SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

Graph Endpoints that require administrative roles not working #9368

Open Tanddant opened 10 months ago

Tanddant commented 10 months ago

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

None

What browser(s) / client(s) have you tested

Additional environment details

SPFx 1.17.2 Chrome Version 119.0.6045.200 (Official Build) (64-bit)

Describe the bug / error

I'm having an interesting issue: when I'm using the MSGraphClientV3 in SPFx, the following call fails:

PATCH https://graph.microsoft.com/v1.0/admin/people/profileCardProperties/UserPrincipalName

BODY

{
    "annotations": [
        {
            "displayName": "UPN",
            "localizations": [
                {
                    "displayName": "Test122",
                    "languageTag": "ar-TN"
                }
            ]
        }
    ]
}

I get a 403 Forbidden

Response

{
    "error": {
        "code": "UnknownError",
        "message": "",
        "innerError": {
            "date": "2023-12-04T12:35:12",
            "request-id": "18740317-0dd0-4bd9-abf6-cb28e777c11e",
            "client-request-id": "7b1ef20a-fc9d-64d3-3ed8-c12e27c8a81c"
        }
    }
}

What I (with the help of the Graph support team) have narrowed it down to is that if I create a token via Postman, Graph Explorer, or elsewhere, I get a property like this:

"wids": [
      "62e90394-69f5-4237-9190-012177145e10",
      "b79fbf4d-3ef9-4689-8143-76b194e85509"
],

whereas the SPFx token only has a "haswids": "true",

Steps to reproduce

Create SPFx solution, grant the PeopleSettings.ReadWrite.All graph permissions, and follow the docs to get a GraphClientV3

https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial#using-msgraphclientv3

Try the request from above and watch it fail; retry in Graph Explorer to validate your user does indeed have the required permissions.

Expected behavior

The token should grant the same permissions as the Graph Explorer (not same scopes, but same roles)
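The comparison described in the post above (a token carrying `wids` versus one carrying only `haswids`) can be scripted for any access token you capture. This is an added example, not code from the issue thread or from SPFx; it assumes Node.js, and the function names and the two sample tokens are constructed here for illustration.

```javascript
// Added diagnostic example. Decodes a JWT payload WITHOUT verifying the
// signature: use it to inspect claims, never to make authorization decisions.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT (expected 3 dot-separated segments)");
  }
  // JWT segments are base64url-encoded JSON.
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Report how directory roles are represented in the token:
//   wids-inline     -> role template IDs are listed in the token
//   haswids-only    -> only the "haswids" marker is present, no role IDs
//   no-role-claims  -> neither claim is present
function classifyRoleClaims(token) {
  const payload = decodeJwtPayload(token);
  if (Array.isArray(payload.wids) && payload.wids.length > 0) {
    return { kind: "wids-inline", roles: payload.wids };
  }
  if (payload.haswids === true || payload.haswids === "true") {
    return { kind: "haswids-only", roles: [] };
  }
  return { kind: "no-role-claims", roles: [] };
}

// Helper that builds constructed, unsigned sample tokens (hypothetical data).
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

// Constructed token shaped like the Postman / Graph Explorer one in the post.
const TOKEN_WITH_WIDS = makeSampleToken({
  scp: "PeopleSettings.ReadWrite.All",
  wids: [
    "62e90394-69f5-4237-9190-012177145e10",
    "b79fbf4d-3ef9-4689-8143-76b194e85509",
  ],
});

// Constructed token shaped like the SPFx one in the post.
const TOKEN_HASWIDS_ONLY = makeSampleToken({
  scp: "PeopleSettings.ReadWrite.All",
  haswids: "true",
});

console.log(classifyRoleClaims(TOKEN_WITH_WIDS).kind);    // wids-inline
console.log(classifyRoleClaims(TOKEN_HASWIDS_ONLY).kind); // haswids-only
```
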

ghost commented 10 months ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

Tanddant commented 10 months ago

There is a whole X thread where I discussed this a few weeks back

https://twitter.com/alexaterentiev/status/1723447400843432104

AJIXuMuK commented 10 months ago

Thanks @Tanddant for raising the issue! We can repro it and will be working on the fix. No ETA as of now though, as the fix requires a bump of the MSAL library, which is not a quick thing to do.

Tanddant commented 10 months ago

> Thanks @Tanddant for raising the issue! We can repro it and will be working on the fix. No ETA as of now though, as the fix requires a bump of the MSAL library, which is not a quick thing to do.

No worries - thanks for recognizing the issue, we'll see what time brings 🤞 - now this is here for others to find 😊