Fix admin consent for SharePoint token retrieval flows in your SPFx solution

post

There have been a couple of changes in SharePoint recently related to retrieving access tokens for your SharePoint Framework solutions. One of the changes is that MSAL V3 now uses the /_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken API to retrieve the access token. Typically, this API was only used when loading your solution from Microsoft Teams, but it will now also be used when loading your solution from SharePoint.

Due to this change, one customer started to experience issues with their SPFx solution. The solution used the @pnp/graph library to retrieve the access token and call the Microsoft Graph API. They noticed the solution was no longer working and were redirected to the /_forms/spfxsinglesignon.aspx page.

The /_forms/spfxsinglesignon.aspx page is used to overcome an issue with third-party cookies or when something goes wrong with token retrieval.

info

You can read more about it in the Help my browser keeps refreshing my SharePoint page article.

The issue

When looking into the issue, I saw failing calls to /_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource="https://graph.microsoft.com"&clientId="72b90cbc-8519-4213-8c4a-1f3527b9f5f8".

The error message that was returned was the following:

Token retrieval error
{
  "odata.error": {
    "code": "10001",
    "message": {
      "lang": "en-US",
      "value": "AADSTS65001: The user or administrator has not consented to use the application with ID '00000003-0000-0ff1-ce00-000000000000' named 'Office 365 SharePoint Online'. Send an interactive authorization request for this user and resource. Trace ID: 322f4528-fb10-4407-89e4-9de76da38900 Correlation ID: 827721a1-4047-8000-9395-cd41d1d50a48 Timestamp: 2024-04-22 10:12:52Z"
    }
  }
}
info

The 72b90cbc-8519-4213-8c4a-1f3527b9f5f8 client ID, is the SharePoint Online Client Extensibility Web Application Principal Entra app in my tenant, and this app is used by SharePoint Framework solutions to retrieve the access token.

What was weird is that the error message mentioned the 00000003-0000-0ff1-ce00-000000000000 or Office 365 SharePoint Online application ID, as this trust should be automatically set.

When the page got redirected to the /_forms/spfxsinglesignon.aspx page, the following message was returned in the query string:

Token retrieval error
AADSTS650057 Invalid resource. The client has requested access to a resource that is not listed in the requested permissions in the client's application registration. Client app ID 08e18876-6177-487e-b8b5-cf950c1e598c (SharePoint Online Web Client Extensibility). Resource value from request 72b90cbc-8519-4213-8c4a-1f3527b9f5f8.

The solution

The issue was that the SharePoint Online Client Extensibility Web Application Principal Entra app was missing the Authorized client applications for the SharePoint Online Web Client Extensibility app and Office 365 SharePoint Online.

Show image Missing authorized client apps
Missing authorized client apps

To fix this issue, you need to add the following client IDs to the Authorized client applications of the SharePoint Online Client Extensibility Web Application Principal app:

  • 08e18876-6177-487e-b8b5-cf950c1e598c (SharePoint Online Web Client Extensibility)
  • 00000003-0000-0ff1-ce00-000000000000 (Office 365 SharePoint Online)
  • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Microsoft Teams)
  • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Microsoft Teams Web Client)
Show image Authorized client apps
Authorized client apps

I do not know why those apps were missing from the configuration. They should normally be automatically added when accessing the SharePoint admin API access page. The solution started to work again once the first two client IDs were added.

Show image Successful token retrieval
Successful token retrieval

Comments

Back to top