Azure B2C cannot access graph api

Question

I got an access token to fetch the graph client using the following code:

    string graphResourceID = "https://graph.windows.net";      
    string tenantID = ConfigurationManager.AppSettings["ida:Domain"];
    string aadInstance = "https://login.microsoftonline.com/" + tenantID + 
    "/oauth2/v2.0/token";

Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential credential = new Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential(clientId, appKey);
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance);
authenticationContext.TokenCache.Clear();

var authResult = await authenticationContext.AcquireTokenAsync(graphResourceID,clientcred);

And then tried to use the token to fetch the signed in User's info via the AD graph api:

Uri servicePointUri = new Uri(graphResourceID);
Uri serviceRoot = new Uri(servicePointUri, tenantID);
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,async () => await GetTokenForApplication());    
var result = await activeDirectoryClient.Users.Where(u => u.ObjectId.Equals(userObjectID)).ExecuteAsync();
IUser user = result.CurrentPage.ToList().First();

return View(user);

However, this returns the following error:

"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "2bdae8ff-d935-4e01-80a1-78cbc8acf4de",
"date": "2017-08-09T18:07:40"

I made sure that mu B2C application has the "Read and Write Directory Data" permission for Windows Active Directory :

Can anyone please help? Been stuck on this for a while. TIA

Edit

I also tried using Microsoft.Graph but end up getting the same error. Plus for B2C users I think it's best if we stick to Azure Ad Graph api for now: https://dev.office.com/blogs/microsoft-graph-or-azure-ad-graph

Answer 1

It seems that you use the Azure AD library to operate Graph API. I recommand that you could use Microsoft.Graph to do that. Please also set the permission with Microsoft Graph.

Note: don't forget to click [Grant Permissions] button.

The following is the demo code.

string graphResourceId = "https://graph.microsoft.com/";
string authority = "https://login.microsoftonline.com/{0}";
string tenantId = "tenantId";
string clientId = "client Id";
string secretKey = "secret key"
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId,secret)).Result.AccessToken;
var graphserviceClient = new GraphServiceClient(
                new DelegateAuthenticationProvider(
                    requestMessage =>
                    {
                        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);

                        return Task.FromResult(0);
                    }));
var user = graphserviceClient.Users.Request().GetAsync().Result.FirstOrDefault();

Test Result:

Update:

I also test with Azure AD graph API with Azure B2c, it also works correctly on my side. I also assign the [Read and write directory data] and click [Grant permissions] without other permission setting.

The following is the demo code I used for test.

 string graphResourceID = "https://graph.windows.net";
 string tenantID = "tenant Id";
 Uri servicePointUri = new Uri(graphResourceID);
 Uri serviceRoot = new Uri(servicePointUri, tenantID);
 ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await GetAppTokenAsync());
 var result =  activeDirectoryClient.Users.ExecuteAsync().Result;
 IUser user = result.CurrentPage.ToList().First();



 private static async Task<string> GetAppTokenAsync()
 {
        string graphResourceID = "https://graph.windows.net";
        string tenantID = "tenant id ";
        //please remove v2 from the link
        string aadInstance = "https://login.microsoftonline.com/" + tenantID +"/oauth2/token";
        var clientId = "client Id";
        var appKey = "secret key";
        // Instantiate an AuthenticationContext for my directory (see authString above).
        AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance, false);
        // Create a ClientCredential that will be used for authentication.
        // This is where the Client ID and Key/Secret from the Azure Management Portal is used.
        ClientCredential clientCred = new ClientCredential(clientId, appKey);
        // Acquire an access token from Azure AD to access the Azure AD Graph (the resource)
        // using the Client ID and Key/Secret as credentials.
        AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(graphResourceID, clientCred); 
        // Return the access token.
        return authenticationResult.AccessToken;
   }

Test Result:

If it still doesn't work for you. I suggest you create a new Azure AD application and try it again.

Packages.config:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.Azure.ActiveDirectory.GraphClient" version="2.1.1" targetFramework="net471" />
  <package id="Microsoft.Data.Edm" version="5.6.4" targetFramework="net471" />
  <package id="Microsoft.Data.OData" version="5.6.4" targetFramework="net471" />
  <package id="Microsoft.Data.Services.Client" version="5.6.4" targetFramework="net471" />
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net471" />
  <package id="System.Spatial" version="5.6.4" targetFramework="net471" />
</packages>

Answer 2

Thanks guys it seems I was using the tenant ID of the original directory I used to create my B2C directory. Hence the code could not find my application. I have to use the tenant ID/domain name of my Azure B2C directory where the B2C app is registered by clicking on switch directory in the upper right corner of the portal.