403(Forbidden) Invalid permission error in my SPFx web part when trying to access SharePointSiteUsageDetail with MSGraph

  1. Office 365 usage reports are protected by both permissions and Azure AD roles, and support two types of authorization, including user-delegated.

  2. The Reports.Read.All delegated permission is required when you sign in with a work or school account to call getSharePointSiteUsageDetail. Then user consent is also needed along with admin consent, where the user must have one of the following roles:

Company Administrator, Exchange Administrator, SharePoint Administrator, Lync Administrator, Teams Service Administrator, Teams Communications Administrator, Global Reader, Usage Summary Reports Reader, or Reports Reader. The Global Reader and Usage Summary Reports Reader roles will only have access to tenant-level data, without visibility into detailed metrics. To consent on behalf of the user, you need to have

i.e., the user must be a member of an Azure AD limited administrator role.


  3. MSGraphClient uses an implicit-authentication access token. Check the access token after decoding it in https://jwt.ms. It may not have the "wids" claim (which denotes the tenant-wide roles assigned to this user, through the groupMembershipClaims property of the application manifest). This claim lists which Azure AD roles are assigned to the delegated user, and so, if it is not present, the user does not have the permissions.

Workaround:

The permissions requested in the SPFx package need to be granted explicitly by a SharePoint Admin, even the ones that do not need admin consent. This is so that all permission scopes allowed to be consumed from SPFx customisations go through admin approval. So the admin must grant the permissions again.

By default, if no permissions are granted, the only available permission scope is user_impersonation, which allows you to get limited information from the Graph.

Please refer to these links for more details:

  1. available-permission-scopes
  2. spfx/use-aadhttpclient
  3. Calling Microsoft Graph with Delegated Implicit Authentication(briantjackett.com)
  4. sharepoint – “Error 403, forbidden” while calling the Microsoft Graph -SPFx webpart? – Stack Overflow
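An added example, not part of the answer above and not SPFx or Microsoft code: a small Node.js script that decodes the access token payload the way jwt.ms does and flags the two conditions the answer describes (no `Reports.Read.All` in `scp`, no `wids` claim). Everything here is an assumption made for illustration: the role-template map is a partial copy of published Azure AD role template IDs, the two tokens are constructed fixtures with a dummy signature, and the script only decodes the payload, it does not validate the signature, so it is a diagnostic, not an authorization check.

```javascript
// Added diagnostic, not code from the original answer or from SPFx.
// Decodes a Graph access token's payload (as jwt.ms does) and reports why a
// call to getSharePointSiteUsageDetail is likely to return 403. No signature
// validation is performed; never use this to make authorization decisions.

// Partial map of well-known Azure AD role template IDs (the values carried in
// the "wids" claim). Assumption: copied from the published template list; extend
// it with any other roles your tenant uses.
const ROLE_TEMPLATES = {
  "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
  "f28a1f50-f6e7-4571-818b-6a12f2af6b6c": "SharePoint Administrator",
  "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
  "f2ef992c-3afb-46b9-b7cf-a126ee74c451": "Global Reader",
  "4a5d8f65-41da-4de4-8968-e035b65339cf": "Reports Reader",
};

const REQUIRED_SCOPE = "Reports.Read.All";
const GRAPH_AUDIENCES = ["https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"];

// JWT segments are base64url without padding; restore padding and decode.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return typeof Buffer !== "undefined" ? Buffer.from(b64, "base64").toString("utf8") : atob(b64);
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== "undefined" ? Buffer.from(str, "utf8").toString("base64") : btoa(str);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only the payload segment; the signature is ignored on purpose.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 dot-separated segments)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the delegated scopes, the directory roles named by "wids", and a list
// of problems that explain a 403 from the usage-report endpoints.
function inspectGraphToken(token) {
  const claims = decodeJwtPayload(token);
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ").filter(Boolean) : [];
  const wids = Array.isArray(claims.wids) ? claims.wids : [];
  const roles = wids.map((id) => ROLE_TEMPLATES[id] || `unknown role template ${id}`);
  const problems = [];
  if (!GRAPH_AUDIENCES.includes(claims.aud)) {
    problems.push(`aud is ${claims.aud}, not Microsoft Graph`);
  }
  if (!scopes.includes(REQUIRED_SCOPE)) {
    problems.push(`scp lacks ${REQUIRED_SCOPE} (got: ${scopes.join(" ") || "<none>"}); ` +
      "the SharePoint admin has to approve the requested scope in API access");
  }
  if (wids.length === 0) {
    problems.push("no wids claim: the token carries no directory role for the signed-in user " +
      "(the user has none, or the app manifest does not emit wids)");
  }
  return { scopes, roles, problems, likely403: problems.length > 0 };
}

// Constructed fixtures (not real tokens): header.payload.<dummy signature>.
function makeUnsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.sig`;
}

// Token a plain user gets from an SPFx package with no approved scopes.
const TOKEN_WITHOUT_ROLE = makeUnsignedToken({
  aud: "https://graph.microsoft.com",
  scp: "User.Read user_impersonation",
  upn: "dev@contoso.example",
});

// Token for a Reports Reader after the admin approved Reports.Read.All.
const TOKEN_WITH_ROLE = makeUnsignedToken({
  aud: "https://graph.microsoft.com",
  scp: "Reports.Read.All User.Read",
  upn: "admin@contoso.example",
  wids: ["4a5d8f65-41da-4de4-8968-e035b65339cf"],
});

console.log(JSON.stringify(inspectGraphToken(TOKEN_WITHOUT_ROLE), null, 2));
console.log(JSON.stringify(inspectGraphToken(TOKEN_WITH_ROLE), null, 2));
```

To run it against a real token, paste the bearer value MSGraphClient sends (visible in the browser's network tab) in place of a fixture. If `scp` lacks `Reports.Read.All`, the fix is on the SPFx side: declare the scope in `package-solution.json` under `webApiPermissionRequests` (resource `Microsoft Graph`, scope `Reports.Read.All`) and have a SharePoint admin approve it under API access in the SharePoint admin center; if `scp` is right but `wids` is empty, the fix is an Azure AD role assignment for the user, which no amount of consent will supply.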
