How to configure & call an Azure AD protected API with downstream calls

[mgrosperrin]

What type of issue is this?

Question

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

• 💥 Internet Explorer
• 💥 Microsoft Edge
• 💥 Google Chrome
• 💥 FireFox
• 💥 Safari
• mobile (iOS/iPadOS)
• mobile (Android)
• not applicable
• other (enter in the "Additional environment details" area below)

Additional environment details

• SPFx version: 1.17.1
• Node.js version: 16.20.0
• etc

Issue description

Hello team,

We are an ISV and create WebParts (& application customizers) and need to call our own Azure AD protected APIs (which calls other APIs).
We try to follow the document on how to configure it (https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient) but all articles refers to calling APIs backed by Azure AD apps defined in the same tenant (which is not our case).

We try to add our scope in the webApiPermissionRequests section of the package-solution.json file but we always have the following error message in the admin center when trying to approve it:

As you can see, we try to use both the name and the App Id of the Azure AD application (defined in another tenant to behave like our clients).

How can we securely call "externals" API secured by Azure AD (except MS Graph which is the only other example) ?

Thanks in advance.

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[lucabandMSFT]

@mgrosperrin , thanks for reporting the behavior.
The issue seems to be related by the fact that you are making a request to your API but such API is not registered in the consuming tenant (meaning: there's no equivalent service principal associated).

We recently introduced the capability to create 3rd party API registrations (aka: Service Principals) API approval process. We are unfortunately a little bit behind on our documentation refresh process but that's how you accomplish that:

• in Package-solution.json add a new replyURL entry inder webAPIPremissions requests section:
• "webApiPermissionRequests": [{
  "resource": "API name as it's registered in AAD",
  "scope": "required permission scope",
  "replyUrl": "Url used by AAD during consent / registration experience",,
  "appId": "the application principal ID for which a service principal will get created in the tenant."
  }]

documentation for replyURL can be found here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-admin-consent. we map our reply_URL value to the "redirect_uri parameter.

Let me know if that helps.

[mgrosperrin]

Hi @lucabandMSFT,

I try with the new properties for the WebAPI permission and it works!

Thanks for the information.

If you need any help to write/review the documentation, please let me know.

Matthias

Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues