Managing SharePoint Framework API Permissions with PowerShell


Recently, Microsoft changed where SharePoint Framework (SPFx) permissions are managed in Entra ID. During this transition, the permissions were meant to be copied automatically from the old application principal to the new one to avoid service disruption. However, for some customers, this automatic migration only worked for Microsoft Graph permissions, not for custom APIs running on Azure subscriptions and protected by Entra ID authentication.

To help manage these permissions, PowerShell scripts can be used to verify and reassign the necessary API permissions. Below are some key commands and steps to troubleshoot and resolve such issues.

You Should Know:

1. Verify Existing SPFx Permissions

Use the following PowerShell command to check the current permissions assigned to your SPFx application in Entra ID:

# Requires the AzureAD module and an active session (Connect-AzureAD)
Get-AzureADServicePrincipal -Filter "DisplayName eq 'Your_SPFx_App_Name'" |
    Get-AzureADServiceAppRoleAssignment |
    Select-Object ResourceDisplayName, Id, PrincipalId

2. Grant API Permissions Manually

If permissions were not migrated, use this script to grant them manually:

$spfxApp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Your_SPFx_App_Name'"
$apiApp  = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Your_Custom_API_Name'"

# Look up the app role (application permission) exposed by the custom API
$requiredPermission = $apiApp.AppRoles | Where-Object { $_.Value -eq "Your_Required_Permission" }
if (-not $requiredPermission) { throw "App role 'Your_Required_Permission' not found on $($apiApp.DisplayName)" }

# Assign the required permission to the SPFx service principal
New-AzureADServiceAppRoleAssignment -ObjectId $spfxApp.ObjectId -PrincipalId $spfxApp.ObjectId -ResourceId $apiApp.ObjectId -Id $requiredPermission.Id

3. Check Microsoft Graph Permissions

Ensure Graph permissions are correctly assigned:

# $spfxApp comes from step 2
$graphApp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"

# AppRoles holds application permissions; delegated scopes are listed in $graphApp.Oauth2Permissions
$requiredGraphPermission = $graphApp.AppRoles | Where-Object { $_.Value -eq "User.Read" }
if (-not $requiredGraphPermission) { throw "App role 'User.Read' not found on Microsoft Graph" }

New-AzureADServiceAppRoleAssignment -ObjectId $spfxApp.ObjectId -PrincipalId $spfxApp.ObjectId -ResourceId $graphApp.ObjectId -Id $requiredGraphPermission.Id

4. Troubleshooting Permission Issues

If permissions are not applying, check the service principal’s consent status:

# ClientId on a grant is the client service principal's object id (not its AppId)
Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $spfxApp.ObjectId } |
    Select-Object ResourceId, Scope, ConsentType, ExpiryTime

5. Re-register the SPFx App if Needed

In extreme cases, re-registering the app may be necessary:

# Destructive: removes the service principal and every assignment attached to it
Remove-AzureADServicePrincipal -ObjectId $spfxApp.ObjectId
# Re-register the app via the Azure Portal and reapply the permissions from steps 2 and 3
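The five steps above can be folded into one audit-and-reconcile script. The following is an added example, not code from the original post: it checks the SPFx service principal's app-role assignments against an expected list and reports what is missing, granting only when -Grant is passed. It uses the same AzureAD module cmdlets as the post (that module is deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK); app, API and permission names are placeholders, and it assumes an active Connect-AzureAD session.

```powershell
# Added example (not from the original post): audit the SPFx service principal's
# app-role assignments against an expected list, report Assigned/Missing/
# RoleNotDefined/ResourceNotFound, and reconcile with -Grant. Same AzureAD
# module cmdlets as the post; run Connect-AzureAD first. Names are placeholders.
function Test-SpfxAppRoleAssignments {
    param(
        [Parameter(Mandatory)] [string] $SpfxAppName,
        # Resource display name -> array of required app role values
        [Parameter(Mandatory)] [hashtable] $Expected,
        [switch] $Grant
    )
    $spfx = Get-AzureADServicePrincipal -Filter "DisplayName eq '$SpfxAppName'"
    if (-not $spfx) { throw "SPFx service principal '$SpfxAppName' not found" }
    foreach ($resourceName in $Expected.Keys) {
        $resource = Get-AzureADServicePrincipal -Filter "DisplayName eq '$resourceName'"
        if (-not $resource) {
            [pscustomobject]@{ Resource = $resourceName; Permission = '*'; Status = 'ResourceNotFound' }
            continue
        }
        # Enumerate from the resource side and keep only rows held by the SPFx principal
        $held = Get-AzureADServiceAppRoleAssignment -ObjectId $resource.ObjectId -All $true |
            Where-Object { $_.PrincipalId -eq $spfx.ObjectId }
        foreach ($value in $Expected[$resourceName]) {
            # AppRoles are application permissions; delegated scopes live in Oauth2Permissions
            $role = $resource.AppRoles | Where-Object { $_.Value -eq $value }
            if (-not $role) {
                [pscustomobject]@{ Resource = $resourceName; Permission = $value; Status = 'RoleNotDefined' }
                continue
            }
            if ($held | Where-Object { $_.Id -eq $role.Id }) {
                $status = 'Assigned'
            } elseif ($Grant) {
                New-AzureADServiceAppRoleAssignment -ObjectId $spfx.ObjectId -PrincipalId $spfx.ObjectId `
                    -ResourceId $resource.ObjectId -Id $role.Id | Out-Null
                $status = 'Granted'
            } else {
                $status = 'Missing'
            }
            [pscustomobject]@{ Resource = $resourceName; Permission = $value; Status = $status }
        }
    }
}

# Audit only; add -Grant to create the missing assignments.
# User.Read.All is a real Microsoft Graph application permission; the custom API value is a placeholder.
Test-SpfxAppRoleAssignments -SpfxAppName 'Your_SPFx_App_Name' -Expected @{
    'Microsoft Graph'      = @('User.Read.All')
    'Your_Custom_API_Name' = @('Your_Required_Permission')
} | Format-Table -AutoSize
```

Run it without -Grant first and keep the output as an audit record; a row marked RoleNotDefined means the value is not an app role on that resource, so check whether it is a delegated scope instead.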

What Undercode Says:

Managing SharePoint Framework (SPFx) permissions in Entra ID requires careful verification, especially after Microsoft’s backend changes. PowerShell remains a powerful tool to audit, assign, and troubleshoot API permissions. Always ensure:
– Permissions are correctly listed in Azure AD > App Registrations.
– Graph and custom API permissions are explicitly granted.
– Service principals are not corrupted (re-register if needed).

For further automation, consider using Azure CLI (az ad app permission commands) or Microsoft Graph API (POST /servicePrincipals/{id}/appRoleAssignments).

Expected Output:

  • Verified SPFx permissions in Entra ID.
  • Correctly assigned Graph and custom API permissions.
  • Resolved permission migration issues via PowerShell.

Reference: Managing SharePoint Framework API Permissions
