Scope is not working with interactive user login Azure AD B2C

I am trying to use the scripts in https://github.com/cljung/AzureAD-B2C-scripts and am trying to do the following: connect with device login and a Scope, to avoid client credentials.

Connect-AzADB2CDevicelogin -TenantName "yourtenant.onmicrosoft.com" -Scope "Application.Read.All Policy.ReadWrite.TrustFramework"

I am getting the below error:

AADSTS65002: Consent between first-party application '1950a258-227b-4e31-a9cf-717495945fc2' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.

Could you please help me with what can be the issue and how can I get the approval?



Solution 1:

The general idea here is that an application cannot randomly read information in/from another tenant without an administrator consenting to that. That's where the consent framework comes into play:

The Azure Active Directory (Azure AD) consent framework makes it easy to develop multi-tenant web and native client applications. These applications allow sign-in by user accounts from an Azure AD tenant that's different from the one where the application is registered. They may also need to access web APIs such as the Microsoft Graph API (to access Azure AD, Intune, and services in Microsoft 365) and other Microsoft services' APIs, in addition to your own web APIs.

The framework is based on a user or an administrator giving consent to an application that asks to be registered in their directory, which may involve accessing directory data. For example, if a web client application needs to read calendar information about the user from Microsoft 365, that user is required to consent to the client application first. After consent is given, the client application will be able to call the Microsoft Graph API on behalf of the user, and use the calendar information as needed.

Read up on the Azure Active Directory consent framework and find out how to implement it in the correct way for your scenario.

EDIT:
According to Azure AD Authentication and authorization error codes:

A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. This error prevents them from impersonating a Microsoft application to call other APIs. They must move to another app ID they register in https://portal.azure.com.

Looks like there's some misconfiguration.
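
As an added illustration of the fix the answer points to (register your own app ID instead of reusing a Microsoft first-party one), here is the device code flow against Microsoft Graph written directly in PowerShell. This is example code, not part of the cljung/AzureAD-B2C-scripts repository; it assumes `$ClientId` is a public-client app registration you own in the tenant and that an administrator has already consented to the two Graph permissions from the question.

```powershell
# Added example: device code flow with your own app registration (not Microsoft's
# first-party Azure PowerShell client ID, which is what triggers AADSTS65002).
$TenantName = "yourtenant.onmicrosoft.com"
$ClientId   = "00000000-0000-0000-0000-000000000000"   # placeholder: your own Application (client) ID
# Resource-qualified form of the scopes from the question, so the token is issued for Graph.
$Scope      = "https://graph.microsoft.com/Application.Read.All https://graph.microsoft.com/Policy.ReadWrite.TrustFramework"

$base = "https://login.microsoftonline.com/$TenantName/oauth2/v2.0"

# 1. Request a device code and show the user the verification URL and code.
$dc = Invoke-RestMethod -Method Post -Uri "$base/devicecode" -Body @{ client_id = $ClientId; scope = $Scope }
Write-Host $dc.message

# 2. Poll the token endpoint until the user completes sign-in (or consent fails).
$tok = $null
do {
    Start-Sleep -Seconds $dc.interval
    try {
        $tok = Invoke-RestMethod -Method Post -Uri "$base/token" -Body @{
            grant_type  = "urn:ietf:params:oauth:grant-type:device_code"
            client_id   = $ClientId
            device_code = $dc.device_code
        }
    } catch {
        # Any error other than "still waiting" (e.g. a consent problem) is surfaced immediately.
        $err = $_.ErrorDetails.Message | ConvertFrom-Json
        if ($err.error -ne "authorization_pending") { throw "$($err.error): $($err.error_description)" }
    }
} until ($tok)

# 3. Inspect the token claims before using it: 'appid' must be your own client ID and
#    'scp' must list the permissions that were actually consented.
function ConvertFrom-Base64Url([string]$s) {
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}
$claims = ConvertFrom-Base64Url ($tok.access_token.Split('.')[1]) | ConvertFrom-Json
"appid: $($claims.appid)"
"scp:   $($claims.scp)"
```

If `scp` is missing one of the requested permissions, the admin consent for that permission has not been granted on the app registration, which is the consent-framework issue the answer describes.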

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
