AADB2C90205: Application does not have sufficient permissions against this web resource to perform the operation

Question

AADB2C90205: Application does not have sufficient permissions against this web resource to perform the operation

232 views Asked by Shanthi B At 09 November 2023 at 17:31

I have created the azure App registration(AD B2C) Programmatically using the Graph API. App is successfully created and i have added necessary scope and service principals. Once App created i have used the clientID to get the code using this

https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<scope>/oauth2/v2.0/authorize?response_type=code&scope=<scopeID>%20offline_access&redirect_uri=https%3A%2F%2Fjwt.ms&client_id=<clientID>

and i have redirect to the signin page once signed i got the code as well. I have used the generated Code to get the refresh token using this API

https://<tenent>.b2clogin.com/<tenent>.onmicrosoft.com/<scope>/oauth2/v2.0/token

But i got this Error

{ "error": "invalid_grant", "error_description": "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation.\r\nCorrelation ID: \r\nTimestamp: 2023-11-09 17:20:12Z\r\n" }

I don't know how to give the access for read and write like user.read and user.writeAll programmatically using rest API.

Thank you for any guidance or insights on this matter.

Few Additional info

To update the scope i used

PATCH https://graph.microsoft.com/beta/applications/appObjId/
{
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                    "type": "Scope"
                },
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                }
            ]
        }
    ]
}

To post the service princepal

POST https://graph.microsoft.com/beta/servicePrincipals
{
    "appId"A
}

Original Q&A

There are 1 answers

**Rukmini** · Answer 1 · 2023-11-10 12:11:02

The error "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation" usually occurs if the Azure AD B2C application doesn't have permissions granted to perform the action.

Granted API permissions:

enter image description here

Generated auth-code:

https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/authorize?response_type=code&scope=offline_access openid&redirect_uri=https://jwt.ms&client_id=ClientID

enter image description here

I generated tokens using below parameters:

https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token

client_id:ClientID
scope:offline_access openid
grant_type:authorization_code
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

enter image description here

If you want to scope as API then grant API permissions like below:

enter image description here

Generated auth-code by using below endpoint:

https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/authorize?response_type=code&scope=https://b2caadtenant.onmicrosoft.com/APIID/user.readapi offline_access &redirect_uri=https://jwt.ms&client_id=ClientID

enter image description here

Generated tokens via Postman using below parameters:

https://b2caadtenant.b2clogin.com/b2caadtenant.onmicrosoft.com/B2C_1_SUSI/oauth2/v2.0/token

client_id:ClientID
scope:https://b2caadtenant.onmicrosoft.com/APIID/user.readapi offline_access openid
grant_type:authorization_code
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

enter image description here

Make sure to add API permissions based on your requirement and grant admin consent as I can see you are passing scope as https://<tenant>.onmicrosoft.com/node-api/<tenant>.Read offline_access openid while generating tokens but granted only openid and offline_access scopes to the Application.

UPDATE: To grant API permissions openid and offline access check below:

PATCH https://graph.microsoft.com/beta/applications/appObjId/
{
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
                    "type": "Scope"
                },
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                }
            ]
        }
    ]
}

To grant Admin consent use https://login.microsoftonline.com/TenantID/adminconsent?client_id=ClientID and run in browser, sign-in as admin and accept consent

Reference:

reactjs - Application does not have sufficient permissions against this web resource to perform the operation in Azure AD B2C - Stack Overflow by Carl Zhao

TechQA.

AADB2C90205: Application does not have sufficient permissions against this web resource to perform the operation

There are 1 answers

Related Questions in AZURE

Related Questions in AZURE-AD-B2C

Related Questions in AZURE-APP-REGISTRATION

Popular Questions

Popular Tags

Trending Questions