Description
Target SharePoint environment
SharePoint Online
What SharePoint development model, framework, SDK or API is this about?
💥 SharePoint Framework
Developer environment
Windows
What browser(s) / client(s) have you tested
- 💥 Internet Explorer
- 💥 Microsoft Edge
- 💥 Google Chrome
- 💥 FireFox
- 💥 Safari
- mobile (iOS/iPadOS) - Edge
- mobile (Android)
- not applicable
Additional environment details
- latest Edge
- SharePoint Framework 1.21.1
- Node 22.16.0
Multi-tenant organisation - the SharePoint Online instance is accessed by users from other tenants, via their external member account - automatically provisioned by Entra as part of the sync process.
Describe the bug / error
We have a number of users who are reporting that when they access a SharePoint Page which has a webpart that needs access to the Graph API, they are being pinged to the standard Microsoft login form, prefilled with their external member username (i.e. user.name_domain.com#ext#@tenant.onmicrosoft.com).
Obviously, they can't log in with that account, because it has no password.
On one machine, we managed to solve it (for now) by clearing a bunch of cookies. However, on other machines, we tried the same approach, and it makes no difference.
I'm wondering if there has maybe been a recent change to authentication, which is causing token generation for the Graph API to fail, when the user is an external member, rather than a tenant user. I wondered if anything like this had been reported already?
Steps to reproduce
- Access SharePoint Online page with a webpart that needs access to Graph API (even something very simple/low privilege), with external member access
- Note that a Microsoft login form appears, with the external member username prefilled.
Expected behavior
Expected behavior is that the user wouldn't be asked to log in - and they will be issued with a Graph API token. This used to be the case until a week or so ago.