[HTTP]:400 - [CorrelationId] when attempting to approve API permissions for SPFx package #1401
This is the straight tutorial from https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial.
My tenant is on "Targeted released for all users."
Here's the package-solution.json
Expected or Desired Behavior
I should be able to approve the permission request when I log in as a Global Admin. If there is some legitimate reason why the above package should not be manageable, there should be a far more informative message than the one below.
[HTTP]:400 - [CorrelationId]:d50e4e9e-d039-5000-3eec-53fad9ca59d5 [Version]:220.127.116.1114
When I looked up the ULS logs, the most relevant stack trace I could find was this:
Exception occured in scope Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipalPermissionRequest.Approve. Exception=System.ArgumentException: A service principal with the name Microsoft Graph could not be found. Parameter name: resourceName
...but the actual "unexpected" line had no exception message and was much more verbose, with no obvious problem in the stack. It ends with:
Steps to Reproduce
Build the package exactly as described in https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial.
I have found a solution. As a workaround, approve the request through PowerShell: https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient#manage-permissions-with-powershell
That doesn't work for me. Well, it doesn't work because when I run Get-SPOTenantServicePrincipalPermissionRequests I don't see any pending requests.
As mentioned in my stack trace, it looks like there was never any Service Principal for "Microsoft Graph" created in my tenant. Just a guess, but that's what is suggested by the stack I get just before the 400 is returned. @VesaJuvonen does this seem reasonable? Any suggestions to resolve, as I can't really progress troubleshooting until this is resolved.
Correction. I ran SPOTenantServicePrincipalPermissionGrants instead of SPOTenantServicePrincipalPermissionRequests. But the result was the same after getting the request ID and trying to approve it with Approve-SPOTenantServicePrincipalPermissionRequest -RequestId .
@aslanovsergey did you get the EXACT same error message "[HTTP]:400 - [CorrelationId]: [Version]:18.104.22.16814" ??.
This issue is really unfortunate and related to the resolution logic of the Azure application, which is currently based on the DisplayName of the application principal. When you try to approve the permission request, code on the SharePoint Online side cannot resolve the right Principal in Azure AD if you are using "Microsoft Graph" in the package-solution.json as instructed in the tutorial.
Technically this is since the application principal DisplayName was "", until it was updated to the latest value.
The workaround is to use the following configuration in the package-solution.json for those tenants where the Principal Name for Microsoft Graph is using old value. Basically use the "Microsoft.Azure.AgregatorService" as the value for the resource entry.
We are looking into fixing this for the GA release of the MSGraphClient and AadHttpClient. Right now the only solution is to use the alternative Resource entry in package-solution.json file.
You can use Azure PowerShell or Azure CLIs to check the principal name.
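One way to run the check mentioned above, as an added example that is not part of the original comment or Microsoft's own code. It assumes the Az.Resources module with a signed-in session (Connect-AzAccount) and uses the well-known Microsoft Graph application ID, which the thread does not state; the function name Get-GraphResourceName is hypothetical.

```powershell
# Added example, not from the thread. Requires the Az.Resources module and
# a signed-in session (Connect-AzAccount) with rights to read the directory.

# Well-known application ID of Microsoft Graph (assumption: not stated in the thread).
$GraphAppId = '00000003-0000-0000-c000-000000000000'

# The two resource names discussed in the thread.
$CandidateNames = @('Microsoft Graph', 'Microsoft.Azure.AgregatorService')

function Get-GraphResourceName {
    param(
        [string]$AppId = $GraphAppId,
        [string[]]$Candidates = $CandidateNames
    )

    # Look up by application ID, which does not depend on the display name
    # that the approval step resolves against.
    $sp = Get-AzADServicePrincipal -ApplicationId $AppId

    if (-not $sp) {
        # Matches the "could not be found" case reported in the ULS log.
        Write-Warning "No service principal with appId $AppId exists in this tenant."
        return $null
    }

    $name = $sp.DisplayName
    if ($Candidates -contains $name) {
        Write-Host "Use ""$name"" as the resource value in package-solution.json."
    } else {
        Write-Warning "Display name '$name' matches neither value discussed in the thread."
    }
    return $name
}

Get-GraphResourceName
```

Because the lookup is by application ID, it returns the principal whichever display name the tenant currently carries.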
The same behavior on my tenant. The workaround @VesaJuvonen mentioned has worked.
Does anyone have experience if it's possible to create the right "Microsoft Graph" principal with the "Create a service principal" Azure CLI?
Is there any info on when the bug will be fixed? Otherwise we have to provide several packages for our customers.
@seriewe I have tried but nothing works for me:
'22.214.171.12403 - A service principal with the name Microsoft.Azure.AgregatorService could not be found.
I tried PnP PowerShell as well:
Connect-PnPOnline -Url -UserWebLogin
and that gives me: 'Grant-PnPTenantServicePrincipalPermission : The remote server returned an error: (401) Unauthorized.'
I am SharePoint Administrator on the tenancy. Do I need to be Global Administrator as well? Does anyone know?