Azure AD B2C 应用程序注册图 API — 说明

Question

So, I am trying to utilize Graph API with Azure AD B2C. My understanding is that it's not possible to use the client_credentials flow when requesting access tokens. When I try to utilize an access token with client_credentials to get /beta/policies/b2cAuthenticationMethods I receive this error:

{
  "error": {
    "code": "AADB2C",
    "message": "User Authorization: Access is denied.",
    "innerError": {
      "correlationId": "4c00031f-febc-4c1a-9728-701f0c1fda00",
      "date": "2021-01-19T18:51:42",
      "request-id": "77a30adb-5103-40ec-84f3-0626800e976a",
      "client-request-id": "77a30adb-5103-40ec-84f3-0626800e976a"
    }
  }
}

Which is expected since I used the client_credentials flow.

But, the documentation states the following:

Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants.

I have gone through the process linked above. However, I am running into one issue and now have questions about this "automated" process:

Question: How do I complete this automated process for requesting and utilizing access tokens with a registered app in B2C if I cannot use the client_credentials flow?

I cannot have any user interaction when this application requests an access token.

Do I have to use a different flow? If so, how do I do it so that things like MFA aren't an issue? I am not using any SDKs, I am just directly querying MGraph using an HttpClient in my application with the Authorization Bearer header passed.

Issue

Why am I not able to complete this part of the above linked documentation.

I am logged in as a global admin for my B2C tenant. I navigate to the Roles and Administrators section

Then, in the Add Assignments popup that appears on the left I start typing the name of my app

and it does not appear, But it is registered: and I can see it in my list of registered applications:

What is the deal here?

I have found many other questions similar, and all have led me to the referenced documentation page. But, I still am not quite understanding the correct procedure to automatically get an access token for a registered app in B2C tenants.

Thanks so much.

Edit

See my answer for both solutions to the problems I had in this post.

Okay, so I managed to find the answer to my issue here .

Just out of curiosity, I made that ServicePrincipal for my application a Global admin. I used the client_crededentials flow again to the beta/policies/b2cAuthenticationMethodsPolicy and STILL received that above error about User Authorization: Access is dened. What the heck? I'm starting to wonder if it's that specific endpoint that's the issue, and not the flow itself. Especially because I can get /beta/users just fine when using the access token from client_credentials flow for my B2C tenant.

Answer 1

Alright, I have found my answers.

To my issue:

I found the answer on this thread https://docs.microsoft.com/en-us/answers/questions/229991/azure-ad-b2c-application-won39t-show-up-as-an-opti.html .

To my question:

I opened an issue on the MSFT Docs GitHub page, and someone was able to answer my question there .