Cli-microsoft365: Bug report: Updating an app for teams gives a 403.

Created on 21 Jan 2021  路  6Comments  路  Source: pnp/cli-microsoft365

Description

When i try to push a new version of the Teams app, i get a 403 unauthorized error. The user i am using are a global administrator. I've even created a new global admin, just to verify.

I successfully log in using this method:
m365 login --authType password --userName brandnewusername --password password
m365 teams app update --id guid --filePath "d:\tempTeamsApp_buildId-dev.zip" --verbose

But when i run the last command i get this error:
Updating app with id '0fb5f49b-a660-4b24-a118-d191bc8e42c3' and file 'd:\tempTeamsProjectPortalApp_9811-dev.zip' in the app catalog...
Error: Request failed with status code 403

Steps to reproduce

m365 login --authType password --userName brandnewusername --password password
m365 teams app update --id guid --filePath "d:\tempTeamsApp_buildId-dev.zip" --verbose

m365 teams app list: shows me the correct output
m365 status: shows me that i am connected as the correct user also.

Expected result

The expected result would be to successfully update the app in the app catalog.

Actual result

Error: Request failed with status code 403

Environment

Using M365-Cli v3.4.0.
i have tried multiple node versions. (15.6.0 and 14.15.4).

question waiting on response
Source
picture eiriksanderfjeld
👍2

Most helpful comment

This worked before new year. It worked both locally and in Azure DevOps deploy pipeline.

picture eiriksanderfjeld on 21 Jan 2021
👍2

All 6 comments

Thanks for reporting @eiriksanderfjeld apologies for the trouble, we will take a look ASAP.

Can I ask whether this is the first time you have used the command or has this just stopped working?

garrytrinder picture garrytrinder on 21 Jan 2021

This worked before new year. It worked both locally and in Azure DevOps deploy pipeline.

eiriksanderfjeld picture eiriksanderfjeld on 21 Jan 2021
👍2

Thanks for the extra information, it seems like we've introduced a regression when refactoring the code base to remove some dependencies.

Again, apologies for the trouble, we will aim to get you unblocked ASAP.

garrytrinder picture garrytrinder on 21 Jan 2021

Hey @eiriksanderfjeld, I can't reproduce the issue using the latest preview version. Could you please give it a try and see if the issue is still there? If you're still seeing the issue, could you please run the command with --debug and share with us the detailed output (don't forget to truncate the access token). Appreciate your help.

waldekmastykarz picture waldekmastykarz on 21 Jan 2021
👍1

Right, thanks. Here is the output from debug. I've removed ids, token and data buffer. If i decode the token i get this scp:
"scp": "AllSites.FullControl AppCatalog.ReadWrite.All Directory.AccessAsUser.All Directory.ReadWrite.All Group.ReadWrite.All IdentityProvider.ReadWrite.All Mail.Send Reports.Read.All TermStore.ReadWrite.All User.Invite.All User.Read.All",

+   & "node$exe"  "$basedir/node_modules/@pnp/cli-microsoft365/dist/ind ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Executing comma...utput":"json"}}:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Updating app with id '123123123123123' and file 'd:\temp\App_9811-dev.zip' in the app catalog...
Existing access token  still valid. Returning...
Request:
{
  "url": "https://graph.microsoft.com/v1.0/appCatalogs/teamsApps/123123123123123",
  "method": "put",
  "data": {
    "type": "Buffer",
    "data": [
        ...removed..
    ]
  },
  "headers": {
    "common": {
      "Accept": "application/json, text/plain, */*"
    },
    "delete": {},
    "get": {},
    "head": {},
    "post": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "put": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "patch": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/3.4.0",
    "accept-encoding": "gzip, deflate",
    "content-type": "application/zip",
    "authorization": "Bearer <snipp>"
  },
  "responseType": "text",
  "decompress": true
}
Request error
{
  "status": 403,
  "statusText": "Forbidden",
  "headers": {
    "cache-control": "private",
    "content-type": "application/json",
    "request-id": "",
    "client-request-id": "",
    "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"West Europe\",\"Slice\":\"SliceC\",\"Ring\":\"5\",\"ScaleUnit\":\"000\",\"RoleInstance\":\"AGSFE_IN_76\"}}",
    "strict-transport-security": "max-age=31536000",
    "date": "Fri, 22 Jan 2021 09:11:22 GMT",
    "connection": "close",
    "content-length": "640"
  },
  "data": "{\r\n  \"error\": {\r\n    \"code\": \"Forbidden\",\r\n    \"message\": \"Failed to execute AuthService backend request GetSkypeTokenRequest. Workload Unknown. Request Url: https://authsvc-server.teams.microsoft.com/v1.0/authz, Request Method: POST, Response Status Code: Forbidden, Response Headers: Strict-Transport-Security: max-age=31536000; includeSubDomains\\r\\nDate: Fri, 22 Jan 2021 09:11:22 GMT\\r\\nServer: Kestrel\\r\\n, Reason Phrase: Forbidden\",\r\n    \"innerError\": {\r\n      \"date\": \"2021-
01-22T09:11:23\",\r\n      \"request-id\": \"\",\r\n      \"client-request-id\": \"d\"\r\n    }\r\n  }\r\n}"
}
Error: Request failed with status code 403
eiriksanderfjeld picture eiriksanderfjeld on 22 Jan 2021
👍1

Using the same account, can you update the same app through the Teams UI?

waldekmastykarz picture waldekmastykarz on 22 Jan 2021
Was this page helpful?
0 / 5 - 0 ratings

Related issues

StfBauer picture StfBauer  路  3Comments
waldekmastykarz picture waldekmastykarz  路  3Comments
aakashbhardwaj619 picture aakashbhardwaj619  路  3Comments
plamber picture plamber  路  3Comments
joshua-probst picture joshua-probst  路  3Comments