azure-ad-b2c - List all users of AD B2C
问题描述
I'm very new to AD B2C and I'm having trouble with the AD Graph API.
My goal is to list all the users registered to my AD. I would like to perform this only by HTTP requests.
So far, I found that I have to use this endpoint :
https://graph.windows.net/my_tenant.onmicrosoft.com/users?api-version=1.6
My issue is that I cannot find where I can obtain the token used in the Authorization
Header.
For now, i'm authentificating via this URL :
https://my_tenant.b2clogin.com/my_tenant.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=27fb84fe-4baf-4b6b-bfe7-f2d0638f2790
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost
&response_mode=query
&scope=27fb84fe-4baf-4b6b-bfe7-f2d0638f2790%20offline_access
&state=data
&p=B2C_1_SignUporSignIn
I obtain a code through my redirect_uri, and I send back this code to this endpoint to get a token :
https://my_tenant.b2clogin.com/my_tenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_signuporsignin
Following the docs here : https://docs.microsoft.com/fr-fr/azure/active-directory-b2c/active-directory-b2c-access-tokens, I send these parameters :
grant_type:authorization_code
client_secret:my_secret
client_id:27fb84fe-4baf-4b6b-bfe7-f2d0638f2790
scope:openid
code:code
The problem is that I don't get a response like the one shown in the docs. I only get an id_token
, token_type
, not_before
, id_token_expires_in
, profile_info
. However, the id_token
seems to correspond to the access_token
in the docs.
So the question is, is it this token which must be used in the Authorization header to send requests to the AD Graph API ?
Because if I use this token, I get the following error : Authentication_ExpiredToken
- Your access token has expired. Please renew it before submitting the request.
Thanks in advance for your help
解决方案
Is it this token which must be used in the Authorization header to send requests to the AD Graph API ?
Yeah for every resource access request either from Azure Ad Graph
Or Microsoft Graph API
you need to pass token that you received.
Reason of your error: Authentication_ExpiredToken - Your access token has expired. Please renew it before submitting the request:
I have tested and successfully reproduce error you encountered. See the screen shot:
Possible Cause:
Your token request endpoint may be wrong or you have received token for one tenant and trying to access other tenant resource. Make sure your token endpoint is
https://login.microsoftonline.com/YourB2CTenant.onmicrosoft.com/oauth2/token
Check your resource: it should be
https://graph.windows.net/
Token Request Format:
Request Endpoint URL:
https://login.microsoftonline.com/YourTenantName.onmicrosoft.com/oauth2/token
Request Body
grant_type:client_credentials
client_id:AppId
client_secret:AppSecret
resource:https://graph.windows.net/
See the Screen Shot below:
B2C User Access Format:
User List Request URL:
https://graph.windows.net/YourTenantName.onmicrosoft.com/users?api-version=1.6
See the screen shot:
Point To Remember:
You might encounter Insufficient privilege error 401
in that case just assign following permission.
Permission From: Windows Azure Active Directory
Permission Name: Read all users' full profiles
Permission Type: DELEGATED PERMISSIONS
See the screen shot:
This how you can get your azure B2C token and with that token access your user list.
推荐阅读
- python - 将列表转换为数据框时如何使用“换行”命令?
- azure - AzureML RunDetails 小部件输出
- javascript - 清除带有消息内容的命令
- node.js - 使用 NodeJs 将 CSV 文件中的记录插入 Oracle
- windows - bash:emacs:找不到命令(在 Windows 10 上)
- regex - URL 编码文本与 htaccess QUERY_STRING 不匹配
- java - 如何从另一个活动(按钮)JAVA更新recyclerview
- promise - Promise 调用在 Angular 11 中被调用两次
- c++ - 是否有 C++ 习语通过模板魔术将所谓的速率组(实时计算)编码为函数?
- gitlab - 在发布合并请求之前运行 gitlab 管道