[MS] Handling Legacy User Settings in SharePoint Framework - devamazonaws.blogspot.com

Introduction

The SharePoint Framework (SPFx) has undergone some important changes in how it handles Entra ID app registration and security models. Here you can find additional details about what was updated and about the new application IDs used by SPFx. These changes have important implications for developers who previously relied on legacy user settings stored through the old application registration model. This article explores the technical challenges and provides practical solutions for handling legacy user settings when transitioning to the new SharePoint Framework security architecture.

Understanding the SharePoint Framework Security Model Evolution

The Legacy Application Model

Previously, SharePoint Framework utilized an application called SharePoint Online Client Extensibility Web Application Principal. This application had several key characteristics:
  • Tenant-specific registration: The application was automatically created in each customer tenant when they began using SharePoint Framework with permission scopes.
  • Third-party application model: It was registered as a standard third-party application in every individual tenant.
  • Token management: It served as the foundation for client-side token acquisition in SharePoint Framework to access Microsoft Graph and other Entra ID-secured APIs.

The New Multi-Tenant Application Model

Starting from March 2025, Microsoft introduced a new application called SharePoint Online Web Client Extensibility with the following improvements:
  • First-party multi-tenant application: Provided and managed by Microsoft across all tenants.
  • Centralized management: Single application shared across all Microsoft 365 tenants.
  • Automatic permission migration: All previously granted permissions were automatically copied from the old application to the new one.

Benefits of the New Model

The transition to the new security model brings several advantages.

Performance Improvements

  • Faster token acquisition: Single application enables quicker token retrieval.
  • Shared token cache: Tokens are shared across first-party and third-party applications.
  • Reduced latency: Streamlined authentication flow.

Enhanced Reliability and Governance

  • Microsoft-managed infrastructure: Reduced dependency on tenant-specific configurations.
  • Pre-authorized permissions: Set of permissions pre-configured by Microsoft.
  • Administrative flexibility: Administrators can modify pre-authorized permissions based on organizational needs.
  • Risk management: Changes to pre-authorized permissions are at the administrator's discretion.
Important Note: Modifying pre-authorized permissions may break out-of-the-box functionality. Administrators should carefully evaluate the impact before making changes.

Permission Scope Considerations

When transitioning to the new application, all previously granted permissions have been automatically copied over which means that the existing SharePoint Framework applications continue to work without any required changes. Also .Selected permissions were copied. However, the specific resource assignments were not transferred. As such, the migration provides an excellent opportunity for:
  • Security audit: Review all existing SharePoint Framework permissions.
  • Permission cleanup: Remove unnecessary or outdated permission grants.
  • Compliance alignment: Ensure permissions align with current security policies.

The Challenge of Application ID Migration

Despite all the above benefits of the new security architecture, there is a fundamental challenge that arises from the changes. In fact, each application registration has a unique client ID and the legacy third-party has a client ID different from the one of the new first-party application:
  • Legacy Application: SharePoint Online Client Extensibility Web Application Principal (unique client ID for each different tenant).
  • New Application: SharePoint Online Web Client Extensibility (new client ID equal for all the tenants).
While most SharePoint Framework solutions rely on the platform's built-in token management and won't be affected, there is a specific scenario affected: the storage and retrieval of user settings using Microsoft Graph's special folders functionality. In fact, the AppRoot special folder of the legacy application is different from the one of the new application and any existing files were not copied over.

Understanding Microsoft Graph Special Folders Challenge

When it comes to user's settings stored in Microsoft Graph's special folder, you can rely on specific techniques to mitigate the impact of the changes. In the remainder part of this article you can see the suggested options. There is also a companion sample available on the Community Sample Solution Gallery. You can simply download the source code of the sample and then follow the remainder part of this article to understand how it works.

The AppRoot Special Folder

Microsoft Graph provides access to special folders, including the AppRoot special folder, which offers:
  • Per-user, per-application storage: Each user gets a dedicated folder for each application.
  • Application isolation: Settings stored by one application are isolated from others.
  • Client ID binding: The folder is uniquely identified by the application's client ID.

