Authentication error while calling azure api's in SPFX webpart in teams desktop

Nishma Parvin 5 Reputation points

We are facing authentication error while calling azure api’s in SharePoint online site.
It is an SPFX webpart solution package deployed in SharePoint online site. The site is working fine with MSAL authentication in web browsers, teams mobile and team's browser, this issue is happening only in team's desktop client.
This issue is happening only for few users and for others it is working fine.
We have tried below scenarios.

  1. We have checked the browser /windows configuration, and it is same with working machines.
  2. We have checked the AD groups and even adding users in same group again behaviour is same.
  3. We have written some local console to fetch JWT token using silent token generated from teams, then we are getting below error

"{"error":"invalid_grant","error_description":"AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was '{SharePoint tenant}' and the expected audience is '{App id}' or one of the Application Uris of this application with App ID '{AppID(AppName)}. The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.\r\nTrace ID: d40818d7-dca2-42e6-9292-82255554c900\r\nCorrelation ID: 02abc117-2215-4331-bc88-6abc6d1e99dc\r\nTimestamp: 2023-08-07 04:41:29Z","error_codes":[500131],"timestamp":"2023-08-07 04:41:29Z","trace_id":"d40818d7-dca2-42e6-9292-82255554c900","correlation_id":"02abc117-2215-4331-bc88-6abc6d1e99dc","error_uri":""}"

We have created (custom) Teams app with a personal static tab pointing to (contentUrl): "https://{teamSiteDomain}/_layouts/15/teamslogon.aspx?spfx=true&dest=https://{teamSiteDomain}SITEPATH" where SITEPATH is the path to the homesite of our SharePoint tenant.

Microsoft Teams
Microsoft Teams
A Microsoft customizable chat-based workspace.
7,678 questions
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
8,099 questions
{count} vote

1 answer

Sort by: Most helpful
  1. ChengFeng - MSFT 3,765 Reputation points Microsoft Vendor

    Hi @Nishma Parvin

    Thanks for letting us know your user experience. According to your case description, I do understand how frustrated you are now.


    When I received this case, I looked up a lot of information and did a lot of research. I regret to inform you that the issue seems to be related to assertion audience mismatch between client application and server application.

    This can happen when the client application requests a token for a different resource than the server application expected.

    Following what I know so far, I provide a method:

    One possible solution is to ensure that the client application and server application have the same Application ID URI in Azure AD.

    You can check and update the Application ID URI in the Azure portal under Application Registration > Your Application > Public API. The Application ID URI should be a unique identifier for the application, such as

    If you ensure consistency, but still have issues. Then I suggest that you report the problem in this platform, which can better help you solve the problem

    User's image

    Here is link for your reference:

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best Regards

    Cheng Feng