Unable list UserFlow ID in Graph Explorer

Question

Unable list UserFlow ID in Graph Explorer

Connie Chang 30

I am trying to disable External Tenant External Identities Signin User Flow's Create Account Field. I received AADB2C error code when i use Microsoft Graph Explorer to list User Flow ID. I had used an admin account with global admin, External ID User Flow admin, given consent to IdentityUserFlowReadWrite and EventListenerReadWrite.

The error message given was as follows. Please assist.

"Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant: 'xxxxxxxxxxx'."

Bo Christian Skjøtt 5 Reputation points

2024-08-02T09:43:23.89+00:00
I have the same issue. When I make this request from C#
var result = await graphClient.Identity.AuthenticationEventsFlows.GetAsync();
I get the exception
"Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant"

I have given these permissions to my App registration as Application permissions

EventListener.ReadWrite.All

IdentityUserFlow.ReadWrite.All

What am I missing?

Danny Bollaert 25

Hi CarlZhao-MSFT,

I am experiencing the same issue.
I was wondering if you could help me out.

I already my issues in the following issue:
https://learn.microsoft.com/en-us/answers/questions/2141417/how-i-can-add-an-application-to-my-entra-external

I can execute:

GET https://graph.microsoft.com/beta/identity/b2xUserFlows/

And I see my flow, without any problems.
But when I try to read

GET https://graph.microsoft.com/beta/identity/authenticationEventsFlows

or add

POST https://graph.microsoft.com/beta/identity/authenticationEventsFlows
Authorization: Bearer {{$auth.token("auth9")}}
Host: graph.microsoft.com
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.authenticationConditionApplication",
  "appId": "xxxx"
}

I keep receiving the same error.

{
    "error": {
        "code": "AADB2C",
        "message": "Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant: 'xxxx'.",
        "innerError": {
            "correlationId": "a8dbb3ba-289f-448f-98f0-7ce49d1482d3",
            "date": "2025-01-09T13:53:50",
            "request-id": "4f3cf448-fe57-463a-a7bb-02550f6e17b0",
            "client-request-id": "f16d8614-ec8e-3c54-d00b-273ac32399c2"
        }
    }
}

I tried delegated authentication and application authentication.
Same error.

Thank you for having a look.
sorry for duplicate post. I did not see my answer when I posted first.
So I thought something went wrong.

Michael Ward 0 Reputation points

2026-06-16T19:41:56.4033333+00:00

I had this error when I was using my Global Admin account from the corporate tenant as the sign-in on Graph Explorer. Create a local Global Admin account in the External Entra tenant and sign in to Graph Explorer with that account and make sure you redo the consent in the permissions tab with that account and then it will work.

Answer accepted by question author

Gudivada Adi Navya Sri 21,095 Moderator

Hi @Connie Chang

Thank you for posting this in Microsoft Q&A.

1.The authenticationEventsFlows API is supported only in the global service national cloud and is not supported in US Government L4, US Government L5 (DOD), or China operated by 21Vianet.

2.The permissions EventListener.Read.All and EventListener.ReadWrite.All are required but not supported in personal Microsoft accounts.

3.The least privileged role required to execute an API.

External ID User Flow Administrator
External Identity Provider Administrator

Based on the information provided, it appears you have the necessary permissions, such as EventListener.Read.All and EventListener.ReadWrite.All, and possess a global admin account. Could you please confirm which type of national cloud you are using and whether it is a work or personal account?

I have replicated the issue in my environment, and it has run successfully as below.

List all user flows

User's image

List user flow associated with specific application ID

User's image

If you are still experiencing issues after following the steps mentioned above, please send us an email on azcommunity [at] microsoft [dot] com with Sub - "ATTN: Navya" and following details in the email body: Link to this thread/post. We can connect offline and discuss further on this.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Connie Chang 30 Reputation points

2024-07-30T06:33:42.0866667+00:00
Hi @Navya,In response to your query, our company is using work account and hosted in global Asia Pacific cloud (Singapore).

