SharePoint Framework AadHttpClient - operation is part of experimental feature - azure

I'm trying to use the AadHttpClient library that comes with SPFx to connect to a custom API secured by an app registration in Azure AD.
However, when I run the web part in the workbench, SharePoint Online (in the tenant _layouts), I get an error in the console saying that the feature is experimental.
Error: The requested operation is part of an experimental feature that is not supported in the current environment.
As far as I can make out from this article, it should be in general release.
When connecting to Azure AD-secured APIs, we recommend that you use the MSGraphClient and AadHttpClient classes, which are now generally available. For more information about the recommended models, see Connect to Azure AD-secured APIs in SharePoint Framework solutions and Use the MSGraphClient to connect to Microsoft Graph.
When I go to the API management page in SP Admin site I get a popup stating
Access to Azure Active Directory resources using the SharePoint Framework will be available soon.
So I'm a bit confused.
I also get an error on the API management page saying:
A null value was found with the expected type 'Edm.String[Nullable=False]'. The expected type 'Edm.String[Nullable=False]' does not allow null values.
I also get the same error when I try in PowerShell running
Get-SPOTenantServicePrincipalPermissionRequests
I'm not 100% sure I understand the relevance of the API management page - does an admin need to approve just once for the web part then all users are good to go?

I was having the same issue. The GitHub thread can be found here. What fixed it for me was adding the account I was using as a site collection admin.
Connect-SPOService
Set-SPOUser -Site https://TENANT-admin.sharepoint.com -IsSiteCollectionAdmin $True -LoginName yourLoginName

Related

Using Microsoft Graph Search API in SPFx Web-Part?

I am trying to prototype the use of Microsoft's new MS Graph Search APIs in a SharePoint Framework (SPFx) Web-Part in SharePoint.
While configuring the web-part, I've updated the package-solution.json file to include the needed webApiPermissionRequests (see below screenshot):
However, after deploying the app to the SharePoint app catalog and attempting to authorize the web-part's permissions via SPO Admin Center > Advanced > API access, I am getting the following error:
Is this not yet supported?
Here's the error I see when performing the same approval via PowerShell:
FYI — I tried to use the microsoft-search tag as recommended by MS here at Stack Overflow, but it does not yet exist and I don't have the reputation here to add it.

MS Graph Search Custom Connector is not synchronized

Recently Microsoft published the Microsoft Search API (beta) which provides the possibility to index external systems by creating a MS Graph search custom connector.
To achieve this I created 2 Search Custom Connectors:
- one according to Microsoft Graph Search Connector Sample from GitHub
- and one on my own, step by step according to the official MS instructions
  1. Create the Connector app in Azure
     - Add app registration (Single tenant)
     - Add required API permissions and give admin consent
     - Add a client secret
  2. Get access token (via Postman)
     - Get the required parameters from app registration
     - Submit a login request to get the (bearer) token
  3. Create a new connection (via Postman)
  4. Registering a schema (via Postman)
  5. Add items to the search index (via Postman)
Both variants worked well so far, but if I now try a search (for example via Bing (activated for our O365 tenant), or in the Microsoft Search Center, logged in as the appropriate account) no results from the custom connectors are shown.
Via Graph Explorer, logged in as the appropriate account and using the query https://graph.microsoft.com/beta/search/query, I get an HTTP status 500 ("InternalServerError", "The call failed, please try again.") (screenshot from Graph Explorer).
Under Microsoft 365 admin center > Microsoft Search > Connectors both connectors are displayed, but neither a status nor any successful synchronisation is displayed (screenshot from MS 365 Search admin center).
I know the Microsoft Search API is still in preview but I wonder if it works at all?
Is there any possibility to trigger the synchronisation manually?
Or at least find out what's going wrong here?
Did you create a new Result Type and Vertical as well in the Search center?
I followed the steps mentioned in the sample and the search works for me in Office 365.
Regarding the synchronization, I don't think that is available in the Search center as of now because there is no option to edit the connection or set any synchronization schedule. However, I'm still exploring other options to synchronize as it's quite new to me.

What is the Azure "api.cds.appsplatform.us" service?

I am developing a multi-tenant application to use Microsoft's Business Central API. At first I want to check if I can simply log in myself.
However, every time I try to grant admin consent inside the app's API permissions, I get this error:
This app requires access to a service ("https://*.api.cds.appsplatform.us/") that your organization is not subscribed to or has not enabled.
I cannot find anything online about "api.cds.appsplatform.us". I have a subscription (trial) set up, I also have a trial subscription with Business Central (although removing all the API permissions to just the default Microsoft Graph permission, still gives me the same error).
The error message is sort of unhelpful, so what do I need to enable to access my own app?
I believe that the CDS here is Common Data Service. Common Data Service for Apps is a service built on the Common Data model that you can use to store, build, and manage apps and app data. It's used most by PowerApps and Microsoft Flow.
https://learn.microsoft.com/en-us/powerapps/maker/common-data-service/data-platform-intro
https://powerapps.microsoft.com/en-us/common-data-service/
https://learn.microsoft.com/en-us/business-applications-release-notes/april19/dynamics365-business-central/
The only API permissions I needed for a Microsoft Dynamics 365 Business Central app were "Dynamics 365 Business Central" and its subpermissions.
I had included "Dynamics CRM" as an API permission, which requires CDS (Common Data Service), hence the error above.
However, when I wrote above that I had attempted to remove the above permissions and tried the 'grant admin consent' button again, and I got the error again, the problem was that I had forgotten to refresh the page after I had removed the "Dynamics CRM" permission.
Indeed, the takeaway from the error is that one has added a permission too many. But every time one removes a permission, it is paramount that one refreshes the page before attempting the 'grant admin consent' button again.

Azure AD application preconsent not working

(Related to this question)
I have an application that should be automatically usable for all customer tenants, and therefore tried this tutorial to enable preconsent.
After doing the PowerShell commands and getting the application again, I can see that it is enabled:
PS C:\Windows\system32> $graphResponse.value.recordConsentConditions
SilentConsentForPartnerManagedApp
However, when creating a new tenant (or using an existing one) and trying to access Microsoft Graph's /users call, I get a 500 error until I navigate to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&prompt=admin_consent (with {0} being the clientId of the app), sign in as an admin and accept the delegation.
Am I missing a step here?
After a contact with Microsoft support, this is a bug on their side. They told me yesterday that the engineer team acknowledged it. It will be fixed.
In order to query the MS Graph, your app will need to be granted the appropriate permissions by an end user or by an administrator of the tenant. Usually the best way to acquire consent from an administrator is by using the prompt=admin_consent parameter, as you've done above.
If for some reason you must do so via PowerShell, you can create an oAuth2PermissionGrant object using a consentType of AllPrincipals.
Personally I wouldn't recommend using the recordConsentConditions property. It's only there for legacy reasons - I don't even know what it does.
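The grant object mentioned in the answer above, shown as an added example that is not part of the original thread: it builds the body of a tenant-wide (AllPrincipals) oauth2PermissionGrant and reviews an exported list of grants for ones that apply to every user. Field names follow the Microsoft Graph oauth2PermissionGrant resource; the ids, sample records and the watch list of scopes are constructed assumptions.

```python
# Added example: ids, sample records and the watch list are constructed.
WATCHED_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All"}


def tenant_wide_grant_body(client_sp_id, resource_sp_id, scopes):
    """Body for creating a grant that consents on behalf of every user."""
    scopes = [s.strip() for s in scopes if s.strip()]
    if not (client_sp_id and resource_sp_id and scopes):
        raise ValueError("client id, resource id and at least one scope are required")
    return {
        "clientId": client_sp_id,        # service principal of the calling app
        "consentType": "AllPrincipals",  # applies to all users, so no principalId
        "resourceId": resource_sp_id,    # service principal of the API
        "scope": " ".join(scopes),       # space-separated delegated scopes
    }


def review_grants(grants, watched=WATCHED_SCOPES):
    """Flag tenant-wide grants and inconsistent per-user grants."""
    findings = []
    for g in grants:
        scopes = set((g.get("scope") or "").split())
        kind = g.get("consentType")
        if kind == "AllPrincipals":
            findings.append((g.get("id"), "tenant-wide", sorted(scopes & watched)))
        elif kind == "Principal" and not g.get("principalId"):
            findings.append((g.get("id"), "per-user grant without principalId", []))
        elif kind not in ("AllPrincipals", "Principal"):
            findings.append((g.get("id"), "unknown consentType", []))
    return findings


SAMPLE_GRANTS = [  # constructed records in the shape of an exported grant list
    {"id": "g1", "clientId": "sp-app", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": " User.Read Directory.ReadWrite.All"},
    {"id": "g2", "clientId": "sp-app", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "sp-graph", "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-other", "consentType": "Principal",
     "principalId": None, "resourceId": "sp-graph", "scope": "Mail.ReadWrite"},
]

if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS):
        print(finding)
```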

SPAppToken (context token) is null

I have a SharePoint 2013 on-premises environment for which I am developing a provider-hosted app using Visual Studio.
The Visual Studio project has an app project which contains a custom ribbon button that goes to the web project. The web project is hosted on Windows Azure and here I get the error that the context token is null or an empty string.
Getting the token is done using the following code:
var contextTokenString = TokenHelper.GetContextTokenFromRequest(Request);
SharePointContextToken contextToken =
    TokenHelper.ReadAndValidateContextToken(contextTokenString, Request.Url.Authority);
When I see what is passed to the site hosted on Azure I notice that the SPAppToken is null. When using ULS viewer I get the error "The Azure Access Control service is unavailable"
I have already checked if the app is registered (using appregnew.aspx) and that the id is the same for this and in the appManifest.xml and web.config files.
How do I get the context token? Do I need to do something else in Azure in order to make it work?
The link from the comments helped me. I'm posting the answer here so we don't need to rely on a url sticking around.
You get the "EndpointAuthorityDoesNotMatch" message when your app's launch url doesn't match the "app domain" registered for your app's client_id.
For mine this meant that I needed to re-register the app for our test server separately from our development server via the _layouts/15/appregnew.aspx page on the O365 site. Here's a link with more info on registering client ids: http://msdn.microsoft.com/en-us/library/jj687469.aspx
Message 'The Azure Access Control service is unavailable' says that SharePoint can’t construct the SPAppToken because it can’t talk to ACS (Azure Access Control) in order to do that. This could be for a variety of reasons (e.g. network connectivity problems).
You can also check this blog: CJG: The Azure Access Control service is unavailable.
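A diagnostic for the two failure modes discussed in this thread (no SPAppToken posted, and a launch authority that does not match the registered app domain), as an added example that is not code from the thread or from TokenHelper. It assumes the context token is a JWT whose `aud` claim has the form `client_id/host@realm`; the client id, realm and host names are constructed, and the signature is not verified, so this is for troubleshooting only.

```python
import base64
import json


def b64url_json(segment):
    """Decode one base64url JWT segment into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def parse_audience(aud):
    """Split 'client_id/host@realm' (assumed format) into its parts."""
    principal, _, realm = aud.partition("@")
    client_id, _, host = principal.partition("/")
    return client_id, host, realm


def diagnose_context_token(token, request_authority, expected_client_id):
    """Return a reason string. Diagnostic only: the signature is NOT verified."""
    if not token:
        return "missing: no SPAppToken was posted to the app"
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed: not a three-part JWT"
    try:
        claims = b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "malformed: payload is not base64url JSON"
    if not isinstance(claims, dict) or not isinstance(claims.get("aud"), str):
        return "malformed: no aud claim"
    client_id, host, _realm = parse_audience(claims["aud"])
    if client_id.lower() != expected_client_id.lower():
        return "client_id mismatch: token issued for " + client_id
    if host.lower() != request_authority.lower():
        return "authority mismatch: registered " + host + ", request " + request_authority
    return "ok"


def make_sample_token(aud):
    """Build a constructed, unsigned sample token for the checks above."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "HS256"}), enc({"aud": aud}), "constructed-signature"])


SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # constructed
SAMPLE_REALM = "99999999-8888-7777-6666-555555555555"       # constructed
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLIENT_ID + "/dev.example.com@" + SAMPLE_REALM)
```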