API Endpoint Structure

The AppRoot special folder can be accessed through the following Microsoft Graph endpoint: 
GET /me/drive/special/approot
To access specific application folders: 
GET /me/drive/root/apps/{applicationName}

The Legacy Settings Challenge

Since the AppRoot folder is bound to the application client ID:
  • Legacy settings location: /me/drive/root/apps/SharePoint Online Client Extensibility Web Application Principal
  • New settings location: /me/drive/root/apps/SharePoint Online Web Client Extensibility
Settings stored in the old application folder are not automatically accessible through the new application context. Microsoft did not migrate those files from the legacy application AppRoot folder to the new one. Consequently, SharePoint Framework solutions relying on AppRoot folder need to handle both the legacy and the new folder and potentially migrate content from the legacy folder to the new one.

Technical Solution Implementation

Solution Architecture Overview

The recommended approach to handle legacy user settings involves:
  1. Direct Graph API access: Use Microsoft Graph to access the old AppRoot folder.
  2. User-context authentication: Leverage user permissions to access their legacy settings.
  3. Data migration or dual-access pattern: Choose between copying settings or maintaining dual access.

SharePoint Framework Implementation

Setting Up the Microsoft Graph Client

In the code of your SharePoint Framework web parts and extensions, you should initialize an instance of the Microsoft Graph client object. 
// In the web part's onInit method
protected async onInit(): Promise<void> {
  await super.onInit();
  
  // Get the Microsoft Graph client
  this._graphClient = await this.context.msGraphClientFactory
    .getClient('3'); // Version 3 of the Graph client
}

Accessing Legacy Settings

Once you have a Microsoft Graph client object, you can access the legacy AppRoot folder using the following syntax: 
// Function to browse legacy application files
private async handleBrowseLegacyFiles(): Promise<void> {
  try {
    // Access the old application folder
    const legacyFolder = await this._graphClient
      .api('/me/drive/root:/Apps/SharePoint Online Client Extensibility Web Application Principal:/children')
      .get();
    
    // Process the files in the legacy folder
    const files = legacyFolder.value;
    
    for (const file of files) {
      // Get file content if needed
      const fileContent = await this._graphClient
        .api(`/me/drive/items/${file.id}/content`)
        .get();
      
      // Process or migrate the file content
      // Implementation depends on your specific requirements
    }
  } catch (error) {
    console.error('Error accessing legacy files:', error);
  }
}

Migration Strategies and Best Practices

When it comes to migration strategies, you can copy the settings from the old storage over to the new one, or you can provide a fall back strategy. In the following paragraphs you can find an example of both the options.

One-Time Data Migration Approach

If you want to do one-time data migration, you can provide a specific functionality in your web parts or extensions. For example, you can create a button in the property pane, or a startup function that gets executed first time you run the component. In the migration code, you can simply read the setting files from the legacy AppRoot folder and write them to the new AppRoot folder, like it is illustrated in the following code excerpt. 
private async migrateLegacySettings(): Promise<void> {
  try {
    // Read from legacy location
    const legacySettings = await this._graphClient
      .api('/me/drive/root:/Apps/SharePoint Online Client Extensibility Web Application Principal:/children')
      .get();
    
    // Write to new location
    for (const setting of legacySettings.value) {
      const content = await this._graphClient
        .api(`/me/drive/items/${setting.id}/content`)
        .get();
      
      await this._graphClient
        .api('/me/drive/special/approot:/' + setting.name + ':/content')
        .put(content);
    }
  } catch (error) {
    console.error('Migration failed:', error);
  }
}

Dual-Access Pattern

Another option you have, is to simply try to use the new AppRoot folder and, in case of missing settings, you fall back to the legacy AppRoot folder. Again, here you can find a sample code excerpt. 
private async getSettings(settingName: string): Promise<any> {
  try {
    // Try new location first
    const newSettings = await this._graphClient
      .api(`/me/drive/special/approot:/${settingName}:/content`)
      .get();
    
    return newSettings;
  } catch (error) {
    // Fall back to legacy location
    try {
      const legacySettings = await this._graphClient
        .api(`/me/drive/root/apps/SharePoint Online Client Extensibility Web Application Principal:/${settingName}:/content`)
        .get();
      
      return legacySettings;
    } catch (legacyError) {
      console.error('Settings not found in either location:', legacyError);
      throw legacyError;
    }
  }
}

Advanced Scenarios and Architecture Patterns

Decoupled Architecture with Azure Functions

For more sophisticated or enterprise-ready scenarios, consider implementing a decoupled architecture using a back-end Azure Function that handles reading and writing the user's settings via Microsoft Graph on-behalf-of the current user. You can find a comprehensive sample of this architectural pattern in the article Mastering User Settings in SharePoint Framework. The main benefits of using an Azure Function are:
  • Server-side processing: Reduced client-side complexity.
  • Centralized logic: Single point of truth for settings management.
  • Enhanced security: Sensitive operations performed server-side.
  • Scalability: Better handling of large-scale migrations.

Conclusion

The transition from the legacy SharePoint Framework security model to the new multi-tenant application architecture represents a significant improvement in performance, reliability, and governance. However, it requires careful consideration of legacy user settings stored in the legacy AppRoot special folders. By following the technical guidance and best practices outlined in this article, organizations can successfully navigate the transition while preserving user settings and maintaining a positive user experience.

Additional Resources


Post Updated on February 12, 2026 at 06:25PM
Thanks for reading
from devamazonaws.blogspot.com

Comments

Post a Comment

Popular posts from this blog

[MS] Debugger breakpoints are usually implemented by patching the in-memory copy of the code - devamazonaws.blogspot.com

In practice, when you set a code breakpoint in the debugger, the debugger replaces the instruction at that location with a breakpoint instruction.¹ When execution reaches that instruction, it will encounter the breakpoint instruction and break into the debugger. When the program has been stopped in the debugger, what happens next can vary from debugger to debugger. Some debuggers remove all their breakpoints when the program stops, and then restore the breakpoints when the program resumes. Other debuggers leave the breakpoints in place even when the program is stopped. In both cases, if you inspect the memory in the debugger, you will see the original unpatched code. In the first case, it's because the code really is unpatched; the breakpoint instructions are removed. In the second case, it's because the debugger is lying to you and showing you the original bytes even though they aren't what are in memory right now. Most of the time, this deception is insignificant. Eve...
Read more

Amazon EKS now enforces upgrade insights checks as part of cluster upgrades - devamazonaws.blogspot.com

Today, Amazon Elastic Kubernetes Service (EKS) announced a new control to prevent accidental cluster upgrades when issues are already detected that may impact application compatibility with the next Kubernetes version. This feature leverages EKS upgrade insights and is significant step towards giving cluster administrators confidence with Kubernetes version upgrades. EKS upgrade insights automatically scan clusters against a list of potential Kubernetes version upgrade impacting issues such as deprecated Kubernetes API usage. EKS periodically updates the list of insight checks to perform, based on evaluations of changes in the Kubernetes project, as well as changes introduced in the EKS service along with new versions. With this new control, EKS will prevent you from upgrading the EKS clusters if there are any Kubernetes version upgrade impacting issues surfaced by EKS upgrade insights. Once the upgrade impacting issues are resolved, you will be able to upgrade the Kubernetes versio...
Read more

[MS] Exciting new T-SQL features: Regex support, Fuzzy string-matching, and bigint support in DATEADD – preview - devamazonaws.blogspot.com

We are thrilled to announce the public preview of three powerful T-SQL features that will elevate your SQL queries: Regular Expressions (Regex) support, Fuzzy string-matching , and bigint support in DATEADD . These enhancements are now available in Azure SQL Database and SQL Database in Microsoft Fabric , offering developers more flexibility, efficiency, and precision in their data operations. They will also help simplify complex operations that previously required workarounds or external processing. In this post, we'll explore the capabilities of each feature, provide practical examples, and explain how they will transform the way you write T-SQL queries. Regular Expressions (Regex) support in T-SQL Regular expressions are a powerful tool for pattern matching and data extraction. They allow you to search, validate, and manipulate text based on specific patterns. With native Regex support in T-SQL, you can now use POSIX-compliant regular expressions to perform sophisticated stri...
Read more