SharePoint Online- Bad service principal breaks SharePoint Admin API Access “Global Service Principal ID Error: Error: {}” Resolved

We recently ran into an issue when creating SPFX Azure Active Directory App registrations using an O-Auth Implicit flow that our SharePoint Admin Center API Access page then gave an error:

Could not retrieve Global Service Principal ID Error: Error: {}
Could not retrieve Global Service Principal ID Error: Error: {}
Could not retrieve Global Service Principal ID Error: Error: {}

And when using O365 CLI, I was getting the same error trying to add a new serviceprincipal or list them:

o365$ spo serviceprincipal grant list
Error: Another object with the same value for property identifierUris already exists.

Error: Another object with the same value for property identifierUris already exists.
Error: Another object with the same value for property identifierUris already exists.

So now I am completely locked out of interacting with SharePoint Online to Azure AD Applications until this is fixed.

I opened a case with SharePoint Online MS Support and they said its on the Azure side but they would look into it for me.

After a few days they got back to me and said it was due to a bad Azure AD App Registration tagged under SharePoint that is causing the error. GREAT! I now have a place to start.

  1. Go into Azure Active Directory and go to App Registrations and search for “SharePoint”. Your “broken app” is somewhere in one of these two registrations.

    App registrations for SharePoint
    App registrations for SharePoint
  2. Big thanks to this article where it says how to find the bad one, https://github.com/SharePoint/sp-dev-docs/issues/3891#issuecomment-494868401 
    In the API Access admin page of SP admin https://yourcompany-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/webApiPermissionManagement, go to view source and search for spfx3rdPartyServicePrincipalId. You will find a GUID, THIS IS THE GOOD ONE. The other application is bad.
    Good one (found in view source of Admin page- “spfx3rdPartyServicePrincipalId”:”ebxxxx-xxxxx-xxxxxxx899d1
  3. No go back into app registrations and map out what GUIDs belong where
    Good ID: “SharePoint Online Client Extensibility Web Application Principal
  4. That means the other one is bad! “SharePoint Online Client Extensibility Web Application Principal Helper
    According to the above article, deleting this one fixes it. AND IT DID!
    Object ID 218 is the good one, and the top one 421 is BAD!
  5. Sure enough, after removing the bad application I can now access the API Access page!

So after removing every single bad VM, app registration or enterprise app, it all comes down to removing the bad “SharePoint Online Client Extensibility Web Application Principal Helper” app registration above. Now everything works as expected and I can approve my app requests!

Big lesson learned!

Now I can do a Enable-SPOTenantServicePrincipal without errors:

Hope this helps and leave any comments below on your experience with this error.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: