Adventures with Azure AD B2C: Postman, Bearer Tokens and Scope

I am trying to get a Bearer token from Azure AD B2C using Postman.

I setup my Azure AD B2C tenant as described in Authentication in web APIs with Azure Active Directory B2C in ASP.NET Core.

I opened up Postman to test getting a Bearer Token.

After I logged in, I would get an invalid_request error, with the following error message:

This application does not have sufficient permissions against this web resource to perform the operation.

The issue was with scope and how I was declaring it.

According to the documentation, the syntax for your scope declaration was https://{tenant domain name}/{api}/user_impersonation openid offline_access.

Needless to say, I completely interpreted that INCORRECTLY, which was the underlying issue with my call.

A couple of things helped me finally resolve this issue.

One, I reread the documentation.

In the Notes section for Scope it reads:

Replace {tenant domain name} with the tenant’s domain name. Replace {api} with the App ID URI you gave the web API when you first registered it (in this case, api). The pattern for the URL is: https://{tenant}.onmicrosoft.com/{api-id-uri}/{scope name}.

Two, I navigated to the Published Scopes for the application, and saw the Full Scope Value.

I tweaked my Scope to reflect the Full Scope Value, and what do you know, everything worked!
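As an added example (not code from the original post), the following Python builds the scope value in the documented pattern and then inspects a returned access token's claims to confirm the scope was actually granted to the API. The tenant name, the API ID URI, the API application ID and the sample token are all constructed placeholders.

```python
import base64
import json


def build_scope(tenant, api_id_uri, scope_name="user_impersonation"):
    """Return the scope parameter in the documented B2C pattern:
    https://{tenant}.onmicrosoft.com/{api-id-uri}/{scope name}
    followed by openid (ID token) and offline_access (refresh token)."""
    full_scope = f"https://{tenant}.onmicrosoft.com/{api_id_uri}/{scope_name}"
    return f"{full_scope} openid offline_access"


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def token_claims(jwt):
    """Decode the payload of a compact JWT without checking its signature.
    This is only for inspecting claims while debugging a Postman call;
    signature, issuer and expiry validation belong in the API itself."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def scope_granted(jwt, scope_name, api_app_id):
    """True when the token is addressed to the API (aud is the API's
    application ID) and the scp claim lists the requested scope name."""
    claims = token_claims(jwt)
    granted = claims.get("scp", "").split()
    return claims.get("aud") == api_app_id and scope_name in granted


def make_unsigned_sample_token(payload):
    # Constructed sample only: header and payload with an empty signature segment.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


API_APP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder application ID
SAMPLE_TOKEN = make_unsigned_sample_token({
    "iss": "https://contoso.b2clogin.com/placeholder-tenant-id/v2.0/",
    "aud": API_APP_ID,
    "scp": "user_impersonation",
})

if __name__ == "__main__":
    print(build_scope("contoso", "api"))
    print(scope_granted(SAMPLE_TOKEN, "user_impersonation", API_APP_ID))
```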

Valuable lesson learned, READ, I MEAN REALLY READ, THE DOCUMENTATION.

3 Replies to “Adventures with Azure AD B2C: Postman, Bearer Tokens and Scope”

1. Unfortunately, this approach didn’t help me. Still have the same error.

“This application does not have sufficient permissions against this web resource to perform the operation”

Valuable lesson learned while working with Azure AD on several projects — if you have some issues with Azure AD — it’s better to be the creator of Azure AD to solve your issue.
