sp-dev-docs icon indicating copy to clipboard operation
sp-dev-docs copied to clipboard
verified publisher icon SharePoint

Unable to approve a SPFx app permission request with PnP Powershell

Open mmohapatra-muhimbi opened this issue 1 year ago • 1 comments

What type of issue is this?

Question

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Target SharePoint environment

SharePoint Online

What browser(s) / client(s) have you tested

  • [ ] 💥 Internet Explorer
  • [ ] 💥 Microsoft Edge
  • [ ] 💥 Google Chrome
  • [ ] 💥 FireFox
  • [ ] 💥 Safari
  • [ ] mobile (iOS/iPadOS)
  • [ ] mobile (Android)
  • [ ] not applicable
  • [ ] other (enter in the "Additional environment details" area below)

Additional environment details

SPFx version 1.18.2 Node 18.9.0 Powershell: 7.4.1 PnP.PowerShell 2.4.33

Issue description

We have some webApiPermissionRequests defined in spfx package-solution json file

"webApiPermissionRequests": [
      {
        "resource": "Azure AD app name",
        "scope": "user_impersonation"
      },
      {
        "resource": "Microsoft Graph",
        "scope": "User.Read, AllSites.FullControl"
      }
    ]

In PowerShell I am trying to approve these permission requests using

$permissionRequests = Get-PnPTenantServicePrincipalPermissionRequests
    foreach ($req in $permissionRequests)
        {
            if ($req.PackageName -eq "$muhimbiPackageName")
            {
                Write-Host "Granting permissions $($req.Name) $($req.Scope)"

                Approve-PnPTenantServicePrincipalPermissionRequest -RequestId $req.Id -Force -ErrorAction SilentlyContinue -ErrorVariable approveRequestError -OutVariable approveRequestResult | Out-Null

                if (![String]::IsNullOrWhiteSpace($approveRequestError) -And -Not($approveRequestError -imatch "already exists"))
                {
                    Write-Host "approveRequestError: $approveRequestError"
                    $grantedAllPermissions = $false;
                    Write-Host "Failed" -ForegroundColor Red
                }
                else
                {
                    Write-Host "Success" -ForegroundColor Green
                }

                Write-Host ""
            }
        }

But I am getting below error: approveRequestError: The service principal for permssion request {SPFX_App_Name} could not be found.

Please note there is a typo in "permssion"

Script was working fine few days ago but started giving error recently

I tried the SP online powershell as well Get-SPOTenantServicePrincipalPermissionRequests and Approve-SPOTenantServicePrincipalPermissionRequest getting same error

Tried Enable-SPOTenantServicePrincipal it gives us "Unknown Error"

I checked below service principal exists:

  1. "SharePoint Online Client Extensibility Web Application Principal"
  2. "GraphAggregatorService" or "Microsoft Graph"
  3. Azure AD app created by us

Manually approving the permission works just fine

mmohapatra-muhimbi avatar Apr 11 '24 11:04 mmohapatra-muhimbi

Any updates on this issue? We are having the same problem recently.

tomaszoida avatar Jun 28 '24 08:06 tomaszoida

Just a +1 also having the same issue, which is a double pain as the web gui also doesn't work (with an MSAL iframe error)

marcus-atvero avatar Jul 12 '24 15:07 marcus-atvero

+1 Any updates for this issue?

approveRequestError: The service principal for permssion request {app-name} could not be found.
Failed

irinamirici avatar Feb 14 '25 08:02 irinamirici

+1 Any updates/due dates on this?

Approve-PnPTenantServicePrincipalPermissionRequest : The service principal for permssion request {app name} coul
d not be found.

Get-PnPTenantServicePrincipalPermissionRequests works fine

dohly avatar Feb 18 '25 11:02 dohly

Hello @mmohapatra-muhimbi, Thank you for bringing this issue to our attention. We will look into it and get back to you shortly. Could you please confirm if the issue still persists for you?

Amey-MSFT avatar Jun 23 '25 04:06 Amey-MSFT

@Amey-MSFT Yes the issue still exists

mmohapatra-muhimbi avatar Jun 23 '25 09:06 mmohapatra-muhimbi

Hello @mmohapatra-muhimbi, We were able to reproduce the issue, and we are investigating it. We have logged this as a bug, and our engineering team will look into it. Thank you!

Amey-MSFT avatar Jun 26 '25 10:06 Amey-MSFT

+1

Same behavior @dohly noted: Approve-PnPTenantServicePrincipalPermissionRequest : The service principal for permssion request {app name} coul d not be found.

Get-PnPTenantServicePrincipalPermissionRequests works fine

Also unable to approve via: /_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement with error: The requested permission isn't valid. Reject this request and contact the developer to fix the problem and redeploy the solution.

Luckily our existing staging environment approval that has been working for years mysteriously became unapproved. We are trying to add it back. Hope the same doesn't happen in prod :/

Interestingly, package name is "-" in existing approvals, but is the name of the sppkg file now.

This seems to be related to this change in March 2025: https://devblogs.microsoft.com/microsoft365dev/changes-on-sharepoint-framework-spfx-permission-grants-in-microsoft-entra-id/

However this is not rolled out in our tenant yet as we do not see an app registration named: "SharePoint Online Web Client Extensibility"

benjblack avatar Jun 27 '25 16:06 benjblack