🐞 Bug report: Account pane not populated (no username, sites list, service health)

[germain-italic]

⭐ Priority

(Medium)😢 I'm annoyed but I'll live

📝 Describe the bug

• I can sign in and sign out on my tenant as full admin
• I can see the Tenant App Catalog
• But there is no Site App Catalogs menu
• I can deploy sppkg using the extension
• But I cannot select in which catalog (therefore my app is deployed tenant-wide)

👣 Steps To Reproduce

• Install extension
• Check installed dependencies
• Create a new project
• Sign in
• Wait and nothing appears under Account
• Try to use Refresh Account View, same result
• Using m365 spo site list works as expected

📜 Expected behavior

• Account name visible
• List of sites in the tenant visible

📷 Screenshots

❓SharePoint Framework Toolkit version

v3.4.0

❓Node.js version

v18.17.1

🤔 Additional context

From the Output window:

> M365 CLI - status: "Logged out"
[2024-07-25T22:34:24.121Z] [INFO]
> Device code: DJXNFPDQR
[2024-07-25T22:34:36.890Z] [ERROR]
> M365 CLI - login: [object Object]
[2024-07-25T22:34:36.891Z] [INFO]
> M365 CLI - Logged in to M365
[2024-07-25T22:34:36.894Z] [INFO]
> M365 CLI - status: {
  "connectedAs": "me@mydomain.com",
  "authType": "DeviceCode",
  "appId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
  "appTenant": "common",
  "cloudType": "Public"
}
[2024-07-25T22:34:36.906Z] [INFO]
> Running CLI command: spo tenant appcatalogurl get
"https://mytenant.sharepoint.com/sites/catalog_app"
[2024-07-25T22:34:43.154Z] [INFO]
> Running CLI command: spo site appcatalog list
[]
[2024-07-25T22:34:44.154Z] [INFO]
> Running CLI command: tenant serviceannouncement health list

[Adam-it]

hey @germain-italic thanks for opening up the issue and letting us know 👍 You Rock 🤩. From the log you provided it seems like there is already something wrong with login to CLI for M365

and then the list of site level app catalogs is empty.

Do you have separate installation of CLI for Microsoft 365 on the same node version you mentioned? (so 18.17.1)?

Could you try to do the following:

1. in SPFx Toolkit sign out from your tenant by running the VS Code command: Sign out from M365
2. [if you have local version of CLI run] m365 cli config reset
3. Restart VS: either run VS Code command Relaod Window or just close all opened VS Code and open
4. try to sign in again using VS Code

[germain-italic]

Thanks for your reply!

Do you have separate installation of CLI for Microsoft 365 on the same node version you mentioned? (so 18.17.1)?

Yes, it was installed before. But I also tried to uninstall it completely.

m365 cli config reset did not solve the issue.

I am very curious about what's hidden behind the error in the log:

[2024-07-26T21:58:44.613Z] [ERROR]
> M365 CLI - login: [object Object]

I've also tried downgrading to 6.11.0 and 5.9.0, but no luck.

[Adam-it]

Actually your local instance of CLI for M365 will not interfere with the CLI for M365 npm package which comes along in bundle with the VS Code extension. You may have both installed in different versions and it will work perfectly fine. The only problem is CLI config which is saved in user data and then both local CLI for M365 and the one bundled in VS Code extension share the same place. This is a minor issue and should not break any SPFx Toolkit functionality but still this was my first guess 😉.

Anyway. May I kindly as you to check using standard CLI for Microsoft 365 (installed locally not the one bundled in VS Code extension) to do the same operations and check if you see any response? So please run

1. standard login m365 login
2. query site appcatalogs m365 spo site appcatalog list and check if you see any response
3. query tenant health m365 tenant serviceannouncement health list and check if you see any response

[Adam-it]

in the 3.4.0 version of SPFx toolkit I managed to reproduce the strange case with login error object object

I debugged it and it turns out it is actually not an error. The CLI command returns the output of login command as stderr in this case, I think mainly due to the fact not to clutter the stdout but I am not sure TBH. Maybe it is also my fault when converting CLI to cjs and I made some mistake.

anyway I expect in your case it is same thing and that error is just standard response of logged account. For sure something not nice to see in the logs and needs to be fixed up but rather not the source of the issue.

