Z

:invalid_request

Error 3:

Error acquiring the popup: AADB2C90055: The scope 'email openid profile' provided in request must specify a resource, such as 'https://example.com/calendar.read'.

Correlation ID: bd714482-8534-473e-94bc-0a4c56da686d

Timestamp: 2017-09-15 10:36:15Z

:invalid_request

Answer

Fei Xue - MSFT picture Fei Xue - MSFT · Sep 19, 2017

Error1 and Error3

There is no need to provide the scopes openid profile offline_access when using the MSAL library to interact with Azure AD B2C. The SDK will add these scopes automatically. We only need to provide the custom scope we defined for the web API app registered on the Azure AD B2C blade.

Error2

The scope user_impersonation is a custom scope defined by the app by default. We should include the app ID URI (https://{myB2CTenant}.onmicrosoft.com/b2capp2) before it, like below:

string[] SCOPES = { "https://{myB2CTenant}.onmicrosoft.com/b2capp2/note_read", "https://{myB2CTenant}.onmicrosoft.com/b2capp2/user_impersonation" };

And AFAIK, Azure AD B2C doesn't support delegating the user to access the Azure AD Graph at present. We need to register an app via Azure Active Directory -> App registrations (not in the Azure AD B2C blade) and access the Microsoft or Azure AD Graph via the client credentials flow. Here is a helpful link on calling the Graph API in Azure AD B2C:

Azure AD B2C: Use the Graph API

If you want the Azure AD B2C app to also support delegating the user to call the Microsoft Graph, you may submit feedback here.
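As an added example (not code from the question or the answer above), the following C# builds the resource-qualified scopes the answer describes, rejects the OpenID Connect scopes that MSAL adds on its own, and then requests a token from B2C. It assumes current MSAL.NET (Microsoft.Identity.Client 4.x, whose builder API postdates this thread); the tenant name, client id, policy name and app ID URI are placeholders.

```csharp
// Added example: resource-qualified B2C scopes plus an MSAL.NET token request.
// Assumes Microsoft.Identity.Client 4.x. All tenant/app values are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class B2CScopes
{
    // MSAL adds these itself; requesting them explicitly from B2C produces
    // AADB2C90055 ("scope ... must specify a resource").
    static readonly HashSet<string> AddedByMsal =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "openid", "profile", "offline_access" };

    // Prefixes bare scope names with the web API's app ID URI, e.g.
    // "user_impersonation" -> "https://mytenant.onmicrosoft.com/b2capp2/user_impersonation".
    // Sending the bare name is what produces AADB2C90117 ("scope ... not supported").
    public static string[] Build(string appIdUri, IEnumerable<string> names)
    {
        string baseUri = appIdUri.TrimEnd('/');
        return names.Select(n =>
        {
            if (AddedByMsal.Contains(n))
                throw new ArgumentException($"'{n}' is added by MSAL automatically; do not request it.");
            return n.StartsWith("https://", StringComparison.OrdinalIgnoreCase) ? n : $"{baseUri}/{n}";
        }).ToArray();
    }
}

class Program
{
    static async Task Main()
    {
        // Placeholders: replace with your own B2C tenant, client id and sign-in policy.
        const string tenant = "mytenant";
        const string clientId = "00000000-0000-0000-0000-000000000000";
        const string policy = "B2C_1_signupsignin";
        string authority = $"https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/{policy}";

        string[] scopes = B2CScopes.Build($"https://{tenant}.onmicrosoft.com/b2capp2",
                                          new[] { "note_read", "user_impersonation" });

        IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId)
            .WithB2CAuthority(authority)
            .WithRedirectUri("http://localhost")
            .Build();

        // Interactive sign-in; the returned token's scopes should match the qualified ones above.
        AuthenticationResult result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        Console.WriteLine($"Signed in {result.Account.Username}; scopes: {string.Join(" ", result.Scopes)}");
    }
}
```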