Azure Active Directory B2C - Insufficient privileges to complete the operation

Question

I created Azure AD B2C «MyApplication». When making request to read all users of AD B2C application «MyApplication» we getting following error:

{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    }
  }
}

For authorization, was used a local account with global administrator rights (myuser@myapplication.onmicrosoft.com).

I used next URL for HTTP request to Graph API: " https://graph.windows.net/myapplication.onmicrosoft.com/users?api-version=1.6 "

The AccessToken was successfully received and added to the request header.

ASP.NET MVC 5 application (4.5.2)

Used libraries:

• Microsoft.Azure.ActiveDirectory.GraphClient version="2.1.1"
• Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.17.1"
• Microsoft.IdentityModel.Logging" version="1.1.4"
• Microsoft.IdentityModel.Protocol.Extensions" version="1.0.0"
• Microsoft.IdentityModel.Tokens" version="5.1.4"
• Microsoft.Identity.Client" version="1.1.0-preview"
• Microsoft.Owin.Security.OpenIdConnect" version="3.1.0"

In the App registrations section (More services -> Security + Identity -> App registrations) there is an embedded application called: b2c-extensions-app. Should I use this app and change it "Required permissions" to access the AD B2C application "«MyApplication»" for CRUD operations with users of AD B2C?

Or is there another most correct solution to this problem?

Answer 1

See this guide: Use the Azure AD Graph API: Get an access token .

You obtain access via a shared secret, not a user.

// The ClientCredential is where you pass in your client_id and client_secret, which are
// provided to Azure AD in order to receive an access_token by using the app's identity.
this.credential = new ClientCredential(clientId, clientSecret);