Guest user can't access Client Side Assets resources in SharePoint App Catalog site

When using a third-party or custom web part, there is a property named includeClientSideAssets that pushes the web part's resources to the Client Side Assets library of the SharePoint App Catalog site. Whenever a user uses one of those web parts, the resources are retrieved from this centralized location.

This Client Side Assets library is hidden and is readable at least by every member of your organization, but it is not accessible to external users. As a consequence, external users get errors like the one below.

[SPLoaderError.loadComponentError]:
Failed to load component "544c1372-42df-47c3-94d6-017428cd2baf" (pnpSearchResultsWebPart). Original error: Failed to load path dependency "SearchResultsWebPartStrings" from component "544c1372-42df-47c3-94d6-017428cd2baf" (pnpSearchResultsWebPart). Original error: Error loading https://component-id.invalid/544c1372-42df-47c3-94d6-017428cd2baf_4.1.0/SearchResultsWebPartStrings
Unable to load script https://mytenant.sharepoint.com/sites/AppCatalog/ClientSideAssets/59903278-dd5d-4e9e-bef6-562aae716b8b/search-parts-searchresultswebpartstrings_en-us_9aae9ccf7c7c12e9c05321896a08e265.js

INNERERROR:
Failed to load path dependency "SearchResultsWebPartStrings" from component "544c1372-42df-47c3-94d6-017428cd2baf" (pnpSearchResultsWebPart). Original error: Error loading https://component-id.invalid/544c1372-42df-47c3-94d6-017428cd2baf_4.1.0/SearchResultsWebPartStrings

In my case, the error was triggered using the PnP search result web part.

The "everybody" security group does not include external users.

In order to give external users access to the Client Side Assets library, there are 3 options:

  1. Create a dynamic group
  2. Use the Office 365 CDN
  3. Enable/Disable the All Users (membership) group display

1 - Create a Dynamic group

You can create a dynamic group in Azure Active Directory (AAD) and name it something like "All external user".
Set its membership rule like so: user.userType -eq "Guest"
Then give this group read permission on the Client Side Assets library.

Drawback
This group will be displayed in people pickers even if the current container (SharePoint site, OneDrive folder, Teams team) does not have external sharing enabled.
AAD Premium P1 is required to use the dynamic group feature.

2 - Use the O365 CDN

A Content Delivery Network (CDN) provides high availability and performance by geographically distributing resource files. Office 365 provides 2 types of CDN:
  • Public: anybody with the CDN resource URL can access the files.
  • Private: only authenticated users of your tenant can access the files.
In both cases, guest users can access the resources because they are authenticated.
[Figure: O365 CDN flow - picture by Microsoft]

Drawback
This is a heavier process: you need to understand how the CDN works before implementing this solution.
You will also have to wait around 15 min before resource files are available through the CDN.

3 - Enable/Disable the All Users (membership) group display

By default, the SharePoint people picker shows two groups that represent most users:
  1. Everyone except external users
  2. All company members
Neither of those groups encompasses guest users. However, AAD has some hidden groups. One of them, All Users (membership), contains all users authenticated by AAD.

In order to display this group, you will have to run the following PowerShell command:

Set-SPOTenant -ShowEveryoneClaim $true

Once this group is visible, give it read permission on the Client Side Assets library.

You will have to enable external sharing on your site. If you don't need this group anymore, you can hide it again using:

Set-SPOTenant -ShowEveryoneClaim $false

Even if you hide the group again, it keeps its permissions.

Drawback
You need access to the SharePoint PowerShell CLI.
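Before telling guests to retry, it helps to confirm which of the three grants is actually in place on the hidden library. The following audit script is an added example, not code from the original post; it assumes the PnP.PowerShell module, an account with permissions on the App Catalog, and the placeholder App Catalog URL taken from the error message above. The principal names it checks are the ones this post uses ("All external user" for option 1, "All Users (membership)" for option 3).

```powershell
# Added audit script, not part of the original post. Assumes PnP.PowerShell is installed
# and that the App Catalog lives at the placeholder URL from the post's error message.
$AppCatalogUrl = "https://mytenant.sharepoint.com/sites/AppCatalog"

function Get-ClientSideAssetsPermissions {
    param([string]$Url)
    Connect-PnPOnline -Url $Url -Interactive

    # The library is hidden in the UI, but it still resolves by its internal title.
    $list = Get-PnPList -Identity "ClientSideAssets" -Includes RoleAssignments, HasUniqueRoleAssignments
    if (-not $list.HasUniqueRoleAssignments) {
        Write-Warning "ClientSideAssets inherits from the App Catalog site; guests get whatever the site grants."
    }

    foreach ($ra in $list.RoleAssignments) {
        # Member and RoleDefinitionBindings are not loaded with the list; fetch them per assignment.
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        [pscustomobject]@{
            Principal = $ra.Member.Title
            LoginName = $ra.Member.LoginName
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        }
    }
}

function Test-ReadGranted {
    # $PrincipalTitle: "All external user" (option 1) or "All Users (membership)" (option 3).
    param([object[]]$Permissions, [string]$PrincipalTitle)
    $row = $Permissions | Where-Object { $_.Principal -eq $PrincipalTitle }
    if (-not $row) { return $false }
    # Read, Contribute, Edit and Full Control all include the read permission level.
    return [bool]($row.Roles -match 'Read|Contribute|Edit|Full Control')
}

$perms = Get-ClientSideAssetsPermissions -Url $AppCatalogUrl
$perms | Format-Table -AutoSize

# "Everyone except external users" never covers guests, so a Read grant to it alone does not fix the error.
$guestCovered = (Test-ReadGranted $perms 'All external user') -or (Test-ReadGranted $perms 'All Users (membership)')
if (-not $guestCovered) {
    Write-Warning "No guest-covering principal has Read on ClientSideAssets; guests will still hit SPLoaderError."
}

# Option 3 relies on the hidden claim being shown when the grant is made; report the current switch.
"ShowEveryoneClaim is currently: $((Get-PnPTenant).ShowEveryoneClaim)"
```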
Comments

  1. Nice article, I'm having exactly this problem installing PnPSearch with a client that only gives guest accounts to externals; giving option 3 a try.

    Replies
    1. I'm glad this blog post has helped you. See you.
