Azure-docs: Missing instructions for Interactive

Created on 10 Jun 2020 · 18 comments · Source: MicrosoftDocs/azure-docs

After spending a week or two trying to get an Interactive session with Graph going, using a Global Administrator role account in a B2C directory, After something like nine different permutations, I've never gotten an access token with permissions that work. I have to say:

  • Could really have used a demo about that, because nothing has worked; or
  • I would prefer that this documentation page state explicitly what is and is not possible with MS Graph right now. It appears to be impossible to get an interactive flow session going.

So, please write and document an Interactive demo, or, say why it can't be done!



All 18 comments

@rrperkin
Thanks for your feedback! We will investigate and update as appropriate.

Reference SO question here: https://stackoverflow.com/questions/62275609/no-access-token-returned-for-ad-b2c-user-when-requesting-microsoft-graph-delegat/

It contains what I've tried.

Mass confusion here.
You can definitely do what you are looking to do, except that this is all Azure AD functionality, not Azure AD B2C. So you are not looking to invoke any B2C user flow etc. B2C auths cannot get access to Microsoft APIs, only your own APIs.

  • AAD tenant - contains only AAD endpoints. It is a single token issuer
  • B2C tenant - contains both AAD and B2C token endpoints. There are two token issuers respectively

A B2C tenant contains:

  • AAD endpoint: login.microsoftonline.com THIS IS NOT BEING DEPRECATED
  • AAD B2C endpoint: tenantName.b2clogin.com + B2C policyId parameter

Based on the authentication request, the request is routed to the two different token issuers.

The next key point:

  • AAD endpoints allow you to obtain tokens to your applications protected by an AAD Application Registration.
  • AAD endpoints allow you to obtain tokens to Microsoft APIs, since they are also protected by AAD on our side. Such as MS Graph API.
  • AAD endpoints allow client_credentials
  • B2C endpoints allow you to obtain tokens to your applications only protected by an AAD B2C Application Registration.
  • B2C endpoints do not allow client_credentials

You cannot use tenantName.b2clogin.com to obtain a token for MS Graph API, based on the above rule set.
This means a user's B2C authentication cannot be used to authorize to AAD protected apps, or Microsoft APIs. (Even though the new App Reg experience allows assigning the permissions to MS Graph for B2C Application Registrations; we are looking to fix that.)

When you use login.microsoftonline.com and don't provide any policy id parameters against a B2C tenant, you hit the AAD endpoints of the B2C tenant, again it works. You can get tokens to Microsoft Graph API for example, using the users context.

When you use tenantName.b2clogin.com and provide any policy id parameters against a B2C tenant, you hit the AAD B2C endpoints of the B2C tenant, now it will not work as you expected it to. Hopefully the above clarifies why. And since there is no deprecation of the AAD endpoint, you don't need to be using this domain name for this type of call.

The summary is, treat your scenario as a pure Azure AD scenario, as per this sample. You create an Application Registration for "Accounts in this organizational directory only" when prompted for the type.
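An added illustration of the two-issuer routing rule described above, and of the later point that a token from the wrong issuer is why Graph calls fail. This is my own example, not code from the thread or from Microsoft; the v2.0 endpoint paths, the B2C authority shape and the issuer host names used for classification are assumptions.

```python
# Added example: encodes the routing rule from the comment above.
# Assumptions (not from the thread): v2.0 endpoint paths, an AAD issuer on
# login.microsoftonline.com / sts.windows.net, and a B2C issuer on
# {tenantName}.b2clogin.com.
import base64
import json
from urllib.parse import urlencode, urlparse

GRAPH = "https://graph.microsoft.com/"


def authorize_url(tenant_id, client_id, redirect_uri, scopes,
                  tenant_name=None, policy=None):
    """Build the /authorize URL for the issuer the request will be routed to.

    No policy  -> AAD issuer of the (B2C) tenant: Graph scopes are allowed.
    Policy set -> B2C issuer: only the app's own scopes; Graph scopes are
    rejected up front instead of producing a token Graph will not accept.
    """
    if policy:
        if any(s.startswith(GRAPH) for s in scopes):
            raise ValueError("B2C policy endpoints cannot issue Microsoft Graph tokens")
        authority = (f"https://{tenant_name}.b2clogin.com/"
                     f"{tenant_name}.onmicrosoft.com/{policy}")
    else:
        authority = f"https://login.microsoftonline.com/{tenant_id}"
    query = {"client_id": client_id, "response_type": "code",
             "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(query)}"


def issuer_kind(token):
    """Classify a JWT by its iss claim (payload decode only, no signature check).

    Diagnostic aid: a 'b2c' token can never be used against Graph.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    iss = json.loads(base64.urlsafe_b64decode(payload)).get("iss", "")
    host = urlparse(iss).hostname or ""
    if host in ("login.microsoftonline.com", "sts.windows.net"):
        return "aad"
    if host.endswith(".b2clogin.com"):
        return "b2c"
    return "unknown"


def fake_jwt(claims):
    """Constructed, unsigned token for demonstration only (alg=none, empty signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```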

OK, now I'm even more confused.

First there's this, from December 4th of last year: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/

On December 4th, 2020, the login.microsoftonline.com endpoint will be deprecated for accessing B2C tenants. Existing tenants will need to move onto B2Clogin.com before that date, and all functionality will remain the same on the B2Clogin.com endpoint. See how to migrate your applications and web APIs to use B2Clogin.com.

New tenants created after this announcement will no longer be able to accept requests from login.microsoftonline.com. This doesn’t impact Azure Active Directory (Azure AD) tenants and is only for Azure Active Directory B2C tenants.

If you have any questions, please contact us.

So... which is it? Deprecated or not deprecated?

There's also this: https://docs.microsoft.com/en-us/azure/active-directory-b2c/b2clogin

Deprecation of login.microsoftonline.com

On 04 December 2019, we announced the scheduled retirement of login.microsoftonline.com support in Azure AD B2C on 04 December 2020:

Azure Active Directory B2C is deprecating login.microsoftonline.com

The deprecation of login.microsoftonline.com goes into effect for all Azure AD B2C tenants on 04 December 2020, providing existing tenants one (1) year to migrate to b2clogin.com. New tenants created after 04 December 2019 will not accept requests from login.microsoftonline.com. All functionality remains the same on the b2clogin.com endpoint.

The deprecation of login.microsoftonline.com does not impact Azure Active Directory tenants. Only Azure Active Directory B2C tenants are affected by this change.

Finally, there's the basic fact of my question, which is that my question asked about demos and guidance to do this from the docu page _referenced in this issue:_

Microsoft Graph API interaction modes

There are two modes of communication you can use when working with the Microsoft Graph API to manage resources in your Azure AD B2C tenant:

Interactive - Appropriate for run-once tasks, you use an administrator account in the B2C tenant to perform the management tasks. This mode requires an administrator to sign in using their credentials before calling the Microsoft Graph API.

I want to know how to do the thing that documentation says "you can use". A login.microsoftonline.com endpoint for an interactive or implicit flow takes you through the work-or-school workflow, which doesn't even do a lookup in a B2C directory.

So yes, @JasSuri , thank you for affirming the details of the _second_, "automated" mode of communication, but it wasn't my question or issue.

See this on deprecation. It is not relevant in getting tokens for MS Graph API, since that is hitting the AAD portion of your AAD B2C tenant. Two separate token issuers, Azure AD B2C token issuer is deprecating login.msonline endpoint, but the AAD token issuer inside your AAD B2C tenant is not deprecating it.

You cannot use an account signed up through an Azure AD B2C flow to get tokens for a Microsoft API.

You can create Azure AD accounts in an Azure AD B2C directory and get tokens via the Azure AD endpoint of your Azure AD B2C directory.

It will take you through work-or-school workflow which looks up Azure AD accounts within an Azure AD B2C directory.

This boils down to: treat this scenario as a pure Azure AD scenario, just targeting the AAD B2C directory ID.

You can use the reference here to create a .Net Console app which prompts the user for credentials with a Popup
https://docs.microsoft.com/en-us/dotnet/api/microsoft.identity.client?view=azure-dotnet

The overall flow is here, purely Azure AD.
https://docs.microsoft.com/en-us/graph/auth-v2-user#authentication-and-authorization-steps

So... I need to

  • locate the "Active Directory" blade for the ADB2C tenant in the Azure Portal (Microsoft_AAD_IAM, I guess?)
  • create a $"{name}@{tenant}" user using the "Create User" selection, not the "Create Azure AD B2C User" or "Invite User" (at Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers?)
  • assign that user the roles needed to access AD objects (from Microsoft_AAD_IAM/UserDetailsMenuBlade/AdministrativeRole, I presume)

...and at THAT point I'd be able to go over to the MS Graph explorer and start poking around by logging in as $"{name}@{tenant}". OR,

  • create an app registration, (Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps?) and
  • assign it an implicit grant flow and delegated roles appropriate for the graph operations I want (Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps?)

... and then set up Postman or a GraphServiceClient to test things out.

That's the demo and tutorial you don't have. Someone coming at all this with the need to orient around OAuth2, AAD, MSAL, and ADB2C already has a steep learning curve, not helped by the implications found when, for example, they go to Microsoft_AAD_IAM blade and the "endpoints" guidance still points to b2clogin. And the overt announcements are to use b2clogin. And so forth.

In short, the missing documentation is the description of the "interactive", "pure Azure AD scenario," given the way the Azure B2C UI in the portal and the documentation both mislead the user into thoughts that there's no way that could work and given the statement in the documentation page: "_you use an administrator account in the B2C tenant_"

That leaves aside the fact that that specific, narrow use case blows my mind... the B2C accounts are present and listed off of the /v1.0/users graph endpoint as though they, too, were AAD accounts, AND, 3-legged OAuth is a domain-crossing technology literally designed to award access tokens to resources found elsewhere! If there's a design reason to limit things this way, I don't see it!

Anyway... the interactive use case still needs docs and demo.

+1 everything @rrperkin said.
See also this.

Would the MS graph api docs work?
https://docs.microsoft.com/en-us/graph/auth-v2-user#1-register-your-app

The only thing missing would be the explicit use of the Azure AD Work account in the AAD B2C tenant.

Please be careful about assuming that the only thing missing is the thing you think is the only thing missing.

To do the thing @leaderanalytics is calling for, absolutely not. He (and I) are looking for the architecture meta-document that maps out Microsoft's Authentication/Authorization model. .NET Core. If it's nothing more than a link to those docs, then _no, they won't work._ If that document were reworked to include the B2C details, it might.

Very, very simple demos also go a long way. Requiring someone to install an entirely different stack (NodeJS) in order to run a demo of a desktop application...? Not cool.

Leaving aside for now the mind-blowing notion that you can have a "user" object in B2C that is not an AAD account, but looks entirely like an AAD account... because it's in the list as an "Azure Active Directory" "Source" with attributes that appear to map onto AAD account properties but are not actually mapped...

An interactive session document would need to include:

  • The fact that accounts created with B2C user flows cannot participate (and a discussion why!) unless they are OIDC work-or-school-accounts? Federated AAD accounts? External AAD Accounts?
  • The use cases intended for this feature, and perhaps a list of use cases explicitly excluded
  • Guidance on what kind of AAD B2C account can access MS Graph
  • The way the different accounts appear when listed in the Azure Portal (
  • _How to create that user account (Azure Portal and Powershell instructions both)_, and
  • a list or table of which MS Graph endpoints work (can't really use /me, for example; what would be the point?),
  • which search and filter features work, and which do not. (MS Graph docs for the SharePoint endpoints, kind of, sort of, maybe model that, though the OData filtering and searching there is also not completely clear.)
  • What to expect when (if you get a null access token, this is why. If you get an AADB2Cnnnnnn exception, this is why, if you get an AADnnnnnn exception, that's why)

A discussion document (a document, _not_ a chain of commentary in a GitHub ticket, _not_ a high-entropy blog posting) that describes and justifies design choices would also not go amiss. A very clear document that explains what is and is not possible with MS Graph for AAD B2C tenants is necessary, because MS has so strongly deprecated Azure AD Graph, to the point where searching for that documentation is redirect-linked back to MS Graph. (Which is itself a nasty manipulation; doesn't AD Graph still work for the thing it does? Put the docs and guidance demos back!)

Thanks for the feedback, it is not going unheard and we are working on it.

Thanks, @JasSuri; I appreciate learning this.

I'm the same. All I want to do is query my ADB2C tenant as the user logged in and query for the list of connected issuers that I have.

So far, this seems nearly impossible. This thread helped me realise that while it looks like AAD account, it smells like an AAD account, and it quacks like an AAD account, it isn't actually an AAD account.

Desperately need simple walkthroughs.

Thanks again, your feedback and the reference to the related issue is much appreciated. The need for simpler walkthroughs is understood; we're tracking this feedback internally and doc revisions are in the works. #please-close

Please don't close.

There are people tracking this, so that we know if/when/how we can make changes to the workarounds we put in place.

As an alternative, if you feel you must close it to hit your metrics, please provide a link to something we can follow along with to make our updates.

MSFT's mission is to empower people to achieve more. Closing a request for help without helping isn't empowering anybody. It's just making it go away.

Either

  1. Fix it. (preferred)
  2. Provide an alternative tracking URL we can track along with a link back to this.

I have automation and tags in place so that when issues that I've worked around are fixed / closed, the dependent issue tracker floats it back up as a refactor/clean-up exercise.

Thanks


From: PRMerger15 notifications@github.com
Sent: Wednesday, 16 December 2020 9:36 AM
To: MicrosoftDocs/azure-docs azure-docs@noreply.github.com
Cc: Autodomme pete992018@outlook.com; Comment comment@noreply.github.com
Subject: Re: [MicrosoftDocs/azure-docs] Missing instructions for Interactive (#56756)

Closed #56756 https://github.com/MicrosoftDocs/azure-docs/issues/56756.


@JasSuri Simple walkthroughs are nice and greatly appreciated. But this issue is also about misleading, overlapping, ambiguous, circular referencing documentation that is nothing short of maddening. See this post on Reddit for a step-by-step documented example.

@JasSuri adding my call not to close this or to receive a tracking URL along with backlinks.

For me, it wasn't 2 days with nothing to show. It was three solid months, after an expectation of one week, and like @sam-wheat I've been at this coding thing for a long, long time and seem to be able to go back and forth between the seven computer languages I know and the four I regularly use, moving between architecture, coding, testing, and CI/CD roles with ease.

Except when I'm researching an Azure function. The only two worse experiences with Microsoft were that time I needed a Team Foundation Server set up, and _not even the Tier 2 support people could follow the manual for the product they support._ Oh yeah, and that time I found a massive memory leak in Direct3D 5 and they replied, "That's not an interesting problem."

Please keep us in the loop.
