Scope User.Read.All does not work for Azure B2C


I am able to get an access token using the custom scope user_impersonation.

https://{tenant}.b2clogin.com/xxx.onmicrosoft.com/oauth2/v2.0/authorize? 
p=B2C_1A_SIGNUP_SIGNIN&
client_id=IdentityExperienceFrameworkAppId&
nonce=defaultNonce&
redirect_uri=xxx&
scope="https://xx.onmicrosoft.com/xx/user_impersonation"&
response_type=token&
prompt=login

If I change it to User.Read.All, I get the error:

This+application+does+not+have+sufficient+permissions+against+this+web+resource+to+perform+the+operation

Below are my scope settings. I am trying to read the user's profile to get the email.

How do I read users' profile data?



On BEST ANSWER

I added below API permissions to the Azure AD B2C Application:


I generated the access token via Postman by using below parameters:

https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token

client_id:ClientID
scope:https://b2caadtenant.onmicrosoft.com/xxx/user_impersonation
grant_type:authorization_code
redirect_uri:https://jwt.ms
code:code
client_secret:ClientSecret


When I tried to fetch the user's details using the access token, I got a similar error, like below:

GET https://graph.microsoft.com/v1.0/users


The error "This application does not have sufficient permissions against this web resource to perform the operation" usually occurs if the access token doesn't have the sufficient permissions to perform the action.

Note: to access user profiles, you need to grant the User.Read.All Microsoft Graph API permission, not a custom scope.

The aud of the access token, when decoded, must be Microsoft Graph, not the ClientID of the application.

Azure AD B2C supports only offline_access and openid Microsoft Graph delegated API permissions.

  • Don't generate tokens for the Microsoft Graph API using user flows or custom policies; these can only be used to obtain tokens for web APIs, not the Microsoft Graph APIs.
  • To obtain Microsoft Graph API tokens for an Azure AD B2C tenant, use the authentication flow (auth code flow or ROPC flow) that is specific to Azure AD.

I added API permissions like below:


I used the below authorize endpoint:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345


Generated the access token:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

scope: https://graph.microsoft.com/.default


I am able to fetch the users successfully, like below:

https://graph.microsoft.com/v1.0/users?$select=userPrincipalName


Reference:

Graph API and B2C - Microsoft Q&A by CarlZhao-MSFT
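As an added diagnostic example (not code from the question, the answer, or Microsoft), the following Python decodes an access token's claims and reports why Graph would reject it, applying the checks the answer describes: the aud must be Microsoft Graph, User.Read.All must be granted, and the token must not come from a B2C user flow. The Graph audience values are from my own knowledge of the Microsoft identity platform; the tenant/client placeholders and both sample tokens are constructed test data.

```python
import base64
import json

# Audience values Microsoft Graph accepts in the "aud" claim (URI form or Graph's app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: this is a debugging
    aid to see which token you actually hold, not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, required_scope: str = "User.Read.All") -> list:
    """List the reasons Graph would reject this token for GET /v1.0/users.
    An empty list means the token looks usable."""
    claims = decode_jwt_payload(token)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"aud is {aud!r}, not Microsoft Graph: token was issued for another API")
    if "b2clogin.com" in claims.get("iss", ""):
        problems.append("issued by a B2C user flow/policy; use the Azure AD endpoint instead")
    # Delegated permissions come in "scp" (space separated), application permissions in "roles".
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if required_scope not in granted:
        problems.append(f"{required_scope} missing from scp/roles {sorted(granted)}")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """Build an UNSIGNED token carrying the claims (constructed test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: a B2C user-flow token for the custom API, and an Azure AD token for Graph.
B2C_API_TOKEN = make_unsigned_jwt({"iss": "https://b2caadtenant.b2clogin.com/TENANT_ID_PLACEHOLDER/v2.0/",
                                   "aud": "CLIENT_ID_PLACEHOLDER", "scp": "user_impersonation"})
GRAPH_TOKEN = make_unsigned_jwt({"iss": "https://sts.windows.net/TENANT_ID_PLACEHOLDER/",
                                 "aud": "https://graph.microsoft.com", "scp": "User.Read.All openid"})
```

Run `check_graph_token(...)` on the token you pasted into jwt.ms before calling Graph; the B2C sample above yields three findings, the Azure AD sample none.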