New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SPFx suddenly stopped working; experimental feature error #2472

Closed
justdevelopment opened this Issue Sep 6, 2018 · 39 comments

Comments

Projects
None yet
@justdevelopment

justdevelopment commented Sep 6, 2018

Category

  • Question
  • Typo
  • Bug
  • Additional article idea

Expected or Desired Behavior

When running in Targeted release, experimental features should work so we can try them out.

Observed Behavior

Starting this morning, tenants return the error "Uncaught (in promise) Error: The requested operation is part of an experimental feature that is not supported in the current environment." when trying to view SPFx webparts using the MSGraphClient

Steps to Reproduce

Add a webpart which uses the MSGraphClient, see that it returns the above error.

We first thought it was our tenants settings, however we're seeing it across all our tenants (at least 5 checked now) with code that was working yesterday evening.

@RobinBreman

This comment has been minimized.

Show comment
Hide comment
@RobinBreman

RobinBreman Sep 6, 2018

This might be related: When I tried reinstalling a webpart that is using the MSGraphClient the API management page is in error.

  • Downloaded previously working package from appcatalog
  • Deleted package from appcatalog
  • (Re)uploaded package to appcatalog
  • Deployed the app
  • Api management portal is not showing permission request but 2 error messages

2018-09-06_1052

RobinBreman commented Sep 6, 2018

This might be related: When I tried reinstalling a webpart that is using the MSGraphClient the API management page is in error.

  • Downloaded previously working package from appcatalog
  • Deleted package from appcatalog
  • (Re)uploaded package to appcatalog
  • Deployed the app
  • Api management portal is not showing permission request but 2 error messages

2018-09-06_1052

@TheMiao

This comment has been minimized.

Show comment
Hide comment
@TheMiao

TheMiao Sep 6, 2018

Thanks @RobinBreman

Hi @justdevelopment
There was internal error for MS Graph API early today. Please check it again and for free to reply new updates.

TheMiao commented Sep 6, 2018

Thanks @RobinBreman

Hi @justdevelopment
There was internal error for MS Graph API early today. Please check it again and for free to reply new updates.

@justdevelopment

This comment has been minimized.

Show comment
Hide comment
@justdevelopment

justdevelopment Sep 6, 2018

To add to this; I've created a brand new SPFx 1.6 project, added a call to the MSGraphClient and it returns the same error.

image

Additionally, because of the errors @RobinBreman posted, I also can't approve permissions for this new project. This also happens in PowerShell.
image
[Edit] To be clear, these are two separate tenants with the same errors.

@TheMiao the issue still persists at this point on all our tenants.

justdevelopment commented Sep 6, 2018

To add to this; I've created a brand new SPFx 1.6 project, added a call to the MSGraphClient and it returns the same error.

image

Additionally, because of the errors @RobinBreman posted, I also can't approve permissions for this new project. This also happens in PowerShell.
image
[Edit] To be clear, these are two separate tenants with the same errors.

@TheMiao the issue still persists at this point on all our tenants.

@RobinBreman

This comment has been minimized.

Show comment
Hide comment
@RobinBreman

RobinBreman Sep 6, 2018

@TheMiao Has the error been resolved? I still get errors using the graphclient.

RobinBreman commented Sep 6, 2018

@TheMiao Has the error been resolved? I still get errors using the graphclient.

@justdevelopment

This comment has been minimized.

Show comment
Hide comment
@justdevelopment

justdevelopment Sep 6, 2018

It appears the App registration for 'SharePoint Online Client Extensibility', which used to be visible in my azure portal, is now missing. This might be why I'm getting the null value errors? Is there any way to get this back, or is this the app registration that was replaced by the 1.6 update? There is no new prinicpal listed, even after redeploying / deploying the 1.6 project.

(as listed in https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient#considerations)

justdevelopment commented Sep 6, 2018

It appears the App registration for 'SharePoint Online Client Extensibility', which used to be visible in my azure portal, is now missing. This might be why I'm getting the null value errors? Is there any way to get this back, or is this the app registration that was replaced by the 1.6 update? There is no new prinicpal listed, even after redeploying / deploying the 1.6 project.

(as listed in https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient#considerations)

@BigEaseGueldi

This comment has been minimized.

Show comment
Hide comment
@BigEaseGueldi

BigEaseGueldi Sep 6, 2018

Just to clarify the impact:

Am I right that any solution based on webApiPermissionRequests is literally dead right now?

BigEaseGueldi commented Sep 6, 2018

Just to clarify the impact:

Am I right that any solution based on webApiPermissionRequests is literally dead right now?

@justdevelopment

This comment has been minimized.

Show comment
Hide comment
@justdevelopment

justdevelopment Sep 6, 2018

Basically... at least for our 5 tenants. I see there are people who do have it working but have other issues like #2473 and #2475
They do have the SPO Extensibility principal listed so that seems to be the main difference atm. This is aside from the "Experimental feature" error, not sure how that is related....

[Edit] No, not the missing prinicpal. I was looking in the wrong area, it's there. Sorry to put you on the wrong track .
I've had a colleague with a different tenant test. They had never deployed the old project, thus never used the preview AAD registration. They can add the project and add permissions correctly.

justdevelopment commented Sep 6, 2018

Basically... at least for our 5 tenants. I see there are people who do have it working but have other issues like #2473 and #2475
They do have the SPO Extensibility principal listed so that seems to be the main difference atm. This is aside from the "Experimental feature" error, not sure how that is related....

[Edit] No, not the missing prinicpal. I was looking in the wrong area, it's there. Sorry to put you on the wrong track .
I've had a colleague with a different tenant test. They had never deployed the old project, thus never used the preview AAD registration. They can add the project and add permissions correctly.

@AndreasNorefalk

This comment has been minimized.

Show comment
Hide comment
@AndreasNorefalk

AndreasNorefalk Sep 6, 2018

Have previously approved APIs from SPFx 1.4.1 but today they are not available. I see the following errors:

image

No 'SharePoint Online Client Extensibility Web Application Principal' app registration is available in Azure.

The following is displayed when opening API management:

image

AndreasNorefalk commented Sep 6, 2018

Have previously approved APIs from SPFx 1.4.1 but today they are not available. I see the following errors:

image

No 'SharePoint Online Client Extensibility Web Application Principal' app registration is available in Azure.

The following is displayed when opening API management:

image

@VesaJuvonen

This comment has been minimized.

Show comment
Hide comment
@VesaJuvonen

VesaJuvonen Sep 6, 2018

Contributor

Thanks for reporting. We are now actively looking into this and trying to get this resolved asap from the engineering side. We will be updating this thread as there are any updates on the progress.

Contributor

VesaJuvonen commented Sep 6, 2018

Thanks for reporting. We are now actively looking into this and trying to get this resolved asap from the engineering side. We will be updating this thread as there are any updates on the progress.

@mcmynn83

This comment has been minimized.

Show comment
Hide comment
@mcmynn83

mcmynn83 Sep 6, 2018

@AndreasNorefalk - Can you give the domain of your the tenant that you saw that error on (just so I can quickly grab error logs)?

mcmynn83 commented Sep 6, 2018

@AndreasNorefalk - Can you give the domain of your the tenant that you saw that error on (just so I can quickly grab error logs)?

@mcmynn83

This comment has been minimized.

Show comment
Hide comment
@mcmynn83

mcmynn83 Sep 6, 2018

@AndreasNorefalk - Just so you know the API management screen showing the message "Access to Azure Active Directory resources using the SharePoint Framework will be available soon" is expected for the first 20 minutes after creating the app catalog. The two http 500 errors are not expected. We are working to reduce the time that the error message will show up for to closer to 10 minutes, but that is a work in progress.

mcmynn83 commented Sep 6, 2018

@AndreasNorefalk - Just so you know the API management screen showing the message "Access to Azure Active Directory resources using the SharePoint Framework will be available soon" is expected for the first 20 minutes after creating the app catalog. The two http 500 errors are not expected. We are working to reduce the time that the error message will show up for to closer to 10 minutes, but that is a work in progress.

@mcmynn83

This comment has been minimized.

Show comment
Hide comment
@mcmynn83

mcmynn83 Sep 6, 2018

@justdevelopment / @RobinBreman - could either of you include the correlation ID's and a domain? I just tried to repro this issue and I'm not seeing the error you are seeing. There is a definite issue because multiple people are seeing it, but my test tenant doesn't experience the same problems. Thanks! If you don't feel comfortable putting your domain on this thread please send it to me at my grahamc at microsoft.com email address

mcmynn83 commented Sep 6, 2018

@justdevelopment / @RobinBreman - could either of you include the correlation ID's and a domain? I just tried to repro this issue and I'm not seeing the error you are seeing. There is a definite issue because multiple people are seeing it, but my test tenant doesn't experience the same problems. Thanks! If you don't feel comfortable putting your domain on this thread please send it to me at my grahamc at microsoft.com email address

@justdevelopment

This comment has been minimized.

Show comment
Hide comment
@justdevelopment

justdevelopment Sep 6, 2018

I've send you an email @mcmynn83

As an aside, the dialog popup Andreas reports should disapear? It's been there the whole week now, on a tenant which has had an app catalog for 2+ years. Shall I report this to the central admin preview people? I thought it was meant to be there for their preview thing.

justdevelopment commented Sep 6, 2018

I've send you an email @mcmynn83

As an aside, the dialog popup Andreas reports should disapear? It's been there the whole week now, on a tenant which has had an app catalog for 2+ years. Shall I report this to the central admin preview people? I thought it was meant to be there for their preview thing.

@lucaband

This comment has been minimized.

Show comment
Hide comment
@lucaband

lucaband Sep 6, 2018

Contributor

While we are actively investigating the “500 internal server error issues” let me provide an update to another point that has been mentioned in this issue:
Am I right that any solution based on webApiPermissionRequests is literally dead right now?

Yes, unfortunately you are right. We briefly mentioned it in the 1.6 Release notes:

"On a related note, any permissions that were granted previous to the 1.6.0 release will need to be re-granted, as we have changed which AAD application is used."

But I agree we should have done a better job in communicating it; That's a great feedback and we sure have to put more attention on it in the future.

So technically, the permissions are still there in AAD but it’s correct that they are no longer used by SharePoint Framework. This is an important piece of information.. and I will explain why in just a second but, before that, why did we have to do that?

It has to do with the way we are using AAD behind the scenes: previously we were using an app principal that was defined once and every tenant was having a Service Principal created in their tenancy.
That led in some limitations that prevented tenant admins to be able to fully control such principal (because the original App Principal was a Microsoft one .. which is referred as “1st party app principal” in AAD lingo).

Instead, the new design is that we create App Principal on each tenant which now Admins can fully control.
The side effect of that decision is that all the previous approved permissions are not in the new app principal

but.. wait: there’s still HOPE!

As I mentioned before the two objects are still there. If you really need all the permission backs you can use AAD portal, look at the previous permissions (under “Home / Enterprise applications / All applications / SharePoint Online Client Extensibility Web Application Principal / Permissions”), and then use the new PowerShell commands we introduced in the GA version of Web APIs to re-add those permissions to the new App Principal.

Hope this helps,
Luca

Contributor

lucaband commented Sep 6, 2018

While we are actively investigating the “500 internal server error issues” let me provide an update to another point that has been mentioned in this issue:
Am I right that any solution based on webApiPermissionRequests is literally dead right now?

Yes, unfortunately you are right. We briefly mentioned it in the 1.6 Release notes:

"On a related note, any permissions that were granted previous to the 1.6.0 release will need to be re-granted, as we have changed which AAD application is used."

