I am able to get access token using custom scope user_impersonation.
https://{tenant}.b2clogin.com/xxx.onmicrosoft.com/oauth2/v2.0/authorize?
p=B2C_1A_SIGNUP_SIGNIN&
client_id=IdentityExperienceFrameworkAppId&
nonce=defaultNonce&
redirect_uri=xxx&
scope="https://xx.onmicrosoft.com/xx/user_impersonation"&
response_type=token&
prompt=login
If I change it to User.Read.All I'll got error
This+application+does+not+have+sufficient+permissions+against+this+web+resource+to+perform+the+operation
Below my scope settings. I am trying to read users profile to get email.
I added below API permissions to the Azure AD B2C Application:
I generated the access token via Postman by using below parameters:
When I tried to fetch user's details using the access token, I got the similar error like below:
The error "This application does not have sufficient permissions against this web resource to perform the operation" usually occurs if the access token doesn't have the sufficient permissions to perform the action.
The
aud
of the access token when decoded must be Microsoft Graph not the ClientID of the Application.Azure AD B2C supports only
offline_access
andopenid
Microsoft Graph delegated API permissions.I added API permissions like below:
I used the below authorize endpoint:
Generated the access token:
I am able to fetch the user's successfully like below:
Reference:
Graph API and B2C - Microsoft Q&A by CarlZhao-MSFT