SPFx webpart in MSTeams Desktop Client throws an UnauthorizedAccessException - sharepoint

This question is very similar to a question which has been asked previously on StackOverflow. However, the error I'm getting is different.
AadHttpClient fails when loading SP page with SPFx webpart in MSTeams Desktop Client
I also have a Sharepoint Online site in which I have an SPFx web part which makes use of AadHttpClient.
This webpart works if I navigate to the Sharepoint site from a browser or open MS Teams web client.
A glimpse of my setup:
Here is a "steps to repro" overview of the issue I am facing.
Deploy the web part to SharePoint
View the web part in SharePoint – web part displays and loads OK
Add a SharePoint Tab in Teams and bind it to the page with the web part
View the tab in Teams Desktop client – data fails to load in web part (refer below)
View the tab in Teams Web client – web part displays and loads OK
When I debugged the MS Teams desktop client, I saw this call in the Network requests tab:
https://{mytenant}.sharepoint.com/sites/{mysite}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource={GUID of my AAD app registration}&clientId={GUID of SharePoint Online Client Extensibility AAD app registration}
With the response (HTTP 403):
{
  "odata.error": {
    "code": "-2147024891, System.UnauthorizedAccessException",
    "message": {
      "lang": "en-US",
      "value": "Access denied. You do not have permission to perform this action or access this resource."
    }
  }
}
One interesting observation was that this web request only happens in Microsoft Teams desktop client.
I am interested in knowing why this only happens in MS Teams desktop client and not on either the MS Teams web client or Sharepoint Online.
Update: 10/02/2020
Another observation: We tried the same setup on a different tenant (a personal tenant instead of our corporate tenant). We noticed that the same behaviour could be reproduced when MFA is turned on in Azure Active Directory.
The request that's failing is:
https://{personal tenant}.sharepoint.com/sites/{site name}/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource={GUID of the AD app registration}&clientId={GUID of the SPO Client Extensibility app registration}
However, now the error returned is a 500 with the response:
{
  "odata.error": {
    "code": "-1, System.AggregateException",
    "message": {
      "lang": "en-US",
      "value": "One or more errors occurred."
    }
  }
}
A similar issue (but with a different error) was found on GitHub: https://github.com/SharePoint/sp-dev-docs/issues/4915

I faced a similar issue recently for a web part that was calling the Graph API. On desktop Teams the call never used to happen and it used to get stuck. I was able to fix it by following these steps:
Step 1. Visit the new API Permission Management Page on the Tenant Admin Site. This creates a client secret behind the scenes.
Step 2. Go to -> https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
Step 3. Click on SharePoint Online Client Extensibility Web Application Principal
Step 4. Click Manifest on the left menu.
Step 5. Copy the id from the oauth2Permissions array:
"oauth2Permissions": [
  {
    "adminConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on behalf of the signed-in user.",
    "adminConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
    "id": "2143704b-186b-4210-b555-d03aa61823cf",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "type": "User",
    "userConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on your behalf.",
    "userConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
    "value": "user_impersonation"
  }
],
Step 6. Replace the "preAuthorizedApplications" entry with the following JSON. Keep the appId exactly as written below.
"preAuthorizedApplications": [
  {
    "appId": "00000003-0000-0ff1-ce00-000000000000",
    "permissionIds": [
      "YOUR COPIED ID FROM STEP 5"
    ]
  }
],
Step 7. Hit Save.
Let me know if this works for you. I took the above steps from https://github.com/SharePoint/sp-dev-docs/issues/3923#issuecomment-514726341
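The manifest edit in steps 5 and 6 can be derived and checked programmatically rather than by copying the GUID by hand. The TypeScript below is an added example, not part of the answer above or of any Microsoft tooling. It assumes a manifest object that carries only the two fields quoted in the answer (oauth2Permissions and preAuthorizedApplications), the sample manifest is constructed from the scope shown in step 5, and the appId is the one the answer gives in step 6.

```typescript
// Added example: derives the preAuthorizedApplications entry of steps 5 and 6
// from a copy of the app manifest instead of pasting the GUID by hand.
// Only the manifest fields quoted in the answer are modelled; the sample
// manifest at the bottom is constructed for this demonstration.

interface OAuth2Permission {
  id: string;
  value: string;
  isEnabled: boolean;
}

interface PreAuthorizedApplication {
  appId: string;
  permissionIds: string[];
}

interface AppManifest {
  oauth2Permissions: OAuth2Permission[];
  preAuthorizedApplications: PreAuthorizedApplication[];
}

// appId from step 6 of the answer.
const SHAREPOINT_ONLINE_APP_ID = "00000003-0000-0ff1-ce00-000000000000";

// Step 5: find the id of the scope to pre-authorize. A missing or disabled
// scope is reported instead of silently producing an entry that cannot work.
function findScopeId(manifest: AppManifest, scopeValue: string = "user_impersonation"): string {
  const matches = manifest.oauth2Permissions.filter(p => p.value === scopeValue);
  if (matches.length !== 1) {
    throw new Error("expected exactly one scope named " + scopeValue + ", found " + matches.length);
  }
  if (!matches[0].isEnabled) {
    throw new Error("scope " + scopeValue + " is disabled");
  }
  return matches[0].id;
}

// Step 6: return a new manifest whose preAuthorizedApplications holds exactly
// the SharePoint Online entry. The input is left untouched so the two can be
// diffed before the result is pasted into the portal.
function preAuthorizeSharePoint(manifest: AppManifest): AppManifest {
  const scopeId = findScopeId(manifest);
  return {
    oauth2Permissions: manifest.oauth2Permissions,
    preAuthorizedApplications: [{ appId: SHAREPOINT_ONLINE_APP_ID, permissionIds: [scopeId] }],
  };
}

// Check to run after saving: is appId pre-authorized for scopeId and for nothing else?
function isPreAuthorizedOnlyFor(manifest: AppManifest, appId: string, scopeId: string): boolean {
  return manifest.preAuthorizedApplications.some(
    a => a.appId === appId && a.permissionIds.length === 1 && a.permissionIds[0] === scopeId
  );
}

// Constructed sample using the scope quoted in the answer.
const sampleManifest: AppManifest = {
  oauth2Permissions: [
    { id: "2143704b-186b-4210-b555-d03aa61823cf", value: "user_impersonation", isEnabled: true },
  ],
  preAuthorizedApplications: [],
};

const updatedManifest = preAuthorizeSharePoint(sampleManifest);
console.log(JSON.stringify(updatedManifest.preAuthorizedApplications, null, 2));
```

To use it against a real manifest, download the manifest JSON from the portal, JSON.parse it into an AppManifest, run preAuthorizeSharePoint, and compare the printed array with what you paste back in step 6; the isPreAuthorizedOnlyFor check is the one to keep in a periodic review so that no extra permission ids creep into the entry later.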

Finally I have a solution:
Delete the apps SharePoint Online Client Extensibility Web Application Principal and SharePoint Online Client Extensibility Web Application Principal Helper.
Wait a few minutes and let AAD create them again.
After that, request permission from the custom app.
Go to the API access page to grant it again; the permission will automatically sync to "SharePoint Online Client Extensibility Web Application Principal".
Test the app again. Deactivating the Limited-access user permission lockdown mode could also help.
Now all my apps work as expected.
Why?
Limited-access user permission lockdown mode could block your permission to request the API.
Deleting the app in AAD gets the token and all the configuration synced again.
The correct way is to grant the permission from API Access, not from the AAD app.

Related

How can I implement windows authentication in azure without approval?

I've built a .net core 7 web application.
It implements windows authentication, and works nicely on premise.
using Microsoft.AspNetCore.Authentication.Negotiate; // provides NegotiateDefaults and AddNegotiate()
var builder = WebApplication.CreateBuilder(args);
// Windows (Kerberos/NTLM) authentication via the Negotiate handler
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
I've deployed to an Azure app service, and I got this error when I browse to the application:
InvalidOperationException: The Negotiate Authentication handler cannot be used on a server that directly supports Windows Authentication. Enable Windows Authentication for the server and the Negotiate Authentication handler will defer to it.
So I added a Microsoft Azure AD identity provider, which created a new app registration for me. Now I can browse to the application and enter my credentials, but once I do, I get another dialog saying "Approval required, enter justification". After I submit my request for approval, I get an email saying my request was received. I don't know who gets the approval request, or why a request is being generated. We could have hundreds of employees using the application, and will eventually have dozens of applications, so an approval request might not be manageable. Can it be turned off, or am I implementing the authentication wrong in the first place?
Approval Request:
Email:
If you have the right permissions, you might be able to grant consent on behalf of all users yourself. This ensures that end users will not be required to consent when using the application. To do this, navigate to your App Registration Overview and click on 'Go to Enterprise applications'. From there, click on Permissions in the left menu. On that page you can grant admin consent for all users.
These global settings can be changed, but only by an administrator. How you can do that is described in this article: https://intercom.help/eventtemple/en/articles/5152672-need-admin-approval-approval-required-when-connecting-outlook-office365

Under which account are web parts run?

If I create some SharePoint Online web parts, are they run under the credentials of the user that is using the web part?
(this is what I would assume)
Say I need to make a query to the Graph API; would a SharePoint Administrator have more access than a standard cloud user?
Is there a way to run as a different user (one that has more privileges)?
Thanks
P
// Graph client from the SPFx context; the call runs as the signed-in user
var client = await this.context.msGraphClientFactory.getClient('3');
var result;
result = await client.api('groups/' + this.properties.groupGUID + '/members').get();
SPFx web parts run in the context of the currently logged-in user. They will have all the permissions that user has. So if you are an admin, you will be able to do more (if your web part can do it) than a user with "read" permissions.
If you want to do something with higher privileges you will have to use a backend like a custom API, Azure Functions or even Power Automate.
SPFx web parts run in the context of the current user and connection in the browser.
Source: Key features of the SharePoint Framework
If you want to use MS graph in SPFx web part with specific permissions, you can request them from your web part.
When deploying the solution package to the app catalog, SharePoint creates permission requests and prompts the administrator to manage the requested permissions. For each requested permission, a global or SharePoint administrator can decide whether they want to grant or deny the specific permission. This will work for all users, SharePoint admins as well as normal users.
You can also use Application permissions and delegated permissions with Azure AD app registration.
Check below documentations for more understanding:
Use Microsoft Graph in your solution
Connect to Azure AD-secured APIs in SharePoint Framework solutions
Register an application with the Microsoft identity platform
Microsoft Graph permissions reference
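A permission granted on the API access page is held by the SharePoint Online Client Extensibility Web Application Principal, so it becomes available to every SPFx solution in the tenant, not just the package that asked for it. That makes it worth reviewing what a package requests before it reaches the app catalog. The TypeScript below is an added example, not code from the answers above or from the SPFx tooling; it assumes the package-solution.json layout with a solution.webApiPermissionRequests array of {resource, scope} entries, the risk classification is this example's own convention, and the sample package and allowlist are constructed.

```typescript
// Added example: reviews the webApiPermissionRequests an SPFx solution declares
// in package-solution.json before the package is uploaded, so the reviewer sees
// what the "manage the requested permissions" prompt will ask for and whether
// each scope is on an agreed allowlist. The risk buckets are this example's own.

interface PermissionRequest {
  resource: string;
  scope: string;
}

interface PackageSolution {
  solution: {
    name: string;
    webApiPermissionRequests?: PermissionRequest[];
  };
}

type Risk = "read" | "write" | "tenant-wide";

interface Finding {
  resource: string;
  scope: string;
  risk: Risk;
  allowed: boolean;
}

// Heuristic: scopes ending in .All span every object of a type, and scopes that
// can change or send data deserve a closer look than plain read scopes.
function classify(scope: string): Risk {
  if (/\.All$/i.test(scope)) return "tenant-wide";
  if (/ReadWrite|Send|Create|Manage/i.test(scope)) return "write";
  return "read";
}

// allowlist entries use the form "<resource>:<scope>".
function reviewPermissionRequests(pkg: PackageSolution, allowlist: string[]): Finding[] {
  const requests = pkg.solution.webApiPermissionRequests || [];
  return requests.map(r => ({
    resource: r.resource,
    scope: r.scope,
    risk: classify(r.scope),
    allowed: allowlist.indexOf(r.resource + ":" + r.scope) !== -1,
  }));
}

// True only when every request is on the allowlist; usable as a CI gate.
function allRequestsAllowed(findings: Finding[]): boolean {
  return findings.every(f => f.allowed);
}

// Constructed sample package-solution.json content for demonstration.
const samplePackage: PackageSolution = {
  solution: {
    name: "group-members-webpart",
    webApiPermissionRequests: [
      { resource: "Microsoft Graph", scope: "User.Read" },
      { resource: "Microsoft Graph", scope: "GroupMember.Read.All" },
      { resource: "Microsoft Graph", scope: "Mail.Send" },
    ],
  },
};

// Constructed allowlist: what this tenant's admins have agreed to grant.
const sampleAllowlist: string[] = [
  "Microsoft Graph:User.Read",
  "Microsoft Graph:GroupMember.Read.All",
];

for (const f of reviewPermissionRequests(samplePackage, sampleAllowlist)) {
  console.log(f.resource + " " + f.scope + " [" + f.risk + "] " + (f.allowed ? "allowed" : "NEEDS REVIEW"));
}
```

Against a real project, read package-solution.json from disk, JSON.parse it into a PackageSolution and fail the build when allRequestsAllowed returns false; because the grant is tenant-wide, the allowlist is best owned by whoever approves requests on the API access page rather than by the web part's developer.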

Microsoft Teams Desktop Personal app not working with SPFX and GraphApi

I added a Personal Tab in MS Teams which references a SharePoint page with an SPFx web part on it that uses @microsoft/microsoft-graph-client.
In the MS Teams Web Client on TEST and PROD the page loads as expected, and the @microsoft/microsoft-graph-client calls work.
In the MS Teams Desktop client on the TEST environment it also works perfectly.
However, in the MS Teams Desktop Client (on Windows) on the PROD environment the @microsoft/microsoft-graph-client calls do not work.
Looking in Fiddler, I can see the following happening (only on the desktop client):
A call is made to https://o2fitcom.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%2758066c29-7a47-418b-9cb8-69adf68633b3%27&clientId=%2708e18876-6177-487e-b8b5-cf950c1e598c%27
with error result Failed to load resource: the server responded with a status of 403 ()
The call returns an HTTP 500 with message:
<m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
<m:code>-2147024891, System.UnauthorizedAccessException</m:code>
<m:message xml:lang="en-US">Attempted to perform an unauthorized operation.</m:message>
</m:error>
I already succeeded in making the solution work on TEST but not on PROD; I checked that all the configuration and the manifest are the same. All the permissions in the SharePoint Online Client Extensibility Web Application Principal are granted.
Finally I have a solution:
Delete the apps SharePoint Online Client Extensibility Web Application Principal and SharePoint Online Client Extensibility Web Application Principal Helper.
Wait a few minutes and let AAD create them again.
After that, request permission from the custom app.
Go to the API access page to grant it again; the permission will automatically sync to "SharePoint Online Client Extensibility Web Application Principal".
Test the app again. Deactivating the Limited-access user permission lockdown mode could also help. Now all my apps work as expected.
Why?
Limited-access user permission lockdown mode could block your permission to request the API.
Deleting the app in AAD gets the token and all the configuration synced again.
The correct way is to grant the permission from API Access, not from the AAD app.

Relationship between Microsoft Teams app and Azure (AAD) app?

I want to create a Microsoft Teams messenger bot. To do this:
(1) I've created a separate Azure (AAD) app through portal.azure.com to create a flow to get an access token from the Teams admin, to access information about the tenant we install the app in, to proactively install my app.
(2) I've also created a separate Microsoft Teams app through the Teams Developer Portal (dev.teams.microsoft.com) and included the ID from the Azure app in its settings:
(screenshot of the Teams app settings omitted)
However when I try to proactively install the Teams bot from (2) using the Graph API with access token from (1), I get this error message:
{
  "error": {
    "code": "Forbidden",
    "message": "AAD App Id '5f18a460-4e3b-4833-acac-9a6281e964d7' is not allowed to manage the Teams App '8782dd91-2afe-45e9-8906-858553f7675c'.",
    "innerError": {
      "date": "2021-09-12T21:19:56",
      "request-id": "b50af1b2-b697-403f-b0be-4f66486f4ac1",
      "client-request-id": "b50af1b2-b697-403f-b0be-4f66486f4ac1"
    }
  }
}
What am I doing wrong? Did I need to create the Teams app through the Azure portal instead of through the Teams developer portal for my Azure app to have access to install the Teams app for a user? If so how can I do that?
thanks!
• The procedure that you have followed to create a Teams messenger bot is not recommended and is roundabout compared with creating the bot using the Microsoft Teams developer portal and then deploying it to the Azure portal for availability to all.
• Since the procedure that you are following requires a token to be retrieved from Azure AD for authentication to the Teams bot app and then passed to the Teams app for logging in with the AAD credentials, the token flow happens over the public internet, where no tunnel is provided between Teams and the bot app, due to which the token information might not be redirected to the Teams app.
• Also, when you are using the second method, where you use the Microsoft Teams developer portal to develop a bot app in Teams and refer to the ID of the application created in Azure in the code, there might be a conflict: an Azure AD application for the bot app you created is already created in the M365 tenant for provisioning and deployment purposes at the time you sign up for the Microsoft Teams developer portal, due to which the app created and hosted by you may not be able to establish a connection to the Azure app you created or the one already created/linked in Azure.
• When you create an app in Microsoft Teams, the app manifest is submitted to the developer center for Teams for publishing and code integrity violation checks, after which a communication tunnel based on public URLs is created between Teams and the bot app code, which in your case doesn't seem to happen. Thus the issue.
Please find the links below for more information:
https://learn.microsoft.com/en-us/microsoftteams/platform/get-started/first-app-bot?tabs=vscode
https://learn.microsoft.com/en-us/microsoftteams/admin-settings

Graph API /beta/sharepoint endpoint does not work on Microsoft Graph Explorer App

I have an Azure AD account managed by my organization. A 3rd-party organization has invited my account to view their SharePoint Online content, which is hosted on their Office365 SharePoint system. When I visit the SharePoint site in a browser, I am able to use it without issue.
However, when I go to the Microsoft Graph API Explorer app with the same user and make a request to the SharePoint endpoint at https://graph.microsoft.com/beta/sharepoint/site I get the following response:
Status Code: 500
{
  "error": {
    "code": "InternalServerError",
    "message": "Unable to resolve template token",
    "innerError": {
      "request-id": "0b354b5d-ceaf-48d9-adb8-b97a7dcf07ad",
      "date": "2017-01-12T23:02:25"
    }
  }
}
This issue occurs on the Graph API Explorer app, see screenshot:
To be clear about my objectives: I expect that if a 3rd-party partner invites me to view their Office 365 SharePoint content (and I am able to successfully browse it on the SharePoint Online site itself), then I should be able to navigate the same content via the Microsoft Graph API.
One question that has come up is what link is being used to get my authentication token in this workflow. The request, which I captured from the browser's developer tools, is below. Note the appropriate use of the Sites.ReadWrite.All scope, which should grant the necessary permissions: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token+token&scope=openid%20User.Read%20User.ReadWrite%20User.ReadBasic.All%20Mail.ReadWrite%20Mail.ReadWrite.Shared%20Mail.Send%20Mail.Send.Shared%20Calendars.ReadWrite%20Calendars.ReadWrite.Shared%20Contacts.ReadWrite%20Contacts.ReadWrite.Shared%20MailboxSettings.ReadWrite%20Files.ReadWrite%20Files.ReadWrite.All%20Files.ReadWrite.Selected%20Files.ReadWrite.AppFolder%20Notes.ReadWrite%20Notes.ReadWrite.All%20Notes.ReadWrite.CreatedByApp%20Notes.Create%20Tasks.ReadWrite%20Tasks.ReadWrite.Shared%20Sites.ReadWrite.All&client_id=de8bc8b5-d9f9-48b1-a8ad-b748da725064&redirect_uri=https%3A%2F%2Fgraph.microsoft.io%2Fen-us%2Fgraph-explorer&state=e3777b0b-5be3-442a-bb78-a82422baf709&client-request-id=df0a7be7-de18-4881-873d-717a5783cde9&x-client-SKU=Js&x-client-Ver=2.0.0-experimental&nonce=bff18134-8121-424f-a1ce-0c6ad87b177c