I had tried the route with the privilege you had demonstrated also and end up with the same error.

We are launching this customer web app for our customer to access in August and we setup the External Tenant and created external user account as per the link given:

URL -https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers#disable-sign-up-in-a-sign-up-and-sign-in-user-flow

URL - https://learn.microsoft.com/en-us/graph/api/identitycontainer-list-authenticationeventsflows?view=graph-rest-1.0&tabs=http#example-4-list-user-flow-associated-with-specific-application-id, under Example 4.

Do we need to upgrade our Microsoft Entra ID license to P1 or P2 subscription to resolve this error?
Connie Chang 30 Reputation points

2024-07-30T06:57:22.6266667+00:00

Hi @Navya, I am also able to get the b2c userflow results using this

GET https://graph.microsoft.com/v1.0/identity/b2xUserFlowsSo my account privilege and permission is set correctly. Now I am wondering whether there is any setting Microsoft Entra ID recent changes for the External Tenant and external guests deployment that has affected this listing.

Look forward to any advise on this from you or the Entra ID team. Thank you.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-07-30T07:51:08.75+00:00

Hi @Connie Chang

Thank you for providing the details of your external tenant configurations. There is no need to upgrade your Microsoft Entra ID license to P1 or P2.

Please verify the user identity type you are using for the API, and if possible, share the API and the error message screenshot you are receiving.
Connie Chang 30 Reputation points

2024-07-30T09:12:07.91+00:00

Hi @Navya, the following is the screen capture of the error message i gotten. the user identity type is guest (external user).
Connie Chang 30 Reputation points

2024-07-30T09:35:34.15+00:00

Hi @Navya, I had also tried using another user identity type "member" to execute the same LIST query and ended up with the same error message.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-07-30T10:00:10.1366667+00:00

Hi Connie Chang

To authenticate the API, do you use external tenant users?

Would it be possible for you to create a new internal user in the external tenant and assign them the necessary role? After that, attempt to execute the API and observe what occurs: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users#create-a-new-user

For more details about default permissions in external tenant: user permissions
Connie Chang 30 Reputation points

2024-07-31T07:41:58.33+00:00

Thank you @Navya! I tried your advise to create an internal user with the necessary admin roles and i can list the External Tenant External User Flow ID! Blessings to you! :))
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-07-31T08:52:46.2633333+00:00

Hi Connie Chang

I'm glad that your issue is resolved and thank you for your feedback.
Danny Bollaert 25 Reputation points

2025-01-09T14:34:02.95+00:00
Hi CarlZhao-MSFT and Navya,

I am using B2xUserFlows, because it's b2b/workflow tenant.

I am able to get a list of my workflows using:

GET https://graph.microsoft.com/beta/identity/b2xUserFlows/

But when I try to get a list of authenticationEventsFlows.

I keep receiving the same error.

{ "error": { "code": "AADB2C", "message": "Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant: 'a5fdc94d-72a2-4c52-b269-70770a3ddb6f'.", "innerError": { "correlationId": "a8dbb3ba-289f-448f-98f0-7ce49d1482d3", "date": "2025-01-09T13:53:50", "request-id": "4f3cf448-fe57-463a-a7bb-02550f6e17b0", "client-request-id": "f16d8614-ec8e-3c54-d00b-273ac32399c2" } } }

I am using client credentials with required permissions and I also have tried delegated permissions. Same error.

The reason I want to do this, is explained here. https://learn.microsoft.com/en-us/answers/questions/2141417/how-i-can-add-an-application-to-my-entra-external

Thank you in advance for having a look.

1 additional answer

Your answer

Bo Christian Skjøtt 5 Reputation points

2024-08-02T09:43:23.89+00:00

I have the same issue. When I make this request from C#
var result = await graphClient.Identity.AuthenticationEventsFlows.GetAsync();
I get the exception
"Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant"

I have given these permissions to my App registration as Application permissions

EventListener.ReadWrite.All

IdentityUserFlow.ReadWrite.All

What am I missing?
Danny Bollaert 25 Reputation points

2025-01-09T14:12:30.87+00:00

Hi CarlZhao-MSFT,

I am experiencing the same issue.
I was wondering if you could help me out.

I already my issues in the following issue:
https://learn.microsoft.com/en-us/answers/questions/2141417/how-i-can-add-an-application-to-my-entra-external

I can execute:

GET https://graph.microsoft.com/beta/identity/b2xUserFlows/

And I see my flow, without any problems.
But when I try to read

GET https://graph.microsoft.com/beta/identity/authenticationEventsFlows

or add

POST https://graph.microsoft.com/beta/identity/authenticationEventsFlows Authorization: Bearer {{$auth.token("auth9")}} Host: graph.microsoft.com Content-Type: application/json { "@odata.type": "#microsoft.graph.authenticationConditionApplication", "appId": "xxxx" }

I keep receiving the same error.

{ "error": { "code": "AADB2C", "message": "Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant: 'xxxx'.", "innerError": { "correlationId": "a8dbb3ba-289f-448f-98f0-7ce49d1482d3", "date": "2025-01-09T13:53:50", "request-id": "4f3cf448-fe57-463a-a7bb-02550f6e17b0", "client-request-id": "f16d8614-ec8e-3c54-d00b-273ac32399c2" } } }

I tried delegated authentication and application authentication.
Same error.

Thank you for having a look.
sorry for duplicate post. I did not see my answer when I posted first.
So I thought something went wrong.
Michael Ward 0 Reputation points

2026-06-16T19:41:56.4033333+00:00

I had this error when I was using my Global Admin account from the corporate tenant as the sign-in on Graph Explorer. Create a local Global Admin account in the External Entra tenant and sign in to Graph Explorer with that account and make sure you redo the consent in the permissions tab with that account and then it will work.
Connie Chang 30 Reputation points

2024-07-30T06:33:42.0866667+00:00

Hi @Navya,In response to your query, our company is using work account and hosted in global Asia Pacific cloud (Singapore).

I had tried the route with the privilege you had demonstrated also and end up with the same error.

We are launching this customer web app for our customer to access in August and we setup the External Tenant and created external user account as per the link given:

URL -https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers#disable-sign-up-in-a-sign-up-and-sign-in-user-flow

URL - https://learn.microsoft.com/en-us/graph/api/identitycontainer-list-authenticationeventsflows?view=graph-rest-1.0&tabs=http#example-4-list-user-flow-associated-with-specific-application-id, under Example 4.

Do we need to upgrade our Microsoft Entra ID license to P1 or P2 subscription to resolve this error?
Connie Chang 30 Reputation points

2024-07-30T06:57:22.6266667+00:00

Hi @Navya, I am also able to get the b2c userflow results using this

GET https://graph.microsoft.com/v1.0/identity/b2xUserFlowsSo my account privilege and permission is set correctly. Now I am wondering whether there is any setting Microsoft Entra ID recent changes for the External Tenant and external guests deployment that has affected this listing.

Look forward to any advise on this from you or the Entra ID team. Thank you.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-07-30T07:51:08.75+00:00

Hi @Connie Chang

Thank you for providing the details of your external tenant configurations. There is no need to upgrade your Microsoft Entra ID license to P1 or P2.

Please verify the user identity type you are using for the API, and if possible, share the API and the error message screenshot you are receiving.
Connie Chang 30 Reputation points

2024-07-30T09:12:07.91+00:00

Hi @Navya, the following is the screen capture of the error message i gotten. the user identity type is guest (external user).
Connie Chang 30 Reputation points

2024-07-30T09:35:34.15+00:00

Hi @Navya, I had also tried using another user identity type "member" to execute the same LIST query and ended up with the same error message.
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-07-30T10:00:10.1366667+00:00

Hi Connie Chang

To authenticate the API, do you use external tenant users?

Would it be possible for you to create a new internal user in the external tenant and assign them the necessary role? After that, attempt to execute the API and observe what occurs: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users#create-a-new-user

For more details about default permissions in external tenant: user permissions
Connie Chang 30 Reputation points

2024-07-31T07:41:58.33+00:00

Thank you @Navya! I tried your advise to create an internal user with the necessary admin roles and i can list the External Tenant External User Flow ID! Blessings to you! :))
Gudivada Adi Navya Sri 21,095 Reputation points Moderator

2024-07-31T08:52:46.2633333+00:00

Hi Connie Chang

I'm glad that your issue is resolved and thank you for your feedback.
Danny Bollaert 25 Reputation points

2025-01-09T14:34:02.95+00:00

Hi CarlZhao-MSFT and Navya,

I am using B2xUserFlows, because it's b2b/workflow tenant.

I am able to get a list of my workflows using:

GET https://graph.microsoft.com/beta/identity/b2xUserFlows/

But when I try to get a list of authenticationEventsFlows.

I keep receiving the same error.

{ "error": { "code": "AADB2C", "message": "Unauthorized. Access to this Api requires feature: 'EnableMsGraphAuthenticationEventListener' for the tenant: 'a5fdc94d-72a2-4c52-b269-70770a3ddb6f'.", "innerError": { "correlationId": "a8dbb3ba-289f-448f-98f0-7ce49d1482d3", "date": "2025-01-09T13:53:50", "request-id": "4f3cf448-fe57-463a-a7bb-02550f6e17b0", "client-request-id": "f16d8614-ec8e-3c54-d00b-273ac32399c2" } } }

I am using client credentials with required permissions and I also have tried delegated permissions. Same error.

The reason I want to do this, is explained here. https://learn.microsoft.com/en-us/answers/questions/2141417/how-i-can-add-an-application-to-my-entra-external

Thank you in advance for having a look.

Answer 1

CarlZhao-MSFT 46,456

Hi @Connie Chang

If your AADB2C user has "Global Administrator" and "IdentityUserFlow.ReadWrite.All" delegated permissions, then you should be able to list the user flows in the B2C tenant.

Please try calling the API endpoint below. Based on my tests, it works well.

User's image

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Connie Chang 30 Reputation points

2024-07-29T07:33:24.16+00:00

Dear Carl,

Thanks for your reply.

Unfortunately, I am not listing the AAD B2C user flow. I am listing the External Identity Sign Up / Sign In User Flow in External Tenant (or formerly named Customer Tenant) in my organization. This is different from the AADB2C flow.

I was following the instructions provided in Microsoft knowledge base in this URL - https://learn.microsoft.com/en-us/graph/api/identitycontainer-list-authenticationeventsflows?view=graph-rest-1.0&tabs=http#example-4-list-user-flow-associated-with-specific-application-id; under Example 4. Because I want to disable the sign-up in a sign-up and sign-in External Identity user flow.
Connie Chang 30 Reputation points

2024-07-29T07:39:39.7166667+00:00

Dear Carl,

Thank you for your suggestion.

Unfortunately, I was not listing the AADB2C user flow. I am listing the External Identity Sign Up / Sign In User Flow within the External Tenant (or formerly named as Customer Tenant) in my organization. I was following this instructions from Microsoft Entra ID Knowledge base, URL - https://learn.microsoft.com/en-us/graph/api/identitycontainer-list-authenticationeventsflows?view=graph-rest-1.0&tabs=http#example-4-list-user-flow-associated-with-specific-application-id, under Example 4. But i encountered the error described above.

What I intended to do is to Disable the Sign Up link in the External Identity Sign Up/Sign In user flow. (Reference to URL -https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers#disable-sign-up-in-a-sign-up-and-sign-in-user-flow).

Share via

Unable list UserFlow ID in Graph Explorer

1 additional answer

Your answer