Azure AD B2C Token Issue

花落未央 2020-12-19 14:40

As an enterprise, we would like to use Azure AD B2C and we have internal and external users.

Azure AD helps us manage our Azure users, corporate use

2 answers
  • 2020-12-19 15:26

    Error1 and Error3

    There is no need to provide the scopes openid profile offline_access when we are using the MSAL library to interact with Azure AD B2C. The SDK will add those scopes automatically. We only need to provide the custom scope we defined for the web API app registered on the Azure AD B2C blade.

    Error2

    The scope user_impersonation is a custom scope defined by the app by default. We should include the app ID URI (https://{myB2CTenant}.onmicrosoft.com/b2capp2) before it, like below:

    string[] SCOPES = { "https://{myB2CTenant}.onmicrosoft.com/b2capp2/note_read", "https://{myB2CTenant}.onmicrosoft.com/b2capp2/user_impersonation" };
    

    And AFAIK, Azure AD B2C doesn't support delegating the user to access the Azure AD Graph at present. We need to register an app via Azure Active Directory -> App registrations (not in the Azure AD B2C blade) and access Microsoft Graph or Azure AD Graph via the client credentials flow. Here is a helpful link on calling the Graph API in Azure AD B2C:

    Azure AD B2C: Use the Graph API

    If you want the Azure AD B2C app to also support delegating a user to call Microsoft Graph, you may submit feedback here.

  • 2020-12-19 15:32

    For me that error meant that I was trying to acquire an accessToken without having a valid idToken.

    So make sure you have a valid idToken before calling acquireTokenSilent().

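The two answers above describe three things a B2C client has to get right: pass only the custom API scopes prefixed with the app ID URI (MSAL appends openid/profile/offline_access itself), have a signed-in account before calling the silent token acquisition, and reach Microsoft Graph through a separate Azure AD app registration with the client credentials flow. The following MSAL.NET program is an added example written for this page, not code from either answer or from Microsoft; the tenant name, the user flow name B2C_1_signupsignin, the redirect URI and the environment variables holding client IDs and the secret are assumed placeholders, while the app ID URI and the scope names note_read and user_impersonation are the ones from the first answer.

```csharp
// Added example (not from the original post): MSAL.NET against Azure AD B2C.
// Assumptions: tenant name "myB2CTenant", user flow "B2C_1_signupsignin", and
// client IDs / secret read from environment variables set by the operator.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class B2CTokens
{
    const string Tenant = "myB2CTenant";                          // placeholder B2C tenant name
    const string ApiUri = "https://" + Tenant + ".onmicrosoft.com/b2capp2";

    // Only the custom scopes of the web API app registration. openid, profile and
    // offline_access are appended by MSAL itself; listing them here is what
    // produced the scope errors discussed in the first answer.
    static readonly string[] ApiScopes =
    {
        ApiUri + "/note_read",
        ApiUri + "/user_impersonation",
    };

    // Delegated token for the B2C-protected web API, silent first, interactive on failure.
    public static async Task<AuthenticationResult> GetApiTokenAsync(string b2cClientId)
    {
        var app = PublicClientApplicationBuilder.Create(b2cClientId)
            .WithB2CAuthority($"https://{Tenant}.b2clogin.com/tfp/{Tenant}.onmicrosoft.com/B2C_1_signupsignin")
            .WithRedirectUri("http://localhost")                  // assumed redirect URI
            .Build();

        // AcquireTokenSilent needs a signed-in account, i.e. a valid id token in the
        // cache. With none, MSAL throws MsalUiRequiredException, so fall back to the
        // interactive flow instead of failing (the second answer's point).
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            return await app.AcquireTokenSilent(ApiScopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            return await app.AcquireTokenInteractive(ApiScopes).ExecuteAsync();
        }
    }

    // Graph is not reached with a delegated B2C token. Use a separate app registered
    // in the Azure AD blade and the client credentials flow (application permissions,
    // granted by an admin, scoped to the least needed, e.g. User.Read.All for listing users).
    public static async Task<string> GetGraphUsersJsonAsync(
        string aadTenantId, string graphClientId, string graphClientSecret)
    {
        var app = ConfidentialClientApplicationBuilder.Create(graphClientId)
            .WithClientSecret(graphClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, aadTenantId)
            .Build();

        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await http.GetStringAsync("https://graph.microsoft.com/v1.0/users");
    }

    public static async Task Main()
    {
        // Placeholder configuration, supplied by the operator through the environment.
        AuthenticationResult apiToken =
            await GetApiTokenAsync(Environment.GetEnvironmentVariable("B2C_CLIENT_ID"));
        Console.WriteLine($"API token expires {apiToken.ExpiresOn:u}; scopes: {string.Join(" ", apiToken.Scopes)}");

        string users = await GetGraphUsersJsonAsync(
            Environment.GetEnvironmentVariable("AAD_TENANT_ID"),
            Environment.GetEnvironmentVariable("GRAPH_CLIENT_ID"),
            Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET"));
        Console.WriteLine(users);
    }
}
```

The silent-then-interactive pattern is the standard MSAL shape: the silent call only succeeds when the cache already holds an account from a completed sign-in, which is why calling it before any sign-in yields the error the second answer describes. Keeping the Graph credentials in a separate confidential client also keeps the app-only Graph permissions out of the public B2C client, where a secret could not be protected.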