Cannot get consent to connect SPFX webpart with Azure Devops

0
votes

I'm trying to connect to Azure Devops from within a Sharepoint web part.

I have added a couple of permission requests in package-solution.json:

"webApiPermissionRequests": [
    {
      "resource": "Windows Azure Active Directory",
      "scope": "User.Read"
    },
    {
      "resource": "Azure DevOps",
      "scope": "user_impersonation"
    },
    {
      "resource": "SharePoint Online Client Extensibility Web Application Principal",
      "scope": "user_impersonation"
    }
    ...

and use the AAD factory to call an Azure DevOps api, like so:

this.context.aadHttpClientFactory.getClient('499b84ac-1321-427f-aa17-267ca6975798').then((client: AadHttpClient) => {      
  client.get(`https://dev.azure.com/reinder0498/_apis/projects?api-version=6.0`, AadHttpClient.configurations.v1)
  .then((response: HttpClientResponse) => {
      console.log(response);
      return response.json();
  })
  .then((projects: any): void => {
      console.log(projects);
  });
});

But then I get this error: "The user or administrator has not consented to use the application with ID '177c71fc-1022-4e3c-82cd-faa17d9864bf' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource."

I've looked at pending and approved requests in Sharepoint Admin center but could not see any requests coming in... What else do I have to do to use the aadHttpClientFactory to connect to Azure DevOps API's?

enter image description here

update

If I browse to that Sharepoint Online Client app in AAD, the button to grant admin consent is disabled:

enter image description here

2
azureazure-devopsazure-active-directorysharepoint-onlinespfx
Could you check the following documentation to see whether it helps you: docs.microsoft.com/en-us/sharepoint/dev/spfx/…?Cece Dong - MSFT
@CeceDong-MSFT I have seen it, but that is about enterprise API's and I want to connect to Azure DevOps.Reinder Wit

2 Answers

1
votes

Was able to figure it out myself. The thing is that you need to run it inside your teams environment to have the approval request created in your Sharepoint environment.

I now have these permission requests configured:

{
   "resource": "Azure DevOps",
   "scope": "user_impersonation"
},
{
   "resource": "Windows Azure Active Directory",
   "scope": "User.Read"
}

I uploaded my web part to Sharepoint, synced it to Teams and then opened it inside Teams. At some point I got the error message about the consent and then afterwards I saw the approval request appear in Sharepoint Admin.

Once approved, my web part successfully connected to the DevOps REST API.

0
votes

The error occurs for the application registered with Azure AD (Delegated Permissions), which requires either user or an administrator’s consent for the permissions it needs. You need configure permissions in the azure portal for your application and or create a url and grant permissions first . Below is link on how too construct the url. You only need to do it once and can remove permissions when needed.

Grant tenant-wide admin consent to an application

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent#construct-the-url-for-granting-tenant-wide-admin-consent

Also, here is a GitHub issue raised and solved regarding your setup. SPFX USER