Troubleshooting
Common issues for the first public release. If your problem isn't here, check the FAQ, search open issues, or file a bug report.
The SPA loaded but MSAL has no valid configuration. Most common causes:
- Self-hosted deployment with placeholders left in place. The deployment script's "verifying injection" step should have caught this. Re-run the deployment with the same parameters.
- Wrong tenant. You are signed in to a tenant where the app registration doesn't exist. Sign out, then sign in again and pick the right account.
- Strict third-party-cookie settings or browser extensions blocking login.microsoftonline.com. Disable extensions for the portal origin or try a different browser to confirm.
The redirect URI on your app registration doesn't match the deployed portal URL. Add the SWA URL (and your custom domain, if any) under Authentication → Single-page application in the app registration. The Bicep deployment outputs the exact URIs in redirectUris.
Your tenant requires admin consent. An administrator must grant tenant-wide consent — use the adminConsentUrl output from the self-hosted deployment, or visit https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<client-id> for the multi-tenant managed app.
A previous interactive flow didn't clean up — usually because a redirect was interrupted. Close the tab, reopen the portal, and sign in again. If it persists, clear the portal origin's sessionStorage from DevTools → Application.
- You may genuinely have no eligibilities in the current tenant. Switch tenants from the header.
- Some directories restrict Policy.Read.All or RoleManagement.ReadWrite.Directory. Ask an administrator to grant tenant-wide admin consent.
- For Azure Resource roles, your account must be able to enumerate role assignments at the tenant root via asTarget(). Most directories allow this for any signed-in user, but custom RBAC restrictions can block it.
- Check the Active Roles tab — it might already be active.
- Toggle Show already-active roles in eligible in Settings to confirm.
- Check the type filter pills at the top of each table; a plane may be filtered out.
The 30-minute policy cache may be stale. Click Refresh in the header to invalidate both the role and policy caches and re-fetch.
Almost always one of:
- The role policy requires an auth context that hasn't been satisfied. Open the role policy in Entra and check Activation requirements. The portal should detect this; if it doesn't, please file a bug.
- The role requires approval and the request was rejected by an approver.
- A Conditional Access policy unrelated to PIM (e.g. requiring a compliant device) is blocking the activation request itself. The browser DevTools Network tab will show the underlying claims challenge.
- The role likely requires approval and is in Pending state — check the activity drawer.
- Click Refresh in the header to force a fresh fetch.
This is normal — the portal handles it by stepping up authentication and threading the new claims into the rest of the operation. If it loops or fails, file a bug with the offending request URL and the decoded claims challenge.
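When filing that bug, the "decoded claims challenge" is the base64 `claims` parameter in the `WWW-Authenticate` header of the 401. The following is an added example (not the portal's own code) of decoding it and extracting the auth context ids it demands; the header value is constructed here for illustration.

```javascript
// Added example: decode a Graph/ARM claims challenge from WWW-Authenticate.
// Returns { error, claims, rawClaims } or null if no challenge is present.
function parseClaimsChallenge(wwwAuthenticate) {
  if (!wwwAuthenticate || !/^Bearer\b/i.test(wwwAuthenticate)) return null;
  const errorMatch = /error="([^"]*)"/.exec(wwwAuthenticate);
  const claimsMatch = /claims="([^"]*)"/.exec(wwwAuthenticate);
  if (!claimsMatch) return null;
  // The claims value is base64 JSON; tolerate the base64url alphabet too.
  const b64 = claimsMatch[1].replace(/-/g, '+').replace(/_/g, '/');
  const json = Buffer.from(b64, 'base64').toString('utf8');
  let claims;
  try {
    claims = JSON.parse(json);
  } catch {
    return null; // not a well-formed challenge
  }
  return { error: errorMatch ? errorMatch[1] : null, claims, rawClaims: claimsMatch[1] };
}

// Auth context ids the resource insists on (access_token.acrs.value / .values).
function requiredAuthContexts(parsed) {
  const acrs = parsed && parsed.claims && parsed.claims.access_token
    ? parsed.claims.access_token.acrs : undefined;
  if (!acrs) return [];
  if (Array.isArray(acrs.values)) return acrs.values;
  return acrs.value !== undefined ? [acrs.value] : [];
}

// Constructed sample: a 401 demanding Conditional Access auth context "c1".
const sampleClaims = { access_token: { acrs: { essential: true, value: 'c1' } } };
const sampleHeader =
  'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", ' +
  'error="insufficient_claims", claims="' +
  Buffer.from(JSON.stringify(sampleClaims)).toString('base64') + '"';
```

`JSON.stringify(parseClaimsChallenge(header).claims)` is the value to paste into the bug report alongside the request URL.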
The portal does not currently poll for approval state. Refresh manually after your approver acts.
Deployment script errors with "ERROR: portalSourceArchiveUrl downloaded successfully, but the ZIP does not contain Portal/index.html"
Your supplied archive doesn't contain a Portal/ folder at the expected depth. Verify the archive structure: find should locate Portal/index.html within four directory levels of the ZIP root.
GitHub returns 404 to unauthenticated downloads of private repositories. Either deploy from a public branch with portalSourceBranch, or build a ZIP and host it on a publicly reachable URL (e.g. a Blob with a short-lived SAS) and pass it as portalSourceArchiveUrl.
The deployment identity could not update the app registration. Add the redirectUris output manually under Authentication → Single-page application.
The fix is already built in — each run uses a fresh resource name driven by deploymentScriptRunId. Just rerun the template; the new run gets a new resource name automatically.
After binding the domain on the SWA, make sure the same domain is listed under your app registration's SPA redirect URIs. The deployment script attempted to add it; if the attempt failed, add it manually.
Browser favicon caches are sticky. Open in a private window or fully clear site data for the portal origin to validate.
Once you pick a theme explicitly in Settings, that overrides the OS preference. Choose System to restore auto-detect.
That's by design. Tokens live in sessionStorage, which survives reload but not tab close. If MSAL silent acquisition fails after a long break, you'll be redirected to sign in again.
Entra and Group calls render first; Azure Resource calls usually arrive shortly after. In tenants with many subscriptions and many resource roles, ARM enumeration can take several seconds. Subsequent visits are faster because of the per-tenant role cache.
The Graph batch engine handles 429 by honoring Retry-After and applying exponential backoff. Brief bursts are normal. If they persist or the operation fails, your tenant may be applying aggressive throttling — file a bug with the captured 429 response headers.
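For reference, this is the retry behaviour described above, as an added example rather than the portal's own batch engine: a 429 is retried after the server's `Retry-After` hint when present, otherwise after exponential backoff, up to a fixed attempt count. The fetch and sleep functions are injected so the sample runs offline.

```javascript
// Added example: 429 handling that honours Retry-After and backs off exponentially.
const MAX_ATTEMPTS = 5;

// Delay before the next attempt. Retry-After is usually seconds (Graph), but an
// HTTP-date is also valid; anything unparsable falls back to exponential backoff.
function computeDelayMs(attempt, retryAfter, baseMs = 500, capMs = 30000) {
  if (retryAfter !== null && retryAfter !== undefined) {
    const seconds = Number(retryAfter);
    if (Number.isFinite(seconds) && seconds >= 0) return Math.min(seconds * 1000, capMs);
    const when = Date.parse(retryAfter);
    if (!Number.isNaN(when)) return Math.min(Math.max(when - Date.now(), 0), capMs);
  }
  return Math.min(baseMs * 2 ** attempt, capMs);
}

// Retries only on 429; any other status is returned to the caller unchanged.
// Returns the final response plus the delays that were applied.
async function fetchWithRetry(doFetch, sleep = ms => new Promise(r => setTimeout(r, ms))) {
  const delays = [];
  let res;
  for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
    res = await doFetch();
    if (res.status !== 429 || attempt === MAX_ATTEMPTS - 1) break;
    const delay = computeDelayMs(attempt, res.headers.get('Retry-After'));
    delays.push(delay);
    await sleep(delay);
  }
  return { response: res, delays };
}

// Constructed sample: two throttled responses (one with a hint), then success.
function sampleResponses() {
  const queue = [
    { status: 429, headers: new Map([['Retry-After', '2']]) },
    { status: 429, headers: new Map() },
    { status: 200, headers: new Map() },
  ];
  return () => Promise.resolve(queue.shift());
}

// Runs the sample with a no-op sleep so it completes instantly.
function runSample() {
  return fetchWithRetry(sampleResponses(), async () => {});
}
```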