
Get AAD Roles from React SPFx Webpart


I have a simple React SPFX Webpart. We have deployed it to our SP Online site. It currently displays the SP Groups of the current user.

import { SPHttpClient } from "@microsoft/sp-http";

// Call the SharePoint REST API for the current user's site groups.
const queryUrl = `${this.context.pageContext.site.absoluteUrl}/_api/web/currentuser/groups`;
const siteGroupsData = await this.context.spHttpClient.get(
  queryUrl,
  SPHttpClient.configurations.v1
);
// The REST response wraps the result array in a "value" property.
const siteGroups: any[] = (await siteGroupsData.json()).value;
const justNames = siteGroups.map((m) => m.Title);
const groups = justNames.join(",");

I also need to display the AAD groups/roles.

Do I need to use Microsoft Graph? MSAL? How? There is so much old and confusing information.

I have tried using the following:

import { Providers, SharePointProvider } from "@microsoft/mgt";
// Hand the SPFx web part context to the Microsoft Graph Toolkit provider.
Providers.globalProvider = new SharePointProvider(this.context);

The above produces the following error in the console: InteractionRequiredAuthError: AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource. Trace ID: Correlation ID: Timestamp: 2022-11-15 15:07:21

Is this only a problem with the Workbench?

I see examples on the web that are for full React SPAs, but this is a web part, and the user is already logged in. I don't feel like I should have to request a token. Maybe it is just an SP Online configuration setting that is needed.

Thanks!


Solution

  • This error, "AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource.", mainly occurs when the admin has not consented to the application's access.

    • Check if you have exposed an API, added a scope with the API permissions required for the Graph query to query users, groups and app roles, and granted consent. Do the same check in SPFx.


    In SPFx the requests may be approved or denied by the admin during the authentication process.

    In that case access is denied with an error.


    Please check the same with the admin, or check whether user consent is enabled.

    Make sure they are granted consent.


    Also check if user consent is allowed for that app under Enterprise applications > User settings, or (here).


    Set it to "Not allow" depending on the application.

    All these permissions are usually stored in the SharePoint Online Client Extensibility Azure AD application and are granted through web API requests. So it is mainly the lack of consent from the admin or user that causes this issue.

    The admin might have disabled permissions by using Disable-SPOTenantServicePrincipal or denied that permission using Deny-SPOTenantServicePrincipalPermissionRequest -RequestId <Guid>. See Global and SharePoint administrators can manage requests using PowerShell commands.

    If the admin gives consent for the required permissions, the query will be successful.

    Note that a guest user doesn't have permissions to query more than one user, for example: /groups/{id}/members

    Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn

    For an SPFx web part, there is a known issue when using the Microsoft Graph API: we cannot get role claims, as it uses the implicit grant with delegated permissions, which doesn't give roles.

    See the decoded token below, which doesn't have the wids claim.

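Since the token the web part receives carries no wids claim, the practical route the answer points to is to ask Graph for the user's memberships once the permission request has been approved. The following is an added example (not code from the question or the answer) that splits a /me/memberOf response into Azure AD groups and directory roles and maps the consent failures described above to an actionable message. It assumes the response would come from MSGraphClientV3 (this.context.msGraphClientFactory.getClient('3')) in a real web part, and that the Graph scope was requested in package-solution.json and approved by an admin; the sample response is constructed so the block runs offline.

```typescript
interface DirectoryObject {
  "@odata.type": string;
  id: string;
  displayName?: string;
  roleTemplateId?: string; // only present on directoryRole objects
}

interface MemberOfResult {
  groups: string[];
  roles: string[];
  other: number; // objects that are neither (e.g. administrative units)
}

// Graph returns groups and directory roles in the same /me/memberOf
// collection; the @odata.type discriminator tells them apart.
function classifyMemberOf(value: DirectoryObject[]): MemberOfResult {
  const result: MemberOfResult = { groups: [], roles: [], other: 0 };
  for (const obj of value) {
    const name = obj.displayName ?? obj.id;
    if (obj["@odata.type"] === "#microsoft.graph.group") {
      result.groups.push(name);
    } else if (obj["@odata.type"] === "#microsoft.graph.directoryRole") {
      result.roles.push(name);
    } else {
      result.other++;
    }
  }
  return result;
}

// Turn the consent-related failures the answer describes into a message an
// operator can act on instead of a raw AADSTS code.
function explainGraphFailure(status: number, message?: string): string {
  if (/AADSTS65001/.test(message ?? "")) {
    return "Consent missing: have an admin approve the pending Graph permission request for the SharePoint Online Client Extensibility principal.";
  }
  if (status === 401 || status === 403) {
    return `HTTP ${status}: the approved scope does not cover this query; check the scope requested in package-solution.json.`;
  }
  return `Graph call failed with HTTP ${status}`;
}

// Constructed sample shaped like a GET /me/memberOf response (not real data).
const SAMPLE_MEMBER_OF: DirectoryObject[] = [
  { "@odata.type": "#microsoft.graph.group", id: "g-0001", displayName: "Finance Team" },
  { "@odata.type": "#microsoft.graph.group", id: "g-0002", displayName: "All Employees" },
  { "@odata.type": "#microsoft.graph.directoryRole", id: "r-0001", displayName: "Global Reader", roleTemplateId: "constructed-template-id" },
  { "@odata.type": "#microsoft.graph.administrativeUnit", id: "au-0001", displayName: "EMEA" },
];
```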