There are no publicly documented samples where we use Azure B2C and MSAL authentication to call the Graph API. The only samples of using B2C to call the Graph API use ADAL, and the MS samples for B2C use MSAL. This has me really confused about what I'm supposed to use.
Is there no way I can use B2C and MSAL to call the Graph API? Then how can I suggest to my customers to use MSAL?
I think that the following 7 B2C samples all use MSAL.NET:
https://github.com/Azure-Samples?utf8=%E2%9C%93&q=b2C++dotnet&type=&language=
I think that if you use a Graph scope (for instance "User.Read") instead of a scope for the Web API, this should work.
The Graph API cannot be called by B2C at the moment.
Adding @parakhj for elaborating.
The graph API does not accept B2C tokens (B2C tokens are different than AAD tokens since they are two different services).
Then how do I get more information about the B2C signed-in user, client-side? For instance, what groups the user is a member of? Or any of the other things you can do with https://graph.microsoft.com and https://graph.windows.net?
@parakhj
PS. I see that microsoft-authentication-library-for-js is the proper place for my question ...
@valuesoft-dk
@parakhj or @SaeedAkhter-MSFT will confirm, but my impression is that with B2C you use social identities, whereas the notion of groups is something that's in Azure AD (not social identities). Therefore I'd think that if you want to use groups, you'd want to use Azure AD directly?
There are many samples for this: https://aka.ms/aaddevsamplesv2
Yes, I agree, B2C is primarily intended for social identities. But it does also support local accounts / identities, which is typically something you want to offer when users sign up for your web service.
So this is what I want, users can sign up creating a local account or use their existing social account.
In addition to that I need to access user information from my application.
In particular I want to know how to authorize the user.
What application features should the user have access to, A, B, or C?
This is typically achieved through group membership, roles or claims.
And it must be accessible from the application.
I know that the two Graph APIs provide this type of access to AAD local accounts.
Example: Azure AD B2C: Use the Azure AD Graph API
At first it sounds nice, but reading further:
Important: To use the Graph API with your B2C tenant, you need to register an application using the App Registrations service in the Azure portal, NOT Azure AD B2C's Applications menu. The following instructions lead you to the appropriate menu. You can't reuse existing B2C applications that you registered in the Azure AD B2C's Applications menu.
... so wrong path.
But I assume there must be some way to get more user information to achieve what I've mentioned above.
Having put a B2C product into production, would I touch it again? Never. It's a complete white elephant with almost no support and zero resources being put into it by Microsoft. My advice would be to avoid it like the plague.
Thank you for sharing your experience. I will keep that in mind and make my observations accordingly :-)
@NikolaosWakem We are investing resources towards Azure AD B2C and would love to understand the issues you faced. If possible, we can setup a phone conversation to discuss this.
@valuesoft-dk - You are correct, Azure AD B2C is for local accounts as well. I wanted to clarify your statement:
At first it sounds nice, but reading further:
Important: To use the Graph API with your B2C tenant, you need to register an application using the App Registrations service in the Azure portal, NOT Azure AD B2C's Applications menu. The following instructions lead you to the appropriate menu. You can't reuse existing B2C applications that you registered in the Azure AD B2C's Applications menu.
... so wrong path.
The example: Azure AD B2C: Use the Azure AD Graph API you mentioned will get the user info and claims for your scenario. Even though you are registering the application under the App Registrations in the Azure Portal - it is still in the context of the B2C Tenant. We are working towards combining the two app registrations into one, which would remove the confusion. Please let me know if you are still facing issues.
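The point made above (Graph rejects B2C-issued tokens, so the backend uses the separately registered app's own credentials and looks the user up by the `oid` from the validated B2C token) as an added Node.js example. This is not code from this thread or from Microsoft's samples; the tenant, client id, object id and token contents are constructed values, and the secret handling assumes the request is built server-side only.

```javascript
// Added example (constructed values, not Microsoft's code): inspect a B2C token,
// then build the two server-side requests that actually reach Graph.
const b64url = (s) => Buffer.from(s).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Decode the payload only; this is for inspection, NOT a substitute for signature validation.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(fromB64url(parts[1]));
}

// B2C tokens carry the user-flow/policy name (tfp, or acr on older tenants) and are
// issued by the B2C issuer (b2clogin.com); Graph does not accept them as bearer tokens.
function isB2cToken(claims) {
  const hasPolicy = typeof claims.tfp === "string" || /^b2c_1a?_/i.test(claims.acr || "");
  const b2cIssuer = /b2clogin\.com\//.test(claims.iss || "");
  return hasPolicy || b2cIssuer;
}

// Client-credentials request for the app registered under "App Registrations" in the B2C
// tenant (the one the quoted doc refers to). The client secret must only ever live on the server.
function graphTokenRequest(tenant, clientId, clientSecret) {
  const body = new URLSearchParams({ grant_type: "client_credentials", client_id: clientId,
    client_secret: clientSecret, scope: "https://graph.microsoft.com/.default" });
  return { url: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`, method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: body.toString() };
}

// Look the signed-in user up by the oid claim of the (already validated) B2C token,
// authenticating to Graph with the app's own access token, never the user's B2C token.
function graphUserRequest(b2cClaims, appAccessToken) {
  if (!b2cClaims.oid) throw new Error("B2C token has no oid claim");
  return { url: `https://graph.microsoft.com/v1.0/users/${encodeURIComponent(b2cClaims.oid)}`,
    method: "GET", headers: { Authorization: `Bearer ${appAccessToken}` } };
}

// Constructed B2C id_token with a placeholder signature, purely for the demonstration.
const SAMPLE_B2C_TOKEN = [
  b64url(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  b64url(JSON.stringify({
    iss: "https://contosob2c.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    aud: "11111111-1111-1111-1111-111111111111", oid: "22222222-2222-2222-2222-222222222222",
    tfp: "B2C_1_signupsignin", name: "Sample User" })),
  "placeholder-signature",
].join(".");
```

The returned request objects can be passed straight to `fetch` from the web API; the lookup returns the B2C user's directory attributes, which is the group/role/claim data the thread is asking about.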
Can you point me to a working sample that demonstrates just that? It's Angular (not AngularJS), so TypeScript or JavaScript is fine.
@valuesoft-dk You can take a look at this sample: b2c-webapp-webapi. It gives you an idea of how to do this.
@valnav
I have exactly the same issue as @valuesoft-dk, although I am implementing a Xamarin.Forms app using MSAL. The appeal of doing this was so I could allow users to sign up via email and then use the resulting token to call a secured API in the Active Directory.
It's utterly bizarre to me that you allow a user to be created and a token returned which is of absolutely no use to the software if you wish to utilise claims, which almost everyone will want to do, without registering a second app and, in my case, embedding a client secret within the app itself. This used to be part of ADAL but was deprecated for what I think was an obvious reason!
Is there an example please of the flow for a native app wishing to access an API but also make use of claims for the users who sign up as in my case?
Hi All,
I have created two applications, one for an ASP.NET Web API and one for a Web App, under Azure AD B2C applications (Home -> Azure AD B2C - Applications).
I gave read/write access for the Web API and I am able to call the API from the Web App using Azure B2C OpenIdConnectAuthentication. Now I would like to call the AAD Graph API from the Web API to read and modify user data. Please provide a sample for this scenario. I have followed the sample provided at this URL: "https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi"
@GNMurthy1982 which social identity are you using?
Hi @jmprieur,
We are using local account.
cc: @valnav
Is there now a sample for SPA + MSAL + Graph for retrieving properties of B2C users? I can see folks have managed to get it working inside this Vue extension https://github.com/mvertopoulos/vue-msal/blob/master/lib/src/main.ts#L156, but I could do with a non-TypeScript standalone JS code sample to crib from.