Access Microsoft Graph API from Azure B2C

Question

I have an Azure AD B2C tenant with an application running. It is configured to use only Azure AD and Microsoft Accounts to login. This application is used by App Center Auth.

I want to access some Microsoft APIs (Microsoft Graph API, Azure DevOps API) from my mobile application with the same login. Therefore I added the API permissions (Azure DevOps -> user_impersonation and Microsoft Graph -> User.Read) to my application in my Azure AD tenant (not the B2C tenant) to grant these permissions on login.

If I now try to use the access token after the login in my application to access eg the user in Microsoft Graph, I get an Unauthorized error.

// Sign-in succeeded, UserInformation is not null.
var userInfo = await Auth.SignInAsync();

// Get tokens. They are not null.
var idToken = userInfo.IdToken;
var accessToken = userInfo.AccessToken;

Within the same method, I try to get the user photo from Microsoft Graph

var graphAPIEndpoint = "https://graph.microsoft.com/v1.0/me";
var scopes = new[] { "user.read" };

var client = new HttpClient();

var request = new HttpRequestMessage(HttpMethod.Get, graphAPIEndpoint + "/photo/$value");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var response = await client.SendAsync(request);
var image = await response.Content.ReadAsByteArrayAsync();

UserImage.Source = ImageSource.FromStream(() => new MemoryStream(image));

Has anyone an advice how to configure the B2C / Azure AD application to get access to these API with the Access Token? Or am I on the complete wrong way?

Answer 1

Just like @juunas said, as of today,you need to use AAD Graph API to access Azure AD B2C tenant, this is different from the Microsoft Graph API.

Here is the document for this: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

Answer 2

Take a look at this documentation published about using the Microsoft Graph API and authenticating against it for B2C instances:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=applications

With recent migration away from login.microsoftonline.com to *.b2clogin.com , if you're using MSAL to obtain the authentication token from the AAD B2C instance, you need to override the authority config, and turn off authority validation, as per this document:

https://docs.microsoft.com/bs-latn-ba/azure/active-directory/develop/msal-b2c-overview

In JavaScript, this is done like below:

 const msalConfig = {
     auth: {
         clientId: "e760cab2-b9a1-4c0d-86fb-ff7084abd902" //This is your client/application ID
         authority: "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_susi", //This is your tenant info
         validateAuthority: false
     },
 };

 // create UserAgentApplication instance
 const myMSALObj = new Msal.UserAgentApplication(msalConfig);

In C# with the MSAL.NET library, it would be done with the authority URL passed to the PublicClientApplication class constructor.

Answer 3

I was able to consume Graph REST API using the below steps,

1. Get access token, POST URL: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token form-data: {"client_id": <Registered application clientId>, "client_secret": <Registered application generated secret>, "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials"

   Response: {"token_type" : "", "expires_in" : "", "ext_expires_in" : "", "access_token" : ""}

   NOTE: Registered application within b2c tenant should have required grants to access Graph API

2. Pass token to access API resources, ex: to get user details with objectId,

   GET URL: https://graph.microsoft.com/v1.0/users/{objectId}

   set header key

    "Authorization": "Bearer " ++ {access_token from above step 1.>