SPFx Web Part assets and external users


March 23, 2020 - 11:34, by Steven Van de Craen

Last week we ran into an issue where external (guest) users on SharePoint Online needed access to custom-developed SharePoint Framework Web Parts deployed to the app catalog. By default they don’t have access to this location, so they receive an access denied error on the web part assets.

We brainstormed about deploying to a public CDN but decided against this, as it would open up the assets to potentially everyone rather than just our external users. Perhaps this is an unnecessary concern but we’re rolling with it.

A few years ago Microsoft made a change in how guest users receive access to SharePoint by deprecating/disabling the use of “Everyone” or “All Authenticated Users” for external users. See: https://docs.microsoft.com/en-us/office365/troubleshoot/access-management/grant-everyone-claim-to-external-users

While it is possible to restore this functionality, it is better to introduce a dynamic group in Azure Active Directory to identify guest users. Note that this functionality requires Azure AD Premium P1 or higher.

Specify the membership type during group creation:

Next use the rule builder to select all guest users (or other requirements you might have). My query is:

(user.userType -eq "Guest")

It may take a few minutes before the group membership reflects the rule(s).

Finally, when the group is fully propagated it can be added to the SPO App Catalog with read rights. Note that it might take up to 24 hours (not official) for the group to show up in the People Picker.

Guest Users in People Picker
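
The group creation steps above can also be scripted. The following is an added example, not the author's code: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module), and the group display name and mail nickname are placeholders chosen for illustration. It creates the dynamic group with the rule from this post, then compares the evaluated membership against the tenant's guest accounts so the group can be checked before it is given read rights on the app catalog.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# and an account that is allowed to create groups and read users.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# The membership rule used in the post
$rule = '(user.userType -eq "Guest")'

# Placeholder names for this example; pick ones that fit your tenant
$group = New-MgGroup `
    -DisplayName 'All Guest Users (dynamic)' `
    -Description 'Guests who need read access to SPFx assets in the app catalog' `
    -MailEnabled:$false `
    -MailNickname 'all-guest-users-dynamic' `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Rule evaluation is asynchronous, so re-run the check below until it settles.
$guests  = @(Get-MgUser -All -Filter "userType eq 'Guest'" -Property Id, UserPrincipalName)
$members = @(Get-MgGroupMember -GroupId $group.Id -All)

# Guests the rule has not picked up yet (still propagating)
$missing = @($guests | Where-Object { $_.Id -notin $members.Id })

# Members that are not guest accounts (should always be empty with this rule)
$unexpected = @($members | Where-Object { $_.Id -notin $guests.Id })

[pscustomobject]@{
    GroupId         = $group.Id
    GuestsInTenant  = $guests.Count
    MembersInGroup  = $members.Count
    MissingGuests   = $missing.Count
    UnexpectedUsers = $unexpected.Count
}

# Grant read rights on the app catalog only once MissingGuests and
# UnexpectedUsers are both 0.
if ($unexpected.Count -gt 0) {
    Write-Warning 'Group contains non-guest members; review the membership rule.'
}
```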

 

Hope this helps.