New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[HTTP]:400 - [CorrelationId] when attempting to Approval API permissions for SPFx package #1401

Closed
adambu opened this Issue Feb 25, 2018 · 17 comments

Comments

Projects
None yet
10 participants
@adambu
Contributor

adambu commented Feb 25, 2018

Thank you for reporting an issue or suggesting an enhancement. We appreciate your feedback - to help the team to understand your needs, please complete the below template to ensure we have the necessary details to assist you.

Category

  • [X ] Bug
    [HTTP]:400 - [CorrelationId] when trying to approve a MS Graph permission request in a SPFx package:

This is the straight tutorial from https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial,
so it's pretty bad.

My tenant is on "Targeted released for all users."

Here's the package-soution.json
{
"$schema": "https://dev.office.com/json-schemas/spfx-build/package-solution.schema.json",
"solution": {
"name": "spfx-api-scopes-tutorial-client-side-solution",
"id": "f8e40c26-d627-4e26-b0b7-8d6666166e77",
"version": "1.0.0.0",
"includeClientSideAssets": true,
"webApiPermissionRequests": [
{
"resource": "Microsoft Graph",
"scope": "User.ReadBasic.All"
}
]
},
"paths": {
"zippedPackage": "solution/spfx-api-scopes-tutorial.sppkg"
}
}

Expected or Desired Behavior

I should be able to approve the permission request when I log in as a Global Admin. If there is some legitimate reason why the above package should not be manageable, there should be some way more informative message than below.

Observed Behavior

image

[HTTP]:400 - [CorrelationId]:d50e4e9e-d039-5000-3eec-53fad9ca59d5 [Version]:16.0.0.7414

When I looked up the ULS logs the most relevant stack tracke I could find was this:

Exception occured in scope Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipalPermissionRequest.Approve. Exception=System.ArgumentException: A service principal with the name Microsoft Graph could not be found. Parameter name: resourceName
at Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipal.Consent(SPOWebAppServicePrincipalPermissionRequest permissionRequest)
at Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipalPermissionRequestCollection.Approve(SPOWebAppServicePrincipalPermissionRequest permissionRequest)
at Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipalPermissionRequestServerStub.InvokeMethod(Object target, String methodName, ClientValueCollection xmlargs, ProxyContext proxyContext, Boolean& isVoid)
at Microsoft.SharePoint.Client.ServerStub.InvokeMethodWithMonitoredScope(Object target, String methodName, ClientValueCollection args, ProxyContext proxyContext, Boolean& isVoid)

...but the actually "unexpected" line had now exception message and was much more verbose with no obvious problem in the stack. It ends with:
aefae935-f2f6-44ef-9004-766519a1b86c Stack trace:
at Microsoft.SharePoint.SPListItemCollection.EnsureListItemsData()
at Microsoft.SharePoint.SPListItemCollection.get_Count()

Steps to Reproduce

Build the package exactly as described in https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial.

@aslanovsergey

This comment has been minimized.

aslanovsergey commented Feb 26, 2018

I suffer the same issue. CorrelationId in the error massage changes every time the page is refreshed

@aslanovsergey

This comment has been minimized.

aslanovsergey commented Feb 26, 2018

I have found a solution. As a workaround approve request through powershell https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient#manage-permissions-with-powershell

@aslanovsergey

This comment has been minimized.

aslanovsergey commented Feb 26, 2018

And it seems that you need Office 365 Global admin rights to be able to approve reuests

@adambu

This comment has been minimized.

Contributor

adambu commented Feb 27, 2018

That doesn't work for me. Well, it doesn't work because when I run Get-SPOTenantServicePrincipalPermissionRequests I don't see any pending requests.

As mentioned in my stack trace, it looks like there was never any Service Principal for "Microsoft Graph" created in my tenant. Just a guess, but that's what is suggested stack I get just before the 400 is returned. @VesaJuvonen does this seem reasonable? Any suggestions to resolve, as I can't really progress troubleshooting until this is resolved.

@adambu

This comment has been minimized.

Contributor

adambu commented Feb 27, 2018

Correction. I ran SPOTenantServicePrincipalPermissionGrants instead of SPOTenantServicePrincipalPermissionRequests. But the result was the same after getting the request ID and trying to approve it with Approve-SPOTenantServicePrincipalPermissionRequest -RequestId .

@aslanovsergey did you get the EXACT same error message "[HTTP]:400 - [CorrelationId]: [Version]:16.0.0.7414" ??.

