API Permissions disappear from SharePoint admin center after approval #10041

Open
1 of 9 tasks
thomaskjaerulff opened this issue Dec 3, 2024 · 32 comments
Labels
area:spfx Category: SharePoint Framework (not extensions related) status:rolling in production The fix has been created and it's currently rolling across all production tenants type:bug-confirmed Confirmed bug, not working as designed / expected.

Comments

@thomaskjaerulff

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 Firefox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

  • browser version
  • SPFx version
  • Node.js version
  • etc

Describe the bug / error

I have an SPFx web part installed on a SharePoint environment with two Microsoft Graph webApiPermissionRequests in the package-solution.json file.

Once the SPFx web part is deployed, I go to the SharePoint Admin Site API Access Page to approve the Web API Permission Requests. After approving them, it looks fine, but when I refresh the page, or navigate away and back, I can't see the approved items anymore.

After redeploying the SPFx package to the app catalog site, the previously approved Web Api Permission Requests are shown in the Pending Request section again.

We are seeing this issue on multiple tenants so we believe we are dealing with a general issue.

Steps to reproduce

  1. Navigate to the https://tenant-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement
  2. Click on a pending request and approve it
  3. Notice that the request has been visually approved and moved to the "Approved requests" group
  4. Refresh the page and notice that the approved APIs are no longer shown
  5. Upload the SPFx package to the catalog site again
  6. Refresh the WebAPIPermissionManagement Page again
  7. The Approved API Items are shown in the Pending Request section

Expected behavior

I expect that after approving the Web API Permission Requests, they will remain in the Approved section on the SharePoint Admin Site API Access Page.

@thomaskjaerulff thomaskjaerulff added the type:bug-suspected Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs. label Dec 3, 2024
@joelfmrodrigues
Contributor

Same here!

@joelfmrodrigues
Contributor

@thomaskjaerulff could this be a duplicate of #9962?
I can also see the Deny endpoint being called as described in the other issue.

@thomaskjaerulff
Author

Thank you for your comment @joelfmrodrigues. You are absolutely right that this is a duplicate of #9962.
Please keep me posted if you know anything about this issue. We currently have two Premier Microsoft Support cases open on this issue on two different tenants. We see this issue on every tenant we come across, so we are dealing with a general issue that has to be fixed.

@joelfmrodrigues
Contributor

@thomaskjaerulff I was able to grant permissions for platform APIs by granting them directly to the relevant Entra ID app registration that is used by SPFx. You can use this blog post from the awesome @michaelmaillot as an example: https://michaelmaillot.github.io/tips/20210302-spfx-api-permissions/
Unfortunately, for my own app this doesn't seem to work at the moment as I can't see it listed under the "My APIs" tab, even though I can see the network request retrieving it. Perhaps a separate bug on the Azure portal.

@thomaskjaerulff
Author

Thank you for the information @joelfmrodrigues.
We did see this blog post and we have tried the suggested solution, however this was not working for us.
When approving the Microsoft Graph permissions using this method, our custom API was lost and vice versa.
If you have any other suggestions, kindly let me know.

@thomaskjaerulff
Author

thomaskjaerulff commented Dec 5, 2024

To follow up on your previous comment @joelfmrodrigues. For further information, when trying to use the m365 CLI as suggested by @michaelmaillot in his great blog post, I receive the error message:

image

@joelfmrodrigues
Contributor

@thomaskjaerulff I had the exact same issue trying to approve my custom API, very frustrating.
I also tried via m365 CLI and PnP.PowerShell, but no luck. At this point, I decided to hold on until there is a reply from MS on the issue as I am not sure if there is something else I can try.

@thomaskjaerulff
Author

@joelfmrodrigues - Keep in mind that this is happening for a standard Microsoft Graph permission also. I will let you know if something comes out of the two Premier Microsoft Support cases I have running.

@joelfmrodrigues
Contributor

@thomaskjaerulff there is an update on the duplicated issue :)
#9962

@thomaskjaerulff
Author

@joelfmrodrigues - Yes, I got a similar response on the two Premier Microsoft Support cases I have open on two different tenants. However, they said the fix will be rolled out on the 20th.
Having said the above, it is great that the issue will be resolved in the near future.

@VesaJuvonen VesaJuvonen added the Needs: Triage 🔍 Awaiting categorization and initial review. label Dec 13, 2024
@VesaJuvonen
Contributor

As shared in #9962, the fix should now be out, but we would love to get this confirmed before closing this and the duplicate issue. Thanks for the confirmation in advance 🙏

@VesaJuvonen VesaJuvonen added area:spfx Category: SharePoint Framework (not extensions related) type:bug-confirmed Confirmed bug, not working as designed / expected. status:rolling in production The fix has been created and it's currently rolling across all production tenants and removed type:bug-suspected Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs. Needs: Triage 🔍 Awaiting categorization and initial review. labels Dec 17, 2024
@thomaskjaerulff
Author

Thank you for joining the conversation @VesaJuvonen.
I just tested approving Microsoft Graph permissions, and unfortunately the issue still remains.
Immediately after approving the permissions, it looks correct, but when navigating away and back or refreshing the API access page, the permissions disappear.

@joelfmrodrigues
Contributor

The same behaviour here. Approving seems to work and I see no errors on the console network requests, but then refresh the page and the approved permission is gone. Trying to approve via M365 CLI or PnP.PowerShell also still doesn't work.

@thomaskjaerulff
Author

@VesaJuvonen & @joelfmrodrigues - I've made a video recording of my experience on a new demo tenant which has been created today:
https://fellowminddk-my.sharepoint.com/:v:/g/personal/thomas_kjaerulff_fellowmind_dk/Eccby2gWhaFLqi7_X9GcQXMBPT4VhGxxoOE6iRPJWg1VIw?e=TfD0H6

@thomaskjaerulff
Author

@VesaJuvonen & @joelfmrodrigues - My assumption is that there is something wrong with the app registration "SharePoint Online Client Extensibility Web Application Principal"

image

@thomaskjaerulff
Author

@VesaJuvonen - I've received e-mails from the two Microsoft Premier Support cases (created on separate tenants) saying that the issue has been fixed. However, after checking, the issue unfortunately still remains. Do you have any update?

@thomaskjaerulff
Author

@joelfmrodrigues - Is the issue the same on your tenant(s)?

@joelfmrodrigues
Contributor

@thomaskjaerulff yes exactly the same error, and I confirm that it is still not fixed

@thomaskjaerulff
Author

@joelfmrodrigues and @VesaJuvonen - I tried on the existing environments again this morning. Here the issue still remains.
I then created a brand new demo environment, and here I was able to approve the Microsoft Graph permissions without any issues. Please see screenshot below:

image

I'm worried about the existing environments. Do I need to do something actively to get it to work on these environments?

@joelfmrodrigues
Contributor

Quick update to this. I tried to get the SharePoint Online Client Extensibility Web Application Principal app registration recreated in hope of having the issue resolved, but still no luck.

  1. Deleted the app registration and waited a moment for the associated enterprise application to also be automatically deleted.
  2. Visited the API access page within the M365 admin portal as I knew from past issues that this would trigger the creation of a new SharePoint Online Client Extensibility Web Application Principal app
  3. Checked the network tab in dev tools and could see all requests going on to provision the new app without issues
  4. Confirmed that the new app was created and expected default app configurations seemed to be in place
  5. Tried to approve permissions again, but same issue 😫

@thomaskjaerulff
Author

The issue still remains and we are desperate to get this working, as we are unable to install/configure our product. Would you be able to follow up on this @VesaJuvonen? Your help will be highly appreciated.
@joelfmrodrigues if you have any news regarding this, please let me know.

@joelfmrodrigues
Contributor

@thomaskjaerulff Unfortunately I am in the same place as before :( Deploying our solution to a separate client tenant and crossing my fingers I don't find the same issues there as it would be a huge problem

@thomaskjaerulff
Author

@joelfmrodrigues I found that it was working fine on newly created demo tenants. But not on existing tenants. This is a big problem for us.

@joelfmrodrigues
Contributor

@thomaskjaerulff I just noticed that on my tenant I have the app SharePoint Online Client Extensibility Web Application Principal, but the app SharePoint Online Client Extensibility Web Application Principal Helper is missing. Can you please confirm if the "Helper" app is also missing on your side?

@thomaskjaerulff
Author

@joelfmrodrigues I have both app registrations. The SharePoint Online Client Extensibility Web Application Principal and the SharePoint Online Client Extensibility Web Application Principal Helper.
Found this interesting post: https://ericschrader.wordpress.com/2020/06/23/sharepoint-online-bad-service-principal-breaks-sharepoint-admin-api-access-global-service-principal-id-error-resolved/

@joelfmrodrigues
Contributor

@thomaskjaerulff that doesn't seem to apply to me as I only have one app registration 😇 and the ID matches the ID in the page source code

@joelfmrodrigues
Contributor

And now I found this also on the client's prod tenant 😟

@joelfmrodrigues
Contributor

@thomaskjaerulff it just started working on the two tenants I found the issue!

@thomaskjaerulff
Author

@joelfmrodrigues good to hear. I'm glad you got it working. I just tested on one of our customer tenants, and here the issue is still the same unfortunately. Maybe it just takes time to roll out the fix. At least, that is what I hope. Maybe you can confirm this @VesaJuvonen?

@thomaskjaerulff
Author

@joelfmrodrigues
Contributor

@thomaskjaerulff looks like the same experience I had.

@thomaskjaerulff
Author

@joelfmrodrigues & @VesaJuvonen
Running a network trace when approving the permissions shows me that the approval flow is looking for an application id that does not exist on the tenant. The app registration exists, but with a different ID. This is the case for both tenants where we are running Microsoft Premier Support cases.
Also, we see a "Deny" call which does not have any response data available.

image

We are really desperate to find a solution here :(
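
The state described in this thread (approvals that look fine in the UI but are not stored, and an approval flow that targets an application ID the tenant does not have) can be checked against directory data instead of the API access page. The sketch below is an added example, not code from the issue or from Microsoft: it compares the `webApiPermissionRequests` in package-solution.json with exported Microsoft Graph `servicePrincipals` and `oauth2PermissionGrants` objects. The sample data, the function name and the `flow_app_id` parameter are constructed for illustration, and it assumes SPFx approvals are stored as tenant-wide (`AllPrincipals`) grants on the SPFx principal.

```python
import json

SPFX_PRINCIPAL = "SharePoint Online Client Extensibility Web Application Principal"

# Constructed sample data: the shapes follow package-solution.json and the
# Microsoft Graph servicePrincipal / oauth2PermissionGrant resources.
PACKAGE = json.loads("""{"solution": {"webApiPermissionRequests": [
  {"resource": "Microsoft Graph", "scope": "User.Read.All"},
  {"resource": "Microsoft Graph", "scope": "Sites.Read.All"}]}}""")
SERVICE_PRINCIPALS = [
    {"id": "sp-object-id-spfx", "appId": "11111111-1111-1111-1111-111111111111",
     "displayName": SPFX_PRINCIPAL},
    {"id": "sp-object-id-graph", "appId": "00000003-0000-0000-c000-000000000000",
     "displayName": "Microsoft Graph"},
]
GRANTS = [{"clientId": "sp-object-id-spfx", "consentType": "AllPrincipals",
           "resourceId": "sp-object-id-graph", "scope": "User.Read.All"}]


def audit_api_access(package, service_principals, grants, flow_app_id):
    """Report which requested scopes are really granted to the SPFx principal.

    flow_app_id is the application ID seen in the approval request of a
    network trace (hypothetical parameter name).
    """
    by_name = {sp["displayName"]: sp for sp in service_principals}
    client = by_name.get(SPFX_PRINCIPAL)
    report = {
        "principal_found": client is not None,
        "app_id_matches_flow": client is not None
        and client["appId"].lower() == flow_app_id.lower(),
        "granted": [],
        "missing": [],
    }
    for req in package["solution"].get("webApiPermissionRequests", []):
        resource = by_name.get(req["resource"])
        stored = set()
        if client and resource:
            for g in grants:
                if (g["clientId"] == client["id"] and g["resourceId"] == resource["id"]
                        and g["consentType"] == "AllPrincipals"):
                    stored.update(g["scope"].split())
        bucket = "granted" if req["scope"] in stored else "missing"
        report[bucket].append(f'{req["resource"]}/{req["scope"]}')
    return report


if __name__ == "__main__":
    print(audit_api_access(PACKAGE, SERVICE_PRINCIPALS, GRANTS,
                           "11111111-1111-1111-1111-111111111111"))
```

A non-empty `missing` list after an approval that looked successful in the UI, or `app_id_matches_flow` being false, corresponds to the two symptoms reported in the comments above.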
