Azure AD b2b “Read all users' basic profiles” permission

Question

I have delegated user permission User.ReadBasic.All. In the documentation, it states this

\"Allows the app to read a basic set of profile pr

Answer 1

Here you are really getting a token from the cache (using AcquireTokenSilentAsync), whereas your token was really added in the cache when you have redeemed the authorization code produced by ASP.NET using the call to AcquireTokenByAuthorizationCodeAsync. you will find the explanation in ADAL.NET conceptual documentation : Acquiring a token by authorization code in Web Apps

Note that to call the graph you might rather want to use MSAL.NET. See for instance the following branch signInAndCallMicrosoftGraph of the sample named: aspnetcore-webapp-openidconnect-v2. This is expressed as a tutorial, explaining first the sign-in phase, and then calling an API (in this case the Microsoft Graph)

Finally the authority you have used is not for Azure AD B2C (and as I mentioned in the comment on your question, for Azure AD, it should be reduced to login.microsoftonline.com{tenantId}/common)

Answer 2

It is the same regardless of whether you use User.ReadBasic.All or User.Read.All: `

await graphServiceClient
    .Users
    .Request()
    .GetAsync();

The only difference between the two will be in the result set. Properties that are inaccessible using User.ReadBasic.All will simply not be returned in the results.

Answer 3

I got solution and get users basic profile of my organization. Solution: Get Access token using AcquireTokenSilentAsync method. More Details

options.Scope.Add("User.ReadBasic.All");

options.ResponseType = "code id_token";                

OnAuthorizationCodeReceived = async ctx =>
{
    var request = ctx.HttpContext.Request;
    var currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);
    var credential = new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);

    var distributedCache = ctx.HttpContext.RequestServices.GetRequiredService<IDistributedCache>();
    string userId = ctx.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

    var cache = new DistributedTokenCache(distributedCache, userId);

    var authContext = new AuthenticationContext(ctx.Options.Authority, cache);

    var result = await authContext.AcquireTokenByAuthorizationCodeAsync(
        ctx.ProtocolMessage.Code,
        new Uri(currentUri),
        credential,
        ctx.Options.Resource);

    ctx.HandleCodeRedemption(result.AccessToken, result.IdToken);
}

services.AddDistributedMemoryCache();


private async Task<string> GetAccessTokenAsync()
        {
            string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token";
            string tenantId = User.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
            authority = String.Format(authority, tenantId);
            string userId = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
            var cache = new DistributedTokenCache(_memoryCache, userId);
            var authContext = new AuthenticationContext(authority, cache);
            string graphResourceId = "https://graph.microsoft.com";
            string clientId = "XXX-XXX-XXX-XXX";
            string secret = "XXXX";
            var credential = new ClientCredential(clientId, secret);
            var result = await authContext.AcquireTokenSilentAsync(graphResourceId, credential, new UserIdentifier(userId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }

Answer 4

You can hit the Graph API users/<email_id> endpoint (https://graph.microsoft.com/v1.0/users/<email_id_of_the_user>) with the proper Bearer token for getting the basic details of other users.

You can try that out in the Graph Explorer as well - https://developer.microsoft.com/en-us/graph/graph-explorer#