When checking again the screenshot of your logs it seems the tenant serviceannouncement health list command never executes and brings some response 🤔

it just hangs or loads 🤔. No output, no error. This is strange and kinda make sense why you do not see the account view as it is loaded only after tenant health command finished but it seems in your case it never ends and that is why the account view is never loaded

[Adam-it]

I have some ideas to make this a bit more bulletproof and maybe it will solve your case. I will try to create some fixup over the weekend and do a pre-release of the extension so you may test it out ASAP (but you will need to switch to pre-release of the VS Code extension to have an early fix) in the mean time please double check getting the health and site level app catalogs using standard CLI and let me know if you see any response.

[Adam-it]

ok I did an update to the cjs version of CLI to log to stdout which will resolve the strange error in logs for the login command

https://github.com/Adam-it/cli-microsoft365/commit/66beef86d69b54c12793b13f13d3351135d3e542

As I checked in esm version of CLI we already do that so I guess it was my mistake. Sorry for that This will be part of next release be default As I said I am almost sure this is not the source of the problem and I still need to revisit some code to understand that. @germain-italic in the meantime the additional check using from this comment would be extremely helpful to me 🙏

[germain-italic]

1. standard login m365 login

Purposefully done with 6.x to avoid 7.x ESM collision:

PS D:\Sites\sp_modern\app-extension> m365 version
"v6.11.0"

PS D:\Sites\sp_modern\app-extension> m365 login

   ╭──────────────────────────────────────────────────╮
   │                                                  │
   │        Update available 6.11.0 → 7.10.0          │
   │   Run npm i -g @pnp/cli-microsoft365 to update   │
   │                                                  │
   ╰──────────────────────────────────────────────────╯

"To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code GS8PPWHTK to authenticate."
{
  connectedAs: '*****@*****.com',
  authType: 'DeviceCode',
  appId: '31359c7f-bd7e-475c-86db-fdb8c937548e',
  appTenant: 'common',
  cloudType: 'Public'
}

2. query site appcatalogs m365 spo site appcatalog list and check if you see any response

PS D:\Sites\sp_modern\app-extension> m365 spo site appcatalog list
[]

3. query tenant health m365 tenant serviceannouncement health list and check if you see any response

PS D:\Sites\sp_modern\app-extension> m365 tenant serviceannouncement health list
Error: [object Object]

PS D:\Sites\sp_modern\app-extension> m365 tenant serviceannouncement health list --verbose
Error: [object Object]

PS D:\Sites\sp_modern\app-extension> m365 tenant serviceannouncement health list --debug  
Executing command tenant serviceannouncement health list with options {"options":{"debug":true,"output":"json"}}
Existing access token ***** still valid. Returning...
Request:
{
  "url": "https://graph.microsoft.com/v1.0/admin/serviceAnnouncement/healthOverviews",
  "method": "get",
  "headers": {
    "common": {
      "Accept": "application/json, text/plain, */*"
    },
    "delete": {},
    "get": {},
    "head": {},
    "post": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "put": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "patch": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/6.11.0",
    "accept-encoding": "gzip, deflate",
    "X-ClientService-ClientTag": "M365CLI:6.11.0",
    "accept": "application/json;odata.metadata=none",
    "authorization": "Bearer *****"
  },
  "responseType": "json",
  "decompress": true
}
Request error:
{
  "url": "https://graph.microsoft.com/v1.0/admin/serviceAnnouncement/healthOverviews",
  "status": 403,
  "statusText": "Forbidden",
  "headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "a0447260-e450-4442-b604-9fa5cd4a5374",
    "client-request-id": "a0447260-e450-4442-b604-9fa5cd4a5374",
    "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"South Africa North\",\"Slice\":\"E\",\"Ring\":\"2\",\"ScaleUnit\":\"001\",\"RoleInstance\":\"JN2PEPF0000138B\"}}",
    "x-instance": "westeurope/_readvm_15",
    "x-timetaken": "0",
    "date": "Sun, 28 Jul 2024 15:23:26 GMT",
    "connection": "close"
  },
  "error": {
    "error": {
      "code": "UnknownError",
      "message": "",
      "innerError": {
        "date": "2024-07-28T15:23:26",
        "request-id": "a0447260-e450-4442-b604-9fa5cd4a5374",
        "client-request-id": "a0447260-e450-4442-b604-9fa5cd4a5374"
      }
    }
  }
}
Error: [object Object]

My tenant has only 2 accounts, the admin which I'm logging with, and another unlicensed test account I created after that to see how non-admins view my code in SharePoint.

