Issue with Azure AD B2C Custom Policy: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid

Question

Issue with Azure AD B2C Custom Policy: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid

Ray Garg 20

Description

I am working on an Azure AD B2C custom policy for the Global Identity Framework, designed to support traveling user sign-ins across multiple regions. This setup involves two major components Right now im only working on region tenant artifact, but this traveling user sign in case applies and has the same logic to both meaning the technical profiles used for both artifacts would be the same:

Funnel Tenant: Handles the initial user sign-in and routes the request based on the user's region.

Regional Tenant: Processes sign-ins for users registered in specific regions.

For users in the EMEA tenant, the sign-in process works as expected. However, when users registered in the APAC tenant attempt to sign in, the policy correctly identifies their region and routes the request to the REST-login-NonInteractive-APAC and REST-fetchUserProfile-APAC technical profiles. Unfortunately, it fails with the error: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."

Custom Policy - Self-Asserted Local Account Sign-In Profile The first step in the user journey always begins with the SelfAsserted-LocalAccountSignin-Email profile, which includes the following configuration:

Below are the two key technical profiles for APAC users. Microsoft has provided these 2 profiles in their proof of concept documentations and i am following them exactly how they are listed. https://learn.microsoft.com/en-us/azure/active-directory-b2c/b2c-global-identity-proof-of-concept-funnel:

REST-login-NonInteractive-APAC: Responsible for authenticating the user in the APAC tenant via ROPC.

REST-fetchUserProfile-APAC: Fetches user profile details using a Graph API call.

Issue Details When an APAC user attempts to sign in:

The policy correctly identifies the user's region as "APAC" using the REST-regionLookup technical profile. The REST-login-NonInteractive-APAC profile successfully generates an access token (graph_bearerToken) using the ROPC flow. However, when the REST-fetchUserProfile-APAC technical profile attempts to use the graph_bearerToken to call the Graph API, it fails with the error: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."

one thing additionally (not sure if this helps) is that i ran a curl command to obtain the access token so i can decode it in jwt.io. this is the test user in my apac tenant that i am attempting to login with in the emea tenant. here is the curl command:

curl -X POST "https://login.microsoftonline.com/zappsecincAdB2Capac.onmicrosoft.com/oauth2/v2.0/token"-H "Content-Type: application/x-www-form-urlencoded"-d "client_id=

Ray Garg 20 Reputation points

2025-01-13T14:14:55.18+00:00

@Support | Elite Support
Sanoop M 4,320 Reputation points Moderator

2025-01-13T23:47:48.5633333+00:00
Hello @Ray Garg ,

Thank you for posting your query on Microsoft Q&A.

When I was reviewing your issue description, I understand that you were getting this error AADB2C90027 "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."

Based on the above mentioned error, please make sure whether you have completed the configuration of an API Connector with HTTP basic authentication by following these below mentioned steps:

Sign in to the Azure portal.

Under Azure services, select Azure AD B2C or search for and select Azure AD B2C.

Select API connectors, and then select the API Connector you want to configure.

For the Authentication type, select Basic.

Provide the Username, and Password of your REST API endpoint.

Select Save.

Please refer to the below documents which explains about the same error(AADB2C90027) which you are getting and the above mentioned steps.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/error-codes

https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-user-flow#http-basic-authentication

Please refer to the below document to follow the steps of configuring a REST API technical profile with HTTP basic authentication.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-custom-policy#add-rest-api-username-and-password-policy-keys

I hope the above information provided is helpful. Please do let us know the outcome after performing the above mentioned steps.

Thanks and Regards,

Sanoop Mohan
Ray Garg 20 Reputation points

2025-01-14T08:58:34.9966667+00:00

hi @Sanoop M

you can see the profiles ive pasted there for rest-login-noninteractive-apac, and rest-fetchuserprofile-apac. the rest-loginnoninteractive-apac profile outputs a bearer token while the rest-fetchuserprofile-apac uses that bearer token. While the idea was suggested using api connectors, i was a bit confused on where would i use the api connector? in the rest-fetchuserprofile-apac profile. cna u please give me the exact line change? but then wouldnt the authentication type have to change to basic? that doesnt make sense becuase right now its using the bearer as authentication type. everything is detailed where i already posted the question. b2c app registration in my apac tenant is having the correct client id is already pasted in inputclaim section of rest-loginnoninteractive-apac profile. also, the app registration in portal has user.readwrite.all and dreictory.readwrite.all, and has allow pubic client flows under authnetication checkmarked to yes in case i need that in case of ropc. please give me the right answer for this !!!!
Sanoop M 4,320 Reputation points Moderator

2025-01-22T19:17:15.72+00:00

Hello @Ray Garg ,

Thank you for your response.

