SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

Graph API not working in Teams MOBILE client #7646

Closed plodik closed 2 years ago

plodik commented 2 years ago

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

Windows

What browser(s) / client(s) have you tested

Additional environment details

Describe the bug / error

I have a simple SPFx solution with a Graph API request to get /users. When I run the solution on an SPO page in a Windows browser, in the Teams desktop Windows client, or on an SPO page in a mobile iOS browser, all is working.

When I run the solution on iOS mobile in the Teams or SharePoint app, the Graph API request is not working. It returns odata.error undefined. The AadHttpClient is created successfully, but the actual API call is not working. It is not possible to troubleshoot this on mobile Teams, so I am not sure about the actual error, if any.

Basically, mobile Teams and the mobile SharePoint app are not executing the Graph call. SharePoint REST API calls are working in the same solution on all platforms and apps.

Steps to reproduce

  1. Simple SPFx solution
  2. Call made to Graph API
  3. Mobile Teams app is not executing it

Expected behavior

Working Graph API call in the mobile iOS apps for Teams and SharePoint.

ghost commented 2 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

plodik commented 2 years ago

I am updating with an isolated source code.

```typescript
// client: the Graph client instance (MSGraphClient in SPFx) obtained earlier
client
  .api("users")
  .version("v1.0")
  .select(["id", "userPrincipalName"])
  .get()
  .then((users) => {
    console.log(users);
  })
  .catch((err) => {
    console.log("error!!!" + err);
  });
```

The code successfully works on: Windows browser in SPO, Teams desktop app, Teams in browser. The code goes into the catch statement on: iOS Teams app, SharePoint app.

sosandu commented 2 years ago

I have a repro on the SharePoint Mobile app on Android with the same app (screenshot: Screenshot_20220114-181706_SharePoint).

lucabandMSFT commented 2 years ago

This is for now a known issue. The Teams mobile team is working to fix this scenario and we will provide an update on this issue to share progress with all of you. In the meantime, the only viable workaround is to log in to SharePoint via a browser first.

We are also going to close all the other issues on this topic as dupe to this issue so we can have a single item to track and share progresses.

plodik commented 2 years ago

@lucabandMSFT Hello Luca, thanks for the reply. It is very good that we have confirmed it is a known bug and resolution is on its way. I will be monitoring other referenced issues. Thank you very much!

efeaktasvalprovia commented 2 years ago

@lucabandMSFT Hello Luca,

Is there any updates with this issue?

Thank you for your effort.

cagdasdavulcu commented 2 years ago

@lucabandMSFT hello Luca, we are getting the following exception message: {"odata.error":{"code":"10009","message":{"lang":"de-DE","value":"The target resource is invalid because it does not exist, cannot be found, or it is not correctly configured."}}} It would be great, if we can get any information about the solution. Thank you!

Benny183 commented 2 years ago

@lucabandMSFT Hi Luca,

we are getting the same error from the Teams desktop client:

{"odata.error":{"code":"10009","message":{"lang":"de-DE","value":"The target resource is invalid because it does not exist, cannot be found, or it is not correctly configured."}}}

It is working from SharePoint and from Teams browser version.

lucabandMSFT commented 2 years ago

@cagdasdavulcu , @Benny183, if this is happening on the Teams desktop client, and not mobile, do you mind opening a new issue to properly track it please?

@efeaktasvalprovia : that's work in progress right now: I will update the thread as soon as I have more details on release plan

arnoldmatusz commented 2 years ago

Same experience here with one of our new customers. What's quite awkward is that we can see our tool (also an SPFx web part synced to Teams) working well (even on native apps on iOS and Android devices) in existing environments.

@lucabandMSFT can you give us more information about possible cases / setups / environments etc. where/when this problem occurs? Thanks.

lucabandMSFT commented 2 years ago

Hi @arnoldmatusz, as long as you log in to SharePoint first in a browser, Mobile works. It is when you have never logged in to SharePoint that the problem occurs.

The good news is that the team is actively working on a fix so I believe I will be able to provide an update this month.

cwdata commented 2 years ago

Hi @lucabandMSFT, as that workaround failed for us, could you please elaborate more on the exact steps required? I suppose we need to log in with a browser on the mobile device, not on a PC? If the user has more than one browser installed on his device, which one should he use? And is he supposed to open the site connected to the Team where the app is installed or does any SharePoint site do?

arnoldmatusz commented 2 years ago

Hi @lucabandMSFT, thanks for the quick response. Unfortunately it's the same here as for @cwdata. Is your workaround also expected to work when the original call is towards a web service within Azure (connected to the same Azure AD)? We are experiencing the exact same behaviour when calling a web service on our web app on Azure. Thanks in advance.

plodik commented 2 years ago

Hello all, I have also tried the workaround on iOS device without luck. I logged off from Teams app, opened the browser (Edge), logged to SPO site with the webpart on the page and got the results from Graph API correctly. Then I opened Teams app, opened the app with same webpart as in browser and got the error message.

@lucabandMSFT Can you please provide more details regarding the discussed workaround? Thanks a lot.

lucabandMSFT commented 2 years ago

Thanks for the feedback folks. Logging in with the same user on a browser (no matter if you log in via browser in the mobile or desktop) should temporarily unlock the scenario. But we know that is quite unreliable as a behavior which is why the team is working on a better solution as we speak.

Another question: do you have any conditional access policy in place in accessing the page from Teams or in accessing the specific API?

arnoldmatusz commented 2 years ago

No conditional access policies in our case.

Can you give us a little more background on this? We have our functionality running flawlessly on multiple tenants and currently one that's causing the error message and behaviour above.

To be sincere we've already seen this behaviour multiple times (ca. 30% of cases) and we managed to solve the problem by deleting the "SharePoint Online Client Extensibility Web Application Principal" app registration and having it recreated by navigating to API Access in the SharePoint Administration. But this time, the deletion doesn't seem to help.

Thanks again!

lucabandMSFT commented 2 years ago

@arnoldmatusz , that seems quite uncommon. is it possible for you to collect a trace and send it to us please?

plodik commented 2 years ago

I use my simple tenant for testing without conditional access configured. I have not tried the recreation of the principal account. However, logging in with the browser is not fixing it at all.

lucabandMSFT commented 2 years ago

@plodik, can you share your email here? @GrahamMcMynn and I will follow up with you directly.

arnoldmatusz commented 2 years ago

> @arnoldmatusz , that seems quite uncommon. is it possible for you to collect a trace and send it to us please?

Hi @lucabandMSFT ... I'm sure our client will allow us to share this information privately. How do I contact you?

plodik commented 2 years ago

> @plodik, can you share your email here? @GrahamMcMynn and I will follow up with you directly.

@lucabandMSFT I will write to you over MSFT email 😉

lucabandMSFT commented 2 years ago

For everyone who is still having issues even after logging in to SharePoint in the browser, to fix the current behavior do the following steps:

  • go to portal.azure.com
  • go to app registrations
  • go to the SharePoint Online Client Extensibility Web Application Principal
  • go to manifests
  • set "accessTokenAcceptedVersion": 1
  • Save

This will re-enable the "through SharePoint login" auth path while Teams is fixing mobile to support the {teamSiteDomain} moniker.

mgwojciech commented 2 years ago

We tried this solution as well but with no luck. What's interesting is we had to update identifierUri to match pattern api://{tenant-id}/microsoft.spfx3rdparty.com. However in mobile it's looking for api://{site-subscription-id}/microsoft.spfx3rdparty.com. Now, for the twist. We tried to change the identifierUri to match the site subscription id pattern but then we get exception message The application identifier uri api://{site-subscription-id}/microsoft.spfx3rdparty.com is invalid. Any ideas how we can proceed?

JMTeamway commented 2 years ago

Hi all !

I am also facing the 400 Bad request error on AcquireOBOToken request, but in a different setup. May this description help in better understanding the issue.

I developed an SPFx application customizer (SPFx 1.11, pnp/graph 2.10). This extension makes a Graph call: graph.me.getMemberGroups(true). It is deployed on several Team sites. It works well on Win 10/Chrome, Android/Chrome, iOS/Safari, and in a Teams tab displaying the SharePoint page.

I developed a React Native application that embeds a react-native-webview displaying my SharePoint site. This application displays SharePoint content correctly, including some web parts I did not develop that are using Graph API. This React application fails on both Android and iOS at calling Graph API with the 400 error on the AcquireOBOToken request.

In my scenario, Teams (Web or desktop) is not involved, and still I'm facing a similar issue.

If anyhow I can help providing better information please let me know.

nflourens-dev commented 2 years ago

@lucabandMSFT do you have a timeline for the fix the Teams Mobile dev team is working on? I am investigating an alternative for building a solution which can operate as a 'broker' to acquire a valid token in a Teams SPFx context. But I am not sure if it is worth the investment.

lucabandMSFT commented 2 years ago

@nflourens-dev, sorry for my delay in answering. Teams has committed to start rolling the fix end of Q1. Which means it will probably be in Apple / Play stores around mid of Q2 Calendar year 2022

nflourens-dev commented 2 years ago

Thanks for the update regarding the expected timeline for the Teams Mobile Client fix. Meanwhile we will be using the workaround as mentioned in this topic by changing the "accessTokenAcceptedVersion" property value to "1" for the SharePoint Online Client App Principal (as that seems to work for our solutions).

c-eiser13 commented 2 years ago

Good morning, do we know if the same fix will be applied to the SharePoint iOS app? I am having the same issue with the SharePoint app, where a page is being viewed in the app that contains an SPFx web part that makes a call to the graph, and that web part throws an error.

MarksPoint commented 2 years ago

Just to confirm that these steps were a solution to a situation where we got errors:

> For everyone who is still having issues even after logging in to SharePoint in the browser, to fix the current behavior do the following steps:
>
>   • go to portal.azure.com
>   • go to app registrations
>   • go to the SharePoint Online Client Extensibility Web Application Principal
>   • go to manifests
>   • set "accessTokenAcceptedVersion": 1

The above steps solved the issue (at least for now) in the following situation, where our SPFx web part wasn't able to communicate with the MS Graph (or other APIs behind Azure AD security):

GrahamMcMynn commented 2 years ago

Hi @MarksPoint - It sounds like your issue is fixed for now (let me know if I misunderstood that).

Just wanted to point out that the error you were seeing (Token request previously failed) happens now whenever you request a token for something that already failed. We only request a token once every 5 minutes if it previously failed. The reason why we are doing that is that it allows us to detect problems better. Too many solutions were written that had a tight loop that would request a token, fail, then try requesting it again even though the problem was not transient. By blocking the requests before they hit the server it allows us to monitor our service better so we have a better idea of what is actually failing and affecting customers.

The actual error that you were seeing would only be shown the first time (or once every 5 minutes if you are in a tight loop).
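The throttling GrahamMcMynn describes, as an added illustration that is not SPFx's own code: a negative cache placed in front of the real token fetch. Once acquisition for a resource fails, further attempts for that resource inside the window (5 minutes in the thread) are rejected locally with "Token request previously failed" and never reach the server, so the informative server error is only visible on the first attempt in each window. The createTokenGate/acquire names, the synchronous fetchToken callback, the injectable clock and the constructed odata.error 10009 failure are assumptions made for this example.

```javascript
// Added example, not SPFx's own code: a negative cache for token requests.
// Once acquisition for a resource fails, further attempts for that resource
// within the backoff window are rejected locally with
// "Token request previously failed" instead of being sent to the server.
// The 5-minute window is from the thread; the names, the synchronous
// fetchToken callback and the injectable clock are assumptions.

const FAILURE_BACKOFF_MS = 5 * 60 * 1000;
const PREVIOUSLY_FAILED = "Token request previously failed";

function createTokenGate(options = {}) {
  const backoffMs = options.backoffMs ?? FAILURE_BACKOFF_MS;
  const now = options.now ?? (() => Date.now());
  const failures = new Map(); // resource -> { at, error } of the last failed attempt
  let serverCalls = 0;

  return {
    // fetchToken(resource) performs the real acquisition (for SPFx, the
    // on-behalf-of exchange) and returns a token or throws the server's error.
    acquire(resource, fetchToken) {
      const last = failures.get(resource);
      if (last && now() - last.at < backoffMs) {
        const err = new Error(PREVIOUSLY_FAILED);
        err.cause = last.error; // the original server error stays reachable
        err.retryAfterMs = backoffMs - (now() - last.at);
        throw err;
      }
      serverCalls += 1;
      try {
        const token = fetchToken(resource);
        failures.delete(resource); // a success clears the negative entry
        return token;
      } catch (error) {
        failures.set(resource, { at: now(), error });
        throw error;
      }
    },
    serverCallCount() {
      return serverCalls;
    },
  };
}

// Constructed failure, shaped like the odata.error 10009 body quoted in this thread.
const RESOURCE_ERROR_MESSAGE =
  "The target resource is invalid because it does not exist, cannot be found, or it is not correctly configured.";

function failingFetch() {
  const err = new Error(RESOURCE_ERROR_MESSAGE);
  err.code = "10009";
  throw err;
}

// A "tight loop" of three attempts one second apart, then one more attempt
// after the window has elapsed. Returns what each attempt saw and how many
// attempts actually reached the (simulated) server.
function demo() {
  let clock = 0;
  const gate = createTokenGate({ now: () => clock });
  const resource = "https://graph.microsoft.com";
  const seen = [];
  for (let i = 0; i < 3; i += 1) {
    try {
      gate.acquire(resource, failingFetch);
    } catch (e) {
      seen.push(e.message);
    }
    clock += 1000;
  }
  clock += FAILURE_BACKOFF_MS;
  try {
    gate.acquire(resource, failingFetch);
  } catch (e) {
    seen.push(e.message);
  }
  return { seen, serverCalls: gate.serverCallCount() };
}

console.log(demo());
```

Run with node: the first and fourth attempts surface the server's 10009 message, the second and third only the local "previously failed" error, and only two attempts reach the server. When debugging a web part, the useful error is therefore the first one in any 5-minute window; a retry loop only ever sees the gate.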

ghost commented 2 years ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within the next 7 days of this comment. Please see our wiki for more information: Issue List Labels: Needs Author Feedback & Issue List: No response from the original issue author

harshdamaniahd commented 2 years ago

> Thanks for the update regarding the expected timeline for the Teams Mobile Client fix. Meanwhile we will be using the workaround as mentioned in this topic by changing the "accessTokenAcceptedVersion" property value to "1" for the SharePoint Online Client App Principal (as that seems to work for our solutions).

I tried this. Do we also need to sign in to a web browser after doing this?

Rtoribiog commented 2 years ago

Hello, the workaround didn't work for me. We tried to update the SharePoint Online client app principal and it raises this error.

Failed to update SharePoint Online Client Extensibility Web Application Principal application. Error detail: Values of IdentifierUris property must use a verified domain of the organization or its subdomain: https://microsoft.spfx3rdparty.com/ [H7jdSnBpV1NKr+xbmXrg8c] @lucabandMSFT

GrahamMcMynn commented 2 years ago

@Rtoribiog - can you delete the app SharePoint Online Client Extensibility Web Application Principal from AAD and then revisit the web API access page? https://microsoft.spfx3rdparty.com should no longer be added to the identifier URIs.

After deleting that app and having it recreated you will have to re approve all your web api permissions.

Rtoribiog commented 2 years ago

Hello @GrahamMcMynn, we cannot apply changes in a production environment if it's not documented, with a rollback procedure, etc.

Is there any documentation related to this change? How to delete the app and how to recreate it afterwards?

We have several web parts relying on this and it can break the intranet; it's quite critical.


Rtoribiog commented 2 years ago

hello @GrahamMcMynn, can you put together a quick list of steps that we need to follow in order to delete the app and make it work? Is there any rollback procedure to take into account? Thanks


mgwojciech commented 2 years ago

I did some more digging. In my case I've noticed that in the chunk.adalauthcontext file there is a method _fetchAccessToken. In this method another method is called, _fetchAccesTokenSilent. Two parameters are passed to _fetchAccesTokenSilent: the first one is the request resource URI (for example https://graph.microsoft.com) and the second one is some kind of config parameter ({usedNewAuth: false}). However _fetchAccesTokenSilent accepts 3 parameters. The last one is used to call _getOboAuthToken. In my case this is where things break, as there is no 3rd parameter. If I understand correctly, now we should call _exchange1PTokenFor3P with at least one parameter being the app resource URI, but we end up calling it with undefined parameters.

If anyone still has this issue you can check that by setting a breakpoint in the chunk.adalauthcontext file at line 216 (at least in the current version of the file it's line 216).

Of course I might be wrong here as this and passing the undefined parameters might be correct there so feel free to correct me here.

lucabandMSFT commented 2 years ago

@Rtoribiog, sorry for the delay in answering: can you check if you or your customer can navigate to the API Access page in SharePoint Tenant Admin with an account that is both SPO Tenant admin and AAD Global Admin and see if that solves the issue?

If not, I'm more than happy to jump on a call with you and your customer to explain why and what the workaround proposed by @GrahamMcMynn would solve, if that can help.

thanks

Rtoribiog commented 2 years ago

Hello @lucabandMSFT, we did the workaround you mentioned. But it still doesn't work. We see an infinite loading spinner and that's all. Apart from this I would like to mention that we have conditional access enabled. Can we set up a call to see if you can figure out where the problem is? Thanks (screenshot: WhatsApp Image 2022-04-27 at 8 27 16 AM)

mgwojciech commented 2 years ago

@Rtoribiog check if in your Teams app manifest under webApplicationInfo.resource you have "https://{teamSiteDomain}". If so, change it to your tenant URL. Update the app version (and maybe the name for testing, to see if you are getting the new version on mobile). This should get you past this infinite spinner.

Rtoribiog commented 2 years ago

hello @mgwojciech, thanks for the hint. We were previously using the tenant URL in the manifest but it stopped working, then we changed to "https://{teamSiteDomain}", which worked for a while but stopped working again due to the SharePoint app registration. I'm not sure if this will work but I will take a look. Thanks


Rtoribiog commented 2 years ago

@lucabandMSFT any hint ? Thanks

lucabandMSFT commented 2 years ago

@Rtoribiog , sorry for my delay in answering.

Can you please paste here the manifest from AAD for the "SharePoint Online Client Extensibility Web Application Principal" object?

Please ensure that any information there that you perceive as sensitive is removed before pasting it. I want to check if there are some incongruencies in the manifest.

Thanks

NLRotterdam commented 2 years ago

@lucabandMSFT We are facing a very similar, but slightly different issue.

- Our SPFx app in the Teams mobile app is usually functioning 100%.
- The solution works 100% in Teams desktop and also when exposed as a normal web part in SharePoint.
- Sometimes (at seemingly random times) it loses access with error AADSTS50078 (screenshot attached).
- If this is the case, only Graph and Azure Function calls fail.
- Sometimes clearing storage and opening SharePoint fixes it. Other times the user has to repeat this process multiple times to clear the error.
- We have also tried all the steps here and nothing is working.

We have been developing this app for a long time and it will be used by 30.000 students, so it's paramount that this gets resolved. Any steps that we could take?

For reference, this is our SharePoint Online Client Extensibility Web Application Principal manifest:

```json
{
  "id": "f9f98229-5dc3-4e59-8f79-88e254a5bffc",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": 1,
  "addIns": [],
  "allowPublicClient": null,
  "appId": "0a54c116-a2e0-4dae-a20b-51aaa758717e",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2020-08-04T09:58:24Z",
  "description": null,
  "certification": null,
  "disabledByMicrosoftStatus": null,
  "groupMembershipClaims": null,
  "identifierUris": [
    "api://{TENANTID}/microsoft.spfx3rdparty.com"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "SharePoint Online Client Extensibility Web Application Principal",
  "notes": null,
  "oauth2AllowIdTokenImplicitFlow": true,
  "oauth2AllowImplicitFlow": true,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
      "id": "bebcf95f-40da-4297-a6e2-2ea01ac125ac",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "type": "User",
      "userConsentDescription": "Allow the application to access SharePoint Online Client Extensibility Web Application Principal on your behalf.",
      "userConsentDisplayName": "Access SharePoint Online Client Extensibility Web Application Principal",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [
    {
      "customKeyIdentifier": "LfA7uVeKsUWsAoQQoZqdgQ==",
      "endDate": "2070-08-04T09:58:25.364108Z",
      "keyId": "d764774f-2333-4c41-bc06-1cee023f2f97",
      "startDate": "2020-08-04T09:58:25.364108Z",
      "value": null,
      "createdOn": null,
      "hint": null,
      "displayName": null
    }
  ],
  "preAuthorizedApplications": [
    {
      "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
      "permissionIds": [
        "bebcf95f-40da-4297-a6e2-2ea01ac125ac"
      ]
    },
    {
      "appId": "08e18876-6177-487e-b8b5-cf950c1e598c",
      "permissionIds": [
        "bebcf95f-40da-4297-a6e2-2ea01ac125ac"
      ]
    },
    {
      "appId": "00000003-0000-0ff1-ce00-000000000000",
      "permissionIds": [
        "bebcf95f-40da-4297-a6e2-2ea01ac125ac"
      ]
    }
  ],
  "publisherDomain": "{tenant}.onmicrosoft.com",
  "replyUrlsWithType": [
    {
      "url": "https://{tenant}-admin.sharepoint.com/_forms/spfxsinglesignon.aspx",
      "type": "Web"
    },
    {
      "url": "https://{tenant}.sharepoint.com/_forms/spfxsinglesignon.aspx?redirect",
      "type": "Web"
    },
    {
      "url": "https://{tenant}.sharepoint.com/_forms/spfxsinglesignon.aspx",
      "type": "Web"
    },
    {
      "url": "https://{tenant}.sharepoint.com/",
      "type": "Web"
    }
  ],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}
```

Thanks in advance and kind regards, Niels Noorlander
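An offline review of the two manifests this thread keeps coming back to, added here as example code that is not Microsoft's and not part of the original thread. It turns the thread's observations into review findings: accessTokenAcceptedVersion set to 1 on the "SharePoint Online Client Extensibility Web Application Principal" (the workaround lucabandMSFT posted and MarksPoint confirmed), identifierUris in the api://{tenant-id}/microsoft.spfx3rdparty.com form mgwojciech described rather than the https://microsoft.spfx3rdparty.com/ entry AAD rejected for Rtoribiog, and webApplicationInfo.resource in the Teams app manifest (mgwojciech's hint about the {teamSiteDomain} moniker). These are observations from the thread, not a documented contract, so the output is a list of things to look at, not a pass/fail verdict. The function names, the expected tenant id and tenant URL parameters, and the trimmed sample manifests (the relevant fields of the one posted above, with a made-up tenant id in place of {TENANTID}) are all constructed for this example.

```javascript
// Added example, not Microsoft's code: review findings over the SPFx
// principal manifest and a Teams app manifest, based only on what this
// thread reports. Names and parameters are assumptions for illustration.

const SPFX_PRINCIPAL_NAME =
  "SharePoint Online Client Extensibility Web Application Principal";
const SPFX_3P_HOST = "microsoft.spfx3rdparty.com";
const TEAM_SITE_DOMAIN_MONIKER = "https://{teamSiteDomain}";
const GUID_URI = /^api:\/\/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\/(.+)$/i;

// Returns a list of findings; empty when none of the thread's points apply.
function reviewSpfxPrincipalManifest(manifest, expectedTenantId) {
  const findings = [];
  if (manifest.name !== SPFX_PRINCIPAL_NAME) {
    findings.push(`name is "${manifest.name}", expected "${SPFX_PRINCIPAL_NAME}"`);
  }
  if (manifest.accessTokenAcceptedVersion !== 1) {
    findings.push(
      `accessTokenAcceptedVersion is ${JSON.stringify(manifest.accessTokenAcceptedVersion)}; ` +
        "the workaround in this thread sets it to 1"
    );
  }
  const uris = Array.isArray(manifest.identifierUris) ? manifest.identifierUris : [];
  if (uris.length === 0) {
    findings.push("identifierUris is empty");
  }
  for (const uri of uris) {
    if (/^https?:\/\//i.test(uri)) {
      // AAD rejected https://microsoft.spfx3rdparty.com/ for Rtoribiog because
      // the domain is not verified for the tenant.
      findings.push(`identifierUri ${uri} uses an https:// form that AAD rejects for an unverified domain`);
      continue;
    }
    const m = GUID_URI.exec(uri);
    if (!m) {
      findings.push(`identifierUri ${uri} is not of the form api://{guid}/${SPFX_3P_HOST}`);
      continue;
    }
    if (m[1].toLowerCase() !== expectedTenantId.toLowerCase()) {
      findings.push(`identifierUri ${uri} carries a GUID other than the tenant id ${expectedTenantId}`);
    }
    if (m[2] !== SPFX_3P_HOST) {
      findings.push(`identifierUri ${uri} does not end in ${SPFX_3P_HOST}`);
    }
  }
  return findings;
}

function reviewTeamsManifest(teamsManifest, tenantSharePointUrl) {
  const info = teamsManifest.webApplicationInfo;
  if (!info || typeof info.resource !== "string") {
    return ["webApplicationInfo.resource is missing"];
  }
  if (info.resource === TEAM_SITE_DOMAIN_MONIKER) {
    return [
      `webApplicationInfo.resource is ${TEAM_SITE_DOMAIN_MONIKER}; Teams mobile did not support ` +
        "the moniker at the time of this thread, and the suggested change was the tenant URL",
    ];
  }
  if (info.resource !== tenantSharePointUrl) {
    return [`webApplicationInfo.resource is ${info.resource}, not the tenant URL ${tenantSharePointUrl}`];
  }
  return [];
}

// Constructed sample: the relevant fields of the manifest posted above,
// with a made-up tenant id in place of the {TENANTID} placeholder.
const SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555";
const SAMPLE_PRINCIPAL = {
  name: SPFX_PRINCIPAL_NAME,
  accessTokenAcceptedVersion: 1,
  identifierUris: [`api://${SAMPLE_TENANT_ID}/${SPFX_3P_HOST}`],
  signInAudience: "AzureADMyOrg",
};

// Constructed counter-example: accessTokenAcceptedVersion not set to 1 and
// the https:// identifier URI from the error Rtoribiog reported.
const BROKEN_PRINCIPAL = {
  name: SPFX_PRINCIPAL_NAME,
  accessTokenAcceptedVersion: null,
  identifierUris: [`https://${SPFX_3P_HOST}/`],
  signInAudience: "AzureADMyOrg",
};

// Constructed Teams manifest fragment using the moniker.
const SAMPLE_TEAMS_MANIFEST = {
  webApplicationInfo: { id: "00000000-0000-0000-0000-000000000000", resource: TEAM_SITE_DOMAIN_MONIKER },
};

console.log(reviewSpfxPrincipalManifest(SAMPLE_PRINCIPAL, SAMPLE_TENANT_ID));
console.log(reviewSpfxPrincipalManifest(BROKEN_PRINCIPAL, SAMPLE_TENANT_ID));
console.log(reviewTeamsManifest(SAMPLE_TEAMS_MANIFEST, "https://contoso.sharepoint.com"));
```

Run against an exported manifest (the portal's manifest view, redacted as lucabandMSFT asks above) before and after applying the workaround; the posted manifest yields no findings, which is consistent with NLRotterdam's report that the workaround is already in place and the problem persists. Keep the pre-change export: editing or deleting this principal is tenant-wide and the thread notes that recreating it forces re-approval of every web API permission, so the export is the rollback artifact Rtoribiog was asking for.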


ghost commented 2 years ago

Closing issue due to no response from the original author. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: No response from the original issue author