AADSTS500131: Assertion audience does not match the Client app presenting the assertion. [...]

[MarksPoint]

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

macOS

What browser(s) / client(s) have you tested

• [ ] 💥 Internet Explorer
• [ ] 💥 Microsoft Edge
• [X] 💥 Google Chrome
• [ ] 💥 FireFox
• [ ] 💥 Safari
• [X] mobile (iOS/iPadOS)
• [ ] mobile (Android)
• [ ] not applicable
• [X] other (enter in the "Additional environment details" area below)

Additional environment details

• browser version: Chrome Version 99.0.4844.51 (Official Build) (arm64)
• SPFx version: 1.14.0
• Node.js version: v14.17.0

The issue occurs in the Teams Desktop application, Version 1.5.00.6270 on MacOS (but issue also seen on Windows 11 machine).

Describe the bug / error

We get the following error when we try to access the Graph API:

Error: "AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was 'https://`TENANT`.sharepoint.com' and the expected audience is 'APPID' or one of the Application Uris of this application with App ID 'APPID'(SharePoint Online Client Extensibility Web Application Principal). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.\r\nTrace ID: ac9a997a-26ac-4319-8ea7-2ccf70f82900\r\nCorrelation ID: f4d0700d-c41d-49cd-aba4-3fac0d226a6b\r\nTimestamp: 2022-03-17 09:10:36Z"

where TENANT is our tenant name and APPID is the Application (client) ID of the SharePoint Online Client Extensibility Web Application Principal app registration.

It happens only in this specific situation:

• Using the Teams desktop client (Both seen on MacOS & Windows 11, see version above)
• Using a (custom) Teams app with a personal static tab pointing to (contentUrl): "https://{teamSiteDomain}/_layouts/15/teamslogon.aspx?spfx=true&dest=https://{teamSiteDomain}`SITEPATH`?app=portals" where SITEPATH is the path to the homesite of our SharePoint tenant, in our case '/sites/develop'. (Note that we've got Viva Connections 'activated' and this is the designated homesite.
• The error only occurs the first time you open the app (after you've closed the Teams app). Subsequent 'visits', like for instance when you switch to the Files tab and then go back to the custom app, it works without the error.

Note that is doesn't give this error in the Teams mobile client (tested on iOS, version 4.4.0), nor does it give the error in the Teams website client (tested in Chrome). It only shows this behavior in the Teams Desktop client.

Steps to reproduce

Part 1: The SPFx solution with the web part

To make it reproducable, I've created a new SPFx solution, version 1.14, using the Yeoman generator.

Attached you'll find the packaged solution teams-authentication-issue.sppkg.zip as well as the SPFx solution source code.zip

You can also build a new solution yourself. The steps are simple:

Yeoman generator Use the Yeoman generator to make a new SPFx 1.14 solution, include a Web Part, no React is necessary for this

Install the pnp graph dependency npm install @pnp/graph@2

add required permission scope to package-solution.json

 "webApiPermissionRequests": [
            {
                "resource": "Microsoft Graph",
                "scope": "Group.Read.All"
            }
        ]

update the WebPart code (HelloWorldWebPart.ts in my case)

protected onInit(): Promise<void> {
    return super.onInit().then((_) => {
        graph.setup({
            spfxContext: this.context,
        });
    });
}

public render(): void {
    // A simple loading message
    this.domElement.innerHTML = `Loading...`;

    // here we will load my groups
    graph
        .groups()
        .then((groups) => {
            this.domElement.innerHTML = `Groups: <ul>${groups
                .map((g) => `<li>${g.displayName}</li>`)
                .join('')}</ul>`;
        })
        .catch((err) => {
            this.domElement.innerHTML = `Error: ${JSON.stringify(err)}`;
        });
}

Part 2: Installing package & adding web part to page

1. Install the package in the tenant or site application catalog (we installed in site application catalog)
2. Make sure the API permissions are approved (to allow the groups call)
3. Add the app to the site
4. Add the included web part "Teams Graph Issue" to the homepage of the site (we removed all other web parts)
5. Republish the page
6. If all went well, you should see something that looks like this:

Part 3: The Teams package

Either use attached TeamsPackage.zip or make one yourself using the following manifest.json:

{
    "$schema": "https://developer.microsoft.com/json-schemas/teams/v1.11/MicrosoftTeams.schema.json",
    "manifestVersion": "1.11",
    "version": "1.0.0",
    "id": "85c03e76-08bf-4596-b27e-67fb45d779ae",
    "developer": {
        "name": "Contoso",
        "websiteUrl": "https://contoso.com",
        "privacyUrl": "https://contoso.com/privacypolicy",
        "termsOfUseUrl": "https://contoso.com/terms",
        "mpnId": ""
    },
    "icons": {
        "outline": "outline_icon.png",
        "color": "color_icon.png"
    },
    "accentColor": "#ffaa00",
    "name": {
        "short": "Hello World",
        "full": "Hello World"
    },
    "description": {
        "short": "Hello World",
        "full": "Hello World"
    },
    "isFullScreen": true,
    "staticTabs": [
        {
            "entityId": "com.contoso.personaltab",
            "name": "Hello World",
            "contentUrl": "https://{teamSiteDomain}/_layouts/15/teamslogon.aspx?spfx=true&dest=https://{teamSiteDomain}?app=portals",
            "searchUrl": "https://{teamSiteDomain}/_layouts/15/search.aspx?q={searchQuery}",
            "scopes": ["personal"]
        }
    ],
    "localizationInfo": {
        "defaultLanguageTag": "en",
        "additionalLanguages": []
    },
    "permissions": ["identity", "messageTeamMembers"],
    "validDomains": [
        "{teamSiteDomain}",
        "*.login.microsoftonline.com",
        "*.sharepoint.com",
        "*.sharepoint-df.com",
        "spoppe-a.akamaihd.net",
        "spoprod-a.akamaihd.net",
        "resourceseng.blob.core.windows.net",
        "msft.spoppe.com"
    ],
    "webApplicationInfo": {
        "id": "00000003-0000-0ff1-ce00-000000000000",
        "resource": "https://{teamSiteDomain}"
    }
}

Part 4: install the Teams package

1. In the Teams Desktop client go to Apps
2. Click Manage your apps
3. Click Upload a custom app
4. Use the package mentioned in Part 3
5. Click Add

You should be automatically navigated to the app. This is where it fails! It looks something like this:

If you switch to the Files tab and then back to the app, you'll see that it now works fine:

Note: Closing the Teams app and re-opening will trigger the error (once) again.

Using the browser, it works correctly all the time:

Also, using Teams mobile it works fine all the time:

Expected behavior

Obviously, we don't want to get the error. Instead, we want it to always work correctly in all scenarios.

[ghost]

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[GrahamMcMynn]

Hi @MarksPoint - Can you verify that the manifest you are using you have NOT modified the value here: "webApplicationInfo": { "id": "00000003-0000-0ff1-ce00-000000000000", "resource": "https://{teamSiteDomain}" }

ie you have left https://{teamSiteDomain} untouched and did NOT modify it to be the url of your tenant

That error is a known issue if you were to actually resolve that value in your app. Please confirm that you have not done this.

[MarksPoint]

Hi @GrahamMcMynn , I confirm that I did NOT change that value in the manifest and left it UNTOUCHED. It's exactly as it was pasted here in my OP (and in the attached zip package as well). So, it says:

"webApplicationInfo": {
        "id": "00000003-0000-0ff1-ce00-000000000000",
        "resource": "https://{teamSiteDomain}"
    }

[GrahamMcMynn]

Thanks for confirming that, I'll try to dig into this and figure out what is going wrong.

[GrahamMcMynn]

@MarksPoint - Would it be possible to send me a trace of the request failing? If that is possible could you send it to grahamc at microsoft.com?

[MarksPoint]

@GrahamMcMynn , I've sent you two HAR-files. One recorded during a failed attempt, one during a successful attempt.

[GrahamMcMynn]

@MarksPoint - in your tab URL you added the query string ?app=portals. Why are you doing that? It is unsupported. It makes the code think you are our first party app. However, you are NOT running as our first party app and therefore the code fails to get tokens correctly. You must remove that query string.

[MarksPoint]

@GrahamMcMynn - We've added this because from what we've understood, this is the way to make sure we get the SharePoint navigation working in Teams. If we remove ?app=portals, only the page itself is loaded but all navigation is hidden.

Is there another way to get the navigation working?

For your info: using the 1st party Viva Connections app isn't feasible for our clients, because the experience on mobile devices is so much different from what they see on the desktop: The 'native' Dashboard and News tabs are forced on mobile instead of the actual homepage (including our custom solution they expect).

[MarksPoint]

@GrahamMcMynn - I would like to add to the discussion about whether this is supported or not that this exception also occurs in all the Viva Connections packages that were created with Microsoft's own PowerShell script: https://www.microsoft.com/en-us/download/confirmation.aspx?id=102888

And here a colleague of yours explains what's typical in these Teams packages that are created using the PowerShell script, including the fact that "?app=portals" is part of the content url: https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/the-home-site-app-for-microsoft-teams/bc-p/2258116/highlight/true#M5698

I can't stress enough how urgent this issue is for us (and possibly for other vendors as well) because customers who used this PowerShell script to generate their Home Site/Viva Connections Teams package this way, now see errors when they use the Teams desktop client with their SharePoint intranet together with any 3rd party web part trying to connect to an Azure AD secured API.

I'd like to add to this that, according to our logs, this exception occured first at March 4th. Before this, everything worked fine with these Teams packages.

[GrahamMcMynn]

@MarksPoint - we will be rolling out a fix for this that will make 3rd party authentication work even if you have the app=portals in the query string. It will unfortunately not be in production until approximately April 13th (that is due to our rollout cadence).

You are correct, this was a regression as we did not expect customers to be using app=portals in the query string (and I read the comment from somebody at msft suggesting that). We are making this change realizing customers are using app=portals and we will support that going forward.

[GrahamMcMynn]

@MarksPoint - Please let me know if this issue has been resolved for you.

[MarksPoint]

Hi @GrahamMcMynn , we're still seeing this issue at the moment. Is the solution rolled out to all tenants already?

Below a chart of the number of times we logged the issue. (the amount is smaller after March 28th when we rolled out a new version of our solution with a change in how we handle this specific issue)

The last occurence was 1,5 hours ago around 8PM CET.

[MarksPoint]

@GrahamMcMynn - Good news: We haven't seen the issue since that last one yesterday evening around 8PM! We'll keep monitoring the tenants of course, but it looks promising and today we're very happy (and so are our customers!). Thanks for your assistance in this. I'll close this issue tomorrow afternoon if it's still looking good.

[GrahamMcMynn]

@MarksPoint - thanks for following up!

[MarksPoint]

Closing the issue as we no longer see it occur on our end!

[ghost]

Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues