Azure AD b2b "Read all users' basic profiles" permission

Question

I have delegated user permission User.ReadBasic.All. In the documentation, it states this

"Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user."

How can I get all users with basic profiles?

var accessToken = authContext
    .AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret))
    .Result
    .AccessToken;

var graphserviceClient = new GraphServiceClient(
    new DelegateAuthenticationProvider(requestMessage => {
        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
        return Task.FromResult(0);
    }));

Can you please confirm my "Authority" URL is correct or not?

string authority = "https://login.microsoftonline.com/{tenantId}/common/oauth2/v2.0/token?&response_type=code&scope=openid%20profile%20User.Read%20User.ReadWrite%20User.ReadBasic.All";
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext
    .AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secret))
    .Result
    .AccessToken;

Answer 1

Here you are really getting a token from the cache (using AcquireTokenSilentAsync), whereas your token was really added in the cache when you have redeemed the authorization code produced by ASP.NET using the call to AcquireTokenByAuthorizationCodeAsync. you will find the explanation in ADAL.NET conceptual documentation : Acquiring a token by authorization code in Web Apps

Note that to call the graph you might rather want to use MSAL.NET. See for instance the following branch signInAndCallMicrosoftGraph of the sample named: aspnetcore-webapp-openidconnect-v2. This is expressed as a tutorial, explaining first the sign-in phase, and then calling an API (in this case the Microsoft Graph)

Finally the authority you have used is not for Azure AD B2C (and as I mentioned in the comment on your question, for Azure AD, it should be reduced to login.microsoftonline.com{tenantId}/common)

Answer 2

I got solution and get users basic profile of my organization. Solution: Get Access token using AcquireTokenSilentAsync method. More Details

options.Scope.Add("User.ReadBasic.All");

options.ResponseType = "code id_token";                

OnAuthorizationCodeReceived = async ctx =>
{
    var request = ctx.HttpContext.Request;
    var currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);
    var credential = new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);

    var distributedCache = ctx.HttpContext.RequestServices.GetRequiredService<IDistributedCache>();
    string userId = ctx.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

    var cache = new DistributedTokenCache(distributedCache, userId);

    var authContext = new AuthenticationContext(ctx.Options.Authority, cache);

    var result = await authContext.AcquireTokenByAuthorizationCodeAsync(
        ctx.ProtocolMessage.Code,
        new Uri(currentUri),
        credential,
        ctx.Options.Resource);

    ctx.HandleCodeRedemption(result.AccessToken, result.IdToken);
}

services.AddDistributedMemoryCache();


private async Task<string> GetAccessTokenAsync()
        {
            string authority = "https://login.microsoftonline.com/{0}/common/oauth2/v2.0/token";
            string tenantId = User.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
            authority = String.Format(authority, tenantId);
            string userId = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
            var cache = new DistributedTokenCache(_memoryCache, userId);
            var authContext = new AuthenticationContext(authority, cache);
            string graphResourceId = "https://graph.microsoft.com";
            string clientId = "XXX-XXX-XXX-XXX";
            string secret = "XXXX";
            var credential = new ClientCredential(clientId, secret);
            var result = await authContext.AcquireTokenSilentAsync(graphResourceId, credential, new UserIdentifier(userId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }

Answer 3

It is the same regardless of whether you use User.ReadBasic.All or User.Read.All: `

await graphServiceClient
    .Users
    .Request()
    .GetAsync();

The only difference between the two will be in the result set. Properties that are inaccessible using User.ReadBasic.All will simply not be returned in the results.

Answer 4

You can hit the Graph API users/<email_id> endpoint (https://graph.microsoft.com/v1.0/users/<email_id_of_the_user>) with the proper Bearer token for getting the basic details of other users.

You can try that out in the Graph Explorer as well - https://developer.microsoft.com/en-us/graph/graph-explorer#