Target SharePoint environment
other (enter in the "Additional environment details" area below)
What SharePoint development model, framework, SDK or API is this about?
other (enter in the "Additional environment details" area below)
Developer environment
None
What browser(s) / client(s) have you tested
Additional environment details
Additional Environment Details:
SharePoint Embedded using Graph from an iOS client in a serverless environment
- API: Microsoft Graph v1.0 — POST /storage/fileStorage/containers
- Client type: Native iOS app, MSAL public client (no client secret/certificate)
- Auth: Delegated / on-behalf-of-user
- Scopes: FileStorageContainer.Selected, FileStorageContainerTypeReg.Selected, User.Read
- Container type: Registered in the consuming tenant; container listing succeeds with the same token
- Regression observed: ~2026-06-26 (no client-side changes)
- Result: HTTP 403, accessDenied, "Container creation by a public client is not allowed."
Diagnostic IDs (for server-side trace):

| Field | Value |
| --- | --- |
| client-request-id | 20de4144-f3f3-4f59-ab63-e7f3e9557488 |
| request-id | 20de4144-f3f3-4f59-ab63-e7f3e9557488 |
| SPLogId | c4c922a2-10b6-e000-22aa-fab58067c113 |
| Timestamp (UTC) | Tue, 30 Jun 2026 21:28:59 GMT |
| x-ms-ags-diagnostic | DataCenter: West US, ScaleUnit 007, Ring 4, Slice E |
Describe the bug / error
As of ~2026-06-26, our shipping iOS app can no longer create SharePoint Embedded
containers. POST /v1.0/storage/fileStorage/containers (Microsoft Graph v1.0) now
returns 403 accessDenied with the message "Container creation by a public
client is not allowed." Nothing changed on our side — this broke purely as a
service-side enforcement change.
We are a serverless, multi-tenant ISV: a native iOS app using MSAL as a public
client (no client secret/certificate) with delegated (on-behalf-of-user)
auth. Each customer runs in their own tenant. The container type is already
registered in the consuming tenant, and listing containers with the same token
succeeds — only creation is blocked. This indicates the restriction is
scoped specifically to the create/provisioning operation, not to auth, permissions,
or registration.
Core question: Is the public-client restriction on container creation
intended to apply to delegated calls from a native/mobile public client creating a
container in a consuming tenant? A native mobile app cannot hold a secret/cert and
therefore can never present a confidential-client token (appidacr=1/2). The SPE
auth doc (updated 2026-06-26) calls confidential clients recommended, but our
scenario is now hard-blocked — which appears to contradict Microsoft's own SPE
architecture guidance that explicitly lists mobile apps creating containers in
the customer tenant as a supported pattern. If this is the intended end state, what
is the supported path for a serverless multi-tenant mobile ISV that hosts no backend?
Error response:

```json
{
  "error": {
    "code": "accessDenied",
    "message": "Container creation by a public client is not allowed.",
    "innerError": {
      "date": "2026-06-30T21:28:59",
      "request-id": "20de4144-f3f3-4f59-ab63-e7f3e9557488",
      "client-request-id": "20de4144-f3f3-4f59-ab63-e7f3e9557488"
    }
  }
}
```
Impact: All new users in every consuming tenant are blocked from
provisioning a container (full onboarding outage). Existing users with containers
are unaffected (list/read/write still work delegated from the same public client).
Steps to reproduce
- Register a native iOS app in Entra ID as a public client (no client secret/certificate); authenticate a user with delegated MSAL auth.
- Acquire a delegated Microsoft Graph token with scopes FileStorageContainer.Selected, FileStorageContainerTypeReg.Selected, User.Read.
- Ensure the container type is already registered in the consuming tenant.
- Confirm the token/permissions are valid by listing containers — this succeeds:
  `GET https://graph.microsoft.com/v1.0/storage/fileStorage/containers?$filter=containerTypeId eq <containerTypeId>&$expand=drive`
  → 200 OK, returns `[]`
- Attempt to create a container with the same token:
  `POST https://graph.microsoft.com/v1.0/storage/fileStorage/containers`
  Body:
  ```json
  {
    "displayName": "My Notebook",
    "description": "Personal notebook",
    "containerTypeId": ""
  }
  ```
- Observe 403 Forbidden with code accessDenied and message "Container creation by a public client is not allowed."
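Added example (not code from the report or from Microsoft): a small Python helper that a client or support tooling could use to recognise this specific failure, record the diagnostic IDs needed for a service-side trace, and tell a public-client token apart from a confidential-client one before attempting provisioning. It inspects the `appidacr` claim (0 = public client, 1 = client secret, 2 = certificate) purely as a diagnostic heuristic; Microsoft treats Graph access tokens as opaque to the caller, so the app should not make authorization decisions on it. The token and the 403 body below are constructed samples that mirror the shapes quoted in this issue; nothing is sent over the network.

```python
import base64
import json

# Constructed sample 403 body, shaped like the error quoted in the report above.
SAMPLE_403_BODY = {
    "error": {
        "code": "accessDenied",
        "message": "Container creation by a public client is not allowed.",
        "innerError": {
            "date": "2026-06-30T21:28:59",
            "request-id": "20de4144-f3f3-4f59-ab63-e7f3e9557488",
            "client-request-id": "20de4144-f3f3-4f59-ab63-e7f3e9557488",
        },
    }
}

GRAPH_CONTAINERS = "https://graph.microsoft.com/v1.0/storage/fileStorage/containers"

# Meaning of the Entra appidacr claim on an access token.
APPIDACR_KINDS = {
    "0": "public",
    "1": "confidential (client secret)",
    "2": "confidential (certificate)",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a bogus signature, for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def token_claims(access_token: str) -> dict:
    """Decode the payload of a JWT without verifying it (diagnostics only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    return json.loads(_b64url_decode(parts[1]))


def client_auth_kind(access_token: str) -> str:
    """Report how the calling app authenticated, based on appidacr."""
    claims = token_claims(access_token)
    return APPIDACR_KINDS.get(str(claims.get("appidacr", "")), "unknown")


def build_create_request(display_name: str, description: str, container_type_id: str) -> dict:
    """Assemble the POST used in the repro; refuse a blank containerTypeId up front."""
    if not container_type_id:
        raise ValueError("containerTypeId must be the registered container type GUID")
    return {
        "method": "POST",
        "url": GRAPH_CONTAINERS,
        "body": {
            "displayName": display_name,
            "description": description,
            "containerTypeId": container_type_id,
        },
    }


def classify_create_response(status: int, body: dict) -> str:
    """Map a container-create response to a stable category for telemetry."""
    err = body.get("error", {})
    code = err.get("code", "")
    message = err.get("message", "")
    if status in (200, 201):
        return "created"
    if status == 401:
        return "unauthenticated"
    if status == 403 and code == "accessDenied" and "public client" in message.lower():
        return "blocked_public_client"
    if status == 403:
        return "forbidden_other"
    return f"other_{status}"


def onboarding_diagnosis(access_token: str, status: int, body: dict) -> dict:
    """Combine token kind, response category and the IDs a support case needs."""
    kind = client_auth_kind(access_token)
    outcome = classify_create_response(status, body)
    inner = body.get("error", {}).get("innerError", {})
    return {
        "client_kind": kind,
        "outcome": outcome,
        # True exactly when the service refused creation because the app is a public client.
        "needs_confidential_client": outcome == "blocked_public_client" and kind == "public",
        "support_ids": {k: inner.get(k) for k in ("request-id", "client-request-id", "date")},
    }


if __name__ == "__main__":
    tok = make_unsigned_sample_token({"appidacr": "0", "scp": "FileStorageContainer.Selected"})
    print(json.dumps(onboarding_diagnosis(tok, 403, SAMPLE_403_BODY), indent=2))
```

The `support_ids` dictionary carries exactly the fields (request-id, client-request-id, date) that the diagnostic table in this issue lists, so the same values can be attached to a support case from app telemetry rather than transcribed by hand.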
Expected behavior
A delegated container-creation call from a native/mobile public client should
either:
(a) Succeed — consistent with prior behavior (this worked until ~2026-06-26)
and with Microsoft's documented "mobile app creates containers in the customer
tenant" pattern, with the calling user automatically assigned the Owner role; OR
(b) If the restriction is intended, fail with clear, documented guidance on the
supported path for serverless multi-tenant mobile ISVs, including any
transition/grace period or per-app/per-tenant configuration to re-enable
public-client creation.
At minimum, the behavior and requirements for public vs. confidential clients on the
container create operation should be explicitly documented, since listing,
permissions, and registration all continue to work from the same public-client token.