I added below API permissions to the Azure AD B2C Application:
I generated the access token via Postman by using below parameters:
https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token
client_id:ClientID
scope:https://b2caadtenant.onmicrosoft.com/xxx/user_impersonation
grant_type:authorization_code
redirect_uri:https://jwt.ms
code:code
client_secret:ClientSecret
When I tried to fetch user's details using the access token, I got the similar error like below:
GET https://graph.microsoft.com/v1.0/users
The error "This application does not have sufficient permissions against this web resource to perform the operation" usually occurs if the access token doesn't have the sufficient permissions to perform the action.
Note that: To access the user profiles, you need to grant User.Read.All Microsoft Graph API permission not custom scope.
The aud of the access token when decoded must be Microsoft Graph not the ClientID of the Application.
Azure AD B2C supports only offline_access and openid Microsoft Graph delegated API permissions.
- Don't generate tokens for the Microsoft Graph API using user flows or custom policies, these can only be used to obtain tokens for web APIs, not the Microsoft Graph APIs.
- To obtain Microsoft Graph API tokens for Azure AD B2C tenant, use the authentication flow (auth code flow or ROPC flow) that is specific to Azure AD.
I added API permissions like below:
I used the below authorize endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Generated the access token:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
scope: https://graph.microsoft.com/.default
I am able to fetch the user's successfully like below:
https://graph.microsoft.com/v1.0/users?$select=userPrincipalName
Reference:
Graph API and B2C - Microsoft Q&A by CarlZhao-MSFT
How to read users profile data?
