Unable list UserFlow ID in Graph Explorer

Connie Chang 30

I am trying to disable External Tenant External Identities Signin User Flow's Create Account Field. I received AADB2C error code when i use Microsoft Graph Explorer to list User Flow ID. I had used an admin account with global admin, External ID User Flow admin, given consent to IdentityUserFlowReadWrite and EventListenerReadWrite.

The error message given was as follows. Please assist.

"Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant: 'xxxxxxxxxxx'."

Bo Christian Skjøtt 5 Reputation points

2024-08-02T09:43:23.89+00:00
I have the same issue. When I make this request from C#
var result = await graphClient.Identity.AuthenticationEventsFlows.GetAsync();
I get the exception
"Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant"

I have given these permissions to my App registration as Application permissions

EventListener.ReadWrite.All

IdentityUserFlow.ReadWrite.All

What am I missing?

Danny Bollaert 20

Hi CarlZhao-MSFT,

I am experiencing the same issue.
I was wondering if you could help me out.

I already my issues in the following issue:
https://zcusa.951200.xyz/en-us/answers/questions/2141417/how-i-can-add-an-application-to-my-entra-external

I can execute:

GET https://graph.microsoft.com/beta/identity/b2xUserFlows/

And I see my flow, without any problems.
But when I try to read

GET https://graph.microsoft.com/beta/identity/authenticationEventsFlows

or add

POST https://graph.microsoft.com/beta/identity/authenticationEventsFlows
Authorization: Bearer {{$auth.token("auth9")}}
Host: graph.microsoft.com
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.authenticationConditionApplication",
  "appId": "xxxx"
}

I keep receiving the same error.

{
    "error": {
        "code": "AADB2C",
        "message": "Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant: 'xxxx'.",
        "innerError": {
            "correlationId": "a8dbb3ba-289f-448f-98f0-7ce49d1482d3",
            "date": "2025-01-09T13:53:50",
            "request-id": "4f3cf448-fe57-463a-a7bb-02550f6e17b0",
            "client-request-id": "f16d8614-ec8e-3c54-d00b-273ac32399c2"
        }
    }
}

I tried delegated authentication and application authentication.
Same error.

Thank you for having a look.
sorry for duplicate post. I did not see my answer when I posted first.
So I thought something went wrong.

Accepted answer

Navya 14,300 Reputation points Microsoft Vendor

2024-07-30T06:14:58.4933333+00:00
Hi @Connie Chang

Thank you for posting this in Microsoft Q&A.

1.The authenticationEventsFlows API is supported only in the global service national cloud and is not supported in US Government L4, US Government L5 (DOD), or China operated by 21Vianet.

2.The permissions EventListener.Read.All and EventListener.ReadWrite.All are required but not supported in personal Microsoft accounts.

3.The least privileged role required to execute an API.

External ID User Flow Administrator

External Identity Provider Administrator

Based on the information provided, it appears you have the necessary permissions, such as EventListener.Read.All and EventListener.ReadWrite.All, and possess a global admin account. Could you please confirm which type of national cloud you are using and whether it is a work or personal account?

I have replicated the issue in my environment, and it has run successfully as below.

List all user flows

List user flow associated with specific application ID

If you are still experiencing issues after following the steps mentioned above, please send us an email on azcommunity [at] microsoft [dot] com with Sub - "ATTN: Navya" and following details in the email body: Link to this thread/post. We can connect offline and discuss further on this.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.
Connie Chang 30 Reputation points

2024-07-30T06:33:42.0866667+00:00

Hi @Navya,In response to your query, our company is using work account and hosted in global Asia Pacific cloud (Singapore).

I had tried the route with the privilege you had demonstrated also and end up with the same error.

We are launching this customer web app for our customer to access in August and we setup the External Tenant and created external user account as per the link given:

URL -https://zcusa.951200.xyz/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers#disable-sign-up-in-a-sign-up-and-sign-in-user-flow

URL - https://zcusa.951200.xyz/en-us/graph/api/identitycontainer-list-authenticationeventsflows?view=graph-rest-1.0&tabs=http#example-4-list-user-flow-associated-with-specific-application-id, under Example 4.

Do we need to upgrade our Microsoft Entra ID license to P1 or P2 subscription to resolve this error?

Connie Chang 30 Reputation points

2024-07-30T06:57:22.6266667+00:00

Hi @Navya, I am also able to get the b2c userflow results using this

GET https://graph.microsoft.com/v1.0/identity/b2xUserFlowsSo my account privilege and permission is set correctly. Now I am wondering whether there is any setting Microsoft Entra ID recent changes for the External Tenant and external guests deployment that has affected this listing.

Look forward to any advise on this from you or the Entra ID team. Thank you.

