![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 76%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
Microsoft 365 and Office | SharePoint | Development
The process of building custom applications and tools that interact with Microsoft SharePoint, including SharePoint Online in Microsoft 365.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 19%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKN%3C/text%3E%3C/svg%3E)
Hi Deborthia Azbill,
Thank you for posting your question in the Microsoft Q&A forum.
Based on what you described, if your SPFx web part is calling Microsoft Graph using the built-in SPFx Graph client (MSGraphClientV3 / msGraphClientFactory), then the behavior you’re seeing can often be explained by how SPFx permissions are actually handled after deployment:
When you deploy an SPFx solution, the Graph permissions used by SPFx are not taken from a custom Entra ID “App registration” that you created. Instead, SPFx permission requests are managed through SharePoint’s tenant-level API permission system. Specifically:
- You must declare the required Graph scopes using
webApiPermissionRequestselement inconfig/package-solution.json. - After deploying the
.sppkgto the App Catalog, a Global Administrator must go to SharePoint Admin Center > API management and Approve the pending permission requests.
So, in many cases, granting permissions in an Entra app registration (and consenting that app) does not help an SPFx web part that uses MSGraphClientV3, because the runtime token is issued based on SharePoint’s SPFx principal plus what’s approved in the SharePoint Admin Center API access page.
If you already did all the above and still get 403, could you get back with:
- Which library/client you’re using to call Graph (e.g., MSGraphClientV3, AadHttpClient, PnPjs graph, MSAL, etc.), and
- Which Microsoft doc/tutorial you followed to build the web part?
That will help pinpoint whether the calls are going through SPFx’s built-in auth flow (expected), or through a different auth path that would require different configuration.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.