Sp-dev-docs: Access denied for permission Group.ReadWrite.All and Directory.ReadWrite.All for Graph API in SPFx solution

Created on 10 Sep 2020 · 4 comments · Source: SharePoint/sp-dev-docs

Category

  • [x] Bug

I am getting the following issue when I try to add a member to an O365 Group using the Graph Client. I have provided the below access to the SharePoint Online Client Extensibility Web Application Principal

image

The error is:
{ "error": { "code": "Request_ResourceNotFound", "message": "Resource '[email protected]' does not exist or one of its queried reference-property objects are not present.", "innerError": { "date": "2020-09-09T21:34:00", "request-id": "2cd9e8d3-e1a1-41c9-ad4f-992255727169" } } }

When I sign in using an O365 account other than the Group owner's account, I get this error. It works fine when I use the Group Owner account to run the same code.

Labels: auth, spfx-general, question


All 4 comments

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

Using application permissions in SPFx solutions is strongly discouraged... you're effectively granting every single script in your tenant those permissions.

IOW, anyone in your tenant can open the console, request an access token using the SPFx AadHttpClient, and do anything they want with those permissions to groups in your tenant.

Thanks Andrew for the insight.
That's actually good advice, and we have changed our implementation so we are using an httptrigger flow to get the membership done under a privileged account. So we can mark this one closed.

Thanks,
Ashar

On Wed, Sep 16, 2020 at 9:20 AM Andrew Connell notifications@github.com wrote:

> Using application permissions in SPFx solutions is strongly discouraged... you're effectively granting every single script in your tenant those permissions.
>
> IOW, anyone in your tenant can open the console, request an access token using the SPFx AadHttpClient, and do anything they want with those permissions to groups in your tenant.


--
Ashar Khan

LinkedIn: http://linkedin.com/in/ashar
Website: http://www.ashark.net
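Andrew's point is that any scope granted to the SharePoint Online Client Extensibility Web Application Principal is reachable from every script in the tenant, and Ashar's fix was to move the privileged write out of the browser. The audit below, added here and not code from the thread, flags such grants from a constructed grant list; it assumes the `Resource`/`Scope` field shape of `m365 spo serviceprincipal grant list --output json` (CLI for Microsoft 365), which you should check against your CLI version.

```python
"""Audit scopes granted to the SharePoint Online Client Extensibility Web
Application Principal (the principal SPFx's AadHttpClient gets tokens for).
Added example, not code from the thread; the sample mirrors the shape this
example assumes for `m365 spo serviceprincipal grant list --output json`."""
import json

# Scopes that let any client-side script in the tenant change group or
# directory state. This set is the example's own risk policy (assumption).
HIGH_RISK_SCOPES = {
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "User.ReadWrite.All",
}

# Constructed sample grants, not data from a real tenant.
SAMPLE_GRANTS = json.dumps([
    {"Resource": "Microsoft Graph", "Scope": "User.Read Group.ReadWrite.All"},
    {"Resource": "Microsoft Graph", "Scope": "Directory.ReadWrite.All"},
    {"Resource": "Office 365 SharePoint Online", "Scope": "Sites.Read.All"},
])


def audit_grants(grants_json: str) -> dict:
    """Split each grant's space-separated Scope string and classify every
    scope as high_risk (in HIGH_RISK_SCOPES), write (other *Write*) or read."""
    report = {"high_risk": [], "write": [], "read": []}
    for grant in json.loads(grants_json):
        resource = grant.get("Resource", "?")
        for scope in grant.get("Scope", "").split():
            entry = f"{resource}: {scope}"
            if scope in HIGH_RISK_SCOPES:
                report["high_risk"].append(entry)
            elif "Write" in scope:
                report["write"].append(entry)
            else:
                report["read"].append(entry)
    return report


def remediation(report: dict) -> list:
    """One action per high-risk scope: revoke it from the shared SPFx
    principal and do the privileged write server-side (as the reporter did
    with an HTTP-triggered flow) so only that component holds the permission."""
    return [f"Revoke '{e}' from the SPFx principal; move the operation to a "
            "server-side component that holds the permission itself."
            for e in report["high_risk"]]
```

Run `audit_grants` over the real CLI output instead of `SAMPLE_GRANTS`; the `high_risk` list is the set of scopes that any page in the tenant can currently exercise through AadHttpClient.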
