I have an ASP.NET Core API where I want to call the Graph API. I configure the authentication as such:

services.AddMicrosoftIdentityWebApiAuthentication(Configuration, configSectionName: Constants.AzureAdB2C)
  .EnableTokenAcquisitionToCallDownstreamApi(options => Configuration.Bind(Constants.AzureAdB2C, options))
  .AddMicrosoftGraph(Configuration.GetSection("GraphAPI"))
  .AddInMemoryTokenCaches();

My appsettings.json file has the following properties:

{
  "AzureAdB2C": {
    "Instance": "https://tenantName.b2clogin.com/",
    "Domain": "tenantName.onmicrosoft.com",
    "TenantId": "tenantId",
    "ClientId": "appId",
    "ClientSecret": "appSecret",
    "SignUpSignInPolicyId": "B2C_1_SignUpSignIn",
    "ResetPasswordPolicyId": "B2C_1_PasswordReset"
  },
  "GraphAPI": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "User.Read Directory.ReadWrite.All"
  }
}

My b2c app is granted permission to these Graph scopes.

I created an endpoint:

[HttpGet]
[Route("me")]
public Task<User> Me()
{
    return this.graphServiceClient.Me.Request().GetAsync();
}

This is where I get this error:

ErrorCode: unsupported_grant_type
Microsoft.Identity.Client.MsalServiceException: AADB2C90086: The supplied grant_type [urn:ietf:params:oauth:grant-type:jwt-bearer] is not supported.

Why can't my API call GraphAPI? All samples that I saw used services.AddMicrosoftIdentityWebAppAuthentication.... Could that be the reason?

1 Answer

On-behalf-of flow in B2C is not supported: https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens.

Web API chains (On-Behalf-Of) is not supported by Azure AD B2C.

You need to acquire the token using application permissions as your application with the client credentials flow. There is some documentation on that: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga#register-management-application. The documentation creates a separate app registration for doing that, though I think you can just add the app permissions to your existing registration.

2 Comments

Could you provide an example of how this is done in C# or point me to an appropriate MS sample?
There are samples here on how to interact with MS Graph: learn.microsoft.com/en-us/graph/sdks/sdks-overview
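
The client credentials approach described in the answer, as an added example (not code from the original posts or from a Microsoft sample): the API keeps validating B2C user tokens, but calls Graph with an app-only token and looks the caller up by object ID, because `/me` has no meaning without a signed-in user. Assumptions: Microsoft.Graph 4.x and the Azure.Identity package, a B2C user flow that emits the `oid` claim, and an application permission such as `User.Read.All` granted with admin consent; `AppOnlyGraph`, `AddAppOnlyGraph` and `ProfileController` are hypothetical names.

```csharp
// Added example, not from the original post. Assumes Microsoft.Graph 4.x (the
// .Request() syntax used in the question), Azure.Identity and Microsoft.Identity.Web.
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Graph;
using Microsoft.Identity.Web;

public static class AppOnlyGraph   // hypothetical helper name
{
    // Call as services.AddAppOnlyGraph(Configuration), in place of the
    // EnableTokenAcquisitionToCallDownstreamApi/AddMicrosoftGraph chain.
    public static IServiceCollection AddAppOnlyGraph(
        this IServiceCollection services, IConfiguration config)
    {
        var b2c = config.GetSection("AzureAdB2C");
        // Client credentials flow: the app authenticates as itself against the
        // tenant's Azure AD endpoint, not the b2clogin.com user-flow endpoint.
        var credential = new ClientSecretCredential(
            b2c["TenantId"], b2c["ClientId"], b2c["ClientSecret"]);
        // ".default" requests the application permissions that were granted
        // admin consent on the app registration. Singleton so tokens are cached.
        return services.AddSingleton(new GraphServiceClient(
            credential, new[] { "https://graph.microsoft.com/.default" }));
    }
}

[Authorize]
[ApiController]
[Route("api/[controller]")]                       // hypothetical route
public class ProfileController : ControllerBase   // hypothetical controller name
{
    private readonly GraphServiceClient graph;
    public ProfileController(GraphServiceClient graph) => this.graph = graph;

    [HttpGet("me")]
    public async Task<ActionResult<Microsoft.Graph.User>> Me()
    {
        // An app-only token has no signed-in user, so /me is not available.
        // Look the caller up by the object ID in the validated B2C access token.
        string objectId = User.GetObjectId();
        if (string.IsNullOrEmpty(objectId)) return Forbid();
        return await graph.Users[objectId].Request().GetAsync();
    }
}
```

Application permissions apply to every user in the tenant, so the endpoint takes the user ID only from the validated token and never from request input.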