
I added a Personal Tab in MS Teams which references a SharePoint Webpart with an SPFx webpart on it using @microsoft/microsoft-graph-client.

In the MS Teams Web Client on TEST and PROD the page loads as expected, and the @microsoft/microsoft-graph-client calls work. In the MS Teams Desktop client on the TEST environment it also works perfectly.

However, in the MS Teams Desktop Client (on Windows) on the PROD environment the @microsoft/microsoft-graph-client does not work.

Looking in Fiddler, I can see the following happening (only on the desktop client):

A call is made to https://o2fitcom.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%2758066c29-7a47-418b-9cb8-69adf68633b3%27&clientId=%2708e18876-6177-487e-b8b5-cf950c1e598c%27 with error result Failed to load resource: the server responded with a status of 403 ()

The call returns an HTTP 500 with message:

<m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"> <m:code>-2147024891, System.UnauthorizedAccessException</m:code> <m:message xml:lang="en-US">Attempted to perform an unauthorized operation.</m:message> </m:error>

I have already successfully made the solution work on TEST but not in PROD, and I checked that all the configuration and the manifest are the same. All the permissions configured in the SharePoint Online Client Extensibility Web Application Principal are granted.

1 Answer

Finally I have a solution:

  1. Delete the apps SharePoint Online Client Extensibility Web Application Principal and SharePoint Online Client Extensibility Web Application Principal Helper.
  2. Wait a few minutes to let AAD create them again.
  3. After that, request permission from the custom app.
  4. Go to the API access page to grant the permission again; it will automatically sync to "SharePoint Online Client Extensibility Web Application Principal".
  5. Test the app again. Deactivating the Limited-access user permission lockdown mode could also help. Now all my apps work as expected.

Why?

  1. Limited-access user permission lockdown mode could block your permission to request the API.
  2. Deleting the app in AAD gets the token and all the configuration to sync again.
  3. Granting permission from API Access is the correct way, not granting from the AAD app.
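
Added example (not part of the original question or answer): a small Node.js triage helper that parses the failing AcquireOBOToken request and the OData error body quoted in the question. It shows that -2147024891 is HRESULT 0x80070005 (Win32 facility, access denied) and extracts the resource and client IDs to compare between TEST and PROD; the function names are hypothetical.

```javascript
// Added example: triage one failed SPFx AcquireOBOToken call from a proxy capture.
// The URL and error body are the ones quoted in the question; function names are hypothetical.
const requestUrl =
  "https://o2fitcom.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken" +
  "?resource=%2758066c29-7a47-418b-9cb8-69adf68633b3%27&clientId=%2708e18876-6177-487e-b8b5-cf950c1e598c%27";
const errorBody =
  '<m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">' +
  "<m:code>-2147024891, System.UnauthorizedAccessException</m:code>" +
  '<m:message xml:lang="en-US">Attempted to perform an unauthorized operation.</m:message></m:error>';

// OData string parameters arrive wrapped in single quotes (%27); strip them.
function parseOboRequest(url) {
  const u = new URL(url);
  const unquote = (v) => (v || "").replace(/^'(.*)'$/, "$1");
  return {
    tenantHost: u.hostname,
    operation: u.pathname.split(".").pop(),
    resource: unquote(u.searchParams.get("resource")),
    clientId: unquote(u.searchParams.get("clientId")),
  };
}

// Split a signed 32-bit HRESULT into its standard fields.
function decodeHresult(signed) {
  const v = signed >>> 0; // reinterpret the signed value as unsigned
  return {
    hex: "0x" + v.toString(16).toUpperCase().padStart(8, "0"),
    failure: (v >>> 31) === 1,
    facility: (v >>> 16) & 0x1fff, // 7 = FACILITY_WIN32
    code: v & 0xffff, // 5 = ERROR_ACCESS_DENIED
  };
}

// Pull "<hresult>, <exception type>" and the message out of the OData error XML.
function parseODataError(xml) {
  const code = /<m:code>\s*(-?\d+)\s*,\s*([^<]+?)\s*<\/m:code>/.exec(xml);
  const msg = /<m:message[^>]*>([^<]*)<\/m:message>/.exec(xml);
  if (!code) return null; // not the error shape shown on this page
  return {
    hresult: decodeHresult(parseInt(code[1], 10)),
    exception: code[2],
    message: msg ? msg[1] : "",
  };
}

function triage(url, body) {
  return { request: parseOboRequest(url), error: parseODataError(body) };
}

console.log(JSON.stringify(triage(requestUrl, errorBody), null, 2));
```

Running the same helper over the equivalent capture from the working TEST tenant makes it easy to confirm that both environments request a token for the same resource and client ID.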