But I agree we should have done a better job in communicating it; That's a great feedback and we sure have to put more attention on it in the future.

So technically, the permissions are still there in AAD but it’s correct that they are no longer used by SharePoint Framework. This is an important piece of information.. and I will explain why in just a second but, before that, why did we have to do that?

It has to do with the way we are using AAD behind the scenes: previously we were using an app principal that was defined once and every tenant was having a Service Principal created in their tenancy.
That led in some limitations that prevented tenant admins to be able to fully control such principal (because the original App Principal was a Microsoft one .. which is referred as “1st party app principal” in AAD lingo).

Instead, the new design is that we create App Principal on each tenant which now Admins can fully control.
The side effect of that decision is that all the previous approved permissions are not in the new app principal

but.. wait: there’s still HOPE!

As I mentioned before the two objects are still there. If you really need all the permission backs you can use AAD portal, look at the previous permissions (under “Home / Enterprise applications / All applications / SharePoint Online Client Extensibility Web Application Principal / Permissions”), and then use the new PowerShell commands we introduced in the GA version of Web APIs to re-add those permissions to the new App Principal.

Hope this helps,
Luca

@VesaJuvonen

This comment has been minimized.

Show comment
Hide comment
@VesaJuvonen

VesaJuvonen Sep 6, 2018

Contributor

@justdevelopment - We are currently analyzing the logs with @mcmynn83. No need to report this forward using other routes. You are interacting already with the right people.

Contributor

VesaJuvonen commented Sep 6, 2018

@justdevelopment - We are currently analyzing the logs with @mcmynn83. No need to report this forward using other routes. You are interacting already with the right people.

@eoverfield

This comment has been minimized.

Show comment
Hide comment
@eoverfield

eoverfield Sep 6, 2018

There is an active twitter conversation happening, a short term concept is being investigated related to access to your SharePoint tenant admin. You can view the thread here: https://twitter.com/PatMill_MSFT/status/1037774074833862657.

eoverfield commented Sep 6, 2018

There is an active twitter conversation happening, a short term concept is being investigated related to access to your SharePoint tenant admin. You can view the thread here: https://twitter.com/PatMill_MSFT/status/1037774074833862657.

@VesaJuvonen

This comment has been minimized.

Show comment
Hide comment
@VesaJuvonen

VesaJuvonen Sep 6, 2018

Contributor

Adding the information to this thread as well, as we are now starting to solve the details and Twitter lenght limitations are no good.

The issue is caused by a situation where the tenant administrator which is being used, is not a site collection administrator of the tenant admin. This seems like a unique situation, but apparently, it's not. You can test the theory by trying to access the following URL as the account having issues - https://YourTenantHere-admin.sharepoint.com/_layouts/15/settings.aspx. If that works, you should be good to go, if that does not work, this is the root cause of your issue.

We are working on a documented workaround and a solution for this. Luckily it seems that the situation is not that common, but clearly, some of you have been experiencing this and we will be looking for a solution until the situation is fully resolved.

Contributor

VesaJuvonen commented Sep 6, 2018

Adding the information to this thread as well, as we are now starting to solve the details and Twitter lenght limitations are no good.

The issue is caused by a situation where the tenant administrator which is being used, is not a site collection administrator of the tenant admin. This seems like a unique situation, but apparently, it's not. You can test the theory by trying to access the following URL as the account having issues - https://YourTenantHere-admin.sharepoint.com/_layouts/15/settings.aspx. If that works, you should be good to go, if that does not work, this is the root cause of your issue.

We are working on a documented workaround and a solution for this. Luckily it seems that the situation is not that common, but clearly, some of you have been experiencing this and we will be looking for a solution until the situation is fully resolved.

@RobinBreman

This comment has been minimized.

Show comment
Hide comment
@RobinBreman

RobinBreman Sep 6, 2018

@VesaJuvonen How is this possible? I only have 1 user in my dev tenant. So i'am sure the tenant admin is also the site collection admin...

RobinBreman commented Sep 6, 2018

@VesaJuvonen How is this possible? I only have 1 user in my dev tenant. So i'am sure the tenant admin is also the site collection admin...

@VesaJuvonen

This comment has been minimized.

Show comment
Hide comment
@VesaJuvonen

VesaJuvonen Sep 6, 2018

Contributor

@RobinBreman - You might think, but apparently no. There are certain scenarios where this could happen as part of the provisioning. If you try to access the /settings.aspx. you can confirm the situation for you. I'm assuming that you cannot access that based on your message.

We are working on a solution for this and will be updating the situation status to this issue immediately when we have progress.

Contributor

VesaJuvonen commented Sep 6, 2018

@RobinBreman - You might think, but apparently no. There are certain scenarios where this could happen as part of the provisioning. If you try to access the /settings.aspx. you can confirm the situation for you. I'm assuming that you cannot access that based on your message.

We are working on a solution for this and will be updating the situation status to this issue immediately when we have progress.

@patmill

This comment has been minimized.

Show comment
Hide comment
@patmill

patmill Sep 6, 2018

Contributor

OK, latest updates on this. We've tracked down the root cause, and it's a bit strange.

Some tenants have the Site Collection Admin for the tenant admin site (mytenant-admin.sharepoint.com) set incorrectly. It should be "Company Administrator", but it winds up with a weird account like YLO001_frm123... When you go to the admin API page, we try and update a property on the web of the admin site collection, but the user doesn't have permissions, and so it fails.

We need to figure out why some of these sites are incorrectly set up, but in the meantime, here is a workaround.

1 - Go to the user page in the Microsoft 365 admin center (https://admin.microsoft.com/adminportal, then select Users->Active Users)
2 - Click Add A User
3 - complete the information, and make sure that you set the License to be "SharePoint Online For Developer" and set the Role to be "Customized Administrator" with "SharePoint Administrator" selected.
4 - Click "Add".
5 - This might take a while....
6 - Log in to the SP admin center as this new users (tenant-admin.sharepoint.com)
7 - Go to _layouts/15/settings.aspx and select "Site Collection Administrators" under Users and Permissions
8 - delete the incorrect user (hit the X, even if the UX is spinning)
9 - In the little text box, enter "Company Administrator", select the Company Administrator when it resolves, then click "OK". Note - at this point you may get an access denied. Ignore it.
10 - Now log back on with the tenant admin, and hit the API page.
11 - If this is all working, you can delete the user you added.

Contributor

patmill commented Sep 6, 2018

OK, latest updates on this. We've tracked down the root cause, and it's a bit strange.

Some tenants have the Site Collection Admin for the tenant admin site (mytenant-admin.sharepoint.com) set incorrectly. It should be "Company Administrator", but it winds up with a weird account like YLO001_frm123... When you go to the admin API page, we try and update a property on the web of the admin site collection, but the user doesn't have permissions, and so it fails.

We need to figure out why some of these sites are incorrectly set up, but in the meantime, here is a workaround.

1 - Go to the user page in the Microsoft 365 admin center (https://admin.microsoft.com/adminportal, then select Users->Active Users)
2 - Click Add A User
3 - complete the information, and make sure that you set the License to be "SharePoint Online For Developer" and set the Role to be "Customized Administrator" with "SharePoint Administrator" selected.
4 - Click "Add".
5 - This might take a while....
6 - Log in to the SP admin center as this new users (tenant-admin.sharepoint.com)
7 - Go to _layouts/15/settings.aspx and select "Site Collection Administrators" under Users and Permissions
8 - delete the incorrect user (hit the X, even if the UX is spinning)
9 - In the little text box, enter "Company Administrator", select the Company Administrator when it resolves, then click "OK". Note - at this point you may get an access denied. Ignore it.
10 - Now log back on with the tenant admin, and hit the API page.
11 - If this is all working, you can delete the user you added.

@RobinBreman

This comment has been minimized.

Show comment
Hide comment
@RobinBreman

RobinBreman Sep 6, 2018

@VesaJuvonen just did a access to -admin.sharepoint.com/_layouts/15/settings.aspx is denied in my single user dev tenant.

RobinBreman commented Sep 6, 2018

@VesaJuvonen just did a access to -admin.sharepoint.com/_layouts/15/settings.aspx is denied in my single user dev tenant.

@SteveClements

This comment has been minimized.

Show comment
Hide comment
@SteveClements

SteveClements Sep 6, 2018

@patmill @VesaJuvonen The API management page is now working, although I didn't add a new user, I simple used PowerShell Set-SPOUser to make myself a site collection admin and then followed your steps.

My app still isn't working though! Says I need to approve it, but nothing to approve in the API Management page. Must I deploy to the app catalog, I can't simply run it locally and use _layouts/15/workbench in my tenant?

Error: AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource.

Guess that's a different issue!

SteveClements commented Sep 6, 2018

@patmill @VesaJuvonen The API management page is now working, although I didn't add a new user, I simple used PowerShell Set-SPOUser to make myself a site collection admin and then followed your steps.

My app still isn't working though! Says I need to approve it, but nothing to approve in the API Management page. Must I deploy to the app catalog, I can't simply run it locally and use _layouts/15/workbench in my tenant?

Error: AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource.

Guess that's a different issue!

@Nasicus

This comment has been minimized.

Show comment
Hide comment
@Nasicus

Nasicus Sep 6, 2018

@SteveClements
Try doing the steps for the "App Registrations" page mentioned in my post here: #2473 (comment) . Especially the ones for adding the permission & granting it to all users.

Nasicus commented Sep 6, 2018

@SteveClements
Try doing the steps for the "App Registrations" page mentioned in my post here: #2473 (comment) . Especially the ones for adding the permission & granting it to all users.

@SteveClements

This comment has been minimized.

Show comment
Hide comment
@SteveClements

SteveClements Sep 6, 2018

@Nasicus wow - thanks. Although it still didn't quite do it as I haven't deployed my app to the catalog, it's just local, using the tenant workbench. I added my custom api to the 'SharePoint Online ...' app then 'grant permissions'
I do see a little alert pop up on the page...i can't quite get it hang around long enough before it vanishes...but it says something along the lines of "...other credentials are required..."

I haven't seen anything anywhere about fiddling with the app registration like you suggested, is there are gap in the docs? am i blind? or is it a potential side effect of the issue this item is actually about?

SteveClements commented Sep 6, 2018

@Nasicus wow - thanks. Although it still didn't quite do it as I haven't deployed my app to the catalog, it's just local, using the tenant workbench. I added my custom api to the 'SharePoint Online ...' app then 'grant permissions'
I do see a little alert pop up on the page...i can't quite get it hang around long enough before it vanishes...but it says something along the lines of "...other credentials are required..."

I haven't seen anything anywhere about fiddling with the app registration like you suggested, is there are gap in the docs? am i blind? or is it a potential side effect of the issue this item is actually about?

@eoverfield

This comment has been minimized.

Show comment
Hide comment
@eoverfield

eoverfield Sep 6, 2018

@SteveClements, I just ran into the same error you ran into, and followed #2473 (comment) as @Nasicus suggested. Worked like a charm, note, I did have to wait a few minutes.

This is a new issue that we have not had to do before. It seems to be to still be a bug that should get fixed but for now, #2473 (comment) does seem to work well.

eoverfield commented Sep 6, 2018

@SteveClements, I just ran into the same error you ran into, and followed #2473 (comment) as @Nasicus suggested. Worked like a charm, note, I did have to wait a few minutes.

This is a new issue that we have not had to do before. It seems to be to still be a bug that should get fixed but for now, #2473 (comment) does seem to work well.

@CloudDesignBox

This comment has been minimized.

Show comment
Hide comment
@CloudDesignBox

CloudDesignBox Sep 6, 2018

Contributor

The workaround worked for me. Thank you @patmill and team!