We can connect offline and discuss further on this issue.

Thanks and Regards,

Sanoop Mohan
Sanoop M 4,320 Reputation points Moderator

2025-01-23T20:59:14.8666667+00:00

Hello @Ray Garg ,

We haven’t heard from you on the last response and was just checking back to see if you have any further queries. In case if you have any further queries, please let us know.

We can connect offline and discuss further on this issue.

Thanks and Regards,

Sanoop Mohan
Sanoop M 4,320 Reputation points Moderator

2025-01-24T20:07:49.07+00:00

Hello @Ray Garg ,

We haven’t heard from you on the last response and was just checking back to see if you have any further queries. In case if you have any further queries, please let us know.

We can connect offline and discuss further on this issue.

Thanks and Regards,

Sanoop Mohan

1 answer

Your answer

Ray Garg 20 Reputation points

2025-01-13T14:14:55.18+00:00

@Support | Elite Support
Sanoop M 4,320 Reputation points Moderator

2025-01-13T23:47:48.5633333+00:00

Hello @Ray Garg ,

Thank you for posting your query on Microsoft Q&A.

When I was reviewing your issue description, I understand that you were getting this error AADB2C90027 "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid. Check that the credentials are correct and that access has been granted by the resource."

Based on the above mentioned error, please make sure whether you have completed the configuration of an API Connector with HTTP basic authentication by following these below mentioned steps:

Sign in to the Azure portal.

Under Azure services, select Azure AD B2C or search for and select Azure AD B2C.

Select API connectors, and then select the API Connector you want to configure.

For the Authentication type, select Basic.

Provide the Username, and Password of your REST API endpoint.

Select Save.

Please refer to the below documents which explains about the same error(AADB2C90027) which you are getting and the above mentioned steps.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/error-codes

https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-user-flow#http-basic-authentication

Please refer to the below document to follow the steps of configuring a REST API technical profile with HTTP basic authentication.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-custom-policy#add-rest-api-username-and-password-policy-keys

I hope the above information provided is helpful. Please do let us know the outcome after performing the above mentioned steps.

Thanks and Regards,

Sanoop Mohan
Ray Garg 20 Reputation points

2025-01-14T08:58:34.9966667+00:00

hi @Sanoop M

you can see the profiles ive pasted there for rest-login-noninteractive-apac, and rest-fetchuserprofile-apac. the rest-loginnoninteractive-apac profile outputs a bearer token while the rest-fetchuserprofile-apac uses that bearer token. While the idea was suggested using api connectors, i was a bit confused on where would i use the api connector? in the rest-fetchuserprofile-apac profile. cna u please give me the exact line change? but then wouldnt the authentication type have to change to basic? that doesnt make sense becuase right now its using the bearer as authentication type. everything is detailed where i already posted the question. b2c app registration in my apac tenant is having the correct client id is already pasted in inputclaim section of rest-loginnoninteractive-apac profile. also, the app registration in portal has user.readwrite.all and dreictory.readwrite.all, and has allow pubic client flows under authnetication checkmarked to yes in case i need that in case of ropc. please give me the right answer for this !!!!
Sanoop M 4,320 Reputation points Moderator

2025-01-22T19:17:15.72+00:00

Hello @Ray Garg ,

Thank you for your response.

We can connect offline and discuss further on this issue.

Thanks and Regards,

Sanoop Mohan
Sanoop M 4,320 Reputation points Moderator

2025-01-23T20:59:14.8666667+00:00

Hello @Ray Garg ,

We haven’t heard from you on the last response and was just checking back to see if you have any further queries. In case if you have any further queries, please let us know.

We can connect offline and discuss further on this issue.

Thanks and Regards,

Sanoop Mohan
Sanoop M 4,320 Reputation points Moderator

2025-01-24T20:07:49.07+00:00

Hello @Ray Garg ,

We haven’t heard from you on the last response and was just checking back to see if you have any further queries. In case if you have any further queries, please let us know.

