We recently ran into an issue when creating SPFx Azure Active Directory App registrations using an OAuth Implicit flow, where our SharePoint Admin Center API Access page then gave this error:
Could not retrieve Global Service Principal ID Error: Error: {}
And when using O365 CLI, I was getting the same error trying to add a new serviceprincipal or list them:
o365$ spo serviceprincipal grant list
Error: Another object with the same value for property identifierUris already exists.
So now I am completely locked out of interacting with SharePoint Online to Azure AD Applications until this is fixed.
I opened a case with SharePoint Online MS Support and they said it's on the Azure side but they would look into it for me.
After a few days they got back to me and said it was due to a bad Azure AD App Registration tagged under SharePoint that is causing the error. GREAT! I now have a place to start.
Go into Azure Active Directory and go to App Registrations and search for “SharePoint”. Your “broken app” is somewhere in one of these two registrations.
Now go back into App Registrations and map out which GUIDs belong where.
Good ID: “SharePoint Online Client Extensibility Web Application Principal”
That means the other one is bad! “SharePoint Online Client Extensibility Web Application Principal Helper”
According to the above article, deleting this one fixes it. AND IT DID!
Object ID 218 is the good one, and the top one 421 is BAD!
Sure enough, after removing the bad application I can now access the API Access page!
So after removing every single bad VM, app registration or enterprise app, it all comes down to removing the bad “SharePoint Online Client Extensibility Web Application Principal Helper” app registration above. Now everything works as expected and I can approve my app requests!
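The inventory step above (search App Registrations for "SharePoint" and map which GUID belongs to which registration) can be scripted against an export before anything is deleted. This is an added example, not code from the original post: it assumes JSON in the shape produced by `az ad app list --all` (fields `displayName`, `id`, `appId`, `identifierUris`), and the `audit` and `normalize` helpers, the sample data, and every GUID and URI in it are constructed placeholders.

```python
import json
from collections import defaultdict

# Display name the post identifies as the good registration.
GOOD_NAME = "SharePoint Online Client Extensibility Web Application Principal"

# Constructed sample shaped like `az ad app list --all` output.
# Every GUID and URI below is a made-up placeholder, not a real tenant value.
SAMPLE_EXPORT = json.dumps([
    {"displayName": GOOD_NAME, "id": "aaaaaaaa-0000-0000-0000-000000000001",
     "appId": "bbbbbbbb-0000-0000-0000-000000000001",
     "identifierUris": ["api://example-tenant/placeholder"]},
    {"displayName": GOOD_NAME + " Helper", "id": "aaaaaaaa-0000-0000-0000-000000000002",
     "appId": "bbbbbbbb-0000-0000-0000-000000000002",
     "identifierUris": ["API://example-tenant/placeholder/"]},
    {"displayName": "Contoso HR Portal", "id": "aaaaaaaa-0000-0000-0000-000000000003",
     "appId": "bbbbbbbb-0000-0000-0000-000000000003", "identifierUris": []},
])

def normalize(uri):
    """Lower-case and drop a trailing slash (a comparison rule assumed for this audit)."""
    return uri.strip().rstrip("/").lower()

def audit(export_json, keyword="SharePoint", good_name=GOOD_NAME):
    """List registrations whose name contains `keyword`, with any identifierUris they share."""
    apps = json.loads(export_json)
    holders = defaultdict(set)          # normalized URI -> object IDs claiming it
    for app in apps:
        for uri in app.get("identifierUris") or []:
            holders[normalize(uri)].add(app["id"])
    report = []
    for app in apps:
        name = app.get("displayName") or ""
        if keyword.lower() not in name.lower():
            continue
        uris = [normalize(u) for u in app.get("identifierUris") or []]
        report.append({
            "displayName": name,
            "objectId": app["id"],
            "appId": app.get("appId"),
            # "review" means a human should inspect it; it is not a delete verdict.
            "status": "expected" if name == good_name else "review",
            "sharedUris": sorted(u for u in uris if len(holders[u]) > 1),
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_EXPORT):
        print(row)
```

Saving the export alongside the report gives a record of each registration's object ID and identifier URIs before any registration is removed.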
Big lesson learned!
Now I can do an Enable-SPOTenantServicePrincipal without errors:
Hope this helps and leave any comments below on your experience with this error.
Eric Schrader is currently a partner, manager of support, and the Cloud Solutions Architect at Sileo Technology Solutions in Torrance, CA. He has architected over 100 solutions for clients in SharePoint Server, SharePoint Online, Microsoft Azure, Office 365, Teams, and more. Eric has a strong background in developing cloud-based microservices in Azure and AWS using many different technologies and platforms, including Identity Management with Azure Active Directory and hybrid scenarios.