[HTTP]:400 - [CorrelationId] when attempting to Approval API permissions for SPFx package

[adambu]

Thank you for reporting an issue or suggesting an enhancement. We appreciate your feedback - to help the team to understand your needs, please complete the below template to ensure we have the necessary details to assist you.

Category

• [X ] Bug
  [HTTP]:400 - [CorrelationId] when trying to approve a MS Graph permission request in a SPFx package:

This is the straight tutorial from https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial,
so it's pretty bad.

My tenant is on "Targeted released for all users."

Here's the package-soution.json
{
"$schema": "https://dev.office.com/json-schemas/spfx-build/package-solution.schema.json",
"solution": {
"name": "spfx-api-scopes-tutorial-client-side-solution",
"id": "f8e40c26-d627-4e26-b0b7-8d6666166e77",
"version": "1.0.0.0",
"includeClientSideAssets": true,
"webApiPermissionRequests": [
{
"resource": "Microsoft Graph",
"scope": "User.ReadBasic.All"
}
]
},
"paths": {
"zippedPackage": "solution/spfx-api-scopes-tutorial.sppkg"
}
}

Expected or Desired Behavior

I should be able to approve the permission request when I log in as a Global Admin. If there is some legitimate reason why the above package should not be manageable, there should be some way more informative message than below.

Observed Behavior

[HTTP]:400 - [CorrelationId]:d50e4e9e-d039-5000-3eec-53fad9ca59d5 [Version]:16.0.0.7414

When I looked up the ULS logs the most relevant stack tracke I could find was this:

Exception occured in scope Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipalPermissionRequest.Approve. Exception=System.ArgumentException: A service principal with the name Microsoft Graph could not be found. Parameter name: resourceName
at Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipal.Consent(SPOWebAppServicePrincipalPermissionRequest permissionRequest)
at Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipalPermissionRequestCollection.Approve(SPOWebAppServicePrincipalPermissionRequest permissionRequest)
at Microsoft.Online.SharePoint.TenantAdministration.Internal.SPOWebAppServicePrincipalPermissionRequestServerStub.InvokeMethod(Object target, String methodName, ClientValueCollection xmlargs, ProxyContext proxyContext, Boolean& isVoid)
at Microsoft.SharePoint.Client.ServerStub.InvokeMethodWithMonitoredScope(Object target, String methodName, ClientValueCollection args, ProxyContext proxyContext, Boolean& isVoid)

...but the actually "unexpected" line had now exception message and was much more verbose with no obvious problem in the stack. It ends with:
aefae935-f2f6-44ef-9004-766519a1b86c Stack trace:
at Microsoft.SharePoint.SPListItemCollection.EnsureListItemsData()
at Microsoft.SharePoint.SPListItemCollection.get_Count()

Steps to Reproduce

Build the package exactly as described in https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial.

[aslanovsergey]

I suffer the same issue. CorrelationId in the error massage changes every time the page is refreshed

[aslanovsergey]

I have found a solution. As a workaround approve request through powershell https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient#manage-permissions-with-powershell

[aslanovsergey]

And it seems that you need Office 365 Global admin rights to be able to approve reuests

[adambu]

That doesn't work for me. Well, it doesn't work because when I run Get-SPOTenantServicePrincipalPermissionRequests I don't see any pending requests.

As mentioned in my stack trace, it looks like there was never any Service Principal for "Microsoft Graph" created in my tenant. Just a guess, but that's what is suggested stack I get just before the 400 is returned. @VesaJuvonen does this seem reasonable? Any suggestions to resolve, as I can't really progress troubleshooting until this is resolved.

[adambu]

Correction. I ran SPOTenantServicePrincipalPermissionGrants instead of SPOTenantServicePrincipalPermissionRequests. But the result was the same after getting the request ID and trying to approve it with Approve-SPOTenantServicePrincipalPermissionRequest -RequestId .

@aslanovsergey did you get the EXACT same error message "[HTTP]:400 - [CorrelationId]: [Version]:16.0.0.7414" ??.

[aslanovsergey]

Seems that no. Mine was [HTTP]:500 - [CorrelationId]:fafb4c9e-f086-5000-cf6c-825482f885d6 [Version]:16.0.0.7414

[VesaJuvonen]

This issue is really unfortunate and related to the resolution logic of the Azure application, which is currently based on the DisplayName of the application principal. When you try to approve the the permission request, code in SharePoint Online side cannot resolve the right Principal in the Azure AD if you are using "Microsoft Graph" in the package-solution.json like instructed in the tutorial.

Technically this is since the application principal DisplayName was "", until it was updated to the latest value.

The workaround is to use the following configuration in the package-solution.json for those tenants where the Principal Name for Microsoft Graph is using old value. Basically use the "Microsoft.Azure.AgregatorService" as the value for the resource entry.

    "webApiPermissionRequests": [
      {
        "resource": "Microsoft.Azure.AgregatorService",
        "scope": "User.ReadBasic.All"
      }
    ]

We are looking into fixing this for the GA release of the MSGraphClient and AadHttpClient. Right now the only solution is to use the alternative Resource entry in package-solution.json file.

You can use Azure PowerShell or Azure CLIs to check the principal name.

[adambu]

Thanks Vesa. Your description provides some insight into what is going on behind the scenes.

[lucaband]

Thanks everybody for the feedbacks. we are working with the Graph team and a solution will be available by the time we move to feature to General Availability