AAD Token acquisition fails

Arizaga Debry 60 Reputation points
2026-04-08T08:24:55.3533333+00:00

Hi

this.context.aadHttpClientFactory
  .getClient("https://graph.microsoft.com")
  .then((client) => {
    return client.get(
      "https://graph.microsoft.com/v1.0/me",
      AadHttpClient.configurations.v1
    );
  })
  .then((response) => response.json())
  .then((data) => {
    console.log(data);
  })
  .catch((error) => {
    console.error("Graph call failed:", error);
  });

The SPFx solution is deployed to the SharePoint Online app catalog, and API permissions (Microsoft Graph – User.Read) have been approved in the tenant. The web part runs fine in the local workbench using gulp serve, but once deployed to a SharePoint site, the token request fails with an access error.

Microsoft 365 and Office | SharePoint | Development

1 answer

  1. Jayden-P 18,895 Reputation points Microsoft External Staff Moderator
    2026-04-08T09:00:20.3533333+00:00

    Hi Arizaga Debry

    This behavior is common because the local workbench (gulp serve) uses a more permissive authentication flow that does not fully enforce SharePoint Online’s token service checks. In that mode, Azure AD can often issue tokens directly based on the developer’s sign-in context. 

    To troubleshoot it, you could try to follow these steps: 

    1. In your API’s Azure AD app registration

       - Go to Expose an API and ensure an Application ID URI is defined (typically api://<client-id-of-this-app> or a custom URI such as https://yourtenant.onmicrosoft.com/yourapi).
       - Expose the required scopes (for example: access_as_user, user_impersonation, etc.).
       - Ensure user or admin consent is granted for those scopes if required.

    2. Update package-solution.json

       - Add or correct the webApiPermissionRequests array under the solution node:

         "webApiPermissionRequests": [
           {
             "resource": "<Exact Display Name of your API app registration in Azure AD>",
             "scope": "<Scope name you exposed, e.g. user_impersonation or access_as_user>"
           }
         ]

       You can refer to this link.

    3. Re-package and re-deploy

         gulp bundle --ship
         gulp package-solution --ship

       - Upload the new .sppkg file to the tenant app catalog (and deploy it if you are using tenant-wide deployment).

    4. Approve the permission in SharePoint Admin Center

       - Go to SharePoint Admin Center > Advanced > API access
       - You should see a pending request for your API app name and scope
       - Select Approve (permission propagation may take a few minutes)

    I hope this helps. 



    2 people found this answer helpful.
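
A pre-packaging check for the package-solution.json step in the answer above, as an added example that is not part of the original thread or of the SPFx tooling: it reports whether each resource/scope pair the web part needs is declared under solution.webApiPermissionRequests, and flags template values left unfilled. The sample manifest, the `Contoso API` name and both function names are constructed; treating a case or whitespace difference as a mismatch is an assumption taken from the answer's "Exact Display Name" wording.

```javascript
// Added example: verify webApiPermissionRequests before running
// `gulp package-solution --ship`. Manifest and names below are constructed.

// Returns one result per required permission: "ok", "mismatch" or "missing".
function checkPermissionRequests(manifestText, required) {
  const manifest = JSON.parse(manifestText);
  const declared = manifest.solution && manifest.solution.webApiPermissionRequests;
  if (!Array.isArray(declared)) {
    return required.map((req) => ({ ...req, status: "missing",
      detail: "no webApiPermissionRequests array under the solution node" }));
  }
  const norm = (s) => String(s).trim().toLowerCase();
  return required.map((req) => {
    // Assumption: resource and scope must match character for character.
    if (declared.some((d) => d.resource === req.resource && d.scope === req.scope)) {
      return { ...req, status: "ok", detail: "" };
    }
    // A case or whitespace difference is reported separately: likely a typo.
    const near = declared.find((d) =>
      norm(d.resource) === norm(req.resource) && norm(d.scope) === norm(req.scope));
    return near
      ? { ...req, status: "mismatch", detail: `declared as "${near.resource}" / "${near.scope}"` }
      : { ...req, status: "missing", detail: "no entry for this resource and scope" };
  });
}

// Returns entries that still carry a template value such as "<Scope name ...>".
function findPlaceholders(manifestText) {
  const solution = JSON.parse(manifestText).solution || {};
  return (solution.webApiPermissionRequests || []).filter((d) =>
    [d.resource, d.scope].some((v) => /^\s*<.*>\s*$/.test(String(v))));
}

// Constructed sample: wrong casing on the Graph entry, one unfilled template entry.
const sampleManifest = JSON.stringify({
  solution: {
    name: "sample-client-side-solution",
    webApiPermissionRequests: [
      { resource: "microsoft graph", scope: "User.Read" },
      { resource: "<Exact Display Name of your API app registration in Azure AD>", scope: "access_as_user" },
    ],
  },
});
const sampleRequired = [
  { resource: "Microsoft Graph", scope: "User.Read" },
  { resource: "Contoso API", scope: "access_as_user" }, // hypothetical API name
];
console.log(checkPermissionRequests(sampleManifest, sampleRequired));
console.log(findPlaceholders(sampleManifest));
```

To use it on a real project, pass the contents of config/package-solution.json as the first argument and list only the permissions the web part actually calls, so the manifest does not request more than it needs.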