Does it help?

[germain-italic]

it just hangs or loads 🤔. No output, no error.

True.

As I understand there is a permission error, I looked for appId: '31359c7f-bd7e-475c-86db-fdb8c937548e' in Azure Portal, and found the permissions for PnP Office 365 Management Shell:

API	name	Claim	value
Microsoft	Graph	Reports.Read.All	Read
Microsoft	Graph	AppCatalog.ReadW…	Read
Microsoft	Graph	Directory.AccessAs…	Access
Microsoft	Graph	Directory.ReadWrit…	Read
Microsoft	Graph	Group.ReadWrite.All	Read
Microsoft	Graph	IdentityProvider.Re…	Read
Microsoft	Graph	Mail.Send	Send
Microsoft	Graph	Reports.Read.All	Read
Microsoft	Graph	User.Invite.All	Invite
Office	365	SharePoint	Online
Office	365	SharePoint	Online
Office	365	SharePoint	Online
Windows	Azure	Active	Directory
Windows	Azure	Service	Manage…

I guessed from this SO topic that a scope AuditLog.Read.All exists in Graph API, but I can't find it.

However, I noticed this call-to-action:

So I tried and was asked for Audit Log permissions:

After that:

PS D:\Sites\sp_modern\app-extension> m365 logout

PS D:\Sites\sp_modern\app-extension> m365 login
"To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code LCUGDU283 to authenticate."
{
  connectedAs: '*****',
  authType: 'DeviceCode',
  appId: '31359c7f-bd7e-475c-86db-fdb8c937548e',
  appTenant: 'common',
  cloudType: 'Public'
}

PS D:\Sites\sp_modern\app-extension> m365 spo site appcatalog list
[]
DONE

PS D:\Sites\sp_modern\app-extension> m365 tenant serviceannouncement health list
[
  {
    "service": "Exchange Online",
    "status": "serviceDegradation",
    "id": "Exchange"
  },
  (...)

]

And finally:

[germain-italic]

As I said I am almost sure this is not the source of the problem and I still need to revisit some code to understand that.

Do you have control over what permissions are asked by the extension when performing m365 login through it?

[Adam-it]

@germain-italic awesome research 🤩. It seems you had some old instance of CLI installed which you used for login and it seems you did lack permission. The SPFx Toolkit uses CLI for auth so it will always ask for permissions CLI for M365 needs even if the SPFx toolkit needs less. It's not possible to do it otherwise. How it works is that on the PnP Community tenant we have a multi tenant enterprise app in our EntraID. We named it PnP Management Shell (it's actually very old name of CLI for M365 back when it was still Office 365 not Microsoft 365). When you install CLI either locally or bundled in SPFx toolkit when doing very first login you need to as admin consent the PnP Management Shell app with all the permissions to your tenant. When we release new major or minor version of CLI we sometimes add commands that require more permission we did not have at start. So we add it to our enterprise app and provide feed in release blog post that in order to use some new command you will need to reconsent.

BTW you do not need to use V6 version of CLI locally to avoid any conflicts between cjs and ESM. I even encourage you to use latest version of CLI always which is currently v8- beta. We will release major v8 on Wednesday we are prepping the release blog post and we are almost good to go.

BTW 2 you may always use the m365 cli reconsent command to recheck and reapproved all permissions. https://pnp.github.io/cli-microsoft365/cmd/cli/cli-reconsent

[germain-italic]

Yes I was using M365 v7 prior to installing the SPFx Toolkit. Then I downgraded to v6 and even v5 to try debugging. Now I upgraded to v7 again and both are still working.

Thanks for your help!

[Adam-it]

Awesome so it was due to lack of permission. Still SPFx Toolkit could somehow help point this down. I would need to think on that. Let's leave this issue open for a while 👍. Thanks for your feed and help in solving the bug 👏. You Rock 🤩. BTW, if I may ask, how is SPFx Toolkit? Is it helpful? Any feed you wanna share? Is there anything missing ?

[Adam-it]

merged a fixup to make this more stable. This will be part of upcoming pre-release