user8620003
Properly adding permissions to MS Graph API to enable an app to delete users after logging in with admin account

I am writing a .Net Core 2.0 MVC-like app where users log in and then perform operations on an AAD B2C tenant such as adding a new user, editing a user, deleting a user, etc.

Listing and adding users was pretty easy to do, but now when I try to remove certain users, I get a 403 Forbidden error. I'm assuming it's because I missed permissions somewhere, but I don't really know where.

I have enabled literally ALL possible App permissions in my AAD B2C Tenant b2c-extensions-app and most of the ones that sound right (30 app+30 delegated) in apps.dev.microsoft.com. I added the account I log in to test to owner list, too. Any clues on why I keep getting those errors would be much appreciated. What are the things I could have missed?

// I found out that to delete users, Directory.AccessAsUser.All is required. I already have it in delegated permissions but I keep getting the same error.

// Yes, I did add myself as owner to b2c-extensions-app and I also added literally every possible permission to it. Windows Azure Active Directory has 7+9, Microsoft Graph has 37+78.

// Okay it seems that the same error occurs when I try to edit a user's password (or any contents, really), too.

Upvotes: 1

Views: 702

Answers (1)

João Pereira

Reputation: 1667

Did you set up your permissions through the Azure portal or PowerShell?

Delete permissions for a B2C application must be created using PowerShell.

You can find instructions on this page of Microsoft Docs, under the section 'Configure delete permissions for your application'.

Let me know if it helped!

Upvotes: 1
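As an added illustration of the PowerShell route the answer refers to (this is not code from the answer or from the Microsoft Docs page): the delete capability is granted by placing the application's service principal into a directory role rather than by ticking an API permission. The application ID is a placeholder, and the choice of the "User Account Administrator" role (a narrower role than Global Administrator, which is the least-privilege option for user management) is an assumption; cmdlets are from the MSOnline module.

```powershell
# Added example, not from the original answer. Requires the MSOnline module
# (Install-Module MSOnline) and an account that can manage directory roles
# in the B2C tenant.
Connect-MsolService

# Placeholder: the Application (client) ID of the app that calls the Graph API.
$appId = "00000000-0000-0000-0000-000000000000"

# Resolve the service principal that represents the app inside the tenant.
$sp = Get-MsolServicePrincipal -AppPrincipalId $appId
if (-not $sp) {
    throw "No service principal found for AppId $appId; register the app in this tenant first."
}

# Assumption: User Account Administrator is sufficient to delete and edit users
# and is far narrower than Global Administrator, so prefer it.
$role = Get-MsolRole -RoleName "User Account Administrator"

# Idempotent: only add the membership if it is not already present.
$alreadyMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($alreadyMember) {
    Write-Output "Service principal $($sp.DisplayName) is already in role $($role.Name)."
} else {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId `
                       -RoleMemberType ServicePrincipal `
                       -RoleMemberObjectId $sp.ObjectId
    Write-Output "Added $($sp.DisplayName) to role $($role.Name)."
}

# Verification step: list the role's members so the change can be audited.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object DisplayName, RoleMemberType, ObjectId
```

After the role assignment, request a fresh token for the app; a token issued before the change will not reflect the new role.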