@aslanovsergey

This comment has been minimized.

aslanovsergey commented Feb 27, 2018

Seems that no. Mine was [HTTP]:500 - [CorrelationId]:fafb4c9e-f086-5000-cf6c-825482f885d6 [Version]:16.0.0.7414

@VesaJuvonen

This comment has been minimized.

Contributor

VesaJuvonen commented Mar 2, 2018

This issue is really unfortunate and related to the resolution logic of the Azure application, which is currently based on the DisplayName of the application principal. When you try to approve the the permission request, code in SharePoint Online side cannot resolve the right Principal in the Azure AD if you are using "Microsoft Graph" in the package-solution.json like instructed in the tutorial.

Technically this is since the application principal DisplayName was "", until it was updated to the latest value.

The workaround is to use the following configuration in the package-solution.json for those tenants where the Principal Name for Microsoft Graph is using old value. Basically use the "Microsoft.Azure.AgregatorService" as the value for the resource entry.

    "webApiPermissionRequests": [
      {
        "resource": "Microsoft.Azure.AgregatorService",
        "scope": "User.ReadBasic.All"
      }
    ]

We are looking into fixing this for the GA release of the MSGraphClient and AadHttpClient. Right now the only solution is to use the alternative Resource entry in package-solution.json file.

You can use Azure PowerShell or Azure CLIs to check the principal name.

@adambu

This comment has been minimized.

Contributor

adambu commented Mar 2, 2018

Thanks Vesa. Your description provides some insight into what is going on behind the scenes.

@dgaeta dgaeta referenced this issue Mar 19, 2018

Closed

Approve api AadHttpClient #1382

1 of 4 tasks complete
@lucaband

This comment has been minimized.

Contributor

lucaband commented Mar 19, 2018

Thanks everybody for the feedbacks. we are working with the Graph team and a solution will be available by the time we move to feature to General Availability

@lucaband lucaband closed this Mar 19, 2018

@jayeshvg

This comment has been minimized.

jayeshvg commented Mar 20, 2018

Good to know what happens behind the scenes. When is the GA expected?

@VesaJuvonen

This comment has been minimized.

Contributor

VesaJuvonen commented Mar 20, 2018

We have not yet locked the GA schedule as it's dependent on the findings during preview. GA will certainly happen during spring.

@advdberg

This comment has been minimized.

advdberg commented Jun 22, 2018

@VesaJuvonen Any news on the GA dates? Or is it spring 2019? ;-) We have stunning solutions waiting to be published to our customers' environments!

@devinprejean

This comment has been minimized.

devinprejean commented Jun 26, 2018

I tried to use this Microsoft.Azure.AgregatorService in my package-solution json file and when i try to approve it tells me A service principal with the name Microsoft.Azure.AgregatorService could not be found

@grahampasmurf

This comment has been minimized.

grahampasmurf commented Aug 6, 2018

I have same error with Microsoft.Azure.AgregatorService. If I discover answer I will post here.

@AmolM27

This comment has been minimized.

AmolM27 commented Oct 8, 2018

Same problem.
'16.0.0.8126 - A service principal with the name Microsoft.Graph could not be found.
Parameter name: resourceName'

'16.0.0.8126 - A service principal with the name Microsoft.Graph could not be found.
Parameter name: resourceName'

@seriewe

This comment has been minimized.

seriewe commented Oct 12, 2018

The same behavior on my tenant. The workaround @VesaJuvonen mentioned has worked.
When I use the Azure Console to read the service principal and get an empty array but a valid json respond for Microsoft.Azure.AgregatorService

λ az ad sp sp list --spn "Microsoft Graph"
[]

Does anyone have experience if its possible to create the right "Microsoft Graph" principal with "Create a service principal" azure CLI?

Is there an info when the bug will be fixed? Otherwise we have to provide several packages for our customers.

@AmolM27

This comment has been minimized.

AmolM27 commented Oct 12, 2018

@seriewe I have tried but nothing works for me,

'16.0.0.8203 - A service principal with the name Microsoft.Azure.AgregatorService could not be found.
Parameter name: resourceName' if i use the workaround.

I tried PnP PowerShell as well

Connect-PnPOnline –Url -UserWebLogin
Grant-PnPTenantServicePrincipalPermission -Scope "Mail.Read" -Resource "Microsoft.Graph"

and that give me: 'Grant-PnPTenantServicePrincipalPermission : The remote server returned an error: (401) Unauthorized.'

I am SharePoint Administrator on the tenancy. Do I need to be Global Administrator as well. Does anyone know?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment