Error: AADSTS500011: The resource principal named "URL" was not found in the tenant

Question

I am trying to add an app to our SharePoint Online site using the template from https://learn.microsoft.com/en-us/sharepoint/dev/spfx/web-parts/get-started/build-a-hello-world-web-part and we get the error below when we deploy to SharePoint and add the app/Web part to a test SharePoint site. We are using TypeScript as the template uses.

Has anyone else encountered this issue or know where to look for the issue?

Found [object Object]Driver Display External Error: Error: AADSTS500011: The resource principal named https://driverdisplayexternal.azurewebsites.net was not found in the tenant named 7018324c-9efd-4880-809d-b2e6bb1606b6. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 358b22eb-cd2c-4091-b592-5a57cbc21d00 Correlation ID: ec96d656-1a36-42e2-a2b9-3ff78efc1e2e Timestamp: 2019-10-01 16:26:06Z

We have added a call to our own client as shown below. We are not sure why the resource principal was not found. The Tenant ID's match and things seem to be set up properly for authentication.

HelloWorldWebPart.ts

...
   this.context.aadHttpClientFactory
      .getClient('https://driverdisplayexternal.azurewebsites.net')
      .then((client: AadHttpClient): void => {

        client
          .get('https://driverdisplayexternal.azurewebsites.net/api/values', AadHttpClient.configurations.v1)
          .then((response: HttpClientResponse): Promise < Order[] > => {
            this.domElement.innerHTML += 'Received a response from Driver Display External: ' + response;
            return response.json();
          })

          .catch(error => {

            this.domElement.innerHTML += 'Driver Display External Error:  ' + error;
            console.error(error);
          });
      });
...

package-solution.json

{
  "$schema": "https://developer.microsoft.com/json-schemas/spfx-build/package-solution.schema.json",
  "solution": {
    "name": "helloworld-webpart-client-side-solution",
    "id": "**ID**",
    "version": "4.1.0.0",
    "includeClientSideAssets": true,
    "isDomainIsolated": false,
    "webApiPermissionRequests": [
      {
        "resource": "DriverDisplayExternal",
       "scope": "User.Read.All"
      }
     ]
  },
  "paths": {
    "zippedPackage": "solution/helloworld-webpart.sppkg"
  }
}

Any help or direction to where the issue may be would be very appreciated. Thanks in advance!

If you want to call the service protected by Azure AD, the resource url must be Azure AD application's app id url. For more details, please refer to https://stackoverflow.com/questions/36059051/the-application-named-https-test113-onmicrosoft-com-ftp-was-not-found-in-the-t — Jim Xu, Oct 02 '19 at 01:52
@JimXu I tried this and it unfortunately didn't work. Thank you for the suggestion. — Dan, Oct 02 '19 at 16:25
Could you tell me if you can call the api from other tools such as postman? — Jim Xu, Oct 07 '19 at 01:01
Yes we can with postman. My co worker created a new application with a different way of getting what we need but we still haven't resolved this issue unfortunately. — Dan, Oct 07 '19 at 13:17
Is that you protect your api by Azure AD? If so, could you tell me if the tenant of AD application you use to protect API and the SharePoint's tenant is the same? — Jim Xu, Oct 08 '19 at 06:47
Yes they should be on the same tenant. We do protect our API by Azure AD yes. — Dan, Oct 08 '19 at 16:10

score 2 · Answer 1 · answered Oct 02 '19 at 05:35

2

Never used this API, but if I had to guess you need to change the value here:

      .getClient('https://driverdisplayexternal.azurewebsites.net')

You can use either the client id / application id, or the application ID URI.

answered Oct 02 '19 at 05:35

juunas

54,244
13
113
149

Thanks for the quick response Juunas. I tried to put my client id / application id and I received a different error. "TypeError: Failed to fetch". I don't believe this is any closer but I appreciate the suggestion! – Dan Oct 02 '19 at 13:46
1

Entering the Application/Client ID of the application registered in Azure containing the custom permission scopes fixed it for me. So i.e. .getClient('application id guid') – Koen Zomers Oct 18 '19 at 11:31
Tried to use the application/client ID and unfortunately didn't work. Still stuck. – Dan Oct 30 '19 at 18:52

score 1 · Answer 2 · answered Jun 11 '21 at 07:49

Sometimes this problem can occurr when you set a wrong name for the scope you are requesting access for or another configuration parameter.

I suggest to check carefully the scopes name, or maybe directly use the "copy" button from the Azure portal.

In my case it was a simple typo on a scope name.

score 0 · Answer 3 · answered May 13 '20 at 07:23

Not sure if you figured the answer or not. When you used SPFx to request your own custom web api end point. there are couple steps:

request the permission so that you can go to SPO admin to approve the permission you request. for this case, the webApiPermissionRequests->resources needs to your AAD Application's Service Principal DisplayName. once you had AAD App create, you can run Get-AzureADServicePrincipal to get all your ServicePrincipal.
once you request the permission, from your code, you need to call AadHttpClient.getClient() to get aadHttpClient object based on the api resourceEndpoint you want, for this case, you need to pass your web api's Application ID URI which can be found from your AAD App's manifest->"identifierUris". General speaking, this should be something like api://[clientid] format. but you can change it to any unique value. I hope it helps.

score 0 · Answer 4 · answered Nov 18 '20 at 13:49

0

In my case i had to use the App Id when i was consuming a multi tenant API.

answered Nov 18 '20 at 13:49

Dimos Dennis

26
1
4

score 0 · Answer 5 · edited Aug 09 '21 at 19:36

In my case, TenantId and ClientId were both ok.

They can be found in AAD. TenantId is right there on landing page:

and then on the same page click Applications then tab All Applications find your application there should be ClientId check if they match.

If that is still not enough, click on the application and find roles

For me, it was roles that were missing after adding those wheels started rolling again:

Error: AADSTS500011: The resource principal named "URL" was not found in the tenant

5 Answers5