Contributor

CloudDesignBox commented Sep 6, 2018

The workaround worked for me. Thank you @patmill and team!

@patmill patmill referenced this issue Sep 6, 2018

Closed

SPFx 1.6 MSGraphClient consent doesn't work #2475

2 of 4 tasks complete
@AndreasNorefalk

This comment has been minimized.

Show comment
Hide comment
@AndreasNorefalk

AndreasNorefalk Sep 7, 2018

Thank you, the workaround fixed it for me.

AndreasNorefalk commented Sep 7, 2018

Thank you, the workaround fixed it for me.

@RobinBreman

This comment has been minimized.

Show comment
Hide comment
@RobinBreman

RobinBreman Sep 7, 2018

Combining #2472 (comment) and #2473 (comment) resolved our issues.
On some tenants we also needed to delete and reupload solutions to the appcatalog to get api permission requests to show up in the api management page.

Big thanks to the team!

RobinBreman commented Sep 7, 2018

Combining #2472 (comment) and #2473 (comment) resolved our issues.
On some tenants we also needed to delete and reupload solutions to the appcatalog to get api permission requests to show up in the api management page.

Big thanks to the team!

@aflyen

This comment has been minimized.

Show comment
Hide comment
@aflyen

aflyen Sep 10, 2018

@patmill In step 9 of the workaround, I believe we need to add both “Company Administrator” and “SharePoint Service Administrator”. If not users with the customized “SharePoint Administrator” role will as you suggest get an access denied to SPO admin center, and only users with the global admin role get in.

aflyen commented Sep 10, 2018

@patmill In step 9 of the workaround, I believe we need to add both “Company Administrator” and “SharePoint Service Administrator”. If not users with the customized “SharePoint Administrator” role will as you suggest get an access denied to SPO admin center, and only users with the global admin role get in.

@Nasicus

This comment has been minimized.

Show comment
Hide comment
@Nasicus

Nasicus Sep 10, 2018

@aflyen

An easier workaround is this:

You have to execute two Powershell commands (you need the SharePoint Online Management Shell) to make yourself an admin on this site:

Connect-SPOService
Set-SPOUser -Site https://TENANT-admin.sharepoint.com -IsSiteCollectionAdmin $True -LoginName yourLoginName

Nasicus commented Sep 10, 2018

@aflyen

An easier workaround is this:

You have to execute two Powershell commands (you need the SharePoint Online Management Shell) to make yourself an admin on this site:

Connect-SPOService
Set-SPOUser -Site https://TENANT-admin.sharepoint.com -IsSiteCollectionAdmin $True -LoginName yourLoginName
@HenryatSolu

This comment has been minimized.

Show comment
Hide comment
@HenryatSolu

HenryatSolu Sep 10, 2018

@patmill we have opened a premium ticket on this on Friday but I would try the 11 step workaround. However there is no "SharePoint Online For Developer" license option available. Can we we use E3 instead? @VesaJuvonen should we just archive the premium ticket anyhow?

HenryatSolu commented Sep 10, 2018

@patmill we have opened a premium ticket on this on Friday but I would try the 11 step workaround. However there is no "SharePoint Online For Developer" license option available. Can we we use E3 instead? @VesaJuvonen should we just archive the premium ticket anyhow?

@BigEaseGueldi

This comment has been minimized.

Show comment
Hide comment
@BigEaseGueldi

BigEaseGueldi Sep 10, 2018

@HenryatSolu worked for me without assigning a license.

BigEaseGueldi commented Sep 10, 2018

@HenryatSolu worked for me without assigning a license.

@HenryatSolu

This comment has been minimized.

Show comment
Hide comment
@HenryatSolu

HenryatSolu Sep 11, 2018

@BigEaseGueldi you are right. Now license was required and It's working now.

HenryatSolu commented Sep 11, 2018

@BigEaseGueldi you are right. Now license was required and It's working now.

@DnsSrinath

This comment has been minimized.

Show comment
Hide comment
@DnsSrinath

DnsSrinath Sep 12, 2018

My SPX was working fine for a long time and suddenly it stopped communication with the MSGrpah.

image

when Iclicking on the Link it expand with this error
image

I thought its problem with the permission, but I notice the "API Management" itself is failing.
"API Management" I am getting an Unknown error for approve or reject

image

In further investigation "SharePoint Online Client Extensibility web application principal" is missing.

Both Enable and disable (SPOTenantServicePrincipal) give me the same error: Unknown Error
image

Is it possible to Enable the "SharePoint Online Client Extensibility web application principal" back?

DnsSrinath commented Sep 12, 2018

My SPX was working fine for a long time and suddenly it stopped communication with the MSGrpah.

image

when Iclicking on the Link it expand with this error
image

I thought its problem with the permission, but I notice the "API Management" itself is failing.
"API Management" I am getting an Unknown error for approve or reject

image

In further investigation "SharePoint Online Client Extensibility web application principal" is missing.

Both Enable and disable (SPOTenantServicePrincipal) give me the same error: Unknown Error
image

Is it possible to Enable the "SharePoint Online Client Extensibility web application principal" back?

@justdevelopment

This comment has been minimized.

Show comment
Hide comment
@justdevelopment

justdevelopment Sep 13, 2018

@DnsSrinath try re-deploying your package file so you can approve them again. Mine was missing too (well, not missing, I deleted it :) ) and after I removed, reuploaded + deployed and re-approved the permissions it was recreated in my tenant.

justdevelopment commented Sep 13, 2018

@DnsSrinath try re-deploying your package file so you can approve them again. Mine was missing too (well, not missing, I deleted it :) ) and after I removed, reuploaded + deployed and re-approved the permissions it was recreated in my tenant.

@DnsSrinath

This comment has been minimized.

Show comment
Hide comment
@DnsSrinath

DnsSrinath Sep 13, 2018

@justdevelopment thank you so much, I tried re-uploading the solution package, and permission list in the API Management in SharePoint online, but when I try to approve it - i get "Unknow Error".

DnsSrinath commented Sep 13, 2018

@justdevelopment thank you so much, I tried re-uploading the solution package, and permission list in the API Management in SharePoint online, but when I try to approve it - i get "Unknow Error".

@justdevelopment

This comment has been minimized.

Show comment
Hide comment
@justdevelopment

justdevelopment Sep 13, 2018

Seems like the same issue as #2522 shall we redirect the discussion to there?

justdevelopment commented Sep 13, 2018

Seems like the same issue as #2522 shall we redirect the discussion to there?

@DnsSrinath

This comment has been minimized.

Show comment
Hide comment
@DnsSrinath

DnsSrinath Sep 13, 2018

Seems like the same issue as #2522 shall we redirect the discussion to there?

Yes that is exactly my issue. Thanks for pointing to that issue.

DnsSrinath commented Sep 13, 2018

Seems like the same issue as #2522 shall we redirect the discussion to there?

Yes that is exactly my issue. Thanks for pointing to that issue.

@VesaJuvonen

This comment has been minimized.

Show comment
Hide comment
@VesaJuvonen

VesaJuvonen Sep 13, 2018

Contributor

We are closing this as a fix has been 100% rolled out for the original issue reported by @justdevelopment. If you are experiencing other issues with the Graph integration, please open a new issue rather than adding comments on this existing one with different symptoms, as we cannot track individual comments. See for example the #2522 case, which is clearly a separate topic and has its own issue opened.

Contributor

VesaJuvonen commented Sep 13, 2018

We are closing this as a fix has been 100% rolled out for the original issue reported by @justdevelopment. If you are experiencing other issues with the Graph integration, please open a new issue rather than adding comments on this existing one with different symptoms, as we cannot track individual comments. See for example the #2522 case, which is clearly a separate topic and has its own issue opened.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment