
I’m trying to fetch a token using the endpoint shown in the image. When I use the scope https://graph.microsoft.com/.default, I get an error. However, if I use the scope openid offline_access 7cb56db3, I can get the token successfully.

The problem is that when I use this token to call the Microsoft Graph API to create a user, I get the error: "Access token validation failure. Invalid audience."

I’ve already added the required permissions, like Directory.ReadWrite.All and User.ReadWrite.All, under Microsoft Graph in the app. But despite this, I’m still having issues when trying to get a token with the Graph scope.

Could you please help me figure out what I might be missing?

2 Answers


  1. I think the scope value is wrong in your Postman. If the purpose is only to request a token for adding a user, you need to pass in the scope value as scope: User.ReadWrite.All. If you need multiple scopes, you can pass them like this: scope: Group.ReadWrite.All GroupMember.ReadWrite.All User.Read User.ReadWrite.All

    POST https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=xxx
    &client_id=xxxx
    &scope=User.ReadWrite.All
    &code=xxxxx...
    &redirect_uri=xxxxxx
    &client_secret=xxxxx
    

    You probably want to mask the actual secret in the Postman screenshot.

  2. Please double-check the configuration on B2C following the steps below and try again.

    Check Application Registration in Azure Portal

    1. Navigate to Azure AD App Registration:

    • Go to the Azure portal.
    • Open Azure Active Directory > App registrations.
    • Select the application you’re using for authentication.

    2. Verify API Permissions:

    • Go to API permissions.
    • Ensure your app has the following delegated or application permissions for Microsoft Graph:
      • User.ReadWrite.All (for creating users).
      • Directory.AccessAsUser.All (if needed for elevated directory access).
    • If these permissions are missing:
      • Click Add a permission > Microsoft Graph.
      • Add the required permissions.
      • Grant admin consent for the permissions.

    3. Expose API (If Needed):

    • Go to Expose an API and ensure your API scopes are properly configured.
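A quick way to see why Graph answers "Invalid audience" is to inspect the `aud` claim of the token before calling the API: a token requested with `openid offline_access <client-id>` is minted for the app itself, while Graph only accepts its own audience. This is an added example, not code from the question or either answer; the tokens it checks are constructed, unsigned samples and the client id is a placeholder.

```python
import base64
import json
from typing import Optional

# Audiences Microsoft Graph accepts on an access token (well-known values).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Fine for inspecting a token you already hold; never accept claims
    from a caller this way."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def graph_audience_problem(token: str) -> Optional[str]:
    """Explain why Graph would reject this token's audience, or None if it matches."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if any(a in GRAPH_AUDIENCES for a in auds):
        return None
    return f"aud={aud!r} is not Microsoft Graph; the token was issued for another resource"


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline tests only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed samples. APP_CLIENT_ID is a placeholder, not a real app registration.
APP_CLIENT_ID = "00000000-aaaa-bbbb-cccc-000000000001"
# Token from scope "openid offline_access <client-id>": aud is the app itself.
APP_TOKEN = make_unsigned_jwt({"aud": APP_CLIENT_ID, "scp": "openid offline_access"})
# Token from a Graph scope: aud is Microsoft Graph.
GRAPH_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.ReadWrite.All"})

if __name__ == "__main__":
    print(graph_audience_problem(APP_TOKEN))    # explains the "Invalid audience" rejection
    print(graph_audience_problem(GRAPH_TOKEN))  # None
```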