We can connect offline and discuss further on this issue.

Thanks and Regards,

Sanoop Mohan

Answer 1

Hi @Ray Garg ,

Thanks for the additional details and for clarifying your setup with the REST-login-NonInteractive-APAC and REST-fetchUserProfile-APAC technical profiles. I understand you're using the bearer token output from REST-login-NonInteractive-APAC to authenticate the REST-fetchUserProfile-APAC profile, which fetches user profile details via the Microsoft Graph API. Your question about integrating an API connector and whether to change the AuthenticationType to Basic is a great point to address. Let’s resolve this step-by-step.

Solution

Using an API Connector in REST-fetchUserProfile-APAC
- Currently, your REST-fetchUserProfile-APAC profile is set up to use a bearer token (graph_bearerToken) to call the Microsoft Graph API (https://graph.microsoft.com/beta/me). This doesn’t require an API connector unless you intend to replace the Graph API call with a custom REST API endpoint.
- If you want to continue using the Graph API, no API connector is needed—your existing bearer token configuration with UseClaimAsBearerToken is sufficient.
- If you meant to use an API connector to call a custom REST service (e.g., to fetch additional user data), you can modify the REST-fetchUserProfile-APAC profile as follows:

<TechnicalProfile Id="REST-fetchUserProfile-APAC">
  <DisplayName>Fetch user profile cross tenant</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://your-custom-api-endpoint.com/userprofile</Item> <!-- Replace with your API URL -->
    <Item Key="AuthenticationType">Bearer</Item>
    <Item Key="UseClaimAsBearerToken">graph_bearerToken</Item>
    <Item Key="SendClaimsIn">Body</Item> <!-- Adjust based on your API's requirements -->
    <Item Key="DebugMode">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="graph_bearerToken" />
    <!-- Add other input claims if your API requires them, e.g., user ID -->
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="id" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
    <!-- Add other output claims based on your API response -->
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Replace https://your-custom-api-endpoint.com/userprofile with the URL of your custom REST API.
Ensure your API is configured to accept a bearer token in the Authorization header and returns the expected claims.

Do You Need to Change AuthenticationType to Basic?
- No, you should not change the AuthenticationType to Basic. The error "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid" suggests the policy might have been misconfigured to use Basic authentication (e.g., username/password) at some point. Since REST-login-NonInteractive-APAC provides a bearer token via the ROPC flow, and you’ve confirmed the app registration is set up correctly in the APAC tenant, keep AuthenticationType="Bearer" and UseClaimAsBearerToken="graph_bearerToken".
- Switching to Basic would require adding a client ID and secret in the metadata, which isn’t applicable here given your token-based approach.
Verification of Current Setup
- You mentioned the app registration in your APAC tenant has the necessary permissions and public client flows enabled. Ensure the REST-login-NonInteractive-APAC profile requests the correct scope (e.g., https://graph.microsoft.com/.default) to include the required Graph API permissions.
- Check the bearer token’s scp and aud claims (using a tool like jwt.io) to confirm they include the expected permissions (e.g., User.Read.All) and audience (e.g., https://graph.microsoft.com).
- If the call fails, test the stable Graph API endpoint (https://graph.microsoft.com/v1.0/me) instead of the beta endpoint to rule out API-specific issues.
Final Configuration
- If you’re sticking with the Graph API (no custom API connector), your REST-fetchUserProfile-APAC profile should remain as is, with verification of the token:

<TechnicalProfile Id="REST-fetchUserProfile-APAC">
  <DisplayName>Fetch user profile cross tenant</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="ServiceUrl">https://graph.microsoft.com/beta/me</Item>
    <Item Key="AuthenticationType">Bearer</Item>
    <Item Key="UseClaimAsBearerToken">graph_bearerToken</Item>
    <Item Key="SendClaimsIn">Url</Item>
    <Item Key="DebugMode">true</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="graph_bearerToken" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="id" />
    <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
  </OutputClaims>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>

Hope this helps! If you agree with my suggestion, feel free to interact with the system accordingly!

Share via

Issue with Azure AD B2C Custom Policy: "Basic credentials specified for 'REST-fetchUserProfile-APAC' are invalid

1 answer

Solution

Your answer