Navya 14,300 Reputation points Microsoft Vendor

2024-07-30T07:51:08.75+00:00

Hi @Connie Chang

Thank you for providing the details of your external tenant configurations. There is no need to upgrade your Microsoft Entra ID license to P1 or P2.

Please verify the user identity type you are using for the API, and if possible, share the API and the error message screenshot you are receiving.

Connie Chang 30 Reputation points

2024-07-30T09:12:07.91+00:00

Hi @Navya, the following is the screen capture of the error message i gotten. the user identity type is guest (external user).

Connie Chang 30 Reputation points

2024-07-30T09:35:34.15+00:00

Hi @Navya, I had also tried using another user identity type "member" to execute the same LIST query and ended up with the same error message.

Navya 14,300 Reputation points Microsoft Vendor

2024-07-30T10:00:10.1366667+00:00

Hi Connie Chang

To authenticate the API, do you use external tenant users?

Would it be possible for you to create a new internal user in the external tenant and assign them the necessary role? After that, attempt to execute the API and observe what occurs: https://zcusa.951200.xyz/en-us/entra/fundamentals/how-to-create-delete-users#create-a-new-user

For more details about default permissions in external tenant: user permissions

Connie Chang 30 Reputation points

2024-07-31T07:41:58.33+00:00

Thank you @Navya! I tried your advise to create an internal user with the necessary admin roles and i can list the External Tenant External User Flow ID! Blessings to you! :))

Navya 14,300 Reputation points Microsoft Vendor

2024-07-31T08:52:46.2633333+00:00

Hi Connie Chang

I'm glad that your issue is resolved and thank you for your feedback.

Danny Bollaert 20 Reputation points

2025-01-09T14:34:02.95+00:00

Hi CarlZhao-MSFT and Navya,

I am using B2xUserFlows, because it's b2b/workflow tenant.

I am able to get a list of my workflows using:

GET https://graph.microsoft.com/beta/identity/b2xUserFlows/

But when I try to get a list of authenticationEventsFlows.

I keep receiving the same error.

{ "error": { "code": "AADB2C", "message": "Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant: 'a5fdc94d-72a2-4c52-b269-70770a3ddb6f'.", "innerError": { "correlationId": "a8dbb3ba-289f-448f-98f0-7ce49d1482d3", "date": "2025-01-09T13:53:50", "request-id": "4f3cf448-fe57-463a-a7bb-02550f6e17b0", "client-request-id": "f16d8614-ec8e-3c54-d00b-273ac32399c2" } } }

I am using client credentials with required permissions and I also have tried delegated permissions. Same error.

The reason I want to do this, is explained here. https://zcusa.951200.xyz/en-us/answers/questions/2141417/how-i-can-add-an-application-to-my-entra-external

Thank you in advance for having a look.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

CarlZhao-MSFT 44,671 Reputation points

2024-07-29T07:02:29.78+00:00

Hi @Connie Chang

If your AADB2C user has "Global Administrator" and "IdentityUserFlow.ReadWrite.All" delegated permissions, then you should be able to list the user flows in the B2C tenant.

Please try calling the API endpoint below. Based on my tests, it works well.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Please sign in to rate this answer.
Connie Chang 30 Reputation points

2024-07-29T07:33:24.16+00:00

Dear Carl,

Thanks for your reply.

Unfortunately, I am not listing the AAD B2C user flow. I am listing the External Identity Sign Up / Sign In User Flow in External Tenant (or formerly named Customer Tenant) in my organization. This is different from the AADB2C flow.

I was following the instructions provided in Microsoft knowledge base in this URL - https://zcusa.951200.xyz/en-us/graph/api/identitycontainer-list-authenticationeventsflows?view=graph-rest-1.0&tabs=http#example-4-list-user-flow-associated-with-specific-application-id; under Example 4. Because I want to disable the sign-up in a sign-up and sign-in External Identity user flow.

Connie Chang 30 Reputation points

2024-07-29T07:39:39.7166667+00:00

Dear Carl,

Thank you for your suggestion.

Unfortunately, I was not listing the AADB2C user flow. I am listing the External Identity Sign Up / Sign In User Flow within the External Tenant (or formerly named as Customer Tenant) in my organization. I was following this instructions from Microsoft Entra ID Knowledge base, URL - https://zcusa.951200.xyz/en-us/graph/api/identitycontainer-list-authenticationeventsflows?view=graph-rest-1.0&tabs=http#example-4-list-user-flow-associated-with-specific-application-id, under Example 4. But i encountered the error described above.

What I intended to do is to Disable the Sign Up link in the External Identity Sign Up/Sign In user flow. (Reference to URL -https://zcusa.951200.xyz/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers#disable-sign-up-in-a-sign-up-and-sign-in-user-flow).
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Unable list UserFlow ID in Graph Explorer

1 additional answer

Your answer