We recently ran into an issue when creating SPFX Azure Active Directory App registrations using an O-Auth Implicit flow that our SharePoint Admin Center API Access page then gave an error:
Could not retrieve Global Service Principal ID Error: Error: {}
Could not retrieve Global Service Principal ID Error: Error: {}
And when using O365 CLI, I was getting the same error trying to add a new serviceprincipal or list them:
o365$ spo serviceprincipal grant list Error: Another object with the same value for property identifierUris already exists.
Error: Another object with the same value for property identifierUris already exists.
So now I am completely locked out of interacting with SharePoint Online to Azure AD Applications until this is fixed.
I opened a case with SharePoint Online MS Support and they said its on the Azure side but they would look into it for me.
After a few days they got back to me and said it was due to a bad Azure AD App Registration tagged under SharePoint that is causing the error. GREAT! I now have a place to start.
Go into Azure Active Directory and go to App Registrations and search for “SharePoint”. Your “broken app” is somewhere in one of these two registrations.
No go back into app registrations and map out what GUIDs belong where Good ID: “SharePoint Online Client Extensibility Web Application Principal”
That means the other one is bad! “SharePoint Online Client Extensibility Web Application PrincipalHelper”
According to the above article, deleting this one fixes it. AND IT DID!
Object ID 218 is the good one, and the top one 421 is BAD!
Sure enough, after removing the bad application I can now access the API Access page!
So after removing every single bad VM, app registration or enterprise app, it all comes down to removing the bad “SharePoint Online Client Extensibility Web Application Principal Helper” app registration above. Now everything works as expected and I can approve my app requests!
Big lesson learned!
Now I can do a Enable-SPOTenantServicePrincipal without errors:
Hope this helps and leave any comments below on your experience with this error.
Your last screenshot still shows Helper App. But had deleted this, right? or is this different one. Or it gets automatically created when principal is enabled?
Yea steps 1 and 2 in the above article go over why there were 2 entries. You really need the “good one” so if you don’t have 2, this is probably not going to solve your issue. Keep me posted!
Thanks, really helpful post. Got me up and running really quick
Your last screenshot still shows Helper App. But had deleted this, right? or is this different one. Or it gets automatically created when principal is enabled?
Yea steps 1 and 2 in the above article go over why there were 2 entries. You really need the “good one” so if you don’t have 2, this is probably not going to solve your issue. Keep me posted!