Develop Reference

Registering an app permission in SharePoint

I am needing to connect from Azure (Azure data factory) to SharePoint sites
When I then create a linked service, I get the following error
Failed to get metadata of odata service, please check if service url and
credential is correct and your application has permission to the resource.
So, here is what I am doing - detailed:
I registered an app in Azure Active Directory and then went to Grant permission to that app ("add-in" in SharePoint language, if I get it right) with the SharePoint.
So, in the following, I am not understanding:
1.) What to put for domain ? and for redirect.
Is it something like "www.myCompanyDomain.com" and http://www.myCompanyDomain.com ?
or is it something to be taken from Azure Registered app configuration ?
) In the XML pasted, the "Scope" - Do I specify it literally as it is shown ? (Actually http://sharepoint/content/sitecollection) or is it to be replaced with my company's sharepoint Farm URL ?
Would appreciate any help ...

In domain you can use localhost and https://localhost in redirect url like following pic
In the XML, just specify it literally as it is shown and don't replace with your company's sharepoint Farm URL. You can refer to the document for the scope
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint

SharePoint Framework AadHttpClient - operation is part of experimental feature

I'm trying to use the AadHttpClient library that comes with SPFx to connect to a custom API secured by an app registration in Azure AD.
However when I run the web part in the workbench, SharePoint Online (in the tenant _layouts) I get an error in the console saying that the feature is experimental.
Error: The requested operation is part of an experimental feature that is not supported in the current environment.
As far as I can make out from this article, it should be in general release.
When connecting to Azure AD-secured APIs, we recommend that you use the MSGraphClient and AadHttpClient classes, which are now generally available. For more information about the recommended models, see Connect to Azure AD-secured APIs in SharePoint Framework solutions and Use the MSGraphClient to connect to Microsoft Graph.
When I go to the API management page in SP Admin site I get a popup stating
***Access to Azure Active Directory resources using the SharePoint Framework will be available soon.
So I'm a bit confused.
I also get an error on the API management page saying..
A null value was found with the expected type 'Edm.String[Nullable=False]'. The expected type 'Edm.String[Nullable=False]' does not allow null values.
I also get the same error when I try in PowerShell running
Get-SPOTenantServicePrincipalPermissionRequests
I'm not 100% sure I understand the relevance of the API management page - does an admin need to approve just once for the web part then all users are good to go?

I was having the same issue. The github thread can be found here. What fixed it for me was adding the account I was using as a site collection admin.
Connect-SPOService
Set-SPOUser -Site https://TENANT-admin.sharepoint.com -IsSiteCollectionAdmin $True -LoginName yourLoginName

Where to get the Redirect URI and/or ClientId of an existing Asp.Net Core App

I have an existing asp.net core 2.0 web app that uses a local database to store logins (individual user accounts). However, I now want to hide a page on the applications behind AD authentication.
I created another test app selecting 'work or school accounts' to see what that looks like, using the correct domain. That new app lets me log in with my work AD account right off the bat, and so I took all of the relevant code from that new test app and put it in my old application so that it routes to that microsoft sign in page when you click the correct page link. Everything seems to be working and hooked up correctly, except after logging in I get this message:
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '[the ClientId I put in appsettings]'
I copied over the appsettings section as well from the test project for the AzureAd configuration, but of course I need the ClientId for my already existing project, not from the test project. The relevant appsettings section looks like this:
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "XXXX.com",
"TenantId": "XXXXXXXXXXXXXXXXX", //this seems to be the same everywhere and is fine?
"ClientId": "XXXXXXXXXXXXXXXXX", //this is app specific and generated automatically when the app is created?
"CallbackPath": "/signin-oidc"
},
My question is, where can I find that ClientId for my existing application? Every answer to this I look says you have to get it or set it up in Azure, but we don't actually use Azure, instead that ClientId is generated automatically by Visual Studio when I create the application (it still works for logging in on the test app so I guess I don't need azure for this?). Where do I get the ClientId for an existing app? Or, how can I add it to an existing app? Or generate one that will be accepted?
Thanks
EDIT (added from comment below):
thanks for your response. I have logged into azure portal. The test application I made was in there, but not the new application that was first made with local accounts. So, I added the new application, took it's generated applicationid and put it in the appsettings as the client id. I also generated a key for the application inside azure portal, but I am unsure what to do with that key. It appears now though that I am able to successfully authenticate, in that after logging it it gives me the "would you like to stay logged in..." option, but then on redirect it just does Working...indefinitely.so I think the issue now is with redirect.
The reply url I have in azure portal is just
https://localhost:44320/signin-oidc
I just put that in there to imitate the working test application which has the same thing but a different number, (this number matches the local host number that the new app uses in developement in launch settings). In the c# in AccountController I have tried a lot of things including the default
var redirectUrl = Url.Action(nameof(HomeController.Index), "Home");
but the redirect always gets stuck on Working...
Also, strangely, now every link on the site redirects to the azure login, rather than only the one link I initially setup to redirect to the login action on the accountcontroller for azure, which is odd and not the behavior I need. How do I fix that?
thanks

The other answers here are correct. If you were able to successfully publish the app from Visual Studio, a Client ID would have already been generated. Use your Visual Studio account to log into the Azure portal. Then find the app by either searching the name from the resources list or checking under the App Services blade. When you click into the app, you will want to copy the Application ID and paste it into the Client ID section in the web.config. (Client ID and Application ID are synonymous even though they are named differently.)
With regard to the reply URL question, you just need to make sure that the Redirect URI and the reply URLs are matching. Normally you would just put the application homepage URL in both sections, unless you wanted to direct the users somewhere else. (So it would just be https://myapp.azurewebsites.net)

