We recently ran into an issue when creating SPFX Azure Active Directory App registrations using an O-Auth Implicit flow that our SharePoint Admin Center API Access page then gave an error:
Could not retrieve Global Service Principal ID Error: Error: {}
Could not retrieve Global Service Principal ID Error: Error: {}
And when using O365 CLI, I was getting the same error trying to add a new serviceprincipal or list them:
o365$ spo serviceprincipal grant list Error: Another object with the same value for property identifierUris already exists.
Error: Another object with the same value for property identifierUris already exists.
So now I am completely locked out of interacting with SharePoint Online to Azure AD Applications until this is fixed.
I opened a case with SharePoint Online MS Support and they said its on the Azure side but they would look into it for me.
After a few days they got back to me and said it was due to a bad Azure AD App Registration tagged under SharePoint that is causing the error. GREAT! I now have a place to start.
Go into Azure Active Directory and go to App Registrations and search for “SharePoint”. Your “broken app” is somewhere in one of these two registrations.
App registrations for SharePoint
Big thanks to this article where it says how to find the bad one, https://github.com/SharePoint/sp-dev-docs/issues/3891#issuecomment-494868401
In the API Access admin page of SP admin https://yourcompany-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement, go to view source and search for spfx3rdPartyServicePrincipalId. You will find a GUID, THIS IS THE GOOD ONE. The other application is bad.
Good one (found in view source of Admin page- “spfx3rdPartyServicePrincipalId”:”ebxxxx-xxxxx-xxxxxxx899d1“
No go back into app registrations and map out what GUIDs belong where Good ID: “SharePoint Online Client Extensibility Web Application Principal”
That means the other one is bad! “SharePoint Online Client Extensibility Web Application PrincipalHelper”
According to the above article, deleting this one fixes it. AND IT DID!
Object ID 218 is the good one, and the top one 421 is BAD!
Sure enough, after removing the bad application I can now access the API Access page!
So after removing every single bad VM, app registration or enterprise app, it all comes down to removing the bad “SharePoint Online Client Extensibility Web Application Principal Helper” app registration above. Now everything works as expected and I can approve my app requests!
Big lesson learned!
Now I can do a Enable-SPOTenantServicePrincipal without errors:
Hope this helps and leave any comments below on your experience with this error.
Your last screenshot still shows Helper App. But had deleted this, right? or is this different one. Or it gets automatically created when principal is enabled?
Yea steps 1 and 2 in the above article go over why there were 2 entries. You really need the “good one” so if you don’t have 2, this is probably not going to solve your issue. Keep me posted!
Thanks for this interesting post. So in fact the Enable-SPOTenantServicePrincipal creates the two applications? And what are these two applications used for? Is it a backend for SPO API access requests
I was thinking one is by default and the other is the custom one, but it breaks due to a conflict. Been a few years but that was how I was able to get myself to sleep at night.
Thanks, really helpful post. Got me up and running really quick
Your last screenshot still shows Helper App. But had deleted this, right? or is this different one. Or it gets automatically created when principal is enabled?
Yea steps 1 and 2 in the above article go over why there were 2 entries. You really need the “good one” so if you don’t have 2, this is probably not going to solve your issue. Keep me posted!
Thanks for this interesting post. So in fact the Enable-SPOTenantServicePrincipal creates the two applications? And what are these two applications used for? Is it a backend for SPO API access requests
I was thinking one is by default and the other is the custom one, but it breaks due to a conflict. Been a few years but that was how I was able to get myself to sleep at night.