When to use isolated SPFX webpart?


I am creating an SPFX webpart that will consume an Azure Function, and the Azure Function is configured for AAD authentication. It is very similar to the steps described in this blog post by @Vardhaman Deshpande. I am using the same Web API permissions as described in the blog (user_impersonation and Windows Azure Active Directory, User.Read).

My question is whether I should use the isolated webpart option. The Azure Function is exposing very limited functionality, and the site/page where the SPFX webpart will be hosted is managed by our team, so no risks of sniffing access tokens. What are the risks when not using an isolated webpart? Is the only risk that other SPFX webparts can consume this specific Azure Function?

Thx!

Update: Link to blogpost added.

1 Reply
Hi @Suleman
SPFx web parts which call a Web API using WebApiPermissionRequests require SharePoint / Global Admin approval through the admin center. Once approved, other web parts can use similar permissions even though they are not in the particular site collection. Using an isolated SPFx web part is the solution to that problem. When an isolated SPFx web part requests Web API permissions, the permissions are only granted to that web part through the unique ID of that SPFx web part by Azure AD. All calls to the Web API only receive a valid access token if the Web API calls go through that same SPFx web part. In that way, Web API permissions approval is isolated to the specific web part.
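
The difference described in the reply shows up in the solution's `package-solution.json`. The following is an added example, not code from the thread or from the linked blog post: a small audit that flags permission requests whose approval would not be limited to the requesting solution. The helper name `auditPackageSolution`, the solution name and the resource name `contoso-function-app` are assumptions; `webApiPermissionRequests` and `isDomainIsolated` are the manifest properties involved.

```javascript
// Added example: audit an SPFx package-solution.json for Web API permission
// requests that are not scoped by domain isolation.

// Constructed sample manifests. "contoso-function-app" is a placeholder for the
// Azure AD application that protects the Azure Function.
const sharedManifest = {
  solution: {
    name: "function-client-webpart",
    webApiPermissionRequests: [
      { resource: "contoso-function-app", scope: "user_impersonation" },
      { resource: "Windows Azure Active Directory", scope: "User.Read" }
    ]
  }
};
const isolatedManifest = {
  solution: { ...sharedManifest.solution, isDomainIsolated: true }
};

// Hypothetical helper: returns one finding per permission request whose
// approval would not be limited to this solution.
function auditPackageSolution(manifest) {
  const solution = (manifest && manifest.solution) || {};
  const requests = Array.isArray(solution.webApiPermissionRequests)
    ? solution.webApiPermissionRequests
    : [];
  // This check accepts only a literal boolean true; a missing key or the
  // string "true" is reported as not isolated.
  const isolated = solution.isDomainIsolated === true;
  const findings = isolated
    ? []
    : requests.map(
        (r) => `${r.resource} / ${r.scope}: approval is usable by other web parts`
      );
  return {
    name: solution.name || "(unnamed)",
    isolated,
    requested: requests.length,
    findings
  };
}

for (const m of [sharedManifest, isolatedManifest]) {
  const report = auditPackageSolution(m);
  console.log(report.name, report.isolated ? "isolated" : "shared", report.findings);
}
```

Running this over the manifests in a tenant's app catalog before approving requests in the admin center shows which approvals would be shared.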