For the SharePoint integration to work, the administrator of the SharePoint tenant needs to grant our app API access before users can start using the product.

To do so, first create a service principal (enterprise application) for our app in your tenant with the following PowerShell script:

Info

Prerequisite: the AzureAD PowerShell module must be installed (if it is not already). Note that Microsoft has deprecated this module in favour of the Microsoft Graph PowerShell SDK, which is also what the script further down on this page uses:

  • Install-Module AzureAD

Code Block
Connect-AzureAD -TenantId "<yourTenantID>";
New-AzureADServicePrincipal -AppId "7a24742e-0a1c-4225-844f-4d0948d515c4";
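The same step with the Microsoft Graph PowerShell SDK, as an added example that is not part of the vendor's documentation. It is idempotent (it looks the principal up before creating it) and prints the principal's display name and owning tenant so you can confirm you are onboarding the app you expect before approving anything. Assumptions: the Microsoft.Graph.Applications module is installed, the signed-in account may create service principals, and the AppId is the one documented on this page.

```powershell
# Added example (not the vendor's script): create the connector's service principal with the
# Microsoft Graph PowerShell SDK instead of the deprecated AzureAD module.
# Assumptions: Microsoft.Graph.Applications is installed; the caller may create service
# principals (Application.ReadWrite.All is requested for that).
param(
    [Parameter(Mandatory = $true)][string] $tenantId,
    # AppId of the connector's multi-tenant app, as documented on this page
    [string] $appId = "7a24742e-0a1c-4225-844f-4d0948d515c4"
)

Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All" -NoWelcome
try {
    # Idempotent: New-MgServicePrincipal fails if a principal for this AppId already exists.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if ($null -eq $sp) {
        $sp = New-MgServicePrincipal -AppId $appId -ErrorAction Stop
        Write-Host "Created service principal $($sp.Id) for app $appId"
    }
    else {
        Write-Host "Service principal $($sp.Id) for app $appId already exists"
    }

    # Sanity check before granting anything: DisplayName should match the connector you are
    # installing, and AppOwnerOrganizationId is the vendor's tenant (not yours) for a
    # multi-tenant app. If either looks wrong, stop here.
    $sp | Select-Object DisplayName, AppId, AppOwnerOrganizationId, Id | Format-List
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

Run it as `.\New-ConnectorPrincipal.ps1 -tenantId "<yourTenantID>"` (file name is your choice); the AppId defaults to the value used on this page.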

Approve API Access via the SharePoint Admin Center

After the enterprise application exists in your tenant, you can approve the pending API access request in the SharePoint Admin Center.

  • This is done in the SharePoint admin center under API access: https://<tenantName>-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement

  • An entry named SharePoint Connector for Jira is listed there once the SharePoint solution has been installed

  • Approving the API access allows the web part to communicate with our APIs. The approval applies tenant-wide (all users), so check that the pending request names the expected app and scope before you approve it


  • When you click Approve, a popup appears in which you have to consent to the app


  • After you accept, you are redirected and can close the popup.


  • Once consent has been granted, users can start using the app.

Info

Microsoft is currently changing the way API access for SharePoint web parts is handled. If you receive an error during the approval process, grant the permission manually with the PowerShell script in the following section.

Approve API Access via PowerShell

You can also grant the API access manually with a PowerShell script.


Provide the following parameters to the script:

  • appID: 7a24742e-0a1c-4225-844f-4d0948d515c4

  • scope: api://senora.products.communardo.com/access_as_user

  • tenantId: <your tenant id>

The script uses the Microsoft Graph PowerShell SDK, which has to be installed on your machine; see the installation guide linked in the script's notes (https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0).

Code Block
<#
.SYNOPSIS
This cmdlet provides a way for developers and system administrators to add permissions to AAD protected APIs for SharePoint Framework custom code.

.PARAMETER appID
the ID of the app (API resource) to set permissions for
.PARAMETER scope
the scope of the permission request to add
.PARAMETER tenantId
the ID of the tenant in which the grant is created

.EXAMPLE
AddSPFxPermissions -appID "00000003-0000-0000-c000-000000000000" -scope "Sites.Read.All" -tenantId "<your tenant id>"

.NOTES
requires Graph SDK to be installed. Follow documentation here: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0
#>

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string] $appID,

    [Parameter(Mandatory=$true)]
    [string] $scope,

    [Parameter(Mandatory=$true)]
    [string] $tenantId
)
# AppId of the "SharePoint Online Web Client Extensibility" principal that SPFx uses for permission grants.
# If the app still does not work after running this script, your tenant may still use the legacy
# principal: set $sPFxAppID = "6326b94e-cdee-4c5c-809b-00830522ca86" and run the script again.
$sPFxAppID = "08e18876-6177-487e-b8b5-cf950c1e598c"
$objectGrant = $null

# Directory.ReadWrite.All is broader than this script needs; "Application.Read.All" together with
# "DelegatedPermissionGrant.ReadWrite.All" is sufficient for the lookups and the grant below.
connect-MgGraph -scopes "Application.ReadWrite.All", "Directory.ReadWrite.All" -TenantId $tenantId -NoWelcome
try{
    #Get the SPFx Service Principal
    $sPFxSP =  Get-MgServicePrincipal -Filter "appid eq '$sPFxAppID'"
    if ($null -eq $sPFxSP) { throw "SPFx service principal $sPFxAppID not found in tenant $tenantId" }
    #get the endpoint service principal (required to identify the object ID)
    $resourceSP =  Get-MgServicePrincipal -Filter "appid eq '$appID'"
    if ($null -eq $resourceSP) { throw "Service principal for app $appID not found; create it first (see the first section)" }

    #check if some scopes have already been added for the endpoint
    $oGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sPFxSP.Id -All
    foreach ($item in $oGrants)
    {
        if( $item.ResourceId -eq $resourceSP.Id)
        {
            $objectGrant = $item
            break
        }
    }

    #if $objectGrant is not null, we check if the scope already exists there
    if ($null -ne $objectGrant)
    {
        # Scope is a space-separated list; compare whole tokens so a scope is not mistaken
        # for a longer one that merely contains it.
        if (($objectGrant.Scope -split ' ') -contains $scope){
            throw "Scope has already been granted"
        }
        #The scope was not added yet: append it to the existing grant and update it
        $objectGrant.Scope += " $scope"
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $objectGrant.Id -Scope $objectGrant.Scope -ErrorAction Stop | Out-Null
    }
    #otherwise, we create a new grant with the scope
    else{
        $params = @{
            "clientId" = $sPFxSP.Id
            # AllPrincipals = tenant-wide admin consent: every user may use this scope through the SPFx principal
            "ConsentType" = "AllPrincipals"
            "ResourceId" = $resourceSP.Id
            "scope" = $scope
          }
        New-MgOauth2PermissionGrant -BodyParameter $params -ErrorAction Stop | Out-Null
    }
    
    Write-Host "Scope '$scope' granted to the SPFx principal for resource app $appID"
}
catch{
    # $_.Exception inside a string only expands $_; use a subexpression to get the message
    Write-Host "the following error occurred: $($_.Exception.Message)" -ForegroundColor Red
}
finally{
    Disconnect-MgGraph | Out-Null
    Write-Host "Command completed."
}

Info

Starting in the second week of March 2025, Microsoft began transitioning SPFx permission management to the "SharePoint Online Web Client Extensibility" application principal. If the app still does not work after you have executed the above script, your tenant might still be using the old SPFx permission management. In that case, change the sPFxAppID in the script to 6326b94e-cdee-4c5c-809b-00830522ca86 and run the script again.

More information on the changes: https://devblogs.microsoft.com/microsoft365dev/changes-on-sharepoint-framework-spfx-permission-grants-in-microsoft-entra-id/
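To see which of the two SPFx principals your tenant actually has, and what has been granted to the connector's resource app through each of them (whether via the admin center approval or via the script above), here is a read-only audit script. It is an added example, not the vendor's code: it uses only read scopes, and assumes the Microsoft Graph PowerShell SDK is installed and that the resource AppId is the one documented on this page.

```powershell
# Added example (not the vendor's script): list the OAuth2 permission grants held by both
# SharePoint Framework principals named on this page and show which scopes each has for the
# connector's resource app. Read-only: needs Application.Read.All and
# DelegatedPermissionGrant.Read.All only. Assumes the Microsoft.Graph modules are installed.
param(
    [Parameter(Mandatory = $true)][string] $tenantId,
    # The connector's AppId from this page; override to audit another resource app
    [string] $resourceAppId = "7a24742e-0a1c-4225-844f-4d0948d515c4"
)

# Label -> AppId. The display names are read from the tenant, not hard-coded here.
$spfxPrincipals = [ordered]@{
    "current SPFx principal (since March 2025)" = "08e18876-6177-487e-b8b5-cf950c1e598c"
    "legacy SPFx principal"                     = "6326b94e-cdee-4c5c-809b-00830522ca86"
}

Connect-MgGraph -TenantId $tenantId -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All" -NoWelcome
try {
    $resourceSP = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
    if ($null -eq $resourceSP) {
        throw "No service principal for app $resourceAppId in this tenant; create it first (see the first section)."
    }
    Write-Host "Resource app: $($resourceSP.DisplayName) ($resourceAppId), object id $($resourceSP.Id)"

    foreach ($entry in $spfxPrincipals.GetEnumerator()) {
        $spfxSP = Get-MgServicePrincipal -Filter "appId eq '$($entry.Value)'"
        if ($null -eq $spfxSP) {
            # A tenant that never got the new principal (or never had SPFx) will hit this branch.
            Write-Host "$($entry.Key): AppId $($entry.Value) is not present in this tenant"
            continue
        }

        $grants      = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spfxSP.Id -All)
        $forResource = @($grants | Where-Object { $_.ResourceId -eq $resourceSP.Id })
        Write-Host "$($entry.Key) [$($spfxSP.DisplayName)]: $($grants.Count) grant(s) in total"

        if ($forResource.Count -eq 0) {
            Write-Host "  -> no grant for $($resourceSP.DisplayName)"
            continue
        }
        foreach ($g in $forResource) {
            # ConsentType AllPrincipals means tenant-wide admin consent; Scope is a space-separated list.
            Write-Host ("  -> consent type {0}, scopes: {1}" -f $g.ConsentType, $g.Scope)
        }
    }
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

If the connector's scope (api://senora.products.communardo.com/access_as_user) shows up only under the legacy principal while the current one exists in your tenant, or the other way round, that tells you which sPFxAppID value the script in the previous section has to use.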