Azure new users: You do not have permission to view this directory or page

I have a web app in Azure. The access to that web app is controlled by Azure Active Directory. The app is up and running since September of last year. I didn't make any changes to the app for a while and have 33 users in that app.
So, a week ago I tried to add a user, using the same methods and paths I used before.
The new user can log in to microsoft (portal.office.com). After the initial log in and changing of the password the user goes to the web app in Azure and get the following error: You do not have permission to view this directory or page.
Error tracing gives me this:
HTTP Error 401.73 - Unauthorized You do not have permission to view
this directory or page.
Most likely causes: The authenticated user does not have access to a
resource needed to process the request.
Things you can try: Create a tracing rule to track failed requests for
this HTTP status code. For more information about creating a tracing
rule for failed requests, click here.
Detailed Error Information: Module EasyAuthModule_32bit
Notification BeginRequest Handler
ExtensionlessUrlHandler-Integrated-4.0 Error Code 0x80004005
Requested URL https://*******:80/.auth/login/aad/callback Physical
Path D:\home\site\wwwroot.auth\login\aad\callback Logon Method
Not yet determined Logon User Not yet determined
More Information: This is the generic Access Denied error returned by
IIS. Typically, there is a substatus code associated with this error
that describes why the server denied the request. Check the IIS Log
file to determine whether a substatus code is associated with this
failure. View more information »
Microsoft Knowledge Base Articles:
Another observed behavior: usually when new users are logging in the web app asks for permissions for the AD to access their account information. Ever since this problem came up this is not the case any more.
Other users do not have any problems logging in. This problem only happens with new users who never logged in before.
EDIT: When I go to Active Directory and look at sign ins, I see failures to log into the web app with sign-in error code 90092. Failure Reason: Other.
Microsoft help desk could not give me details on that error code.

Checkout the related question and answer here. All new users have to first consent the application (agree and give your application permissions to access their profile / or you indicated as required permissions).
In short, you have to design "sign-up" button for your application, which uses the "login_url" and appends "&prompt=consent" to the query string.
Read all related resources here to better understand the consent framework.
And please read the documentation about Azure App Service Authentication/Authorization here, as well as the Azure AD specific documentation here.

OMG, I just found an answer. I created a test app and set it up to mirror the settings of my live app.
In Required Permissions the new app had nothing for Microsoft Graph, the live app had 5 permissions. I deleted Microsoft Graph and it works now!
I wish Microsoft communicated better about discontinued API's. I did get an alert, but it was mostly talking about MS Office 365.

Azure Easy API on Node.js 'No route registered for '/api/xxx'?

I'm having problems even running a simple Easy API method. I keep getting the response that says "No route registered for '/api/userInfo'".
I know that this location is correct because the I'm opening the App Service editor at https://XXXX/dev/wwwroot/api/userInfo.js
The file also has anonymous access, so there shouldn't be an authorization issue. I'm simply trying to hit the api method from a browser.
The code of this very simple method has been reduced to the following for debugging purposes
module.exports = {
"get":function(){
console.log('whooohooo');
}
};
Is there a setting I'm missing to enable the ability to call Easy API's? I've not been able to find any documentation that states that Easy APIs method must be explicitly enabled, nor can I find any settings related to enabling them.
Please note that I did not set up a Node.js project and deploy it to Azure. I am using an "out of the box" app service.
My end goal is to use an Easy API method go get an authenticated user's email and name, but my efforts have been reduced to confirming that I can call a method. Thanks in advance.
UPDATE:
I've created 3 different mobile App services with no luck and varying advantages.
App Service 1:
This Mobile Apps project is 10 months old and was created in the Azure portal. It has a routing line in the app.js file that suggest that the api route should be present, but doesn't work. I don't remember if i authorized the easy apis when i created it, but the fact that it has the following line suggests that I did
mobile.api.import('./api');
AppService 2:
This project was created in the MobileCenter using the Tables menu option for a Xamarin project. I then navigated to the Azure Portal and hooked up a SQL db to the table. I don't think I had the opt in to use Easy APIs, but the I was allowed to create an Easy API script, then edit it. Upon editing it, I realized that the project had no app.js file. Apparently web apps created via MobileCenter are created differently.
I picked this option because it allows you to use the "per-user" flag when setting up tables and doesn't require you to manually filter out data with a modification to the table's script. Apparently this is not an option if you don't set up an App Service via the MobileCenter??
App Service 3:
I created a brand new project within the portal and followed the the steps Aaron Chen laid out. I opted in, hooked up the table and modified the js file (I created a new one called 'testing'). I browsed to https://zzzzapitestzzzz1.scm.azurewebsites.net/api/testing
and got the dreaded no routes found error. Of course, the API method was created with anon access rights.

Basically, we can easily create an Easy API in the Azure portal.
Select your app service and click on Easy APIs in the MOBILE menu.
Enable Mobile extension for your app by clicking Need to configure Easy Tables/Easy APIs ...
Connect a database and then click Initialize App button.
After app initialized, you can add an API from Easy APIs blade.
Change the userInfo.js file to something like this:
Now, we can access the API with the endpoint http://<yourappname>.azurewebsites.net/api/userInfo.
For more info, please refer to this blog post.