If you try to approve API access requests in SharePoint Online and get a generic error like the one below, just remember the first rule of IT: “turn it off and on again”.
code: -1, Microsoft.Azure.ActiveDirectory.GraphClient.InternalServerErrorException
message: Encountered an internal server error.
I encountered this error while doing a (failed) demo, and after posting it on Twitter, Vesa Juvonen provided a simple solution to it.
It turns out, there is a background process to ensure that some configurations are in place. This check runs when you open the API access page in the SharePoint admin portal, and one of the validations is to ensure that the required App registrations are in place.
IMPORTANT: the next step will remove all previously approved API access. If you want to add them again, take note of the approved requests and check the instructions below. You can easily extract a list using the Office 365 CLI:
spo serviceprincipal grant list
Go to the Azure portal and open the App registrations page within Azure AD. Delete the following app registration, which is used for granting API access: SharePoint Online Client Extensibility Web Application Principal
Next, go to (or refresh) the API access page in SharePoint. You will notice that all previously approved requests have been deleted and you can now successfully approve pending requests. Be patient, as you may need to wait some time for everything to be set up behind the scenes. In my case it was fairly quick.
You can easily add the deleted permissions again, and new ones, by using the Office 365 CLI:
# example for Microsoft Graph Mail.Read
spo serviceprincipal grant add --resource 'Microsoft Graph' --scope 'Mail.Read'
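The following Python script is an added example, not part of the original post or of the Office 365 CLI project. It turns a grant list saved before the deletion into the matching grant add commands, so the permissions can be reviewed before they are re-applied. It assumes the list was saved as JSON (the CLI's --output json option) and that each entry carries Resource and Scope fields; the sample data is constructed.

```python
import json
import shlex

# Constructed sample of a saved grant list (not real tenant data).
# Assumption: each entry carries "Resource" and "Scope" keys.
SAMPLE_GRANTS = """[
  {"ObjectId": "example-1", "Resource": "Microsoft Graph", "Scope": "Mail.Read"},
  {"ObjectId": "example-2", "Resource": "Microsoft Graph",
   "Scope": "Calendars.Read User.ReadBasic.All"},
  {"ObjectId": "example-3", "Resource": "Microsoft Graph", "Scope": "Mail.Read"},
  {"ObjectId": "example-4", "Resource": "", "Scope": "Sites.Read.All"}
]"""


def restore_commands(saved_json):
    """Return (commands, skipped) built from a saved grant list."""
    commands, skipped, seen = [], [], set()
    for entry in json.loads(saved_json):
        resource = (entry.get("Resource") or "").strip()
        # A Scope value holding several space-separated scopes is split,
        # because the add command on this page takes one scope per call.
        scopes = (entry.get("Scope") or "").split()
        if not resource or not scopes:
            skipped.append(entry)  # incomplete entry: restore by hand
            continue
        for scope in scopes:
            if (resource, scope) in seen:
                continue  # same permission listed twice, emit it once
            seen.add((resource, scope))
            # shlex.quote keeps names with spaces or quotes shell-safe.
            commands.append(
                "spo serviceprincipal grant add --resource {} --scope {}".format(
                    shlex.quote(resource), shlex.quote(scope)))
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped_entries = restore_commands(SAMPLE_GRANTS)
    print("\n".join(cmds))
    for item in skipped_entries:
        print("# skipped, incomplete:", json.dumps(item))
```

Reviewing the generated commands before running them is a chance to drop permissions that are no longer needed rather than restoring everything.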