SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

SPFx solution as Teams Tab (in native client) with Graph : Cannot read property 'indexOf' of undefined #3923

Closed ypcode closed 5 years ago

ypcode commented 5 years ago

Category

Expected or Desired Behavior

I deployed an SPFx WebPart using Microsoft Graph that is supposed to be used in both SharePoint and a Microsoft Teams tab. It simply gets e-mails and files from OneDrive of the current user.

Observed Behavior

In SharePoint and Teams web client, it works just fine. In the Teams desktop application on Windows, I get the following error: Cannot read property 'indexOf' of undefined

Teams Web: image

Teams Desktop: image

Using fiddler, I only see these errors : 3ed {"odata.error":{"code":"10001","message":{"lang":"en-US","value":"AADSTS65001: The user or administrator has not consented to use the application with ID '00000003-0000-0ff1-ce00-000000000000' named 'Office 365 SharePoint Online'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 2a8135d9-4523-4d74-8e02-61c23aef9600\r\nCorrelation ID: 9103db9e-b005-0000-69f2-481dc3f57c4f\r\nTimestamp: 2019-05-09 19:22:42Z"},"error.redirectUrl":"https://pvxlab.sharepoint.com/sites/MyTeam/_layouts/15/teamshostedapp.aspx?

Steps to Reproduce

Create an SPFx application and configure it to be usable as a Teams tab as detailed in the official documentation

Test the tab from the Teams desktop application

msft-github-bot commented 5 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

lucabandMSFT commented 5 years ago

Hey @ypcode can you please check the steps provided in issue #2521 to see if those apply to you as well here?

ypcode commented 5 years ago

Hi @lucabandMSFT,

I just performed these steps. It still doesn't work but, as it is highlighted by some folks, there might be a quite long delay before it is actually taken into account. I'll retry later today and keep you informed. I'm sorry I opened this new thread, I did not find that other one with the keywords I thought about.

If you want, we can close this one and keep tracking in #2521 :)

Thanks for your help !

ypcode commented 5 years ago

Hi @lucabandMSFT,

I retried this just now and still have the same issue.

Regards, Yannick

lucabandMSFT commented 5 years ago

@ypcode , do you mind sharing here the updated manifest? also, to be 100% sure, you did visit the "manage API" page in SP Tenant admin after you modified the manifest in AAD, right?

thanks!

ypcode commented 5 years ago

Hi @lucabandMSFT

Here is the manifest

{
    "id": "f7f1a3b0-f7e8-44d3-8fd5-6ac25ffaded2",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": null,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "ef1fe865-9873-4464-8f77-cbf4b2034506",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2019-05-07T20:03:23Z",
    "groupMembershipClaims": null,
    "identifierUris": [
        "https://microsoft.spfx3rdparty.com"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "SharePoint Online Client Extensibility Web Application Principal",
    "oauth2AllowIdTokenImplicitFlow": true,
    "oauth2AllowImplicitFlow": true,
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "id": "f9bbf4ce-9c5d-4b55-80c2-41ab58bcd2b3",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on your behalf.",
            "userConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "value": "user_impersonation"
        }
    ],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "preAuthorizedApplications": [
        {
            "appId": "00000003-0000-0ff1-ce00-000000000000",
            "permissionIds": [
                "f9bbf4ce-9c5d-4b55-80c2-41ab58bcd2b3"
            ]
        }
    ],
    "publisherDomain": "pvxlab.onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "https://pvxlab.sharepoint.com/",
            "type": "Web"
        },
        {
            "url": "https://pvxlab.sharepoint.com/_forms/spfxsinglesignon.aspx",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42",
                    "type": "Scope"
                },
                {
                    "id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
                    "type": "Scope"
                },
                {
                    "id": "570282fd-fa5c-430d-a7fd-fc8dc98a9dca",
                    "type": "Scope"
                },
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null
}

And yes I visited the "API Management" page and clicked "approve" on all the duplicate pending permissions requests (and got the error saying the permission already exists)

AJIXuMuK commented 5 years ago

Hey @lucabandMSFT - I see the same on one of tenants

AJIXuMuK commented 5 years ago

Under the hood here is the error I'm getting:

https://tenant.sharepoint.com/sites/site/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=%27cedaab2d-4888-401c-ac89-ff40ae75e31a%27

---

{"odata.error":{"code":"-1, System.AggregateException","message":{"lang":"en-US","value":"One or more errors occurred."}}}

AJIXuMuK commented 5 years ago

And another tenant doesn't have SharePoint Online Client Extensibility Web Application Principal app at all in Azure AD.

Barba76 commented 5 years ago

This issue happened to me, also. I just can't get anything from Graph on Teams Desktop environment (web app works fine). I also get "Cannot read property 'indexOf' of undefined". As far as I could go, it seems to be something related with getting an access token.

lucabandMSFT commented 5 years ago

@AJIXuMuK : for the tenant that doesn't have the app at all in AAD: can you please check this https://github.com/SharePoint/sp-dev-docs/issues/3891#issuecomment-494868401? @Barba76 , you confirm that everything works on the web, yes? If that's the case can you please tell me if you have a client secret in the "SPO Client Extensibility Web App Principal" (Dashboard App registrations SharePoint Online Client Extensibility Web Application Principal - Certificates & secrets)?

Barba76 commented 5 years ago

@lucabandMSFT : Yes, everything works as expected on the web app. I've checked on Azure portal and I don't have any client secrets or certificates.


lucabandMSFT commented 5 years ago

@Barba76, thanks. Your tenant is an unfortunate but known issue that we are patching this week. @lahuey FYI. Hope we are able to release a fix during next week.

joselarios commented 5 years ago

Hi @lucabandMSFT

I am experiencing the same issue initially described by @ypcode:

I'm using an SPFx Solution as Teams Tab with MS Graph. The solution works in the web version of Teams, but the Desktop version returns the same: Cannot read property 'indexOf' of undefined. Additionally, using Fiddler, we receive the same error as @ypcode.

Has anyone been able to get this scenario to work?

Is it an issue that is affecting certain Tenants and not others?

I understand this is currently being worked on, with the hope of releasing a fix this week. Is the fix still aimed at releasing soon, or is it likely to require several more weeks?

Thanks in advance for your help with these questions.

Barba76 commented 5 years ago

not working for me yet. This time I am getting another error: "Cannot read property 'match' of undefined"

joselarios commented 5 years ago

Hi,

This is also not working for me yet. The original error has been replaced with the following: "Unexpected token u in JSON at position 0".

Has anyone gotten this to work?

Barba76 commented 5 years ago

@joselarios Now, I am getting exactly the same error as you

AJIXuMuK commented 5 years ago

Same for me, multiple tenants.

juanmlarios commented 5 years ago

Same for me....asked on Twitter too :)

AJIXuMuK commented 5 years ago

Few details. In Desktop client there is a GET request to https://tenant/sites/site/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=%27some-client-id%27 It returns:

{"odata.metadata":"https://tenant.sharepoint.com/sites/site/_api/$metadata#Edm.Null","odata.null":true}

Which is probably not expected. And actual request is not sent afterwards.

Client id from the request is the client id of SharePoint Online Client Extensibility Web Application Principal registered in the AD

lucabandMSFT commented 5 years ago

Thank you very much folks for all the updates: we are absolutely not ignoring you but we have been busy understanding the issue here.

We had to disable the capability temporarily as we found some issues on the underneath technology we use to do tokens exchange. We have fixed the issue and now we are testing it internally before releasing it broadly. We hope to be able to re-enable this capability soon. Expect an update from me soon.

Thanks again

MagtheRag commented 5 years ago

I have been having issues with authentication in the native app from before. We have an SPFx extension that runs inside of a Teams tab through an iframed SharePoint page. We had all the issues and set the right configuration through the step described here by @lucabandMSFT. And we got it working. Now suddenly last week we got the error "Unexpected token u in JSON at position 0" in both our dev and test environments and at the customers. We really really need to fix this as this is an important solution for our customer. Edit: Just saw the update from you guys. Keep my fingers crossed

TheTedAdams commented 5 years ago

@lucabandMSFT is there anywhere better than a few random Github issues where we can watch for updates, such as the team deciding to "disable the capability temporarily" which translates to a complete multi-day outage of something the v1.8 release notes called "Fully supported"?

Going off the release notes saying this was a fully supported solution we pushed this pretty hard at SharePoint Conference recently, so getting it shut off without any comms, and not hearing about the team completely disabling it until people brought it up here on Github is a bit of a bummer for us. As I'm sure you'd imagine, all the customer sees is that our teams tab is broken, so upstream outages like this really impact our relationship with our customers.

lucabandMSFT commented 5 years ago

The issue has been identified and now we have a fix that is currently rolling right now in production. As soon as it hits 100% of our production environments we will turn the capability back on. As things stand right now, we are planning to re-enable the capability by Friday this week.

I will provide an update by Friday no matter what.

To answer some of the communication questions that were rising: we unfortunately don't have (yet) a communication channel in the rich clients to inform that some capabilities have been disabled. We thought about providing broad communication to all tenants but that would have reached the Tenant Administrators and not the end users, and definitely not on the mobile devices.

For customers that open Incidents we have communicated directly with them through support channels.

Thanks, Luca

lucabandMSFT commented 5 years ago

Just to provide an update: the feature should be running 100% in production back by now.

IgnasLabinas commented 5 years ago

Hi, I see it really enabled again, as there are no indexOf errors anymore, but the initial error still occurs on my DEV and PRD tenants, which is: AADSTS65001: The user or administrator has not consented to use the application with ID '00000003-0000-0ff1-ce00-000000000000' named 'Office 365 SharePoint Online'. Send an interactive authorization request for this user and resource. Trace ID: 9a934094-192a-4988-b0aa-368789596800 Correlation ID: 9247ec9e-f049-0000-b222-58ec391bf76f Timestamp: 2019-07-02 10:47:53Z

Is it only me? Or am I missing something? All works on web client, but not in desktop client.

IgnasLabinas commented 5 years ago

An update: if I modify "SharePoint Online Client Extensibility Web Application Principal" application, and add "Office 365 SharePoint Online" as authorized application - it works. But I don't think this is the correct solution, is it?

AJIXuMuK commented 5 years ago

I'm getting

{"odata.error":{"code":"-1, System.AggregateException","message":{"lang":"en-US","value":"One or more errors occurred."}}}

Request:

https://tenant.sharepoint.com/sites/site/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=%27client-id%27

Client Id is correct and equals to SharePoint Online Client Extensibility Web Application Principal client ID.

I also visited API management page in SharePoint Admin Portal and re-approved permissions. No changes.

In Azure I see Office 365 SharePoint Online as Authorized Application (as mentioned by @IgnasLabinas)

joselarios commented 5 years ago

I was receiving the same error as @IgnasLabinas, which was found using Fiddler to investigate the network traffic.

I also added the Client ID in the error to the "SharePoint Online Client Extensibility Web Application Principal" application, as mentioned, and now it works.

To echo the concern mentioned by @IgnasLabinas, is this the correct solution?

filuna commented 5 years ago

I'm facing a similar problem, but not the same message - I'm receiving {"odata.error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}} We have already tried all suggested solutions/workarounds. Are you still working on it? In web it works, in desktop Teams it doesn't. Thanks

Filip

msft-github-bot commented 5 years ago

This issue has been automatically marked as stale because it has marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within next 7 days of this comment. Thank you for your contributions to SharePoint Developer activities.

AJIXuMuK commented 5 years ago

This one has not been fully resolved yet and shouldn't be closed.

ghost commented 5 years ago

@filuna can you email me with the following information? I can investigate this tomorrow? My email is lahuey@microsoft.com

  1. Tenant URL
  2. SPRequestGuid on very recent failed request

msft-github-bot commented 5 years ago

This issue has been automatically marked as stale because it has marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within next 7 days of this comment. Thank you for your contributions to SharePoint Developer activities.

CPritch commented 5 years ago

This issue has been automatically marked as stale because it has marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within next 7 days of this comment. Thank you for your contributions to SharePoint Developer activities.

Do not close please, Mr. Bot. Can we get a confirmation that this is not the workaround as intended or at least a progress update on the real fix? I'm quite frankly appalled at the lack of updates on several fronts of the modern environment.

ghost commented 5 years ago

@CPritch The following steps can unblock the Teams Tab scenario for the desktop/mobile apps. We're working on automating this process, which has been tricky for a couple different reasons. We should have an announcement as soon as we can turn on the automation. Sorry about the confusion

Manual Steps

Step 1. Visit the new API Permission Management Page on the Tenant Admin Site. This creates a client secret behind the scenes.

Step 2. Go to -> https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview

Step 3. Click on SharePoint Online Client Extensibility Web Application Principal

Step 4. Click Manifest on the left menu

Step 5. Copy the id from the oAuth2Permission array

"oauth2Permissions": [
        {
            "adminConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "id": "2143704b-186b-4210-b555-d03aa61823cf",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on your behalf.",
            "userConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
            "value": "user_impersonation"
        }
    ],

Step 6. Replace “preAuthorizedApplications” entry with the following json

"preAuthorizedApplications": [
    {
        "appId": "00000003-0000-0ff1-ce00-000000000000",
        "permissionIds": [
            "ID OF THE USER_IMPERSONATION Scope"
        ]
    }
],

Step 7. Hit Save.
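
The manifest edit from Steps 5 and 6 above, as an added example that is not part of the original comment or of any Microsoft tooling: it reads the `user_impersonation` scope id from the manifest being edited (the id differs between the two manifests posted in this thread) and reports where `preAuthorizedApplications` deviates from the Step 6 entry. It assumes the manifest was exported as JSON with the keys shown in the thread; the function names and the sample ids are constructed for illustration.

```javascript
// Added example: audit and apply the preAuthorizedApplications edit from Steps 5-6.
// The appId below is the 'Office 365 SharePoint Online' ID quoted in the thread.
const SPO_APP_ID = "00000003-0000-0ff1-ce00-000000000000";

// Step 5: locate the id of the enabled user_impersonation scope in this manifest.
function findImpersonationScopeId(manifest) {
  const scopes = (manifest.oauth2Permissions || []).filter(
    (p) => p.value === "user_impersonation" && p.isEnabled === true
  );
  if (scopes.length !== 1) {
    throw new Error(`expected one enabled user_impersonation scope, found ${scopes.length}`);
  }
  return scopes[0].id;
}

// Compare the manifest with what Step 6 produces; an empty list means they match.
function auditPreAuthorization(manifest) {
  const scopeId = findImpersonationScopeId(manifest);
  const entries = manifest.preAuthorizedApplications || [];
  const findings = [];
  if (!entries.some((e) => e.appId === SPO_APP_ID)) {
    findings.push(`missing entry for ${SPO_APP_ID}`);
  }
  for (const entry of entries) {
    const ids = entry.permissionIds || [];
    if (entry.appId !== SPO_APP_ID) {
      findings.push(`entry for ${entry.appId} is not part of the workaround`);
    } else if (!ids.includes(scopeId)) {
      findings.push(`entry for ${SPO_APP_ID} does not list scope ${scopeId}`);
    }
    for (const id of ids) {
      if (id !== scopeId) findings.push(`${entry.appId} lists unknown permission id ${id}`);
    }
  }
  return findings;
}

// Step 6: return a copy whose preAuthorizedApplications is exactly the workaround entry.
function applyWorkaround(manifest) {
  const scopeId = findImpersonationScopeId(manifest);
  return {
    ...manifest,
    preAuthorizedApplications: [{ appId: SPO_APP_ID, permissionIds: [scopeId] }],
  };
}

// Constructed sample: the scope id is a placeholder, and the pre-authorized id was
// pasted from another manifest, so it does not match this manifest's own scope.
const sampleManifest = {
  oauth2Permissions: [
    { id: "11111111-1111-1111-1111-111111111111", isEnabled: true, value: "user_impersonation" },
  ],
  preAuthorizedApplications: [
    { appId: SPO_APP_ID, permissionIds: ["22222222-2222-2222-2222-222222222222"] },
  ],
};

console.log(auditPreAuthorization(sampleManifest));
console.log(auditPreAuthorization(applyWorkaround(sampleManifest)));
```
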

ghost commented 5 years ago

@filuna never got back to me on this issue. If there are any additional issues, please open a new GitHub issue. It seems that the original issue has been resolved with the previously mentioned workaround here -> https://github.com/SharePoint/sp-dev-docs/issues/3923#issuecomment-514726341

AJIXuMuK commented 5 years ago

@lahuey - you could ask any other person in here before closing the issue.

ghost commented 5 years ago

@AJIXuMuK are you having issues as well? The original poster is no longer responding on the thread. I would love to help if you're running into issues.

AJIXuMuK commented 5 years ago

@lahuey - yes, and I commented here multiple times. Now I created a separate issue #4357

filuna commented 5 years ago

I'm sorry for my silence, I have vacation now. I will try the proposed solution when I'm back ( after next week). Filip

    1. 2019 19:32, 19:32, lahuey notifications@github.com wrote:

      @filuna never got back to me on this issue. If there are an additional issues, please open a new GitHub issue. It seems that the original issue has been resolved with the previously mentioned workaround here -> https://github.com/SharePoint/sp-dev-docs/issues/3923#issuecomment-514726341


TheTedAdams commented 5 years ago

Hi @lahuey, in our testing we have found that the mentioned manifest edit is ALSO required to make spfx work in the SharePoint mobile app. I have never seen mention of this manifest edit in any context other than teams tabs, can you just confirm that this is known and expected that SPFx web parts cannot get graph tokens in Teams OR SharePoint mobile apps without doing the manual manifest edit?

ghost commented 5 years ago

@TheTedAdams I can confirm this. This workaround/flow is required for environments where ADAL.js doesn't work. I will work with our team to make sure that this is clearly documented.

If there are any other issues outside of the Cannot read property 'match' of undefined (addressed here -> https://github.com/SharePoint/sp-dev-docs/issues/4357), please open a new GitHub issue.

Thanks!

msft-github-bot commented 4 years ago

Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues