Now that spfx 1.6 has launched we have support for calling azure ad secure APIs such as Microsoft Graph and Azure Functions.
I've used the samples from https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient to create a simple page that calls the graph.
I've extended this sample ever so slightly to call an Azure Function that is itself secured via Azure AD.
The spfx webpart calls the following graph api:
https://graph.microsoft.com/v1.0/users?$select=displayName,mail,userPrincipalName&$filter=(givenName%20eq%20%27Sender%27)%20or%20(surname%20eq%20%27Sender%27)%20or%20(displayName%20eq%20%27Sender%27)
The azure function is very simple:
https://.azurewebsites.net/api/GetUserDetails?name=Sender
If I am logged on as normal user of the tenant, I can successfully call the graph api and the azure function.
if I try to browse to the page as an Azure AD B2B user I can successfully call the azure function, but the call to the graph is met with the following response:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Guest users are not allowed to perform this action.",
"innerError": {
"request-id": "4b862c51-70db-4ed0-ab5d-861197ae2512",
"date": "2018-09-11T09:27:26"
}
}
}
Now I do get that a Azure AD B2B user will have a problem calling certain graph APIs, and perhaps the /users is one such API - but I would like to know is there any docs that can tell me what graph API a B2B user can call?
For example could I present a B2B user with a list of all the Microsoft Teams they are a member of in my tenant?
For the record I have tried this with two types of B2B users. The first is a bog standard @outlook.com Microsoft Account, the second was an organisational account from another Office 365 tenant. Both users have the same return value from the graph api call.
